Combatting Dark Web Criminality
The final episode of this limited series looks at how law enforcement and cybersecurity professionals can respond to the dark web criminality outlined in the previous five episodes.
Returning guest Dr. Gareth Owenson is joined by Ben Jones, CEO of Searchlight Cyber, and Evan Blair, General Manager of North America, to discuss how law enforcement agencies and private organizations are tackling threats that emerge from the dark web.
Speakers
Aidan Murphy
Host
Ben Jones
Co-Founder and CEO of Searchlight Cyber
Dr. Gareth Owenson
Co-Founder and CTO of Searchlight Cyber
Evan Blair
General Manager of North America at Searchlight Cyber
This bumper episode of The Dark Dive covers:
How officers identify individuals that are using the dark web to mask their identity
While the dark web facilitates illegal activity, it isn't perfect, and criminals only need to make one mistake.
How security teams are beginning to monitor the dark web
And the "early warning signals" that they can gather to identify when their organization is about to be attacked.
The final messages that our experts would like listeners to take away from this podcast series
Both law enforcement and security professionals can overcome the challenges created by the dark web and stop criminals from acting with impunity.
Transcript
Aidan Murphy: Hello and welcome to the final episode of this season of The Dark Dive, the podcast that delves into the depths of the dark web. My name is Aidan Murphy and I’m your host, and in each episode we look at different aspects of the dark web. In the other episodes we’ve looked at how the dark web works and areas of the dark web, like marketplaces, hacking forums and ransomware leak sites. A consistent theme across all of the episodes has been the criminality that is enabled by the existence of the dark web and in this episode we’re going to look at how cybersecurity professionals and law enforcement can and are tackling that criminality. To do that, I’m joined by three very senior experts in this field, Ben Jones, CEO and Co-founder of Searchlight Cyber. Hello, Ben.
Ben Jones: Hi.
Aidan Murphy: Returning guest, Dr Gareth Owenson, CTO and Co-founder of Searchlight Cyber. Hello, Gareth.
Gareth Owenson: Hi, Aidan.
Aidan Murphy: And Evan Blair, General Manager of North America for Searchlight Cyber. Hello, Evan.
Evan Blair: Hey everybody, how are you?
Aidan Murphy: Before I jump in I’m just going to ask each of you to introduce yourselves. Can we start with you, Ben?
Ben Jones: Hi, I’m Ben Jones. I started off my career within aerospace engineering, so I used to design engines and aircraft for the military. I then later moved into working for a university, helping them with their research strategy and commercializing intellectual property developed by the university, and that included cybersecurity, as well as defense and other aerospace elements. I then set up Searchlight, back then it was Searchlight Security, now Searchlight Cyber, with Gareth back in 2017 after we had known each other for quite a few years beforehand, having met at college studying maths.
Aidan Murphy: Brilliant. Thanks, Ben. Gareth?
Gareth Owenson: Hi there. I’m Gareth Owenson. Before Searchlight I was an academic working in the cybersecurity field, specifically looking at dark webs, cryptocurrencies and the sorts of technologies that criminals like to use to evade law enforcement and make money off of unsuspecting victims online. I worked in that field for about ten, fifteen years and it was fairly obvious to me in the mid-teens that law enforcement were struggling to investigate crimes going on on the dark web and so Ben and I teamed up to build tools to help them investigate those crimes, and ultimately bring people to justice and put them behind bars.
Aidan Murphy: Brilliant. Thanks, Gareth and Evan?
Evan Blair: Yes, thanks Aidan. I’ve been in the cybersecurity industry for just about two decades now. I started my career in the financial world but quickly ditched that. My cybersecurity journey started with database security, way back when before that was a thing. I spent time on the professional services and partner side, the channel side of things, for a while and then I guess most notably co-founded a cybersecurity company called ZeroFox. I ran and led that business, we took that business to IPO, and then I was really thrilled to join the Searchlight leadership team with Ben, Gareth and others to lead the North American business here at Searchlight, which takes intelligence to the dark web and really illuminates an area that has not been very visible to cybersecurity professionals for a long time, giving some very unique insights and having a really, really big impact on cybersecurity, both on the government side and on the enterprise side of things.
Aidan Murphy: Brilliant. Thanks, Evan. I’m going to come back to that point on how the cybersecurity industry has been picking up on the dark web topic. Ben, I’m going to start with you, if that’s alright. So, our very intelligent listenership will have noticed six episodes in that all of the experts on this podcast have been from Searchlight Cyber. I think to set this episode up where we’re going to talk about how organizations and law enforcement can tackle criminality, I think it would be worth explaining who Searchlight Cyber is, what we do and how we help those people, if you wouldn’t mind setting that up for everybody.
Ben Jones: Sure. So, I’ll start off with some of our earlier history and then take you through some of the evolution of how we got to where we are. The company was originally set up with a single objective and that was to help protect society from the threats of the dark web. The most obvious place for us to start was within law enforcement, so we developed a tool set which allows investigation across Tor and other areas of the Internet which are harder to access and are a concentration of criminal activity. This tool is called Cerberus. We started selling this tool into the law enforcement community, where they were then using it to gather insight into, first of all, what was going on in the dark web, because when something is truly dark you don’t even know how big the problem is, let alone how to tackle it. The first problem to solve was how big is the problem, and then the second element of that is how do you then enable law enforcement to run their investigations in a part of the Internet that previously was very difficult to access. The Cerberus platform was developed to help law enforcement with that and it’s been very successful in doing so. We then had a number of commercial organizations that were interested in being able to use the tool set as well, because the information that’s on the dark web, and also the mission of protecting society, goes beyond the criminal activity that law enforcement are interested in directly in their investigations. It’s also around protecting individuals and companies, and other parts of society that are also vulnerable to cyber attacks, and so we started off selling Cerberus into the non-law enforcement part of the community and we later refined that product into a new product called DarkIQ, which is more efficient at doing some of that network protection and that pre-attack intelligence piece around protecting your organization.
Rather than concentrating on who the threats are being generated by and how to attribute those individuals, it’s more looking at, “What threats are aimed at my particular organization and is there anything I can do in order to try and head those off before they become a big problem for me?” DarkIQ was developed with that in mind to help with the efficiency and broaden the visibility that, whether it’s part of a SOC or a threat intelligence team, a company has as a part of their arsenal to protect themselves. What we’ve been doing in the last few years as well is broadening that reach from where we’ve traditionally been working with law enforcement to work with industry players as well, and optimize that tool set and increase the visibility and other elements that are of interest to those people looking at those outside-in threats towards their network, things which they won’t necessarily be able to see by looking at their logs or using the traditional firewalls or antivirus tools, which they should already have as part of their defense system.
Aidan Murphy: Brilliant. Thanks, Ben. That’s a great overview. You’ve kind of outlined two different audiences there, law enforcement and the cybersecurity community. I want to start with law enforcement at quite a high level. We’ve talked throughout these episodes about law enforcement having problems tackling criminality on the dark web but, again, just starting at the highest level, for you what are the main challenges that the dark web creates for law enforcement? What are the barriers it puts up that stop them from doing their job?
Ben Jones: I alluded to that a little bit in my previous answer but, first of all, it starts off with visibility. How big is the problem? A law enforcement agency and a government as a whole need to know where to focus their resources. Which types of crime are happening, which ones have the greatest impact and which ones are the most prevalent? And so it’s being able to answer those questions in terms of where is this happening? How much of it is happening and how much of an impact is it having on society as a whole? That visibility element is the first stage of law enforcement being able to really get their hands around a problem like the dark web, which is deliberately designed for anonymity. Beyond the visibility it then starts coming down to working out where you want to focus those resources for the largest impact, and so which types of crimes you want to focus on, which areas of the dark web you want to focus on and maybe which individuals you would like to focus on in order to be able to make the greatest impact and greatest return on investment from law enforcement, and the greatest contribution towards the protection of society. You’ve got the visibility, you’ve then got the down-selection into the particular areas that you want to work in and then it’s looking at who is this person? That comes around to attribution. There are other elements there where you can link up different profiles on the dark web with the clear web where people have made OpSec slip-ups, where you can connect potentially an e-mail address which is used on the dark web to one which is used on the clear web.
It’s then being able to integrate the dark web sources with other sources so that you can then work towards actually attributing these individuals. It’s all of those areas which come together, so the visibility, the target selection and then also the capability of being able to actually do something about what’s happening and be able to go in and attribute those individuals and bring justice to them for the problems that they’ve caused to society as a whole.
Aidan Murphy: I want to build more on that OpSec piece now, I might come to you Gareth because you said in a previous episode that the dark web makes it difficult for investigators but not impossible. I guess Ben has touched on some of it there but what means do law enforcement have to investigate individuals? How can they go about identifying somebody if they’re operating in the dark web and using a username rather than their actual identity?
Gareth Owenson: Yes, I mean, in many ways law enforcement are exploiting the mistakes made by criminals and this is the same in the real world, right? If someone breaks into someone’s home, what are they exploiting? They’re exploiting the fact they’ve left fingerprints behind or they’ve dropped some identification, or something along those lines which gives them a lead which they can then pull on and investigate to find who that individual is. The same is true on the dark web, they’re looking at those criminals making mistakes that leak details about who that person is. One of the real beauties of doing any kind of law enforcement investigation is the criminal only has to screw up once, and that’s often a lead which law enforcement can pull on that ultimately leads to the identification of that individual. In the cyber world we talk about what we call operational security, which means if you’re engaged in some kind of operation, you don’t want your fingerprints being left behind and being identified, and to practice perfect operational security, that is that throughout all of your activity you don’t leave any kind of fingerprints or indicators behind, is really quite difficult to do and takes a great deal of training, which of course most of these cyber criminals don’t have, and so they make a good effort at trying to protect that operational security but often they slip up. It’s those slip-ups that can lead us to identify who that individual is. The criminals that engage in activity on the dark web range in sophistication. You have those guys who are coming on the dark web to sell pot and they’re still stoned, and so they’re clearly making mistakes because they’re high, and then you’ve got the more sophisticated actors, like Russian state actors, for example, who know what they’re doing. Again, you’ve got to be on your game 100% of the time and if you’re not then you leave those little breadcrumbs which can be used by law enforcement to identify who they are.
Aidan Murphy: This comes to something that I think we’ve spoken a little bit about in this series again, which is that the dark web is just a tool effectively and, like any tool, it can be used for good purposes and bad purposes. What you’re saying, Gareth, is effectively that even if people are using it for bad purposes, they’re still human and they can still make mistakes, and it’s those mistakes, or breadcrumbs, that law enforcement should follow.
Gareth Owenson: Yes, I mean, the dark web is designed to give people that are using it anonymity and the people that are hosting material on it anonymity, but it’s not perfect, and if you don’t set it up right and you don’t use it in the right way and use a persona which is not connected with you in any way, shape or form, then it makes it more difficult to identify who you are. Again, if you slip up once, I’m afraid that leaves a trace which is often there forever, which can be picked up by law enforcement long after the fact. We’ve seen lots of big law enforcement take-downs of criminal operations on the dark web where some mistake that criminal made in the very early days, for example using their real e-mail address on the set-up of a dark web marketplace, happened years ago but that trace has been left, and it’s law enforcement who come along and exploit that trace, even though the person has been totally on it from that point forward. It was that one slip-up which ultimately led to their undoing.
Aidan Murphy: There are some amazing cases of ransomware groups being taken down, bots that are hosted in the dark web, marketplaces. Evan, I’m quite interested in this from a US perspective because from a European viewpoint, the US is quite a complicated law enforcement landscape. You watch these shows and for every crime there are three agencies that turn up and they’re all fighting over jurisdiction. Do you have a sense, in the US, of where that lies, you know, for investigating these crimes on the dark web? Is that a federal issue? Is that a state issue? Is that a local issue or do we see a real mix across the board?
Evan Blair: Yes, it seems like a cop-out to say the latter there but it really is. The US is a complicated web of law enforcement jurisdictions and agencies all vying for responsibility, ownership, all the way down to state and municipalities. Then you’ve got state police, you’ve got federal. It’s a bit patchwork. You’ve seen a lot of movement in the US law enforcement community over the last decade or so pushing into joint task force operations where you have state, local and federal agencies coming together in various regions to combat some of the largest challenges that we’re dealing with, and some of those, no surprise here, are fentanyl-related, and the dark web plays a really big role in the distribution of fentanyl and connecting the dots between those that manufacture it, press pills and then get it out into the streets. We’ve seen a lot of growth in the cooperation here in the US law enforcement arena but when you are a united set of states that all have their own laws, you run into some of those cross-border challenges. I have had US state-level law enforcement agencies ask me if they can just do a quick search on the dark web for people selling X in Y state. Unfortunately, as Gareth and you were just talking about, right, the dark web is a tool, it’s a communications framework. It’s not like shooting fish in a barrel and it certainly does not allow law enforcement agents to just quickly bracket, with a Google search if you will, where people are. However, as Gareth mentioned, I think our law enforcement professionals are becoming a lot more aware of the threads that need to be pulled within the dark web to start to surface the right actors, the right groups, the right behaviors, which then allow them to search and dig through those breadcrumbs and those unique fingerprints, if you will, that are left behind by actors, either sophisticated or unsophisticated, and it starts to allow them to build those nets.
Unfortunately, the way our political system and jurisdiction system is set up does pose some challenges. Again, an organization like ours does allow us to cut across some of that red tape by partnering with and servicing the needs of a variety of those agencies and then helping them connect the dots when they’re all working on the same case or when they have the same targets in their sights, so that more can be done more quickly.
Aidan Murphy: Because, like I said, it’s not just an issue of criminals on the dark web not respecting the state borders, it’s an international problem as well. It seems, I guess to me as an insider, increasingly you see these press releases and it’s the FBI in collaboration with agencies not even just in the US but around the world. It’s an increasingly international effort that’s being made on the law enforcement side. Is that a fair summation? Is that, again, a new trend or has that been happening for a long time and I’m only just picking up on it now?
Evan Blair: I think collaboration and cooperation is just continuing to grow as this problem becomes more present; that there’s a digital aspect to just about every crime is now almost a certainty. The digital domain, the dark web specifically but also just broadly cyberspace, doesn’t respect, sort of, international geopolitical boundaries. The cooperation element is really, really important and, as you highlighted, you’re seeing lots of different agencies leading task forces made up of, you name it, three-letter, four-letter national police organizations. It’s good to see that international cooperation growing because it’s the only way that we’re going to really tackle the problem, but even ‘tackle the problem’ may be the wrong statement. It’s just trying to play a better version of whack-a-mole, if you will, and trying to root out the home bases or the tunnel infrastructures of those digital criminals so that it makes it harder and harder for them to continue to operate and continue to push their operations. Yes, I think you’re going to see more and more collaboration and cooperation across borders, and you’re starting to see even more partners looking to come into the fold who are not traditionally allies of the US or the Western European powers, who are looking to join the law enforcement efforts specifically as it relates to dark web and cyber criminal activity because, again, it’s impacting their countries, their citizens, their economies regardless of where their political affiliations on a national stage lie.
Aidan Murphy: Ben, did you want to come in on that?
Ben Jones: I mean, I was going to comment on the fact that the international collaboration is more of a necessity because of the way in which, when you combine an anonymous technology which is global, like the dark web, with an anonymous or perceived anonymous payment system, like cryptocurrency, when you put the two together crime will become international, because you’ve now enabled individuals to access a global network anonymously and then be able to monetize whatever it is that you’re trying to do, whichever criminal activity it is. As a result, quite often when you start an investigation into the dark web, you don’t know where it’s going to land, so you pull on a thread which then may take you to another country, and then you’ll have to reach out to that other country and get cooperation that way. I think this international collaboration has come through necessity and you’ve seen a lot of successful partnerships in the past where they have taken down whether it’s a dark net market or a malware group, or something like that, and that international cooperation is difficult. If they’re all using the same tool sets and have the same base level of information, it does make those investigations a bit easier to then communicate and cooperate across those borders. I do feel for the law enforcement community because it’s not easy, you are chasing people around the world, and the fact that they have had such success so far I think is testament to their cooperation and ability, and the, sort of, dedication between the different forces to working together to catch those individuals. It’s not an easy job.
Gareth Owenson: As Ben said, I think the vast majority of dark web investigations have an international component. If you look at the cyber crime groups or any criminal groups on the dark web involving one or a couple of people, they don’t know where each other are either. You’ve got criminals in Russia cooperating with people in England and the US, and other countries throughout the world. When you see law enforcement do these take-downs of these big groups, often they are arresting people from all around the world and that’s got to be done in a coordinated fashion. You can’t pop off one person, which then alerts the rest of the group, who then destroy evidence. You’ve got to try and take these guys out all simultaneously, at the same time, on the same day, regardless of where they happen to be in the world.
Aidan Murphy: You mentioned at the beginning, Gareth, in your introduction that when this company was founded it was because we observed law enforcement struggling with this issue, struggling with how to deal with the dark web. In, I guess, the years that Searchlight have been operating, has that situation improved? What progress has been made?
Gareth Owenson: Yes, I think law enforcement have become a lot more sophisticated in doing dark web investigations, and part of that is because they’ve had the cooperation from industry, where industry has been building tools to help law enforcement do those investigations, but also because some of the technologies have been around longer and so they’ve now had the time to gain the experience required. The main challenge that I think law enforcement has in the investigative techniques is that they’re competing with big tech companies for cyber skills, and big tech companies can pay a lot more than government organizations can pay. Law enforcement struggle to recruit and also retain those technically talented people and so they rely on industry to provide the tooling, which gives them not only the skill advancement but also the retention of knowledge from team to team as people move on and move around in that law enforcement agency. The second problem they’ve got really is the scale of the problem. If you look at drug marketplaces, or any other kind of marketplace, there are goods being sold in the tens of thousands, and so law enforcement can’t take that all on when the perpetrators are all around the world. They have to start doing it in a targeted fashion and primarily they are interested in crimes happening in their own country, and so that limits that investigative appetite if they’ve got a narrow scope for their investigation.
Aidan Murphy: Then I’ll actually throw the same question to you, Ben. In the last seven years, do you think that progress has been made? Is the situation improving on the law enforcement side?
Ben Jones: I think there are two elements to that. I think that the awareness of the dark web has increased and therefore the amount of activity has increased a lot since when we first started in 2017. A number of additional markets, ransomware groups and other criminal activity are now happening on the dark web. And so the threat has grown significantly. The dark web is now in the common lexicon of society, there are Netflix documentaries talking about it, there are YouTube videos talking about it, tutorials. It’s now become something which most people are aware of and if you’re criminally inclined, I imagine it’s definitely something that you’d be looking at. First of all, the issue itself has grown significantly since we first started. That being said, law enforcement are tooling up and they’re using companies like ours to help them with their investigations, and so because of that, because of the awareness and training within law enforcement, the specialisms that are now emerging within some of those forces, they are having an increasing impact and there have been some significant take-downs. There were take-downs and investigations which were run way back in 2016, before we had established ourselves as a company, but they were few and far between. Now these investigations happen on a regular basis and you’ll have law enforcement agencies using this as part of their standard toolkit. You may have a crime which touches the dark web but it may not operate entirely on the dark web. We’ve also become a key part of that investigative toolkit where if somebody is doing some sort of crime online, they probably have touched the dark web at some point but they may well have touched the standard Internet, or operated things on their phone or from other systems.
So, rather than the investigations being purely focused on the dark web themselves, it’s also added into that arsenal, that armory, to allow law enforcement to make connections where criminals are hopping across different infrastructure and going across different areas. In the same way in which you would launder money by layering it, you also try and protect your criminal activity by layering it through various different networks or through various different techniques.
I think as criminals have become more sophisticated and are using the dark web to help them run their operations, law enforcement have become more aware of it, they are having a greater impact but they’re doing it against an increasing tide where there is more and more crime happening within these areas. It’s certainly not to a point where we can sit back and pat ourselves on the back to say, ‘Job done, that threat has been alleviated,’ but it’s also not all despair because we are making inroads here and we’re having successes, and law enforcement, like I said, working with companies like ours are having a real impact. I think the key is that cooperation, as Gareth alluded to, between industry and law enforcement to help them achieve what they want to; to have every police force in the world build up their own tool sets or their own specialisms within their departments is impossible. This is a prime example of how industry and law enforcement can work together to have a societal good against something like dark web criminal activity.
Aidan Murphy: You’ve described a bit of an arms race there, I guess, between the criminal side and the ‘good guys’ we might say, and I think that is an analogy that is also very prevalent in the cybersecurity side of things. I’m going to use that as a very natural segue to move onto the business side of things. Evan, one of the themes that’s come out along those lines through these episodes is that, as many challenges as the dark web throws up for cybersecurity professionals, it is a host for these gangs who target businesses, markets where they can sell people’s data, trade malware, it has also created an opportunity for security teams. Could you maybe elaborate on what that opportunity is? How does the existence of the dark web help security professionals in a way?
Evan Blair: Yes, so I wouldn’t exactly say the existence of the dark web helps security professionals, however I would say that the existence of technology and capabilities to quietly hold information and intelligence from the dark web to illuminate the intentions or motivations behind various actor groups, and various individual actors, has proven to be a big benefit to cybersecurity teams who are focused on defending their infrastructure, their data, their assets and their larger international partner ecosystem. It’s interesting when you look at the dark web in the sense that, from data produced by Coinbase, we saw over USD 2bn in marketplace turnover, so USD 2bn in crypto exchanged hands on the dark web in a single year, and a lot of that was buying and selling access to corporate networks, to corporate environments. These were trading exploits or credentials, even, to allow criminals to walk in the front door. There has become a huge underground marketplace and economy that’s bigger than many cities and states, and even some small countries, in terms of value driving behavior. On one hand you’ve got an increase of motivation and an increased group of people that have access to harm enterprise and business organizations, even government organizations, any organization around the world, from a cyber attack perspective. With that increase in access and communication, it also gives the defenders the ability to see more. While the threat has continued to increase because of the dark web, I would say it’s really democratized cyber attack.
It’s made it so that folks with less technical acumen and skill sets can spend a few pieces of a bitcoin to buy access to a corporate network, to buy an exploit, to buy a ransomware kit. You’ve seen whole cottage industries and customer support infrastructure stood up around some of these malware tool kits; when they don’t work, when a decryptor gets broken by law enforcement, they’ll refund money. They really treat their customers the way that you would expect a major, legitimate enterprise or business to treat their customers. It’s created more cybersecurity issues and challenges on the one hand, but because we can now harness some of that data, if you have the right tools and technologies in place, it allows us to, I guess, if you think about shifting left in the cyber kill chain, take action on a threat really before it materializes. I look at this as, everybody has seen the movie Minority Report, if you’ve got the right tools, like Searchlight, you effectively have a precog for cyber attack, if you know what to do with that information and that intelligence, if you can piece it together, because, again, in the movie it wasn’t perfectly clear. There were details missing, you had some information but not all of it. If you can string that all together with the tools that you have in place today, the infrastructure that you spent a lot of money and time, and energy, on building the monitoring solutions, if you can leverage that intelligence from the dark web you can effectively identify a breach before it occurs, cut off that access, eliminate the chance of that having an impact on your organization. If you wanted to, some of the more sophisticated cybersecurity teams, sometimes in partnership with law enforcement, can use that data to lay a trap and use that data to track and follow the cyber actors to see what they’re doing, all unbeknownst to the cyber adversaries there.
I think, yes, the dark web has certainly created more problems because of the democratization of cyber attack, however with tools like Searchlight and a well-trained threat intelligence team, you can actually turn it on its head and make it beneficial to your organization and then, as Gareth was alluding to earlier, the partnership between the law enforcement and the private sector. We’re seeing more and more almost complete investigations passed off to the cyber arms of various federal and state law enforcement agencies from the biggest enterprises in their jurisdictions.
Aidan Murphy: That’s brilliantly explained, Evan, and great use of Minority Report. Now I’m going to have to go away and re-watch that movie. You mentioned there the cyber kill chain, and some of the activity that we observe on the dark web, some great examples. And we sometimes lump this all together as what we call pre-attack activity, or the intelligence we gather from the dark web as pre-attack intelligence. Would you mind just explaining to the listener, maybe, what does that mean? What does pre-attack mean and how is pre-attack intelligence valuable?
Evan Blair: Again, maybe put it in the context of something that you’re more familiar with or that’s just a part of your everyday life. If you are walking to work and the light turns green, naturally, people are going to cross the street and assume that it’s safe. But if you had pre-attack intelligence in this context, if you had insight into what was about to happen, you’d know that two interchanges down the road, there was a high speed chase. And there was a car barreling down the road, not respecting the stop lights, going about 80 miles an hour, coming right for your intersection. And you couldn’t see it right now, and your normal walk to work, you would never have known. But if you had that pre-attack intel, you’d know that car was coming, and you’d be able to get out of the way, cross the street quicker, don’t cross the street, and protect the others around you by sharing that information. Those that are standing at the crosswalk with you, ‘Hey guys, don’t cross the street right now, we’ve got a big problem here. Let’s find another way.’ That, in essence, is pre-attack intel.
And so, in the cyber world, you’re getting that warning that there is a specific group or an actor that has a combination of factors that lead us to believe that there is a real, imminent threat here. So, one of those factors is capability. And so, capability is that a specific actor or actor group has amassed a technical means to compromise your organization. Whether that’s through a third-party software that you use to transfer data, whether that’s through your VPN infrastructure, or a more serious and a zero-day type vulnerability. We saw Citrix Bleed as a very big vulnerability that was traded heavily on the dark web recently, as an example of capability. And so, okay, now we know that they’ve got a technical means to do something bad to us. And so, if I have that information, I can try to shore up the places technically where we’re weak, where we’re soft, based off that intelligence. If you weren’t a cyber security professional, you might think, ‘Well, why wouldn’t we always try to take action on vulnerabilities and weak spots in our technical infrastructure?’
Well, the answer is, simply, you have to cross the street at some point. And you have to look both ways and say, ‘Okay, I don’t think there’s a speeding car coming from three intersections over. I can cross the street now, I’ve done my diligence, because I have to get to work.’ In the cyber world, there are any number of vulnerabilities and weak spots that need addressing. I mean, we patch things all the time. Anybody that has a cellphone, the amount of security patches and updates that get pushed to their devices on a regular basis is quite frequent and in a complex enterprise infrastructure, you cannot tackle all of them, ever. And so, you have to prioritize. And so, having that capability intel gives you prioritization. The other piece would be opportunity, and/or intent. And so, maybe I’m not an organization in a specific industry that would be a focus of a coordinated effort to use these exploits against my organization. But maybe I am in an industry that is being talked about.
We’ve recently seen a lot of activity in the healthcare space, where actors are specifically targeting hospitals and hospital systems for extraction of data purposes, right. And what they do with that data, again, that’s a whole other segment of investigation. But they’re targeting hospital systems. And so, now that I know that there’s an intent to go after organizations like myself, then, okay, I need to start to put more effort, more energy, more attention into this. And so, when I can combine a lot of those indicators, capability, opportunity and intent, it gives me the triangulation of forces that give me the reasonable expectation that action here will be the right action. Versus spending time doing something else. I’m defending against an issue that hasn’t occurred yet, but I have a high level of certainty that it will occur and, if it doesn’t, that’s okay because I’ve made the right risk calculation in terms of prioritization of resources and effort. If you look at, to your question, going back to the beginning about the kill chain, the cyber kill chain was developed by Lockheed Martin and it was designed to help professionals understand the stages of an attack.
What we say when we mean shift left is, go back to the beginning, further than the beginning, before that attack actually hits your network, right. You don’t want to be in the intersection when that car comes barreling down and have to jump out at the last minute. You want to know that that car might be coming so you never cross that street in the first place.
Aidan Murphy: Brilliant. So this early warning, and Ben, this comes back to a point you mentioned earlier about a solution. So, we built DarkIQ to help companies monitor for these early warning signals that they might be targeted. Could you give the listener an idea of what kind of data on the dark web that is, that we collect? What are those early warning signs and how do they present themselves?
Ben Jones: So, there are a number of different ways in which this data can be used in order to protect your network. So, fundamentally, you can monitor forums and markets to see, firstly, whether or not anything is already being traded on your particular organization. We’ve found examples where people have already gained access to a network, they have a VPN with remote access into a network and they’re looking to sell that. The reason why you get these opportunities, I guess, a way of framing it is looking at the ecosystem around this criminal activity. I mean, a lot of this behavior is driven by money. I mean, there are some hacktivists out there, but the vast majority of this, people are doing it to make some money. And so, they want to do it in such a way where they carry as little risk as possible, and so there is a whole ecosystem around this. And every time there is an exchange of money and data going from one part of the chain to the next part, there’s an opportunity to try and spot that. And so, if you think about the way in which, if you were a criminal and you were going to try and get into this ecosystem, there are various different ways of doing it.
I think it’s quite rare that you would have an individual who would find an exploitation, go into a network, then establish themselves on the network, migrate across it, run the attack, exfiltrate information, then extort them and wherever else they were planning on going with that. Selling the IP or going back again and making them buy the data back off of you. It’s quite unusual to have an individual go in and do all of those things. And so, every stage, you’ll have somebody who’s looking to specialize in that area. And, in order to be able to then sell their goods or their services, they have to be able to advertise them and they have to be able to get paid for them. And so, every part along that chain, there is an opportunity to spot somebody, either through the flow of money or through the collaboration and looking to sell these services. And so, it could be somebody brokering access into your network. It could be traffic going onto your network and somebody going around trying to exfiltrate data out, taking advantage of, maybe, known vulnerabilities on specific ports. It could be people setting up phishing sites, looking to try and get customer or employee credentials for that particular business and then sell on those credentials.
It could be people who have managed to compromise a credit card, for example, and they don’t want to have to cash out on the credit card. They’ll sell to somebody who can then cash out on the credit card. So, going back to my original point where the dark web combined with cryptocurrencies allows the monetization of criminal activity, you get all of the other assets, all of the other aspects of running a business run alongside that, that you would see in the clear web. So, you see dark web markets running like eBay. They’ve got customer service, they have complaints, they have ticketing systems. You have people who are looking to sell their services like a consultant. Whether that’s, sort of, violence as a service, whether it’s hacking as a service or helping people with cash-out schemes or with production of weapons. Whatever it is, in the same way, I guess, in the legal world where you have people who are involved with marketing, business development, sales people, product development. It’s mirrored in the dark web, and there’s a whole ecosystem and community there. And so, each of those different stages within that process give you an opportunity to then try and get a bit of foresight about what’s coming at you.
And so, as I mentioned, to give you some specific answers, you’re looking at things like phishing sites, you’re looking at things like compromises within your network. You’re looking at people brokering access into your network, you’re looking at spikes of traffic that may be coming from the dark web. You can be looking at some general hygiene things surrounding your business, and then when you combine these things together, you get something which is greater than the sum of its parts. Because you’re now, in the same way that you stack risks on top of each other in order to manage your risk, it’s the same with the threats. You’re looking at trying to stack these together, and if you see this, this and this, there’s a higher level of threat which is coming at you. And so, using a platform like DarkIQ, the idea is that you’re trying to stack those threats and try and quantify how big this risk is coming at you. And then, equally, whether there’s anything you can do about it. And so, the platform will then also recommend, ‘This is what we think you should do about it in order to be able to tackle this particular problem.’
Aidan Murphy: Thanks Ben, that’s really helpful and really illustrative. Evan, just before we move on, I guess I wanted to ask, same question I had asked about the law enforcement. On the cyber security side, are people aware, like you say, the ability to prioritize using dark web monitoring and the ability to see these early warning signs? Do we feel that the cyber security community is using intelligence from the dark web to its fullest ability? Has that increased, or is there still a lot to be done on that side?
Evan Blair: No, that’s a good question. So, cyber threat intelligence has been around for a long time. Until recently, my opinion is, the value of cyber threat intelligence has always been more informational or reputational from a protection perspective. There has been a lot of money made in the industry on giving tools to look at broad trends and uncover very sophisticated threat actors, activities, through a lot of manual means. And there has been a lot of money made in helping organizations protect and defend their digital brand and digital reputation. But, there hasn’t been a silver bullet. Intelligence never really reached over the last ten, fifteen years, the levels that it has in the normal geopolitical conflicts, right. Intelligence is the most important aspect of any geopolitical conflict in real life, but we hadn’t seen the prominence of cyber threat intelligence rise to that level. Well, I think things are changing now. With the advent of technologies like Searchlight’s platform that can uncover these indicators on the dark web, tap into, as Ben was just alluding to, that interconnected ecosystem of bad behavior and bad intentions. We’re starting to see a shift.
You know, if you look at the data, and some of this is Searchlight data, some of this is data from Verizon and others, you see a very high percentage of CISOs aware. In the high 80s, almost 90% of CISOs are aware of the need and the value that dark web intelligence can bring. But very few of them have really been able to deploy the dark web intelligence the way that they’d like, and, again, some of that is because when they look at legacy vendors that they’ve been using for cyber threat intelligence, that data is not super timely. It’s not super relevant, and it’s definitely not very actionable. And so, they try, they know, they hear about the promise, they hear others doing it, but with the legacy vendors that rely too much on human collection and curation, they’re not getting the same results. They’re not getting that line-of-fire results, that real-time necessity for cyber defense. But because there are technologies like Searchlight that can give that real-time, relevant and action-oriented intelligence to cyber defenders, you’re starting to see a shift in the discourse across the industry. Where there’s more and more focus on bringing in the right tools and technologies and not the right firms and/or people, if that makes sense.
Aidan Murphy: You described, kind of, this era of transition. I’m going to ask each of you this question, but just to wrap up this series, I guess, for people, if you could say one thing to that cyber security audience or law enforcement audience that are listening to this podcast, what would your message be? I’ll start with you, Evan, as it follows on very nicely from your point.
Evan Blair: That’s a tough question, Aidan. One thing. I’m not known for being able to say one thing and one thing only, however, you have to prioritize timeliness, relevancy and actionability in anything related to intelligence. Whether it’s dark web or beyond. Because without those three components, you’re going to be behind the eight-ball, and that’s not where you want to be. And so, find a vendor that can deliver on those three aspects and is willing to work with you and continue to build better automations, faster detections, and support your action-oriented approach to pre-attack intelligence and pre-attack defense within your infrastructure. And don’t be afraid to share data with your partners, your peers, and your competition within your industry. Don’t be afraid to consider your supply chain an integral part of your cyber defense posture, especially when it comes to intelligence. And don’t be afraid to share with law enforcement. Sometimes that’s a little scary, but law enforcement is here to support us. And whether it’s the US Secret Service, Department of Homeland Security, the FBI, your local state police units, your city municipality services, don’t be afraid to reach out, ask for help, share information.
Because, if we can stop these bad guys at the source, if we blow up those mole tunnels, there are fewer moles popping up that we have to whack as cyber defenders. And so, creating a more healthy partnership is going to be the friend of everybody as we move forward into this new area of intelligence-fueled cyber security.
Aidan Murphy: Brilliant, thanks Evan, I think that’s a really positive message. Gareth, from your perspective, if there was one thing you could convey to law enforcement or cyber security professionals listening that you’d want them to know, what would you say?
Gareth Owenson: I mean, the biggest challenge is making sense from all the data which is out there, and you can’t build your own tooling or use a small number of analysts to go through and mine that information for the stuff that’s relevant for you. You need to partner with an organization which has the experience and the technology to make sense of that information and scale. We talked earlier about law enforcement being able to really advance an investigation because criminals make mistakes. Those mistakes are often made a decade before, for example, it’s buried in the noise. And you need tooling and capability to surface that knowledge to the forefront so you can quickly advance those investigations without going down dead ends for a long period of time before you eventually stumble across it. So, partner with an experienced firm in this space which has the expertise and the technology to really help you do that.
Aidan Murphy: Brilliant, thanks Gareth. And Ben, you can have the final say. What would you like our listeners to take away from this?
Ben Jones: Am I allowed a different piece of advice for law enforcement versus commercial entities?
Aidan Murphy: I’m feeling very generous so yes, of course.
Ben Jones: Thank you. So, for commercial entities, I would suggest, it’s very tempting to try and put out all the fires which are happening right now without investing your time or your effort into trying and stopping the future fires from happening. As much as you do need to address those, try and put out those fires which are currently burning your toes, I would suggest that, even if it’s only a small percentage at the moment if you are really struggling, it is still worth investing in that pre-attack. Because your future self will thank you for it, because it’ll make your life a lot easier going ahead. So, it is very difficult having to deal with a situation if you’re being attacked from all sides right now. Everybody wants that luxury to be able to just breathe and then look at what’s coming at them. Most people aren’t granted that luxury, and so, as well as dealing with those things which are coming at you right now, as difficult as it is, it’s worth investing in trying to do some of that pre-attack analysis as well. Because it will make your life easier in the future. If you don’t do that, you’ll be permanently trying to put out fires. And what you really want to be able to do is invest in those systems which help prevent some of those fires happening in the first place.
So, using a company like ours to then provide you with that pre-attack intelligence is an investment worth making. And to the law enforcement side, you should do what you’re best at doing. And so, that’s going out and investigating these crimes, bringing people to justice and protecting society. Working with a trusted industry partner to then provide the technology to allow you to do that will free up your officers to focus on doing those things which add the most value to society and to help you achieve your goals. And so, spending resource in trying to replicate something which an industry partner has already spent many years developing. And then you’re spending a lot of money internally trying to build something which is going to cost a hell of a lot more, and also won’t be anywhere as sophisticated because you’re just not going to have the bandwidth. So, working with a trusted partner to then enable you to go out and do what you guys do best, that would be my advice to a law enforcement partner.
Aidan Murphy: Brilliant, thanks Ben. That seems like a good note to draw a line under this, the final episode of this season of The Dark Dive. A big thank you to Ben, Gareth and Evan for joining me and sharing their expertise. I’d also like to thank James Marriott, the producer and editor who has helped bring this podcast series to life. If you haven’t listened to the rest of the series, remember you can follow us for free on Apple Podcasts, Spotify, or whatever podcast app you have on your device and listen to all of the previous episodes now. If you’d like to contact us here at Searchlight Cyber, you can find our social media accounts and email address in the show notes. Please feel free to get in touch to let us know if you’ve enjoyed the podcast, if you have any questions, or any topics you’d like us to cover on future podcast episodes. You can also find plenty of information about the dark web on our website, www.slcyber.io. Until next time, stay safe.