Looking back at DOJ guidance on best practices for leveraging the dark web in cyberthreat intel research
For cyber investigators, obtaining the complete picture for analysis is increasingly important. Openly available information, commercial data sets, and cyber intelligence feeds may form important components of an investigation, but an additional source is often omitted: the dark web.
The dark web can be a valuable place to look when investigating cyberthreats. Illicit forums and dark markets are a haven for criminals to discuss targets, share tactics, and sell attack tooling such as malware and exploits alongside data stolen in breaches. Companies may also find their own customer data or internal login credentials on offer to the highest bidder.
The dark web is a general term for websites and content that require special software and protocols to reach, including sites accessible via Tor, Freenet, I2P and other methods. Analysts may face impediments to access, including additional IT security burdens, whether they connect through an organization’s primary network or through a dedicated standalone network set up for research.
For many organizations, visibility into cyberthreats exchanged on dark web forums provides a critical advantage to information security practitioners who need to stay ahead of malicious actors and understand the threat landscape.
While the value of dark web intelligence to infosec practitioners is clear, their employer may see it as a risky and potentially costly endeavor. Understandably so — the dark web is unfamiliar territory, and there are reasonable legal and cybersecurity concerns about employees accessing criminal marketplaces to gather intelligence and defend company networks.
Last year, the Department of Justice’s Cybersecurity Unit issued a memo addressing concerns from private sector organizations about the legality of gathering cyber threat intelligence on dark web forums. The memo discusses common threat intelligence gathering scenarios and the legal implications practitioners and their employers should take into account before engaging in such activities.
“As the [Cybersecurity Unit] has learned during its outreach about active defense to industry, many cybersecurity organizations consider gathering cyber threat intelligence to be among the most fruitful of cybersecurity activities.”
Below are some highlights from the DOJ guidance that information security practitioners should keep in mind to help their organization safely access the dark web to gather critical cyber threat intelligence.
The memo and following discussion does not constitute legal advice. Authentic8 is prohibited from offering you legal advice. Please consult your attorney or your organization’s attorney for legal advice before undertaking the activities considered here.
“Practice Good Cybersecurity: In the situations discussed in this document, information is exchanged with cybercriminals. There is no such thing as being 'too suspicious' in those circumstances. Practice good cybersecurity at all times and use systems that are not connected to your company network and are properly secured when communicating with cybercriminals.”
With Dark Web Add-On: Silo for Research, all of your activity takes place in a secure, isolated browser environment. There’s no need to set up a separate network to conduct your intelligence gathering. You can efficiently hunt for online threats without ever compromising your company’s network infrastructure.
“... a practitioner and his or her employer should maintain records that document the practitioner’s actions on the forums and the legitimate business purpose for the practitioner’s activities so they can establish a legitimate motive and the steps taken to avoid furthering illegal activities.”
Utilizing a tool like the Dark Web Add-On makes record keeping easier. All web activity is logged, so information security teams can be sure that the tools are being used appropriately, that an accurate record of web activity is kept, and that the data collected is stored securely.
Seeking out cyberthreat data and security vulnerabilities is certainly not without risk, but it shouldn’t be dismissed out of hand by C-suite executives. With the proper technical means and training, the ability to access dark markets can be a valuable asset for any information security team.