An analyst from DarkOwl joins us to discuss dark web research and all its facets. From AI and other trends on the dark web to operational security, learn how to turn on the light beneath the surface of the internet.
Steph Shample is a Senior Analyst at DarkOwl, the leading darknet data provider. She specializes in dark web intelligence, ransomware, and criminal investigations. She has publicly appeared and been published in nine countries. For the past 17 years, her career has focused on analyzing Iran in various capacities, including its tense relationships with Middle Eastern countries as well as their bordering states, and countering Iranian roles in terrorism, proliferation, and narcotics. She was a Non-Resident Fellow at the Middle East Institute from 2019 - 2023. During her military career, Steph gained operational experience across the Middle East, Levant, and Central and South Asia. She also completed two deployments to Afghanistan, one military and one as a civilian.
Steph: [00:00:00] Absolutely. Yeah. It's just like you said, everyone's like, I want AI, but they don't really know what AI is, but they want it. So actors have embraced it and, and are successfully using it. So one use case that we are seeing constantly right now, phishing templates, right? Um, AI is enabling them to write a little cleaner. So there's not as many English mistakes, grammar mistakes.
Jeff: Welcome to Needlestack. I'm your host, Jeff Phillips.
Shannon: And I'm Shannon Reagan. Today, we are talking to Steph S., Senior Intelligence Analyst at DarkOwl. Steph, thanks for joining us.
Steph: Hi, Shannon. Hi, Jeff. Thank you so much for having me and for having DarkOwl. We're so excited to be here.
Jeff: Well, let's start with that, Steph. Um, to kick things off, can you tell us a little bit about, uh, DarkOwl for those that don't know?
Steph: Absolutely, we are the world leading data provider [00:01:00] of the dark web, deep and dark web, as well as dark web adjacent technology. So think Telegram, Discord, those chat platforms. Also, the markets and forums that you see frequently in the news, ransomware victim blogs where they advertise. Other general markets that sell malware, drugs, animals on the dark web.
So, we have a mixed manual and automated collection to safely get that, scrape that information, and then put it in a very friendly user interface or an API if you need. That way you can enrich that information with clearnet information, information from social media, all kinds of different enrichment that you can do to best paint the picture of where your exposure is and what precautions and mitigations you need to take.
So it's just a fascinating company. Truly. It's really cool.
Shannon: It is very cool. I think Jeff and I are pretty jazzed about DarkOwl. This might seem like a silly question to you. Um, but what is your perspective of why companies, you know, need dark web [00:02:00] intelligence, if not maybe going into the dark web directly?
Steph: Yeah, I get that. And no, I truly stand by no silly, no stupid questions. A lot of people really only know the dark web as it pertains to ransomware, right? They see, okay, ransomware is being announced on here, but there is so much more and there always has been so much more on there. So the dark web is not indexable, right?
You can't Google on it. So you really do have to know a little bit more navigation of where you're going, what you're looking for. Why you should have it is because everybody these days is very, very concerned about privacy. So we all want to be online and be connected and have that social aspect. But we also want to try to reduce, you know, what we're leaking, what we're exposing.
Unfortunately, with everything these days, um, you know, phishing, Ransomware social engineering. There are so many ways that malicious actors infiltrate an organization or an entity and then sell or monetize that information, or they do it for their own notoriety. You as an organization have got to be aware of what's out there.
You can't [00:03:00] just Google yourself or your organization and find all of the threats. When you're caught up in data breaches that are sold online and then cross sold on a market, right? To maximize profit, you've got to take a look at what actors are doing with their IP addresses, how they're innovating and just making their operations more quick, more quick, uh, more efficient.
They're streamlining them. You've got to have the dark web piece of information because they're very open and talk a lot on there. They train one another. They share, in addition to saying, yeah, I'm going to move my C2 from this provider to that, right? Or don't message me on this platform anymore. I view it as unsecure.
Let's all move to Telegram, Discord. You've got to keep yourself informed on the dark web. I respect and realize it is not for everybody, but if you do have a presence on there, if you have an incident, you really do need that piece of information or you're seriously lacking a part of the picture.
Shannon: Follow up to that, for those companies that aren't, um, kind of, I'm going to be chatting more about that.
Um, either they may be put into a dedicated effort to understanding the information that is out there on the dark web, [00:04:00] either they aren't staffed with the right people to do it, they maybe don't have the right tools to do it. What advice do you have for people that think this isn't for me?
Steph: Sure, yeah, I would say, take a look, right?
Take a look at any dark web service provider. Start a trial, start a conversation, go install Tor, right? It's really easy to do that. Tor is open source. You can download it and just self teach, right? So many people these days want to spend so much time on social media or posting pictures or what have you.
Great. But there is a way for self empowerment to go educate yourself, type, uh, type something into a Tor browser, take a look at what people are using the dark web for, and educate yourself, you know, and if you don't want to do that, then maybe look on LinkedIn or other social media, or just contact a company who does have dark web coverage and truly educate yourself before you make that final decision of, meh, I don't need this.
Jeff: By the way, for some of our audience, I like to, I don't know if I like to do this stuff, but TTPs, right? Tactics, techniques, and procedures. [00:05:00]
Steph: Yeah, call me out. I'm former. I'm going to throw every acronym in the book at you tactics, techniques, and procedures. So, for instance, I'm an Iran analyst by trade and Iran was really big about using European VPNs in their malicious operations.
So they would use namely Germany and the Netherlands, constantly abused. When the European Union started to crack down on that, they moved to Japanese infrastructure. That is a tactic, technique, and procedure that I observed. And then we put out in the researcher community, like, hey, be aware, you know, you're going to start to see a shift.
Jeff: Thank you for that. Um, of course, uh, pretty hot topic these days on the OSINT front, um, is AI. I guess AI is a hot topic on every front, but in specific to us, can you tell us a little bit about any AI trends you're seeing on the, on the dark web when it comes to AI?
Steph: Absolutely. Yeah. It's just like you said, everyone's like, I want AI, but they don't really know what AI is, but they want it.[00:06:00]
Actors have embraced it and are successfully using it. So one use case that we are seeing constantly right now, phishing templates, right? Um, AI is enabling them to write a little cleaner. So there's not as many English mistakes, grammar mistakes, what have you. And then previously, you know, you can code and you can automate and do all the things to really streamline your operation.
So previously actors would only be able to get those templates to maybe tens or hundreds of companies or organizations that they were trying to infiltrate. Now with AI, you're getting up to thousands, if not tens of thousands, so they can work faster, get more. And it's harder to tell who wrote this. You know, usually.
The joke is, of course, the Nigerian prince, or you get this email that's riddled with so many grammatical mistakes. You're like, really? But now that's no longer the case. It's not as easy to tell. And that's probably the forefront of AI right now and how malicious actors are using them. It's increasing their operation space.
Shannon: When we were talking ahead of the call, you mentioned that you have a linguistics background, [00:07:00] maybe related to, you know, the AI space, you know, that there is such an element of writing and language as part of that. How, uh, does linguistics play a role in OSINT or, you know, threat intelligence?
Steph: Of course.
I'm so glad that there's a space for that, right? So I think in tech, in AI, whatever you wanna call it, cyber tech, what have you, there is this misconception that you have to be a hardcore programmer, ones and zeros, coding, all the things, right? That there's no space for other people. And I want to dispel that myth so, so, so much.
Linguistics, especially. So, I started translating, you know, of course, and then French and Spanish and saying, you know, this is what they're doing, et cetera, et cetera. That is happening online, right? Yes. Technology and the Internet. A lot of it is in English, 80%. I'll give you guys that. But think of now, if you have kids or little cousins, little nieces and nephews, right?
Number one, how can you even understand what they're saying in the tech jargon and neologism? Now take that and try to translate from a Spanish little kid or a [00:08:00] Persian little kid, right? Or even a Persian actor. So, you have to really be able to understand the nuance of language. If they're circumlocuting around an operation, you know, if they say, hey, I'm going to buy this video game from you on Steam or a gaming platform.
It's 1400 dollars. Are you good with that? And you're like, yeah, What kind of video game is 1400 right now? There's someone malware, right? Gotta pick out the nuance of the language. Translation will never go away. Yes, automation will help it. We'll streamline it, make it faster. But humans always need that niche and always have to analyze the language, analyze the sentiment.
Those very, very fine things that you've got to have a background of, and you've got to understand with AI, it's coming into tune as well. So, you know, word clouds, for instance, it's a really great way to capture. We have so much data from AI, word clouds come out. And let's say it's a protest, right?
Protests are taking place. So the word cloud comes back, and Berlin is in huge letters, whereas Munich and other cities are smaller. So, you know, it's like, okay, well, [00:09:00] how is this represented? Does this mean I should pay attention to it? Does this mean it's an anomaly? Should I throw it out? There are so many different ways to involve linguistics, translation, and just divergent thinking into this field. So whatever your background is, welcome, come, and also learn another language because, cognitively speaking, I can't even espouse the benefits enough. I will nerd out with you on a separate podcast.
Shannon: As a former creative writing major, I will welcome you into those.
Steph: Foreign language, linguistics for life.
Jeff: That's funny. Can I just be a wannabe? Cause you know, I don't know. It's a little late to learn a new language.
Shannon: Anytime.
Jeff: Well, you have, um, a lot of passion about shining a light on the dark web. Um, obviously it's, so it's great that you're a DarkOwl. Um, do you think shining that light and, and putting out more dark web education can actually start to have an impact or mitigate some of the threats or the particular threat actors?
Steph: It's a [00:10:00] great question. Uh, we are seeing reflections of security and clampdowns shape actors and where they're moving, what they're doing, how they're communicating. So I do think that if we keep this up, yes, absolutely. And public education for cybersecurity, you know, your 2-year-old has an iPad.
Your grandmother's on Facebook. The entire spectrum of humanity is tech enabled. We need to protect them. They don't know if they're exposing themselves. Then you've got the people who use the same password for their corporate account versus again, personal accounts. There's a lot of education to do. And I say all that because passwords are sold on the dark web, right?
Repeatedly, passwords are then put to paste sites and, and monetized, that data. They'll just put it on a free paste site for other people to use in their operations. I do think it's a slow process. It's slower than we would want. And that is tough because tech is so dynamic and moves so quickly, but we cannot stop trying to educate and elucidate and really raise the problems of, hey, this is not going to [00:11:00] stop.
This is happening in the background and you've got to pay attention.
Jeff: You know, follow up when we were talking earlier, you mentioned, I believe the way you portrayed it was that with all that focus and attention on the dark web that you're seeing them start to migrate to other platforms and other venues.
Can you talk a little bit about that?
Steph: Absolutely. Yeah. So, you know, dark web, the .onion sites are markets and forums, and you can basically go on. I'll use Dread as an example. Dread is basically the Reddit of the dark web, right? It's the same thing: threads, forums, advice, communities, like minded people. So, Dread, you can go on there and just find something that, you know, I want to sell malware.
I am, I'm looking for this. I'm having trouble developing this part of it, of my malware operation, or this code, or whatever. Um, so it's really just essential to follow that and follow the actors, and they have openly stated, you know, think of AlphaBay and Silk Road, those markets that went down. Think of recent ransomware groups that have also gone down, right?
They've been arrested, [00:12:00] taken offline. Those groups are talking, they are sharing in Telegram, in Discord. And then, of course, on Tox, which is primarily used for ransomware comms, but it is growing in popularity. Tox is just a peer-to-peer messaging system. Direct messaging. They are using more opsec. They are saying, do not post on this forum.
We think there's a law enforcement presence. Contact me on Telegram. They are using more controls on Telegram. So you can shape a channel that only you, the admin, can post in and nobody else can. So we're definitely seeing them paying attention to what's happening in the security and law enforcement world and applying that to where they're moving: more secure messaging platforms, direct messages versus public.
Yes, absolutely.
Shannon: It is tough to, you know, it feels like an arms race, like that. You're always, you know, we're all just chasing each other around the internet. Um,
Jeff: I like that we're all just chasing each other around the,
Steph: It was awesome.
Shannon: I do wanna talk about tools in a minute, but with [00:13:00] the constant changes in technology and, uh, keeping up with threat actors, is there any advice that you have, particularly for training or, um, you know, recommended forums and platforms that, you know, like Dread on the dark web for threat actors?
Like, where do you find the kind of, um, threat intelligence folks getting the most value out of information sharing among other professionals?
Steph: Absolutely. So the two main ones that have really emerged are task forces and trust groups, honestly. So let's start with task forces. We realize that it's got to be government, private, and academia that all participate to best shape and fight the threats we're facing.
So find someone who's in your geographical area of interest, right? If you have an interest in China, if you have an interest in Russia, find groups there, use LinkedIn, use all of those, and then it's usually private Signal groups, or maybe a private WhatsApp group, and there's a lot of, you know, just that are shared in their talk amongst practitioners, and the task [00:14:00] forces really bring all three perspectives of those industries that are necessary.
Trust groups are. I know this won't be popular, but analysts are skeptical by nature. Hi. Um, you know, we don't trust anybody, but when you have a trust group that starts up, so for instance, when Afghanistan fell in 2021 and they were using Snapchat as well as some other hidden, um, underground communications to avoid the Taliban, to get people out of country who were very much in danger, a trust group started up with that for, you know, Operations, getting people to safe houses, monitoring what the Taliban were doing on Twitter, as well as other places.
It was similar with when Russia invaded Ukraine. Okay, find analysts, you know, who has on the ground experience, who has language experience, who has tech experience, especially, you know. What are the Russians using? What are they going after? So task forces and trust groups are one thing. GitHub. I would suggest combing that left and right.
Then I also really want to highlight, there are quite a few really great open source organizations out there. You know, I follow China, so I need to understand how to get behind the [00:15:00] firewall, if I can, how do I pick up information or open source information on WeChat, QQ, et cetera. Um, the Digital Sherlock program handled that.
They have a by area, um, by area of operation, AOR, uh, program that you can do for free. All you have to do is apply, state why you need it. So there's a lot of free open source training. You can never go wrong with the SANS course. They just started a cybercrime one, which I'm super excited to take.
It's at the 500 level, so I'm gonna wait on that. But yeah, um, the tech. And then also, I'm not gonna shy away from things like Coursera or Udemy. There's plenty of baseline foundational classes that you can do on there. You don't need to, say, be a coder yourself, but maybe you wanna understand why your malicious actor is doing what they're doing on the dark web.
Take a while, one, understand what's happening, an object versus a whatever. Right. Immerse yourself and use those free resources, YouTube, Coursera, Udemy, work training, trust groups to really flesh out an area and flesh out expertise and share [00:16:00] information.
Shannon: That's great. Okay. Aside from groups, what are, uh, some of the tools with the right know how that you think are really valuable to, you know, dark web threat intelligence understanding?
Steph: Big that, uh, when I first got started years and years and years ago, and it's still around, dark.fail, type that in your, in your Tor browser, honestly. This is a, I give anybody who's like, I'm curious about the dark web, but I'm also afraid, right? Understood. There are risks. dark.fail is, is like a how to, it's like lower than a one-on-one course, right?
Basically it gives you every listing of, okay, here's a popular market. This is its onion site, because onion sites are now at 57 characters, if I'm not mistaken; they used to be 22. We can memorize that. And it's not like a google.com or it's not like an authentic8.com. The URL doesn't make sense. The onion ones are obfuscated for a reason.
dark.fail lists them, lists if they're up and down, lists if they're temporarily [00:17:00] unavailable, gives you the mirrors or the clearnet site equivalents. And then another one I really love is ransomlook.io. That's, of course, for ransomware, but that site also is amazing. Open source, type that in your browser.
It gives you every single ransomware group that's out there, right? What their blog looks like, what are some of their latest victims, is their server up and running. In some cases, where do they host their server? So there's no perfect way to index the dark web. But there are starting points. Those two that I just named to really get you started.
And then that curiosity will take over.
Shannon: I think that's great to just recognize, you know, even like a tool like DarkOwl is that, you know, a lot of the work can be done for you, but you can still utilize, you know, the intelligence and the information.
Steph: Yeah. And go, you know, whatever your provider is. We, like, analysts love writing and blogging and be like, this is what I discovered, right?
Go check out blogs from any company that has a dark web focus. If you're curious, if you're curious, they have wonderful insight, wonderful how-to's. And then generally they keep it short and sweet, [00:18:00] right? Because we're all busy. We don't have enough hours in the day. So we're not going to give you a PhD level thesis of this dark web actor.
We're going to give you the nitty gritty. Here's some IOCs, here's some mitigation, good luck, right? That's what we're going to try to do.
Jeff: So, yeah, IOC, indicator of compromise.
There's my value. Acronym value. That's my value. You're a cyber security linguist, Jeff.
Or a linguist. Well, Steph, thank you for joining us today. And thank you to DarkOwl for letting you join us today. That was great. Much appreciated. Uh, and thank you to our audience for joining us. You can view transcripts and episode info on our website, authentic8.com/needlestack. That's authentic with the number eight, and be sure to let us know your thoughts on social at needlestack [00:19:00] pod, and to like and subscribe wherever you're listening today, and please tune in again next time for NeedleStack.
Steph: Thank you guys so much.