How the Dark Web Works

We start The Dark Dive podcast series with the question: what is the dark web?

In this first episode of The Dark Dive we start at the beginning, with the question: what is the dark web?

Renowned dark web academic Dr. Gareth Owenson and threat intelligence expert Jim Simpson provide an overview of the types of traditional and cyber criminal activity that take place on the dark web, while busting (and confirming) some dark web myths.

Speakers

Aidan Murphy, Searchlight Cyber (Host)

Dr. Gareth Owenson, Co-Founder and CTO of Searchlight Cyber

Jim Simpson, Director of Threat Intelligence at Searchlight Cyber

This episode of The Dark Dive covers:

What the dark web is, and how it differs from the "clear web" and the "deep web".

How dark web networks like Tor work, providing users with the ability to browse the internet and create dark web sites anonymously.

Why it's relevant to law enforcement and cybersecurity professionals, as the anonymity provided by the dark web facilitates an underground economy of criminal and cybercriminal activity.

Transcript

Aidan Murphy: Hello, and welcome to the very first episode of The Dark Dive, the podcast that delves into the depths of the dark web. My name is Aidan Murphy, and I’ll be your host as each episode we’re going to take a look at different aspects of the dark web. In the podcast feed, you can already find all of the episodes from the series, this includes deep dives into different areas of the dark web, including hacking forums, illegal marketplaces, and ransomware leak sites. In this episode, we’re going to begin at the start, at the very beginning, and define exactly what the dark web is, and how it works.

While it’s a term you may be familiar with, there are a lot of misconceptions about the dark web. We’re going to tackle some of those in this episode, and to do that, I’m joined by two of the biggest brains in the business: Dr Gareth Owenson, renowned academic of internet anonymizing technologies, and now CTO and co-founder of Searchlight Cyber. Hello Gareth.

Gareth Owenson: Hi Aidan.

Aidan Murphy: And cyber-security expert Jim Simpson, director of threat intelligence at Searchlight Cyber. Hey Jim.

Jim Simpson: You alright dude? I like Gareth’s intro better to be honest. Not that I’m getting jealous or anything.

Gareth Owenson: I like mine better too.

Aidan Murphy: Alright, well I’m going to give you a chance to do your own, so before we jump in, can I ask each of you to just give a quick overview of yourselves to our listeners? We’ll start with you Gareth.

Gareth Owenson: Hi everyone, I’m Gareth Owenson. I’m the CTO, that’s Chief Technology Officer, and one of the founders at Searchlight Cyber. Before I started Searchlight, I was an academic working in the field of cryptography, dark web, cryptocurrencies. I’d been doing that for about ten to fifteen years, published some of the most influential papers in the realms of dark webs, really focused on trying to help the likes of law enforcement uncover some of the crime which is taking place and ultimately go on and investigate those crimes. One of the reasons why I wanted to set up a company with Searchlight is because when we were working with law enforcement, they had a problem with investigating crimes on the dark web, but they didn’t really know how to. What they really wanted was a tool-set which we could put in front of them that would help them solve the crimes, and so that’s where Searchlight came from, it’s really to build that set of tools so that law enforcement can investigate people who believe they can act with impunity on the dark web, and ultimately, put them behind bars. We’ve been running now for about 6 years and have very much been helping government and law enforcement do that over that time.

Aidan Murphy: Brilliant, thanks Gareth. And Jim, do you mind just giving us a very quick introduction to yourself?

Jim Simpson: Yes, I’m Jim Simpson. I’m the Director of Threat Intelligence at Searchlight Cyber. I’m also a SANS certified instructor candidate on the Forensics 578 course, which is the CTI course that SANS offer. I don’t have any law enforcement background, so I’ve come from the enterprise side of things. Previous to this, I worked at Blackberry Cylance as the Director of Threat Intel over there. Before that, I was in industry helping different organizations protect themselves, doing SOC work and a bit of IR work, incident response work. At Searchlight, we head up the collection side of things. We try and identify where we want to get collection from, which is going to help both our enterprise and our law enforcement customers. As well as once that data has been collected, we do some reports and we work with that data to make sure that you can get some good stuff out of it.

Aidan Murphy: Brilliant, well, thanks Jim. I’m actually going to stick with you, because before we get into, I guess, the topic of the podcast of how the dark web works and we rely on Gareth as the foremost expert to talk us through, I just wanted to get your perspective on what the dark web means to cyber-security or the cyber-security community. How relevant is it to that community? How much of an impact does it have on the day to day?

Jim Simpson: Yes, I mean we’ll talk about the different services and everything that are offered on the dark web throughout the rest of this podcast I think, but from a security understanding perspective, you want to know where your threats are going to come from, right? As we’ve seen the landscape grow, we’ve seen specialization in different areas within the criminal underworld or the ecosystem, whatever fancy name you want to give it, where the bad guys operate. One side of that is that initial access side. People are selling access to companies, or people’s credentials might have been compromised and they might be for sale on either an auto-shop or marketplace, which is kind of what we’re looking at. From the security defender’s perspective, so if I’m defending myself from whatever’s happening out there, those can be really early signals that something’s going wrong in your environment and can actually help you stop further attacks. If someone’s selling initial access to your environment, you have suffered a breach at that point. You are compromised, but, the whole point of their access is to sell their access on to someone else who’s going to do something else which is much worse. There’s a bit of signal that you can use to start hunting throughout your environment to try and find what might have been sold and what access might be present, to stop whatever the following actions are.

From a law enforcement perspective, like Gareth was talking about earlier, we need to make sure that we have a record of everything that’s going on. A lot of the ways in which people end up getting caught is OPSEC failures from early days, when they’re starting out, and if you don’t have that historic record of what’s happened and who said what and what bits of data they’ve given away, you’re going to struggle to get back to who they are as a person, and yes, that’s where this technology like the stuff that Searchlight offers gives you that historical view on things. If you’re just relying on the dark web to be there when you want to go back to it, you’re not in control of it. You might be reliant on a piece of data that someone’s taken down. If someone else has taken a copy of that before it’s taken down, then, yes, that’s where you need to go to see what it was, see the history. It’s like a wayback machine for the dark web.

Aidan Murphy: Out of interest, because I don’t think I’ve ever asked you, and this seems like a good time, as someone I’m taking as completely representative of the cyber-security community as a whole, how much did you know about the dark web before you came to Searchlight?

Jim Simpson: That’s a good question. So I kind of knew what it was. Working from the malware side of things, before when I was at Blackberry, we used the dark web to try and find out who was selling what. We were way more focused on malware back then than anything else. So we were looking for strings, we were looking for people selling different bits of code and trying to get hold of that code early on to make sure that one, we were defending against it, and two, where it was being used and seeing if we were seeing it in any of our environments. So from a research perspective, I’d used it, but it wasn’t, like, I didn’t understand necessarily how it worked. It was only when I started talking to Dr Big Brain, that’s now my new nickname for you, that I got a bit more of an idea of where it works and the uses for it.

Aidan Murphy: Brilliantly set up, so Gareth, we’ll turn to you then. So it’s a really obvious question, but I don’t think it’s actually an obvious answer for a lot of listeners, so I guess I’ll ask you. What exactly are we talking about when we say ‘the dark web’?

Gareth Owenson: Yes, I mean it’s somewhat of a poorly defined term. It’s one of those things that, kind of like, you know it when you see it. Typically, I think when people have tried to come up with a definition for it, what they’ve called it is an encrypted part of the internet that requires special software to access, I think is the textbook definition. What practically that means is, it’s normally somewhere on the internet where you download some specialist software, and that software is really designed to hide your identity, and then you browse web pages without those websites knowing where you are or who you are. Naturally, when you introduce forms of anonymity to people, groups of people that is, often lots of crimes start to emerge, because people will think they can act without any kind of consequences. So typically when you look at dark webs, that’s what happens. It grants them some form of anonymity, by downloading the specialist software, and then it’s called the dark web because you end up with this concentration of crimes taking place in that particular forum. It’s really stemming from the fact that there is this anonymity in the first place.

Aidan Murphy: Yes, that’s really interesting, because I mentioned misconceptions at the beginning and I do think, one that I’ve seen even in cyber-security press, is just that the dark web describes all kind of bad things that happen on the internet. But, from what you’re saying, it’s actually a specific area that is purposefully obfuscated or hidden, whichever word you want to use.

Gareth Owenson: Yes, I mean there are several different dark webs and they all behave very slightly differently, but from a user point of view, normally it’s an additional piece of software you download, but it behaves like a web browser. You’re browsing web pages but your activity of browsing gives you some form of anonymity while you’re browsing those pages. As you said, bad stuff does happen on the dark web, in fact it makes up the majority of activity which takes place on dark webs. There are so called good uses for anonymity, and so you do see some of those activities on the dark web, but unfortunately they’re generally outweighed quite significantly by the negative criminal activity which takes place. Examples of good uses would be, if you’re in China for example and you want to access information which is blocked by the Chinese government through censorship, then you could use a dark web tool to bypass that censorship and see that information. Or if you’re an activist in China, wanting to publish something about the Chinese government, obviously it’s a very dangerous activity, you can publish something on a dark web and the idea is the dark web makes it difficult to know where that information is located and so therefore makes it difficult for the authorities to locate the publisher of that information. That’s the textbook example of what dark webs are designed for, it’s just an unfortunate fact of reality that when you give large groups of people anonymity crime tends to emerge. Either because it attracts those kinds of people, or because they fear the consequences less. I suspect it’s probably a bit of both.

Aidan Murphy: I’m sure a sociologist listening has very strong opinions, but before we get into the bad use cases then, one thing I wanted to just ask about, because I do think it helps clear things up in people’s minds, is how does the dark web differ from what we call the deep web and the clear web, which are also phrases you hear people throw around quite a lot? Do you have a definition of those that can help distinguish the dark web?

Gareth Owenson: Yes, sure. This is a little bit more delineated. So the clear web really is any kind of website that you would go to in your Chrome browser that’s out on the public internet. So, you know, Facebook’s on the clear web, Twitter’s on the clear web, your bank’s on the clear web, New York Times, BBC etc. And you can all access those on your phone, on your desktop computers, without any kind of specialist software, and they’re designed to be accessed by people without any kind of restriction. That’s generally what is understood as the clear web. There is some overlap between the clear web and the so called deep web, because the deep web, in its strictest definition is really any website which isn’t indexed by Google. What practically that means is, it’s websites like for example closed forums, that require a login page to get into the forum. Google can’t index it because Google doesn’t have a login for it, so that’s technically part of the deep web. Also a company intranet for example, it’s only accessible by the employees, inside the company network. It’s still a webpage, it’s still accessed through Chrome or Firefox, but because Google can’t get to it because it’s behind that company firewall, that’s technically part of the deep web. Then also, you would see things like control systems, so things like industrial control systems like CCTV cameras, you know, network file sharing devices, those sorts of things. They’ve all got web pages to access them, but they’re not designed for public consumption. They’re not designed to be indexed by Google and so they’re part of the so called deep web as it were.

Then the dark web is really kind of an extension of the deep web, but you need a specialist kind of software to access it. So on the deep web, typically you’re using Chrome or Firefox, no specialist software to access those sites. With a dark web, you are using specialist software. That specialist software is really giving you the anonymity to access those sites. In many cases though, dark web software is just modified versions of Firefox or Chrome, to add that anonymity in it, so the user experience doesn’t really differ from the deep web or the clear web, other than the fact you’re getting this anonymity in it, and because these dark web websites are somewhat more bandwidth constrained, they tend to look a little bit more like websites out of the 1990s than what you see out of the 2020s nowadays, and that’s just because they’ve got less bandwidth to transfer that data. Although that’s been changing a lot over the last few years as dark webs have gotten faster, they’re starting to look a little bit more modern nowadays than they used to.

Aidan Murphy: Jim, so just jumping in I guess, or referring back to what you were discussing at the beginning. I know from your point of view you see these as sources of intelligence, so I guess the difference between the clear web, the deep web, the dark web, I’m sure there’s a lot of criminal intelligence on the clear web and the deep web as well, but the dark web has those two components, I guess, of anonymity, which means that there’s more criminal activity. It also makes it harder to collect from, is that fair to say?

Jim Simpson: The bandwidth constraints obviously make it trickier. There’s a lot of crossover between the deep web type of sources which Gareth was talking about, where you need that access to get into those pages in order to go and have a look what’s going on. It’s the same idea on the majority of the dark websites. You still need to make sure you have an account on these sites in order to go and have a look at that side of things. I think the dark web, like Gareth said, it’s that anonymity side of things. It just means people have this perception that they can go on there and say whatever they want and do whatever they want, and for the most part, yes, they take advantage of that. It’s the clues they leave behind that are useful for law enforcement. It’s the products that they offer that are useful for enterprise defenders. It’s that signal that we’re trying to take out, of the whole mess of stuff that’s going on on these marketplaces, forums all that kind of thing.

Gareth Owenson: I’d just say, interestingly, like it’s sometimes easier to collect from the dark web than it is from the clear web. A lot of the technology on the dark webs is really ten, twenty years old as far as trying to defeat people crawling those sites. You go on the clear web, people are using these modern technologies like Cloudflare, where they’ve got very sophisticated and complicated CAPTCHAs. Those things make it very difficult to collect from those sites. When you look at the dark web, they’re often building their own CAPTCHAs, they can’t use Cloudflare because it’s not compatible with the dark web, and so it becomes easier to collect from those sites, other than the initial technical knowledge in terms of actually accessing the site to do the collection in the first place. Once you’ve got that knowledge, for a technical person, it’s easier to collect from the dark web, bizarrely, than from the clear web itself, despite it being out in the open.

Aidan Murphy: It raises quite an interesting issue then, because if there are security flaws within the dark web as you’ve mentioned, Gareth, why do criminals use it? Because of this belief that even if those flaws are exploited their anonymity remains?

Gareth Owenson: Yes, I mean obviously the flaws I was just talking about don’t really impact their anonymity, other than the fact, it doesn’t make who runs that site that’s hosting all of that content known, it just means it’s easier for us to collect the information from it than if it were on the clear web using something like Cloudflare or one of those other technologies. But dark webs, like any kind of software, do have flaws in them. Dark webs are kind of an active area of research and have been for quite some time. The idea is, sort of, a perfect system that gives everyone that’s using it anonymity so that no one that’s observing the whole network can work out who someone is, or where that site’s located. The truth is, there is no perfect dark web. Everyone’s striving for this ideal where if you had this global surveillance system, run by the likes of NSA and GCHQ and what have you, they could observe the internet at every single corner of it. A dark web, ideally, would still be able to protect the people using it in the face of an adversary like that, but the reality is none of the modern dark webs protect people when you have a very powerful adversary that can observe the internet all over the world and see where traffic’s being routed through. That’s been known about since the inception of dark webs, and what the field has done is got better at making it harder and harder for those agencies to observe and identify people on dark webs, but it’s still very much possible.

You know, for an adequately resourced attacker or adversary, it’s just that they’ve made it harder. If you’re on the dark webs, I mean, drugs for example, the NSA is not coming after you, it’s just not their bag. If you’re engaged in terrorist activity, then perhaps you’re slightly more at risk, so if you’re someone peddling traditional crimes, your adversary’s law enforcement really, and law enforcement have far fewer resources than the likes of the NSA or GCHQ who have surveillance systems that could break those dark webs. So, whilst dark webs don’t provide perfect security, they do make it harder to investigate, and it is challenging to identify people and sites, and where they’re located. It’s not impossible, it is challenging however. If you contrast that with being on the clear web, you know, where it’s really quite straightforward to identify who someone is or where they’re located, it’s really an additional barrier of security against law enforcement working out who or where you are. It doesn’t protect absolutely, it just makes it harder and so you’re less likely to get caught, or it means that law enforcement have to focus on the high risk offenders and perhaps leave the people at the lower end of the food chain behind because they just don’t have the resource to go after them, it just takes more resources to do that investigation. You know, we’re not advertising it, but there clearly is an advantage to using a dark web for criminals, but it’s not a license to act with absolute impunity and zero consequences because at some point you are likely to get caught if you make a big enough noise.

Aidan Murphy: We should say, it’s part of our mission to make it easier for law enforcement to do that job, so we’re definitely not advocating it. So, at this point I think it’s time to take a forensic look at one of these dark webs. I notice Gareth that you’re being very technically correct in saying dark webs. The most popular dark web is Tor. Would you mind giving us a run through of what Tor is?

Gareth Owenson: So you’re right. When most people say dark web, what they really mean is Tor. And Tor is one of the dark webs. There are, you know, probably a hundred or more other dark webs. But there’s a small number of them which are the most popular. But by far and ahead the most popular is Tor. Now most dark webs, including Tor, work by bouncing your traffic around the world. So let’s say I want to go to the New York Times’ website. Ordinarily, me in the UK would connect directly with the New York Times, request a webpage, and then get the page results back and see the content in my browser. When you add something like Tor in the mix, what actually happens is my traffic starts in the UK but it gets bounced around a collection of relays around the world. And these will be based in countries all over the world, and my computer would pick a random set of three to bounce it through. And so if anyone’s observing my internet connection, all they see is me connecting to the Tor network. They don’t see what I’m doing on the Tor network. That traffic is then bounced all around the world, perhaps through three different countries, and then comes out the final place, and then goes directly to the New York Times. The only thing the New York Times sees is that very last point, wherever my traffic happened to exit the Tor network from. All my ISP sees is me connecting to a dark web. So I get both privacy and anonymity. Privacy meaning you don’t know what I’m doing, and anonymity meaning you don’t know who I am. But I get them at slightly different points. My ISP knows who I am but they don’t know what I’m doing, so I have privacy from my ISP. The New York Times knows what I’m doing, you know, I’m coming to that site and visiting a particular webpage. But they don’t know who I am so I get anonymity. And then, in the middle of that connection, you know, all the traffic’s encrypted so no one knows who I am or indeed what I’m doing. So Tor gives you both of those things but just at different points in the network.

Now the dark web is an extension of that basic Tor network and it gives you the ability to host a website anonymously on top of this idea of bouncing traffic around the network. I wouldn’t go into precisely how it works because it’s quite complicated how it achieves it. But the idea is, if someone wants to host a website, you know, you set up your website and you connect it to the Tor network and you kind of advertise it as being available. And then people can connect to you but by bouncing traffic through these relays all the way around the world before it comes to your site. So the advantage of this over the former example is that you actually don’t know where the site’s being hosted and the site doesn’t know where the user is either. And so both parties end up being anonymous to each other. And so it means you can host a website and do whatever you want. And it should be, in theory, impossible for law enforcement to work out where that site is being hosted and therefore they can’t take that site down, or they can’t identify you and arrest you. That’s the basic concept behind it, a dark web.

Aidan Murphy: And those sites are called onions, or hidden services. And we should say that Tor stands for The Onion Router.

Gareth Owenson: That’s correct, yes. So Tor is an acronym which stands for The Onion Router which is run by a not-for-profit project called the Tor Project. It was a project originally coming out of DARPA in the US and now has been grown into a big open-source project by a couple of MIT ex-graduates that set up this Tor Project non-profit. The original concept behind it was that, you know, the US government wanted the ability for spies abroad to send messages back to the homeland without knowing who they are. But the problem is if you see someone in, you know, if you’re a spy in China and you connect to a dark web node, for example, the Chinese government can see you connecting to a dark web node. So that’s pretty obvious you’re a spy. The extension to that is then if you get lots of people to use the dark web for innocent reasons, then the fact that you’re connecting to a Tor node is no longer a problem, right? Because you could be using it for one of those innocent reasons. And so that’s the original concept behind how Tor came to fruition.

Aidan Murphy: That makes sense. And it’s not the only dark web so there are others. I2P, ZeroNet. But why has Tor remained so dominant? Is it about ease of use? Is it about the time it’s been around? Reputation? Is there a contributing factor?

Gareth Owenson: Yes, so I2P and Tor have been around about similar amounts of time. And there are dark webs that even predate Tor. But the thing that Tor, I don’t want to say innovated on, but they really focused on was making it easier to use. And if you wanted to get onto the dark web today, you can go onto their website, you can download the Tor browser bundle, and you could be on the dark web in three or four minutes. You know, with a web browser, you put in your onion addresses and you go directly to them. So it’s very simple for people to get onto it. I wouldn’t say that’s the only thing that made it popular. Probably one of the main things that popularized it was in the early 2010-2011, a guy called Ross Ulbricht figured that you could launch a drugs website on Tor and law enforcement wouldn’t be able to know where the site’s being hosted. Now there’s this new thing called Bitcoin which is, inverted commas, an anonymous way to make payments. And now you have all of the ingredients you need to make an eCommerce site which law enforcement can’t physically get their hands on. And so he launched a drugs website that took Bitcoin as payment, the site being hosted on Tor so you couldn’t work out where he was. The payments via Bitcoin at the time, law enforcement couldn’t work out where those payments were being made to. And so that site obviously thrived very quickly and started getting large numbers of users. Magazines like Wired and a few others picked up on it and that really popularized the whole concept behind Tor and dark webs, so they just exploded in terms of popularity from that day forward. So I think it’s really a combination of the ease of use and also these early use cases which really took off and got lots of publicity in the early days. And now, if you’re any kind of cyber criminal, quote, worth your salt then, you know, you’ll be hosting part of your infrastructure or operations on the Tor network probably because it makes it harder for law enforcement.

Aidan Murphy: Which drug market place was that, Gareth? I’m sure we have a lot of people who know all these things inside out but.

Gareth Owenson: It was called Silk Road.

Aidan Murphy: Silk Road. And there was a Silk Road Two and everything. But we won’t go into the history of them.

Gareth Owenson: There was Silk Road Two, yes, written by a British guy. But he got arrested I think a week or so after it got launched. So it wasn’t quite as successful as the first one.

Aidan Murphy: Not the most successful. Well this brings us nicely onto the criminality on the dark web, and I’m going to come back to you Jim. So Gareth has mentioned drugs. From a cyber security perspective though, what type of criminality do we see on the dark web? What’s the kind of smorgasbord that you might expect to find if you were poking around the dark web?

Jim Simpson: There’s a whole bunch of stuff that you can get on there. So there’s different types of markets. So, like, you have sort of escrow markets and auto-shops. So escrow markets you pay a balance in order to get onto the forum, your money’s held there until the sale goes through, and both parties agree. Then that site will pay you back. Auto-shops being, like, the automated version. You go on, you’re trying to buy some credentials and, ‘Yes, you’ve sent over your Bitcoin, here are your creds.’ It all just works without having any, sort of, negotiation or trade in the middle. But when you’re on there, there’s a whole bunch of stuff that you can start looking for. But you can get everything from helping develop malware. You can get FUD services so if you have malware and you want to make sure that a malware will bypass anti-virus, FUD is for fully undetectable services. You can go and buy DDoS or stressors. You can get, like I said, credentials. You can get fullz, which are not just username and password but all sorts of financial information, dates of birth, all your secret passwords, all your questions that you have to answer to get access to Facebook. There are tools out there that just harvest this data and then they will sell those logs on so that, if I wanted to pretend to be you and you had been victim to this, I could go and buy, I don’t know, a hundred different accounts, a hundred different personas, and then pretend to be you on those. Genesis was one of the biggest marketplaces that we’ve seen, recently taken down. Genesis was kind of novel in the way that it did it in that it didn’t just offer you access to those credentials, but it would create, like, an emulation of that user’s browser. So if they had stolen any tokens-, like, if you think about the last time you logged onto Amazon, once you’ve logged on on the computer, you never log-in to Amazon again, right? And that’s because they store, sort of, session tokens and authentication tokens. And then, what the Genesis bot would do was steal those and then create a virtual machine that you could connect to and pretend to be whoever you wanted. So that’s kind of it from the, like, fraud side of things.

But then people are selling initial access, like I talked about before. So you have this idea of initial access brokers where these are people who specialize in getting-, or either exploiting vulnerabilities or getting access to certain companies. They’ll then sell that on to another leg of the, sort of, cyber crime underworld who will then use that access to go and do whatever they want to do. Typically we see that manifest as ransomware. But you’ll see people getting in there for exfiltration of data, IP theft. The more the whole, sort of, cyber criminal ecosystem has grown, the more specialization there’s been. You don’t have to be able to do everything from initial access or, like, pivoting through a network all the way to exfiltration. If you are good at initial access, you have a scalable business at that point. The more people I can get access to, or the more networks that I can pop, I can own, I can then sell that access onto other people. And that’s where I’ll make my money from it. But it’s all about, ‘How do I monetize access?’ From those guys’ perspective.

Aidan Murphy: And the dark web, I guess, has allowed those business models to develop?

Jim Simpson: The dark web definitely. And cryptocurrency, like Gareth mentioned earlier, has allowed these to develop because there is this idea of anonymity. And all this type of stuff was happening before. There was just-, getting access to it was more difficult. I guess the dark web, and the forums, and the marketplaces have lowered the barrier to entry on that side of things. That has meant people can specialize and they have a common place to go to sell their wares. Whereas before they would have to either figure out their own way to sell it, or it would be in, like, closed little networks, which means your total market is a lot smaller. The dark web, like the onion services, the hidden services that exist on Tor, facilitated that trade in these illicit goods and services. But, yes, I mean you can pretty much get everything you want. I mean, that’s from, like, the cyber-security perspective. From the law enforcement perspective it’s, yes, guns, drugs, weapons.

Aidan Murphy: Would you agree with Gareth’s assertion that any cyber criminal worth their salt is using the dark web to some degree? Or maybe flipping the idea on its head, is there a certain profile of cyber criminal that we see on the dark web? Are they at the more sophisticated end? Are we talking script kiddies? State-backed actors?

Jim Simpson: I’d say everyone’s represented on there. You get people on there, and it’s kind of fun reading through some of the forums. You can see the different people at the different levels. You get people who want to get into it and they’re there to get advice. And it’s, like, the training room for it, sort of thing. ‘How do I do this? Anyone got a playbook on how to exploit some vulnerability?’ There’s trade in those vulnerabilities. Some of the initial access will be used by state-backed actors. They don’t want to necessarily do the initial access themselves. And the fact that they can rely on this ecosystem of things coming through means that it’s easier for them to hide in plain sight. Telling the difference between state-backed actors and what would have been called script kiddies, back in the day.

Aidan Murphy: You can tell I was still living back in the day.

Jim Simpson: From the script kiddies is that their sophistication is increasing. And the state actors don’t mind that at all because it means that when they’re on operations, it’s more difficult to say, ‘Okay, is this actually state-backed? Or is this just a script kiddie who has learnt their trade by reading all these different forums and training in that world?’

Aidan Murphy: Is there a term I should be using instead of script kiddie?

Gareth Owenson: I’m also curious, yes. What is the new term?

Jim Simpson: No it’s just that-, well, I think the idea behind script kiddies is like, ‘Yes, these are, kind of, Noddy attackers. They don’t really know what they’re doing.’ And I think the point I’m trying to make is that we say script kiddie because they might just be specialized in one area and they do rely on scripts heavily like they rely on playbooks. But it doesn’t mean that the damage they do is any less severe, right? And I think that’s the difference. You sort of, like, say script kiddie as a derogatory term to say someone isn’t well trained. But in reality they can do the same amount of damage as someone who is well trained if they have the right tools and they have the right playbooks.

Gareth Owenson: In many respects, you know, the ransomware groups are kind of the professionalized script kiddie, aren’t they? But they’re prolific in their impact, they’ve really become a national security threat for most countries nowadays just because they’re prolific.

Jim Simpson: Exactly.

Gareth Owenson: Not because they’re necessarily technically competent.

Jim Simpson: Yes. And you saw it in the Conti leaks where they leaked the playbooks and, ‘This is how you do an attack our way.’ And it means that someone who has little knowledge, or they can use systems or whatever, but they don’t have to be extremely proficient in order to do it. Here’s the playbook. If this goes wrong, do this. And I don’t know. I’m just trying to make the point that you can say script kiddie and you would be right to say script kiddie, but they still pose a genuine threat. That’s the point I’m trying to make around the skids.

Gareth Owenson: I mean, I think most attackers are some form of script kiddie nowadays, aren’t they? You know, very few people are writing their own exploits to target companies. They’re downloading stuff, they’re buying it, quickly weaponizing things that have just been released, and then just being prolific in it. You know, most organizations are not going to get touched by those.

Jim Simpson: Well, it’s the specialization.

Gareth Owenson: Yes.

Jim Simpson: Yes, you don’t necessarily have the generalists who are good at every stage of it. You have the specialists in, like, standing up infrastructure. You have the specialists in malware development. You have the specialists who are, like, going through what’s been exfiltrated and reading through all that documentation. Whereas back in the day, you had to be able to do all of it, and you had to be able to do all of it well.

Aidan Murphy: Yes. And all these people meet on the dark web so that’s why it’s such an important topic. I will say at this point, we have episodes covering some of these issues in more detail so do check out the podcast feed for maybe some more on ransomware groups and other things. But I will turn now to you, Gareth. So that’s the cyber security side of things and that’s a huge topic in itself. But you mentioned drugs. There is a more traditional crime element to the dark web. Could you give some sense, I guess, of the type of crime that we observe, or law enforcement observe?

Gareth Owenson: Crime is just crime, right? You have technologies sometimes which enable crime and the dark web is just an enabler for traditional types of crime. You know, cyber crime at its base is things like fraud and those sorts of things, which is traditional crime that has just been enabled by cyber. And so the dark web is very much just an enabler of traditional crimes. You know, the big types of activities you see on dark webs like Tor, the sale of drugs gets a lot of press. There are a number of sites selling drugs, weapons, hacked accounts, those sorts of things. There’s child exploitation material. There’s hacking and cyber crime sites selling things that Jim alluded to like accounts, access to companies’ networks as well as hacking tools. You know, really the plethora of stuff that you see in the real world or traditionally online, you can see on the dark web. It’s just that it makes it slightly more challenging to investigate a crime when it’s happening on the dark web. You know, you see people doing bomb threats for example. There was a guy out of I think MIT who didn’t want to take his exam because, you know, he hadn’t done his revision. So he emailed a bomb threat to his university using Tor thinking, ‘Well, I’m using Tor so they won’t be able to work out who I am.’ So they received the bomb threat, you know, they canceled the exam, and had I think a partial campus evacuation as well. And then MIT’s IT team went, ‘So we got the email around this point. The person was probably a student so let’s see who was using Tor around that time.’ And lo and behold, I think there was one or two guys. And they just went and knocked on their doors, and asked them about it. And the guy was like, ‘How did you know it was me?’ ‘Well, we didn’t but you just admitted it, thanks very much.’ So that’s an example of a traditional style crime which has just been enabled by Tor. You know, back when I was a kid you used to do it-, well, I didn’t obviously. But people used to do it using the school payphone on the corner.

Aidan Murphy: It’s one of these kind of dark web-, well I mean, it’s a true story. But you do get these, kind of, dark web myths and quite extreme-, hit-men for hire is one that springs to mind.

Gareth Owenson: That’s not a myth, that’s true.

Aidan Murphy: Hit-men for hire on the dark web is true?

Gareth Owenson: Yes, absolutely it’s true.

Aidan Murphy: Have there been cases that are successful?

Gareth Owenson: Yes. Yes, I think there was one this year in the UK, yes.

Aidan Murphy: Oh wow. Okay, well, not so much of a myth then. You mentioned right at the outset of the podcast that the dark web is predominantly used for criminal activity and that’s where this, kind of, dark concept comes from. I know it’s really hard to put numbers on this but what are we talking? You mentioned there were good use cases, you know, people in states that are under repressive regimes and privacy is important. But from your perspective, or I guess from our experience, how much of the dark web is really more about criminality than it is about positive use cases?

Gareth Owenson: Yes, so it is quite a difficult question to answer. But let me give you perhaps some examples which kind of add some color to it. If you were to look at dark web sites and just put them into categories, you know, ‘This is a drug site, so that’s criminal. This is a human rights site, so it’s positive.’ Around sixty percent of dark web sites are criminal in nature in some form. And then there’s a bit of a gray area where it’s difficult to put some of the sites into different buckets. Of those dark web sites, those engaged in these, like, political-style activities, like human rights, allowing people to speak out and those sorts of things, make up around about one percent of those sites. So that’s a very small proportion of those I guess, sort of, example use cases of dark webs. But very much the majority of activity on dark web sites, sort of, looking at total dark web sites, appears to be criminal in nature. When you look at users, where users are going onto the dark web, you see that the vast majority in fact are going to the criminally oriented sites. And so they’re going to the child exploitation sites, the drugs market places, weapons for sale, those sorts of things. And so the bulk of them are in fact going to those criminal sites. They’re coming to the dark web for that sort of stuff. I will just say though, you know, it is difficult to collect accurate stats on the dark web. But that broad picture which is painted is very much accurate.

Aidan Murphy: That’s really helpful. Thanks, Gareth. And Jim, I guess one way I look at the dark web from our perspective is that it’s almost as much challenges as opportunity for cyber-security professionals in particular. Would you mind expanding on that? How do you see the dark web from a security perspective? What challenges does it put up for a defender and what kind of opportunities are there to be grasped for somebody who wants to gather more intelligence?

Jim Simpson: There’s two ways in which you can think about it, like, I look at it from an intel perspective, right? So if you’re looking at intel, then you need to have collection, and collection is the data that you have that you can ask questions of. What we’ve been talking about so far is what has been advertised on the dark web, what’s on those markets, what’s on the forums, and what people are talking about. And if you have the time to go through that, there’s an awful lot of information out there, there’s an awful lot of data out there that you can ask to say, ‘Am I being targeted? Am I a victim? Do I see anything out there that I think relates to my company?’ And where the specialization that we’ve seen manifest over the past few years, where people are targeting more, like, ‘I’m going to be an initial access broker.’ Or whatever. At some point, they have to sell those wares. And if you have decent collection on the dark web you can see when those sales are being advertised for a lot of things. Some stuff happens behind closed doors. But a lot of it happens on the dark web. So if you have visibility into that space, then you have the ability to pick up some of these adverts quicker, see if it relates to you quicker, before the follow-on actions happen. And that specialization and the mix of the dark web actually gives us more of an opportunity right there. What it also does mean is that there are more people, therefore, trying to do it which means you are having maybe an awful lot more of these lower level attacks that you don’t necessarily see until they pop up on the dark web.

I think the other place where we can look at collection is the, sort of, network traffic. So if, like Gareth talked about when he talked about the dark webs earlier on and Tor specifically, you can either route traffic via Tor in order to hit an endpoint. So if I have an externally facing piece of kit and I don’t want you to know who is attacking that piece of kit or connecting to that piece of kit, you can route that traffic via Tor. If you can see that traffic, you can say, ‘Okay, well someone is trying to hide who they are and they are, like, connecting to our VPN.’ And from a security perspective, that gives you an idea, ‘Okay, well either they have access to it. We can follow on, we can go do some hunting from that perspective.’ If you’re seeing multiple attempts to that VPN, does that mean they don’t have credentials and they’re trying to exploit? In which case, ‘Do I need to patch something sooner?’ And you can use both the traffic collection and the data collection from the sites, and people who are selling their wares as, like, signal that means you can go do something or go act upon something. Start a hunt. There’s a bunch of things, table-top exercises

Aidan Murphy: So from a security defender’s perspective, Tor can almost be used as a red flag of something suspicious going on?

Jim Simpson: Yes, for sure. And it can be used, like I said, by numerous different teams within the security realm. So, like, everything from vulnerability management all the way to incident response or threat hunting. You can use different data points to say, ‘Okay, well we know this has happened. We’ve seen some credentials for one of our users being sold on the dark web. Okay, we know that has happened therefore we take action based off that. We can see someone is advertising access to a company that looks like ours. Alright, we’re not a hundred percent certain that’s ours but they’ve given us enough details in that advert, like they’re selling RDP access with an admin user to a company that’s in our vertical and their turnover is around the same as ours. Okay, we don’t know for definite that we’re targeted, but we can say we might be. Let’s go start a hunt based off of that.’ And when I say a hunt, then you generate hypotheses off that saying, ‘Okay, the initial point of breach is here. What evidence would we look to see at this point?’ And you can go and dig in from that perspective. The traffic connecting multiple times over the same port to a VPN server. Does that mean there’s an exploit in the wild that hasn’t even been revealed by the company yet? There might not be a patch for it. Do we need to take other, like, mitigations on those services to restrict it? Or something along those lines. There’s so much you can do with it, it’s kind of difficult to say, ‘Oh yes, do this one thing if you see this.’ Because it all depends on what the signal is you’re getting. But you are getting a lot of signal from the dark web.

Aidan Murphy: That’s going back to Gareth’s example of the university student. Even an insider threat could be-,

Jim Simpson: Yes, yes. We saw a great example when we were working on some stuff for one of the finance reports that we did. There was some dude on there blatantly saying, ‘I’m a janitor at a bank. I have access to the server room between these hours of the day and no one’s watching me. What should I do?’ And it’s like, okay well, you can tell it was a bit of broken English, so might not be US or UK based. You could figure out a little bit around the working hours. Does that fit your pattern? Do you have anyone who’s, like, on the janitor team coming in? Like, the user words for it. It’s all these different things that you can go look for.

Aidan Murphy: And Gareth, from a law enforcement perspective, I imagine the dark web is more about challenges than it is opportunities? We’ve discussed some of them around anonymity. For them, is it just a pain that the dark web exists?

Gareth Owenson: It certainly is a problem, right? You know, law enforcement have been around a long time. New crimes happen all the time. Law enforcement, like any other industry, evolves and the guys working in law enforcement are generally pretty smart and they’re used to getting round challenges like this. You only have to look in the press to see the large numbers of people getting arrested running dark web sites or buying and selling drugs on them, to see that whilst it’s frustrating for law enforcement, it’s certainly not stopping them identifying and prosecuting people. I think one thing it brings to law enforcement is that, you know, there’s a concentration of criminals in one place. So they’re not necessarily hunting around in lots of places looking for them. Yes, it certainly does bring challenges for them. But that said, law enforcement are pretty good at getting round these sorts of problems. And one of the nice things from a law enforcement point of view is, you know, a criminal only has to screw up once for law enforcement to get them. And so, you know, the criminals are coming on there every single day of the week and they have got to be totally on it, a hundred percent of the time, to get away with not getting caught. The second they make a mistake, there’s a trace left which law enforcement are going to immediately hone in on and that person’s going to be arrested pretty quickly. So in reality, if you’re a criminal, you know, many of whom maybe come onto the dark web for the first time, or perhaps with a limited amount of experience on it, not necessarily knowing best practice. For them to operate over months or years without making a single mistake, it really is nigh on impossible. And so that leaves plenty of opportunity for law enforcement to go ahead and identify people and put them behind bars.

Aidan Murphy: We have a separate episode about how they might go about doing that, so I won’t go into too much depth now. But I think a question that a listener might have, well I would be screaming at my device, is why can’t we just take the dark web down? There’s this hive of criminality and we know who runs it, or you know who runs some of the bigger ones. Why is it still there?

Gareth Owenson: Yes, I mean, that’s a really great question. The reality is, the Tor Project at the moment is part-funded by the US State Department because they believe it helps human rights in oppressive regimes. And so you’ve kind of got the left hand not talking to the right hand. I’m sure the FBI are not too happy that the same government is also partly funding the project. But even if, you know, the US government stopped funding the project and perhaps some of the other sponsors pulled out, I think very likely the dark web would continue in some form because it is an open-source project. And it’s kind of, like, one of those things where you let the cat out of the bag, it’s impossible to put it back in again. So the dark web is kind of like that. That said however, Tor is run by a non-profit foundation. And whilst they say outwardly that, you know, they don’t control the network, really they do. And so they do have the technical ability to block criminal sites on the dark web should they wish to do so. But they have an ideological belief that they shouldn’t be the censor and who watches the watchers if they were the censor? And so they don’t engage in any of that stuff, no matter how bad the crime that’s taking place. And so, yes, like any technology it’s possible to restrict its usage. For anyone to conclude otherwise would be deluded. But to wipe it out completely would be a challenge simply because it’s open-source, anyone can download the software. You can even set up your own Tor network should you wish to do so, should the main one get taken down, and try and attract some users to use it. So we’re at a stage where we can’t put it back. Some people will remember the crypto-wars back in the early 1990s where the US government tried to suppress cryptography being, you know, leaked around the world. And that was a battle that the US government ultimately lost because it’s open-source code that gets leaked out. There were actually some very famous people who deliberately tried to get it on the internet for public consumption. And once it’s out there, it’s very difficult to put it back.

Aidan Murphy: So the reality is that the dark web is here to stay. That seems like a very good note to draw a line under this episode of the Dark Dive and sets us up nicely for subsequent episodes where we’re going to talk about different areas of the dark web. I’d like to say a big thank you to Gareth and Jim for joining me. If you can’t wait to find out more, remember you can follow us for free on Apple Podcast, Spotify, and whatever podcast app you have on your device and get all of the episodes now. If you’d like to get in touch with us here at Searchlight Cyber, you can find our social media accounts and email addresses in the show notes or you can find plenty of information on our website, www.slcyber.io. But until next time, stay safe.
