The underground has long been providing a haven for the malicious activities of cyber threat actors. By creating a greenhouse for the obtaining of tools and affiliates for a cyber-attack, the underground platforms have practically become the 'go-to' places for hackers, whatever level of experience they may have. Yet in the past few years, successful convictions of dark web criminals and rumors regarding the presence of undercover law enforcement agents in these platforms have made some cybersecurity specialists skeptical regarding the plausibility of their future use for the purpose of major cyber-crimes. Nevertheless, I would argue that the underground's unique position as a convenient playground for threat actors is not coming to an end, but rather changing its face and nature. I would also submit that cybersecurity tools with the ability to detect this shifting trend will become essential for delivering real-time attack-mitigating threat intelligence.
The last few years have proven that governments worldwide are on the lookout for cyber-criminals. While the most discussed case of a successful police raid in a cyber-crime dark web market was Silk Road, there have been multiple examples of law enforcement successful takedowns of cyber attackers and criminals, all of whom were somewhat active on the underground. The truth must be said: this has proved that State backed intelligence and law enforcement agencies can certainly severely damage threat actors’ malicious intentions and can go as far as catching the man behind the keyboard.
Law enforcement agencies have partially declared war on underground threat actors and this can certainly be felt within underground forum discussions. The threat actors are being deterred; they are careful about what information they are sharing, as well as with whom they are speaking. The atmosphere in these discussion groups is sometimes strongly affected by the fear of a possible law enforcement penetration into the forum.
But the show must go on, even if you are a cyber threat actor who is seeking guidance or a working partnership. Therefore, some threat actors haven't stopped sharing their plans and discussing their intentions, but rather they have found ways to encrypt their messages with coded expressions. Others have just left the traditional platforms in which they used to be members and have started new ones in the dark web, deep web and IM platforms.
In other words, whenever a source is taken down for some reason or is being abandoned by its members, (whether due to police activity or just an unpaid web host service), another source is set up and quickly replaces it. Threat actors constantly migrate between platforms, based on their professional needs and their current exposure and risk level. If you don't manage to track them, you lose them, and you lose any insights into their activity.
The underground includes both dark and deep web sources. Threat intelligence tools try to monitor the underground by approaching it from different angles, yet not many people yet see it as it is -- a limitless dimension of eternal growth. In short, valuable threat intelligence tools have to be smart enough to understand the ever-changing environment and be dynamic enough to adjust themselves accordingly.
For more information on Sixgill's Deep and Dark Web Threat Intelligence Platform or to see a demo of the system, click here.