The Dark Web: Most of What You’ve Heard is Wrong
Author: Anonymous Hacker, as told to Lindsey Watts
In geopolitical – or even gang – warfare, there are usually pretty clear sides. You have two opposing groups and their allies, a dispute, and skirmishes or battles. It’s Team A versus Team B. When it comes to cyber warfare, though, people don’t really have a “face” or specific group to associate with malicious activity. How can you defend against an enemy you don’t understand? Who are these people? What do they want? Why would they come after you? How would they come after you?
In the coming weeks, we are going to hear from an inside source exactly who cyber attackers are, what kinds of groups they organize themselves into, how they communicate, and some ways to tell which attacks are likely coming from which sources.
In this installment, we are going to look at the infrastructure of the cyber underworld and identify the big players in cyber crime. This lays the foundation for understanding what cyber criminals are after, their telltale signatures, and what the heck they might want from your business. If you can begin to understand the people on the other side of these attacks, you’ll be better equipped to protect your organization from them, because you won’t only be relying on what someone else said are best practices. You can begin to see where the gaps in your current knowledge and strategies may be, and start proactively protecting your organization’s environment from a more informed place.
To Defend Your Environment, You Need To Understand Your Adversary
A line often attributed to Sun Tzu runs, “To know your enemy, you must become your enemy.” Nowhere is this truer than in cybersecurity. I often say that if you don’t know all the ways to break in, you’ll never know all the places you need to secure – and how to lock them down. What I want to offer you is the benefit of my knowledge and experience after decades of swimming in – and defending against – the underworld of digital attackers.
DarkNet Versus Dark Web
To begin, let’s differentiate the dark web from a darknet, or DarkNet. You didn’t know they weren’t the same thing? You’re not alone. A darknet is an overlay network that runs on top of the regular internet, encrypts traffic between its participants, and can only be reached with special software. To be more specific, there are numerous darknets – not just one. Your company-approved browser will never take you to any of them, no matter how hard you try. A darknet is composed of a set of nodes (relays or peers) that talk to each other over encrypted links and are architected to hide users’ locations and identities, which is what gives users their anonymity. These networks are the infrastructure on which dark websites are hosted, but they carry every kind of traffic, not only web pages. Examples of channels that run over darknets but are not reached through a browser include Telnet, BBSes, IRC channels, FTP sites, text messaging, VoIP, and others.
Understanding Non-Web Based DarkNet Communication Channels
- Telnet: a network protocol (short for “teletype network”) that creates a bidirectional, text-based session between two machines. Telnet itself has no encryption, so on a darknet it relies on the overlay network for confidentiality.
- BBS: a bulletin board system is a computer or application dedicated to sharing or exchanging messages, usually organized into boards or forums.
- IRC channels: internet relay chat has been around since 1988 and is essentially direct text chat. It can be used to send private messages, transfer files, and host channels that are open or invite-only, with anywhere from two users to a large group. IRC is not dark in itself; a server or channel is “dark” only when it is reachable solely over a darknet.
- FTP sites: these use the file transfer protocol to move files between computers. Most require a user account, though some allow anonymous logins.
- Text: you do this every day. It’s just another way criminals can talk to each other, whether over SMS or a messaging app.
- VoIP: voice over internet protocol, meaning calls carried over the internet rather than a traditional phone line.
Specific examples of networks often described as darknets include IPFS (the InterPlanetary File System, a content-addressed peer-to-peer storage network), Gnutella (a peer-to-peer file-sharing protocol), and Riffle (see more about this one below). One caveat: unlike Tor or I2P, IPFS and Gnutella do not hide participants’ IP addresses by default, since peers connect to each other directly, so “darknet” there describes a private overlay rather than an anonymity network.
So, What Is the Dark Web, Exactly?
The dark web refers to the websites hosted on darknets – much of that content is illicit or illegal – and to the way users reach them. For this, they need special software: the Tor Browser (Tor stands for “the onion router”) or an I2P router with a browser configured to use it. Onion routing works by wrapping your traffic in one layer of encryption per relay and bouncing it through a chain of volunteer-run relays (in Tor, a guard, a middle and an exit), each of which strips its own layer and learns only the previous and the next hop. Traffic bound for the regular web leaves through the exit relay; traffic to an onion service never leaves the network and meets the service at a rendezvous relay instead.
Riffle is an anonymity system developed at MIT CSAIL and published in 2016. Like Tor, it wraps messages in layers of onion encryption, but instead of routing each connection through its own chain of relays it passes all clients’ messages through a small set of servers that shuffle them in verifiable batches (a mixnet design). As long as at least one of those servers is honest, an observer watching the network cannot match messages entering the system with messages leaving it. That gives Riffle stronger protection against traffic analysis than Tor, at the cost of latency and throughput, and it remains a research prototype rather than a deployed darknet.
Each darknet that carries web traffic has well-known port numbers for its services. Believe it or not, some of them are so popular that you can find those numbers documented on the standard (www) web: Tor relays commonly listen on 9001 and the Tor client exposes a SOCKS proxy on 9050, while I2P exposes an HTTP proxy on 4444 and its router console on 7657. To give you an example of how big these networks are, Tor had 10,572 nodes at the time of writing. Keep in mind that this counts relays (volunteer-run infrastructure), not users; the Tor Project’s metrics site reports users separately, and the daily user count runs into the millions.
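As an added illustration of the onion layering described above (example code written for this article, not Tor’s own code or protocol), the toy Python below builds a three-relay onion and simulates each relay peeling one layer. The relay names, the per-hop shared keys and the message are constructed for the demo. Real Tor negotiates a fresh key with each relay through a handshake, uses AES in counter mode inside fixed-size cells, and authenticates relays through signed directory information; the HMAC-SHA256 counter-mode stream cipher here is a stand-in chosen only to keep the example dependency-free.

```python
"""Toy onion routing: one encryption layer per relay, peeled in order.
Added example for this article; not Tor's protocol. The stream cipher is
HMAC-SHA256 in counter mode purely to avoid third-party dependencies.
Keys, relay names and the message below are constructed for the demo."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
HOP_LEN = 16  # fixed-width "next hop" field so every layer parses the same way


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream by running HMAC-SHA256 over nonce||counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    """Add one layer: fresh nonce, then XOR with the keystream."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt_layer(key: bytes, blob: bytes) -> bytes:
    """Strip one layer; a wrong key yields garbage rather than an error."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def build_onion(path, destination: str, message: bytes) -> bytes:
    """Wrap `message` so relay path[0] peels the outermost layer.

    path: list of (relay_name, key shared between client and that relay).
    Each layer carries the name of the hop the relay should forward to;
    the innermost layer names the final destination."""
    payload = message
    next_hop = destination
    for name, key in reversed(path):
        if len(next_hop) > HOP_LEN:
            raise ValueError(f"hop name too long: {next_hop!r}")
        header = next_hop.ljust(HOP_LEN).encode()
        payload = encrypt_layer(key, header + payload)
        next_hop = name
    return payload


def relay_process(key: bytes, blob: bytes):
    """What one relay does: strip its layer and read where to forward."""
    inner = decrypt_layer(key, blob)
    next_hop = inner[:HOP_LEN].decode().strip()
    return next_hop, inner[HOP_LEN:]


def route(path, destination: str, message: bytes):
    """Simulate the circuit; return (final hop, delivered bytes, observations).

    Each observation is (relay, previous hop, next hop): everything that
    relay can learn about the circuit from the traffic it handles."""
    keys = dict(path)
    blob = build_onion(path, destination, message)
    observations = []
    previous, current = "client", path[0][0]
    while current in keys:
        next_hop, blob = relay_process(keys[current], blob)
        observations.append((current, previous, next_hop))
        previous, current = current, next_hop
    return current, blob, observations


if __name__ == "__main__":
    # Constructed demo circuit: three relays with per-hop shared keys.
    circuit = [
        ("guard", secrets.token_bytes(32)),
        ("middle", secrets.token_bytes(32)),
        ("exit", secrets.token_bytes(32)),
    ]
    final, delivered, seen = route(circuit, "example.org:443", b"GET / HTTP/1.1")
    print("delivered to", final, "->", delivered)
    for relay, prev, nxt in seen:
        print(f"{relay:<7} saw traffic from {prev!r:<10} and forwarded to {nxt!r}")
```

Run it and compare the three observation tuples: the guard sees the client and the middle relay, the exit sees the middle relay and the destination, and no single relay sees both ends. That is why compromising one relay is not enough to deanonymize a user, and why the exit relay, the one hop that sees the plaintext destination, is where unencrypted traffic is exposed.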
Most articles you find online will tell you that if you download Tor, you now have access to the DarkNet. That is incorrect. You have access to one part of DarkNet. You aren’t “in the club” just because you have an onion router. The reason for that is most people who write those articles have no idea what exists beyond what they have seen or heard about from a friend – and no idea how or where to look. It’s all in plain sight; you just have to know what you’re looking for.
So, think of darknets as multiple different instances of connected, supporting technology, and the dark web as one context – websites hosted on one instance of DarkNet – and, yes, these are generally criminal marketplaces.
With a clearer understanding of how people who might be called “ne’er-do-wells” in some circles communicate, it’s easy to see how big the DarkNet really is. Demystifying their world gives us a better picture of what we’re all defending against in cybersecurity – you, us, them…we’re all in it together. It’s a team sport.
If you would like to speak with an expert about testing your incident response plan to make sure you don’t have any gaps that could lead to failure during a real attack, you can reach out to us here anytime. We have the right people on-hand to help.