In a recent news release, Reuters reported that "United States has offered a $15 million reward for information on Conti ransomware group. The FBI estimates that more than 1,000 victims of the Conti group have paid a total in excess of $150 million in ransomware payments." Victoria Kivilevich, Director of Threat Research at KELA Group, describes the cybercrime ecosystem and provides guidance on how to gain and leverage actionable intelligence from dark and deep web resources.
To access and download the entire podcast summary with discussion highlights --
https://www.dchatte.com/episode-27-actionable-threat-intelligence-and-the-dark-web/
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.
Hello, everyone. I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Our discussion today will revolve around gathering and leveraging threat intelligence. Victoria Kivilevich, Director of Threat Research at KELA Group, will shed light on the subject. KELA Group is a global leader in providing threat intelligence services. So Victoria, welcome.
Hi, it's a pleasure.
To set the stage for our discussion, in a recent news release, Reuters reported that the United States has offered a $15 million reward for information on the Conti ransomware group. The Conti ransomware group is being blamed for cyber extortion attacks worldwide. The FBI estimates that more than 1,000 victims of the Conti Group have paid a total in excess of $150 million in ransomware payments. We will talk about the Conti Group and more. But let's begin by providing listeners an overview of the Dark Web. So Victoria, what is the Dark Web?
So technically, the Dark Web is a part of the internet that isn't indexed by search engines and that requires some specific software, configurations or other means to access it. Unlike the Deep Web, which includes all non-indexed and non-public-facing pages -- for example, intranet or some paywall-protected pages -- the Dark Web is intentionally hidden, and it can be accessed only via the browser which is called Tor (The Onion Router). The Dark Web is often associated with illegal and cybercrime activities. And it's true, but it's important to remember that some legitimate platforms are also located in the Tor network. There are people who prefer to use such resources because of anonymity and other security reasons. But since today we are talking about protecting companies using intelligence gained from the Dark Web, of course we will focus on Dark Web sources featuring illegal activity. Moreover, I would prefer to use the term cybercrime ecosystem, which includes not only Dark Web sources but also other underground communities which can be accessed on the surface web. That is something you can open from your usual browser and without any authorization, and these sources still contain illegal activities. It is important not to miss them, because they can provide valuable information too. For example, instant messaging platforms that have been seen abused by various cybercriminals for illegal activities -- for example, thousands of Telegram channels that sell stolen passports, sensitive information, credit cards, and more. If you focus only on Dark Web sources, you can miss this information, but it can be very sensitive and important for enterprise defenders. So the cybercrime ecosystem we are talking about represents a wide variety of goods, products and services offered by and to cybercriminals. It can be physical goods, such as drugs and guns, and it can be cyber-related stuff, for example logins, databases, malware, tools, and more, which is usually more relevant for defenders on the side of the company. So I think we can talk about that in detail a little later.
Sounds good. Sounds great. Yep. I appreciate you making that correction; instead of using the term Dark Web, let's talk about it from the standpoint of a cybercrime ecosystem. Makes a lot of sense. So Victoria, listeners of this podcast represent a variety of organizations, and I'm sure they have their own threat intelligence gathering and management strategies. I think they will appreciate your insights on what are some good practices for organizations to go to these resources and leverage the intelligence that's out there so that they can proactively prevent potential attacks. What are your thoughts? What are your recommendations to organizations?
Sure. So first of all, I just want to highlight why it is important and what is so fascinating about it: the great thing is that with enough preparation, threat intelligence analysts can access the same sources that cybercriminals have access to. And therefore you can see how your company looks from the cybercriminals' perspective. For example, is it discussed by cybercriminals as a potential target? What information related to the company has been leaked or traded? Is the company's resource listed as vulnerable to a specific vulnerability? Maybe there is some hacking tutorial that teaches how to abuse your company's service for customers or employees? These are just a few examples of what can be found in cybercrime sources, and information about all of the above can be found using threat intelligence solutions that automate the process and so help to continuously monitor the company's assets in multiple cybercrime sources. I believe that's the key, because you can't just go into the Dark Web once, check what's going on and what's happening regarding your company, and then just leave it. You need to constantly be ahead of the cybercriminals. Of course, you can also use manual investigations within the Dark Web, though it can be a little time-consuming, because it requires knowledge of the many relevant sources, forums and marketplaces, how to access them, foreign language capabilities, and also managing numerous user accounts and aliases, having a positive reputation, and so on and so on. So conducting an investigation in the cybercrime ecosystem requires time and effort and some specialized solutions, but it will pay off with the valuable information you can get. So what do we deem valuable information? It's not only raw data, but also the context. I believe one of the important steps is trying to evaluate the information that you see on the Dark Web, trying to connect the dots, and also having an established process for how to pass this information to the people who make decisions, because this information can just stay in your daily report, or it can be information that will be taken into account.
That is so true. In fact, one of the things that I have found in my research is that many of the attacks have happened because the threat intelligence wasn't acted upon. In other words, the threat intelligence was received, it stayed somewhere, it didn't get to the right decision makers. So from a procedural standpoint, from an organization structure standpoint, it's very important that organizations recognize how to manage this intelligence. Like you said, one thing is to gather the information; the other thing is to validate it, put it together in a meaningful format, and make it available in a timely manner to the decision makers so they can quickly act on it. And acting doesn't necessarily mean that you have to do something substantive; you can still make a judgment call and say, okay, that's good to know, but at this point we want to still continue with the status quo, and we will revisit the situation, maybe in the next few days. But the important part is that you have reviewed the intelligence and you've taken a decision. And I also recommend organizations go a step further and document this process, so later on, if something were to happen, there is a fallback in this documentation where the executives can reference it and say, look, we did the due diligence, we made a decision of going a certain way for these reasons. Unfortunately, we were proven wrong, but our best interests were in place; we were not acting in an irresponsible manner. So that's great insight. Moving along, you mentioned kind of the top targets. Let's say I am representing the security team of my organization. Obviously, I would not want my organization to be a top target, but I would like to know if it is. And so I'm just curious, can you shed some light on what makes for a top target?
Yeah, so essentially, they target any company that can bring some revenue for them, some profits. So I would say there are different types of cybercriminals, and some of them are only attacking companies to further sell this information to other cybercriminals. So they are acting as part of a supply chain. It can be due to many reasons. For example, they aren't sophisticated enough to conduct a full-scale attack; maybe some of them are experts in one niche; some just prefer to have a stable income and to sell what they have instead of figuring out how to monetize this data independently. For example, one actor can use phishing tactics to steal personal data, just sell it and receive his money, or he can use this data to conduct identity fraud, which will require more skills and knowledge. For example, unemployment fraud in the US requires an actor to try multiple personal information records to find the ones that will work for this type of fraud and match the targeted state, file an unemployment claim, bypass the identity service, and so on and so on. So logically, the actors who conduct full-scale attacks can earn more, since they're stealing money directly from affected individuals or companies, or blackmailing them. So I would say that for the first type of actors it doesn't really matter, usually, what the company is, because all they want is just to gain something and then to sell it to other, more skilled cybercriminals. But when we are talking about cybercriminals who conduct the attacks till the end and receive money from the victim, for them it's really important to know the revenue of the company, the sector of the company, and how it can be abused.
That's very useful. In fact, for clarification's sake, you mentioned a type of threat actor. I think the term might be Initial Access Brokers, but please correct me. These are the folks who are able to compromise networks and sell credentials to other threat actors, such as ransomware operators. Am I correct in using that term, Initial Access Brokers?
Yes, that's totally correct.
Okay. So again, from the standpoint of an organization that is trying to protect itself from getting hurt, from getting attacked, how is the relationship between the Initial Access Brokers and, say, the ransomware attackers significant?
So it's very significant, because Initial Access Brokers play a crucial role in the ransomware economy, and especially in the ransomware-as-a-service economy, which is a model that enables cybercriminals, also known as affiliates, to use ransomware to execute attacks and get a share of the ransom if the company pays the ransom in the end. So as you've mentioned, Initial Access Brokers sell remote access to a computer in a compromised organization, which is called initial network access. How does it work? First, the broker needs to find an initial infection vector, for example compromised RDP (Remote Desktop Protocol) or VPN (Virtual Private Network) credentials. Then he needs to research the organization: is it worth the effort, is it even a company, is it big enough, is it interesting? And then he needs to transform it into a wider compromise, for example achieve higher privileges, and then all he needs is to supply the access to a buyer, for example in the form of RDP credentials. So if this buyer is related to a ransomware operation, he can use it to enter the network, move laterally, and deploy ransomware in the whole environment. The initial access phase is already taken care of by the Initial Access Broker, and it really significantly eases the process and scales the attacks. Of course, ransomware operators have other ways of getting access; they rely on phishing campaigns, botnets and more. And likewise, Initial Access Brokers can sell network access to any actor, not only to ransomware actors. They can sell it to financially motivated APTs, which are Advanced Persistent Threat actors, usually state-backed; they can sell it to data brokers and any threat actor that has a way to monetize the said access. But as we've seen, Initial Access Brokers and ransomware actors have an established cooperation. And that is why Initial Access Brokers are an essential part of the supply chain for many ransomware operations. That's why it's important to track their offers.
Wow, that is so interesting and enlightening. You touched upon the profile of top targets. If we get more specific and think in terms of ransomware attacks, what is the profile of an ideal ransomware target? Is it different from the top targets of Initial Access Brokers?
Yeah, that's a great question, because really, it is a little different. So Initial Access Brokers usually list some properties of a compromised company, which help other threat actors to understand if this victim is valuable. These properties can include revenue, size (which is the number of employees), industry and a description of the company. And usually, the bigger the revenue, the more the access costs. But for Initial Access Brokers, it's important only to sell the access. So they do not need to pay a lot of attention to countries and sectors. Essentially, every company that is vulnerable is good for them, because they will find a buyer most likely, even if it's not for a ransomware attack, and then sell it to another criminal. We see that Initial Access Brokers offer a lot of access to universities, but they tend to cost less. And we have also seen ransomware actors discuss that universities, especially not the major ones, do not tend to pay ransom. So that's one difference. The same applies to healthcare institutions. When the pandemic started, some ransomware actors said they would not attack medical institutions, but it didn't stop Initial Access Brokers from offering them for sale. So ransomware actors are more focused, and based on the conditions that they state on various cybercrime forums, we found that an ideal ransomware victim is: based in the US, has more than $60 million in revenue, and most likely is not from the education, government or nonprofit sector, because it's just not valuable for them. These victims won't pay money, most likely. And we have also seen a confirmation of that by a representative of the LockBit ransomware operation. He said that insurance in the ransomware sphere is more developed in the US and in Europe, and the largest number of the world's wealthiest companies is concentrated there. So he explained why they are targeting mostly these countries. Interestingly, the actors define not only the desired revenue and country, but also the type of access, and it can be very beneficial for enterprise defenders. So first of all, you can understand if your company is a potential target, but I know it sounds too wide, because essentially any medium-sized or big profitable company is a target. So what is more interesting is the type of access, which sheds light on some TTPs (Tactics, Techniques, and Procedures) of ransomware attackers. The desired type of access they state is RDP and VPN, and it should trigger enterprise defenders to pay more attention to these solutions and to securing them, for example enabling two-factor authentication for VPN connections. Also, the actors name specific products they are targeting to ease their attack. Some names that we've seen: Citrix, Fortinet, Cisco, Pulse Secure VPNs and other solutions. When seeing these requirements, any defender can identify the threat more correctly, and pay attention to whether these products are used in the environment, and whether they should pay more attention to patching them and securing them. And what is most interesting is that when studying Initial Access Brokers and ransomware attackers, we can understand specific vulnerabilities used by actors. For example, we've seen one actor sharing his entire process of getting into the network, and he mentioned the use of an automated script -- a program which weaponizes one of the vulnerabilities in Pulse Connect Secure VPNs. If not patched, this flaw can be used by different actors to attack the network and cause different, separate attacks. And it can be not only one actor: if someone attacked you using one flaw, now another actor can also find this and use it for a separate attack. So you can become a double victim.
Very interesting. Now, as you talk about ransomware attackers and victims, my thought goes to organizations that are often double victims. And my research finds that these are the organizations who have paid once, and so there's the intelligence out there that they'll probably pay again. That's one way of thinking about double victims. Another way of thinking about double victims is that the ransomware attackers these days not only steal your data and encrypt your network and your systems, but they're also selling the data. So even if you regain access to your network, that is not a guarantee that your data is not already out there in one of the Dark Web resources, being sold to some other threat actor. So what advice do you have for organizations from the standpoint of avoiding becoming double victims?
So I would say that the most important point is to properly investigate the incidents, because a company can become a double victim if different actors use one entry vector that wasn't secured after the first attack. So proper investigation, and acting on the results of the investigation, is essential. And of course, the company should have some established practices. For example, cybersecurity awareness and training for all key stakeholders and employees. All key individuals should know how to safely use their credentials and personal information online. Also, there should of course be an established process of vulnerability monitoring and patching, because you should continually protect all the network infrastructure and prevent any unauthorized access, either by Initial Access Brokers or other cybercriminals. And of course, the automated and targeted monitoring of key assets in the cybercrime ecosystem can help to immediately detect threats emerging from the cybercrime ecosystem. I just want to show an example of two attacks that started on the Dark Web and then evolved into a full-scale attack. For example, in June 2021, the hack of Electronic Arts, a video game company, began with hackers who purchased stolen cookies sold online for just $10 on Genesis Market, which is a market of information stolen via information-stealing malware. So a cookie is something that can save the login details of particular users and potentially allowed hackers to log into services as that person. And this is what these specific hackers did. They used these credentials to gain access to a Slack channel used in Electronic Arts. Once in the Slack channel, they tricked one of the employees into providing a multi-factor authentication token: they just messaged the IT support members and said that they had lost their phone at a party, and that's why they needed another authentication token. And once they received this token, they logged into the corporate network. And then they found the service for developers that is used to compile games, and then they just stole game source code, which is of course very valuable for the video gaming company. And they said they had almost 800 gigabytes of data, and they were advertising it for sale on various underground forums. So if this cookie had not been bought from this underground market, maybe the attack would not have happened. And of course, as we were talking about Initial Access Brokers and ransomware attacks, we have also seen a lot of examples of an attack that started from network access and continued into a full-scale ransomware attack. From what we've seen, one of the examples is very interesting, because it was confirmed by the company's investigation. We saw an Initial Access Broker offering initial network access to a company we identified as Gyrodata. It's a US-based energy company. He offered the access on January 16. Two days later, the actor declared the access was sold. And one month later, on February 20, the operators of Darkside ransomware published a blog post claiming to have compromised the same company. So logically, we assumed it's one attack. And then we saw the Gyrodata investigation, and it confirmed our findings, because they said that the unauthorized actor gained access to certain systems and related data within the company's environment from approximately January 16 to February 22. So this is the same timeline. And we have seen a lot of examples. We have identified at least five ransomware operations, most of them managed by Russian-speaking actors, who are buying accesses from Initial Access Brokers and using this access in their attacks -- for example, LockBit, Avaddon, Darkside, Conti, BlackByte. So you can ask me, why is it even valuable? Why should we follow this information? Because, as we've seen, from the moment the access is listed for sale, it takes on average one month to attack the company, to try to have negotiations, and then to publish its name on the ransomware blog if the negotiations fail. So it means that a network access victim has a few days, sometimes even weeks, to understand that it's compromised, to find this unauthorized access and secure it, and to prevent a future attack.
Very interesting. Thank you for providing us with these great examples. Now, let me present you with a scenario. An attacker approaches an organization and says that they have the organization's data, and obviously they're asking for money. What kinds of checks should the organization engage in to verify if the threat is a real one?
It's an excellent question, because we do see a lot of actors that try to pretend they're skilled actors, but in reality they are just some beginners trying to gain easy profits. So it is really important to first understand the context, and second, ask for proof. For example, someone approaches you and says your vendor was attacked and your data was stolen. There are a lot of actors that just prey on data breaches that already happened, and they can use them to intimidate you and ask for ransom without having any data. So in this case, it is important to understand if such an email is even in the TTPs of a specific group: do they really inform clients of an attacked company about the breach? We had such a case with Clop ransomware, and we confirmed that this was a genuine email; they really send emails to all the vendors, partners and clients to intimidate the company. But it could easily be another ransomware gang that doesn't have it in its TTPs. And then you need to go further. What I mean by going further is to understand what proof you have, because I have an excellent example with Conti, which you mentioned -- the ransomware operation which made a lot of headlines. We have visibility into their TTPs thanks to the recent leak of their internal information. In response to Conti's support of the Russian invasion of Ukraine, a suspected Ukrainian researcher just leaked internal conversations of its members. And it gave us a lot of valuable information. For example, we found that Conti, a respected, well-known operation, frequently lies to victims about the stolen data; they insist they have more than what was actually stolen. I've seen an example where they discussed some company from Canada, and one of the Conti workers complained to a high-profile member of Conti that he could not find files requested by the victim. And he claimed that the team that was attacking the network didn't download all the files from the file tree. So they demonstrated this file tree to the victim, and it was a huge file tree, and the victim of course was persuaded that they had a lot of data. But it wasn't true. In another example we've seen, the same actor said that only eight gigabytes of data were stolen from the network. Of course, in negotiations they said it was a lot more. And in the end, this victim paid the ransom, and it was over $1 million. So over $1 million for 8 gigabytes of files, and they didn't know it. And as you've said, the ransomware actors usually say that, of course, after receiving the money, we will delete all the information that we have. So what they did: they didn't send any proof after being paid. They just said that we deleted all the data, all the logs, and that's it. So the proof is very important. The second step, after trying to understand what's the context and what is the background of the attacker, if you have an opportunity to interact with the attacker, is to ask for proofs. First of all, these proofs can help you to understand what data was taken, and if it even was taken. And second, maybe it will give you some insights about what tools were used to compromise your network, maybe what specific software was compromised, because when the actor sends proof, they can accidentally leave some information that will lead you to securing your environment and finding the unauthorized access that the attackers have.
Very insightful. Thank you. Again, this is very, very useful information that I know many organizations can benefit from. So you talked about the Conti Group. I'm sure there are many players out there, and you are the expert in this area. Is it important that organizations make a concerted, focused effort to learn about each of these groups? Because I see this as a never-ending proposition, because these groups are evolving; they're appearing, maybe some disappear. It almost seems that an organization needs to have a team that solely focuses on monitoring this ecosystem, monitoring these new players, existing players. That's a lot of activity. What are your thoughts? What is your advice on how best to try and get your hands around all that's going on in, as you call it, the cybercrime ecosystem?
So of course, each company should have a team that is focused on securing the company's assets. Of course, studying the ecosystem is another step, which provides a lot of valuable information. But I understand that some companies don't have resources for that. So there are a lot of companies that publish open-source, open research that you can access. And this is something that you need to follow, because, as you've said, the groups are appearing and disappearing. And maybe the name is not so important for enterprise defenders, but the TTPs and what tools they're using, that is really important. And as I mentioned with the Conti leak, sometimes it happens that accidentally, or thanks to the efforts of researchers, we get our hands on information that can be very valuable. And that is, if we're speaking for example about ransomware-as-a-service, a flaw in their operation, because they have a lot of people in the team. Of course, it raises the so-called insider threat: something happens, an affiliate is not happy with the conditions that he got, and he can just reveal all the manuals of the ransomware operation on one of the forums. And that is why following this news is very important, because you can just receive a tutorial on how a ransomware attacker could breach into your network from the beginning, what tools they can use, even what infrastructure. Because we spoke a lot about Conti, I cannot not mention that they allegedly shut down their operations and separated into smaller units. So we can expect a lot of new gangs using these old methods. And of course, they can also use new methods, because even among different teams in one ransomware group, the TTPs may differ. So it's crucial to track it, since they can use both new methods and all the successful tricks, which includes infrastructure, which includes the supply chain, the same Initial Access Brokers that we've seen being used by Conti in these internal leaks. They said they found them on forums; they were actually exchanging messages like, "Hey, I've seen this guy on the forum, I think we should work with him." So it means that new groups can also leverage the same Initial Access Brokers. And even if attackers try to hide their identity and not contact the sellers directly, for example, we can still see these suppliers in cybercrime sources. And we can still evaluate how a specific company looks in the eyes of attackers and what they can use to attack. So, unlucky for us, the cybercrime ecosystem will unlikely disappear. But luckily for us, we can have almost the same visibility into these threats as potential attackers.
That is so true. And as you were discussing so many different topics in the context of how to leverage the intelligence from these dark groups, if I may, I'd like to summarize some of my takeaways from this discussion. First and foremost, organizations can't afford to ignore these very valuable resources. As we have discussed previously, during our planning meetings, it may not be easy for organizations to gain access to these resources. So they may have to deploy intermediaries who can gain access on their behalf and keep them posted on a regular basis on all kinds of intelligence: whether that organization is a target or not, what are the types of attacks that they should be prepared for. So it's a constant exercise that a company needs to engage in. They need to have the right teams in place who are monitoring the intelligence, who are sharing and reporting the intelligence, and there are also people in place who are reviewing it and responding to the intelligence as soon as possible. Because you can gather all the intelligence in the world, but if you don't act on it, then what's the point, which is unfortunately the case in many, many organizations; it happens quite a lot. So this is a lot of great information, Victoria. I really enjoyed this conversation. But I'd like to give you the final opportunity to conclude with some final thoughts, some final takeaways for the audience.
Yeah, so all that you said is totally great, summarizing what I've been telling about. I would just like to add that, as you mentioned, it is really important to document all of the investigations and threat intelligence. And I would also say it's really important to filter the noise, because there are a lot of threats that seem to be threats, but in the end you understand that it's not something that is dangerous for your organization. And if you document it, maybe the next time you don't need to dedicate all this time and effort a second time to try to understand if it's something dangerous. And summarizing why the cybercrime ecosystem is so important: it's because nowadays the typical cybercriminal does not work on his own. Even the most basic criminal business requires different tools and services, and all of them are available for purchase on the cybercrime forums. Also, the cybercrime ecosystem shifted towards something we call the everything-as-a-service model, meaning instead of just purchasing tools and then conducting attacks, any threat actor can employ any number of services to receive the needed information. For example, if a threat actor wants to conduct some form of identity fraud, meaning to impersonate a person to receive profits, they can easily purchase personal information, protected health information, and identification documents instead of trying to obtain it by themselves. So such automation has two primary consequences. Firstly, it lowers the level of sophistication and technical knowledge required by typical cybercriminals, which of course raises the number of attacks. And secondly, it resulted in hundreds of organized cybercriminal groups which specialize and provide services to other cybercriminals. So this is the whole ecosystem: you can find anything in it, and most likely you will find something connected to a company. And then it is up to you, and this is your next step: to build a proper process of reacting to this raw data and turning it into threat intelligence, into actionable threat intelligence that can be used to secure your organization.
Thank you so much, Victoria. It has been such a pleasure.
Pleasure for me too. Thank you.
A special thanks to Victoria Kivilevich for her time and insights. If you like what you heard, please leave the podcast a rating and share it with your network. Also subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.
The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.