Apurv Singh Gautam, profile picture
Uploaded byApurv Singh Gautam
PPTX, PDF981 views

Automating Threat Hunting on the Dark Web and other nitty-gritty things

The document discusses automating threat hunting on the dark web, emphasizing its importance for identifying and mitigating cyber threats. It covers methods for hunting, the potential for automation, and the need for operational security (opsec). The conclusion highlights the challenges and resources required for effective dark web threat hunting.

Embed presentation

Downloaded 33 times
Automating Threat Hunting on the Dark Web and other nitty-gritty things
$whoami ◎ Apurv Singh Gautam (@ASG_Sc0rpi0n) ◎ Security Researcher, Threat Intel/Hunting ◎ Cybersecurity @ Georgia Tech ◎ Prior: Research Intern at ICSI, UC Berkeley ◎ Hobbies ◎ Contributing to the security community ◎ Gaming/Streaming (Rainbow 6 Siege), Hiking, Lockpicking, etc. ◎ Social ◎ Twitter - @ASG_Sc0rpi0n ◎ Website – https://apurvsinghgautam.me 2
Agenda ◎ Introduction to the Dark Web ◎ Why hunting on the Dark Web? ◎ Methods to hunt on the Dark Web ◎ Can the Dark Web hunting be automated? ◎ Process after hunting? ◎ OpSec? What’s that? ◎ Conclusion 3
1. Introduction to the Dark Web 4
Clear Web? Deep Web? Dark Web? 5 Image Source: UC San Diego Library
Accessing the Dark Web ◎ Tor /I2P/ZeroNet ◎ .onion domains/.i2p domains ◎ Traffic through relays 6Image Sources: Hotspot Shield, Tor Project, I2P Project, ZeroNet
What’s all the Hype? ◎ Hype ○ Vast and mysterious part of the Internet ○ Place for cybercriminals only ○ Illegal to access the Dark Web ◎ Reality ○ Few reachable onion domains ○ Uptime isn’t ideal ○ Useful for free expression in few countries ○ Popular sites like Facebook, NYTimes, etc. ○ Legal to access the Dark Web 7
Relevant sites? ◎ General Markets ◎ PII & PHI ◎ Credit Cards ◎ Digital identities ◎ Information Trading ◎ Remote Access ◎ Personal Documents ◎ Electronic Wallets ◎ Insider Threats 8 Image Source: Intsights
Cost of products? ◎ SSN - $1 ◎ Fake FB with 15 friends - $1 ◎ DDoS Service - $7/hr ◎ Rent a Hacker - $12/hr ◎ Credit Card - $20+ ◎ Mobile Malware - $150 ◎ Bank Details - $1000+ ◎ Exploits or 0-days - $150,000+ ◎ Critical databases - $300,000+ 9
Product Listings 10
11 Image Source: Digital Shadows
12 Image Source: Digital Shadows
2. Why hunting on the Dark Web? 13
What is Threat Hunting? ◎ Practice of proactively searching for cyber threats ◎ Hypothesis-based approach ◎ Uses advanced analytics and machine learning investigations ◎ Proactive and iterative search 14
Why So Serious (Eh! Important)? ◎ Hacker forums, darknet markets, dump shops, etc. ◎ Criminals can learn, monetize, trade, and communicate ◎ Identification of compromised assets ◎ Can potentially identify attacks in earlier stages ◎ Direct impacts – PII (Personal Info), financial, EHRs (healthcare records), trade secrets ◎ Indirect impacts – reputation, revenue loss, legal penalties 15
Benefits of Threat Hunting ◎ Keep up with the latest trends of attacks ◎ Prepare SOCs/Incident Responders ◎ Get knowledge of TTPs (Tactics, Techniques, Procedures) to be used ◎ Reduce damage and risks to the organization 16
3. Methods to hunt on the Dark Web 17
Tools ◎ Python ◎ Scrapy ◎ Tor ◎ OnionScan ◎ Privoxy ◎ and many more… 18Image Sources: Tor Project, OnionScan, Python, Scrapy, Privoxy
How Scrapy Works? 19Image Source: Scrapy Docs
HUMINT ◎ Human Intelligence ◎ Most dangerous and difficult form ◎ Most valuable source ◎ Infiltrating forums, markets, etc. ◎ Become one of them ◎ How threat actors think ◎ Can be very risky ◎ Time consuming 20 Image Source: Intsights
4. Can dark web hunting be automated? 21
Setting up TH Lab ◎ Lab/VM ◎ Physical or Cloud ◎ Isolate the network ◎ Install relevant tools ○ Scrapy ○ Privoxy ○ Tor ○ ELK ○ Python libraries 22 Image Source: Hayden James
Automated Hunting Architecture 23
5. Process after hunting 24
Let’s talk about TI Lifecycle 25Image Source: Recorded Future
Threat Modelling ◎ “works to identify, communicate, and understand threats and mitigations within the context of protecting something of value” – OWASP ◎ Define critical assets ◎ Understand what attackers want ◎ Threat actor capability and intent ◎ Sources to target 26 Image Source: David Bianco
Data Collection/Processing ◎ Collecting data from clear web ○ Pastebin ○ Twitter ○ Reddit ◎ Collecting data from dark web ○ Forums ○ Markets 27 Image Source: Blueliv
Data Analysis ◎ NLP/ML/DL techniques ◎ Social network analysis ◎ Classification ◎ Clustering ◎ MITRE ATT&CK 28 Image Sources: DataCamp, MITRE ATT&CK
6. OpSec? What is that? 29
What is OpSec? ◎ Actions taken to ensure that information leakage doesn’t compromise you or your operations ◎ Derived from US military – Operational Security ◎ PII – Personally Identifiable Information ◎ Not just a process – a mindset ◎ OpSec is Hard 30
Maintaining OpSec in your lifestyle ◎ Hide your real identity ◎ Use VM/Lab or an isolated system ◎ Use Tor or Tor over VPN always ◎ Change Time zones ◎ Never talk about your work ◎ Maintain different persona ◎ Take extensive notes ◎ Use password manager 31
7. Conclusion 32
What we discussed so far? ◎ Little about the Dark Web ◎ Dark Web forums/marketplaces ◎ Dark Web threat hunting ◎ Scrapy ◎ HUMINT ◎ Automating the Dark Web hunting ◎ Little about threat intelligence lifecycle ◎ A little about OpSec 33
I don’t know how to conclude but.. ◎ Dark Web threat hunting is hard but worth the effort ◎ Keep OpSec in mind ◎ Look at more than one resource ◎ Takes a lot of resources and team effort ◎ Usage of MITRE ATT&CK framework 34
Resources ◎ Blogs & White papers by Recorded Future ◎ White papers by IntSights ◎ Blogs by Palo Alto’s Unit 42 ◎ Blogs by CrowdStrike ◎ Blogs by CloudSEK ◎ White papers by Digital Shadows ◎ Darkweb Cyber Threat Intelligence Mining by Cambridge University Press 35
Thanks! Any questions? You can contact me at: Twitter: @ASG_Sc0rpi0n LinkedIn: /in/apurvsinghgautam 36

More Related Content

PPTX
Osint {open source intelligence }
byAkshayJha40
 
PPT
Open source intelligence
bybalakumaran779
 
PPTX
Cyber threat intelligence: maturity and metrics
byMark Arena
 
PPTX
Cyber Threat Intelligence | Information to Insight
byDeep Shankar Yadav
 
PDF
Threat Intelligence Workshop
byPriyanka Aash
 
PDF
Cyber Threat Intelligence
bymohamed nasri
 
PPTX
What is Threat Hunting? - Panda Security
byPanda Security
 
PDF
Offensive OSINT
byChristian Martorella
 
Osint {open source intelligence }
byAkshayJha40
 
Open source intelligence
bybalakumaran779
 
Cyber threat intelligence: maturity and metrics
byMark Arena
 
Cyber Threat Intelligence | Information to Insight
byDeep Shankar Yadav
 
Threat Intelligence Workshop
byPriyanka Aash
 
Cyber Threat Intelligence
bymohamed nasri
 
What is Threat Hunting? - Panda Security
byPanda Security
 
Offensive OSINT
byChristian Martorella
 

What's hot

PDF
Soc analyst course content
byShivamSharma909
 
PDF
Threat hunting 101 by Sandeep Singh
byOWASP Delhi
 
PPT
Honeypot honeynet
bySina Manavi
 
PPTX
MITRE ATT&CK framework
byBhushan Gurav
 
PPTX
Cyber Threat Intelligence.pptx
byAbimbolaFisher1
 
PDF
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
byMITRE - ATT&CKcon
 
PDF
Cyber Threat Intelligence - It's not just about the feeds
byIain Dickson
 
PPTX
Cybersecurity Awareness Session by Adam
byMohammed Adam
 
PPTX
Threat hunting foundations: People, process and technology.pptx
byInfosec
 
PPTX
6 Steps for Operationalizing Threat Intelligence
bySirius
 
PDF
MITRE ATT&CK Framework
byn|u - The Open Security Community
 
PDF
Cyber Threat Intelligence
byZaiffiEhsan
 
PPTX
Cyber Threat Intelligence
bySyed Peer
 
PDF
Threat Intelligence
byDeepak Kumar (D3)
 
PDF
Threat Hunting Procedures and Measurement Matrice
byVishal Kumar
 
PDF
Global Cyber Threat Intelligence
byNTT Innovation Institute Inc.
 
PPTX
Getting started with using the Dark Web for OSINT investigations
byOlakanmi Oluwole
 
PDF
OSINT with Practical: Real Life Examples
bySyedAmoz
 
PDF
Osint
byKamal Rathaur
 
ODP
The Deep and Dark Web
bySwecha | స్వేచ్ఛ
 
Soc analyst course content
byShivamSharma909
 
Threat hunting 101 by Sandeep Singh
byOWASP Delhi
 
Honeypot honeynet
bySina Manavi
 
MITRE ATT&CK framework
byBhushan Gurav
 
Cyber Threat Intelligence.pptx
byAbimbolaFisher1
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
byMITRE - ATT&CKcon
 
Cyber Threat Intelligence - It's not just about the feeds
byIain Dickson
 
Cybersecurity Awareness Session by Adam
byMohammed Adam
 
Threat hunting foundations: People, process and technology.pptx
byInfosec
 
6 Steps for Operationalizing Threat Intelligence
bySirius
 
MITRE ATT&CK Framework
byn|u - The Open Security Community
 
Cyber Threat Intelligence
byZaiffiEhsan
 
Cyber Threat Intelligence
bySyed Peer
 
Threat Intelligence
byDeepak Kumar (D3)
 
Threat Hunting Procedures and Measurement Matrice
byVishal Kumar
 
Global Cyber Threat Intelligence
byNTT Innovation Institute Inc.
 
Getting started with using the Dark Web for OSINT investigations
byOlakanmi Oluwole
 
OSINT with Practical: Real Life Examples
bySyedAmoz
 
Osint
byKamal Rathaur
 
The Deep and Dark Web
bySwecha | స్వేచ్ఛ
 

Similar to Automating Threat Hunting on the Dark Web and other nitty-gritty things

PDF
Threat Hunting on the Dark Web
byApurv Singh Gautam
 
PDF
Dark Web and Threat Intelligence
byMarlabs
 
PPTX
Demystifying the Dark Web
byTom Kranz
 
PDF
Dark Web Forensics
byDeepak Kumar (D3)
 
PPTX
The-Dark-Web-Exploring-the-Internets-Underbelly.pptx
bySomuKoteswarareddy
 
PDF
Unveiling the Dark Web_ A Cloak of Secrecy, Crime, and Nefarious Activities.pdf
byjoneswaylon890
 
PPTX
Case Study on Dark Web:Insights, Risks & Security Measures
byBNAWAZALIHASHMI
 
PPTX
Threat hunting in cyber world
byAkash Sarode
 
PPT
Cyber Security - Dark Web by Dr.Purushottam Petare.ppt
byDr.Purushottam Petare
 
PPTX
Dark Web.pptx
byeliofatjon
 
PDF
Dark Web Site.pdf
byDarkWebLink1
 
PDF
CEH Module 2 Footprinting CEH V13, concepts
byammarhassan185568
 
PPTX
ppt.TECHNICALfffgvggfssdcvvvgggfddffg.pptx
byGeetha982072
 
PDF
Data Mining In The Dark Darknet Intelligence Automation Brian Nafziger
byjamararnet2i
 
PPTX
Investigating Using the Dark Web
byCase IQ
 
PDF
The Dark web - Why the hidden part of the web is even more dangerous?
byPierluigi Paganini
 
PDF
Cybercrime In The Deep Web
byTrend Micro
 
PDF
Cybercrime in the Deep Web (BHEU 2015)
byMarco Balduzzi
 
PDF
[Bucharest] #DontTrustTheDarkSide
byOWASP EEE
 
PDF
On How the Darknet and its Access to SCADA is a Threat to National Critical I...
byMatthew Kurnava
 
Threat Hunting on the Dark Web
byApurv Singh Gautam
 
Dark Web and Threat Intelligence
byMarlabs
 
Demystifying the Dark Web
byTom Kranz
 
Dark Web Forensics
byDeepak Kumar (D3)
 
The-Dark-Web-Exploring-the-Internets-Underbelly.pptx
bySomuKoteswarareddy
 
Unveiling the Dark Web_ A Cloak of Secrecy, Crime, and Nefarious Activities.pdf
byjoneswaylon890
 
Case Study on Dark Web:Insights, Risks & Security Measures
byBNAWAZALIHASHMI
 
Threat hunting in cyber world
byAkash Sarode
 
Cyber Security - Dark Web by Dr.Purushottam Petare.ppt
byDr.Purushottam Petare
 
Dark Web.pptx
byeliofatjon
 
Dark Web Site.pdf
byDarkWebLink1
 
CEH Module 2 Footprinting CEH V13, concepts
byammarhassan185568
 
ppt.TECHNICALfffgvggfssdcvvvgggfddffg.pptx
byGeetha982072
 
Data Mining In The Dark Darknet Intelligence Automation Brian Nafziger
byjamararnet2i
 
Investigating Using the Dark Web
byCase IQ
 
The Dark web - Why the hidden part of the web is even more dangerous?
byPierluigi Paganini
 
Cybercrime In The Deep Web
byTrend Micro
 
Cybercrime in the Deep Web (BHEU 2015)
byMarco Balduzzi
 
[Bucharest] #DontTrustTheDarkSide
byOWASP EEE
 
On How the Darknet and its Access to SCADA is a Threat to National Critical I...
byMatthew Kurnava
 

More from Apurv Singh Gautam

PDF
All about Cyber Security - From the perspective of a MS student
byApurv Singh Gautam
 
PPTX
SIT Summer School (Cyber Security)
byApurv Singh Gautam
 
PPTX
Cyber Security Seminar Day 2
byApurv Singh Gautam
 
PPTX
Cyber Security Seminar Day 1
byApurv Singh Gautam
 
PPTX
Cyber Security Fundamentals
byApurv Singh Gautam
 
PPTX
Bitcoin Forensics
byApurv Singh Gautam
 
PDF
Log Out Cyber Awareness
byApurv Singh Gautam
 
PPTX
OSINT
byApurv Singh Gautam
 
PPTX
Intro to Network Vapt
byApurv Singh Gautam
 
PPTX
Security News Bytes (Aug Sept 2017)
byApurv Singh Gautam
 
PPTX
Anonymous traffic network
byApurv Singh Gautam
 
PPTX
Flexible Displays
byApurv Singh Gautam
 
PPTX
India against corruption
byApurv Singh Gautam
 
PPTX
Encrypted database management system
byApurv Singh Gautam
 
All about Cyber Security - From the perspective of a MS student
byApurv Singh Gautam
 
SIT Summer School (Cyber Security)
byApurv Singh Gautam
 
Cyber Security Seminar Day 2
byApurv Singh Gautam
 
Cyber Security Seminar Day 1
byApurv Singh Gautam
 
Cyber Security Fundamentals
byApurv Singh Gautam
 
Bitcoin Forensics
byApurv Singh Gautam
 
Log Out Cyber Awareness
byApurv Singh Gautam
 
OSINT
byApurv Singh Gautam
 
Intro to Network Vapt
byApurv Singh Gautam
 
Security News Bytes (Aug Sept 2017)
byApurv Singh Gautam
 
Anonymous traffic network
byApurv Singh Gautam
 
Flexible Displays
byApurv Singh Gautam
 
India against corruption
byApurv Singh Gautam
 
Encrypted database management system
byApurv Singh Gautam
 

Recently uploaded

PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PDF
Cybersecurity: Safeguarding Digital Assets
byYasir Naveed Riaz
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PPT
software-security-intro in information security.ppt
byismaeelsahib032
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PPTX
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
cybercrime in Information security .pptx
byismaeelsahib032
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Cybersecurity: Safeguarding Digital Assets
byYasir Naveed Riaz
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
December Patch Tuesday
byIvanti
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
software-security-intro in information security.ppt
byismaeelsahib032
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
AI in Cybersecurity: Digital Defense by Yasir Naveed Riaz
byYasir Naveed Riaz
 

Automating Threat Hunting on the Dark Web and other nitty-gritty things

  • 1.
    Automating Threat Hunting onthe Dark Web and other nitty-gritty things
  • 2.
    $whoami ◎ Apurv SinghGautam (@ASG_Sc0rpi0n) ◎ Security Researcher, Threat Intel/Hunting ◎ Cybersecurity @ Georgia Tech ◎ Prior: Research Intern at ICSI, UC Berkeley ◎ Hobbies ◎ Contributing to the security community ◎ Gaming/Streaming (Rainbow 6 Siege), Hiking, Lockpicking, etc. ◎ Social ◎ Twitter - @ASG_Sc0rpi0n ◎ Website – https://apurvsinghgautam.me 2
  • 3.
    Agenda ◎ Introduction tothe Dark Web ◎ Why hunting on the Dark Web? ◎ Methods to hunt on the Dark Web ◎ Can the Dark Web hunting be automated? ◎ Process after hunting? ◎ OpSec? What’s that? ◎ Conclusion 3
  • 4.
  • 5.
    Clear Web? DeepWeb? Dark Web? 5 Image Source: UC San Diego Library
  • 6.
    Accessing the DarkWeb ◎ Tor /I2P/ZeroNet ◎ .onion domains/.i2p domains ◎ Traffic through relays 6Image Sources: Hotspot Shield, Tor Project, I2P Project, ZeroNet
  • 7.
    What’s all theHype? ◎ Hype ○ Vast and mysterious part of the Internet ○ Place for cybercriminals only ○ Illegal to access the Dark Web ◎ Reality ○ Few reachable onion domains ○ Uptime isn’t ideal ○ Useful for free expression in few countries ○ Popular sites like Facebook, NYTimes, etc. ○ Legal to access the Dark Web 7
  • 8.
    Relevant sites? ◎ GeneralMarkets ◎ PII & PHI ◎ Credit Cards ◎ Digital identities ◎ Information Trading ◎ Remote Access ◎ Personal Documents ◎ Electronic Wallets ◎ Insider Threats 8 Image Source: Intsights
  • 9.
    Cost of products? ◎SSN - $1 ◎ Fake FB with 15 friends - $1 ◎ DDoS Service - $7/hr ◎ Rent a Hacker - $12/hr ◎ Credit Card - $20+ ◎ Mobile Malware - $150 ◎ Bank Details - $1000+ ◎ Exploits or 0-days - $150,000+ ◎ Critical databases - $300,000+ 9
  • 10.
  • 11.
  • 12.
  • 13.
    2. Why hunting onthe Dark Web? 13
  • 14.
    What is ThreatHunting? ◎ Practice of proactively searching for cyber threats ◎ Hypothesis-based approach ◎ Uses advanced analytics and machine learning investigations ◎ Proactive and iterative search 14
  • 15.
    Why So Serious(Eh! Important)? ◎ Hacker forums, darknet markets, dump shops, etc. ◎ Criminals can learn, monetize, trade, and communicate ◎ Identification of compromised assets ◎ Can potentially identify attacks in earlier stages ◎ Direct impacts – PII (Personal Info), financial, EHRs (healthcare records), trade secrets ◎ Indirect impacts – reputation, revenue loss, legal penalties 15
  • 16.
    Benefits of ThreatHunting ◎ Keep up with the latest trends of attacks ◎ Prepare SOCs/Incident Responders ◎ Get knowledge of TTPs (Tactics, Techniques, Procedures) to be used ◎ Reduce damage and risks to the organization 16
  • 17.
    3. Methods to hunton the Dark Web 17
  • 18.
    Tools ◎ Python ◎ Scrapy ◎Tor ◎ OnionScan ◎ Privoxy ◎ and many more… 18Image Sources: Tor Project, OnionScan, Python, Scrapy, Privoxy
  • 19.
    How Scrapy Works? 19ImageSource: Scrapy Docs
  • 20.
    HUMINT ◎ Human Intelligence ◎Most dangerous and difficult form ◎ Most valuable source ◎ Infiltrating forums, markets, etc. ◎ Become one of them ◎ How threat actors think ◎ Can be very risky ◎ Time consuming 20 Image Source: Intsights
  • 21.
    4. Can dark webhunting be automated? 21
  • 22.
    Setting up THLab ◎ Lab/VM ◎ Physical or Cloud ◎ Isolate the network ◎ Install relevant tools ○ Scrapy ○ Privoxy ○ Tor ○ ELK ○ Python libraries 22 Image Source: Hayden James
  • 23.
  • 24.
  • 25.
    Let’s talk aboutTI Lifecycle 25Image Source: Recorded Future
  • 26.
    Threat Modelling ◎ “worksto identify, communicate, and understand threats and mitigations within the context of protecting something of value” – OWASP ◎ Define critical assets ◎ Understand what attackers want ◎ Threat actor capability and intent ◎ Sources to target 26 Image Source: David Bianco
  • 27.
    Data Collection/Processing ◎ Collectingdata from clear web ○ Pastebin ○ Twitter ○ Reddit ◎ Collecting data from dark web ○ Forums ○ Markets 27 Image Source: Blueliv
  • 28.
    Data Analysis ◎ NLP/ML/DLtechniques ◎ Social network analysis ◎ Classification ◎ Clustering ◎ MITRE ATT&CK 28 Image Sources: DataCamp, MITRE ATT&CK
  • 29.
  • 30.
    What is OpSec? ◎Actions taken to ensure that information leakage doesn’t compromise you or your operations ◎ Derived from US military – Operational Security ◎ PII – Personally Identifiable Information ◎ Not just a process – a mindset ◎ OpSec is Hard 30
  • 31.
    Maintaining OpSec inyour lifestyle ◎ Hide your real identity ◎ Use VM/Lab or an isolated system ◎ Use Tor or Tor over VPN always ◎ Change Time zones ◎ Never talk about your work ◎ Maintain different persona ◎ Take extensive notes ◎ Use password manager 31
  • 32.
  • 33.
    What we discussedso far? ◎ Little about the Dark Web ◎ Dark Web forums/marketplaces ◎ Dark Web threat hunting ◎ Scrapy ◎ HUMINT ◎ Automating the Dark Web hunting ◎ Little about threat intelligence lifecycle ◎ A little about OpSec 33
  • 34.
    I don’t knowhow to conclude but.. ◎ Dark Web threat hunting is hard but worth the effort ◎ Keep OpSec in mind ◎ Look at more than one resource ◎ Takes a lot of resources and team effort ◎ Usage of MITRE ATT&CK framework 34
  • 35.
    Resources ◎ Blogs &White papers by Recorded Future ◎ White papers by IntSights ◎ Blogs by Palo Alto’s Unit 42 ◎ Blogs by CrowdStrike ◎ Blogs by CloudSEK ◎ White papers by Digital Shadows ◎ Darkweb Cyber Threat Intelligence Mining by Cambridge University Press 35
  • 36.
    Thanks! Any questions? You cancontact me at: Twitter: @ASG_Sc0rpi0n LinkedIn: /in/apurvsinghgautam 36

Editor's Notes

  • #6 Clear web: Sites that are indexed by search engines Deep web: Sites that are not indexed by search engines Dark web: Sites that require special software, configuration or authorization to access
  • #7 The Onion Router/Invisible Internet Project 16- or 56-character alphanumeric identifier strings anonymization Decentralized system 3-layer proxy Publicly listed entry node, middle relay and exit node (entry nodes doesn’t know the exit node) Original data encrypted in layers – onion analogy IP address is hidden Routes traffic through a series of interconnected volunteer systems called relays (about 6000 relays for Tor)
  • #8 Dark web is not equal to criminality Smaller than clear web if compared from availability perspective (uptime) Tor browser circumvents surveillance – free expression in some countries Whistleblowing or Activism, safe haven for journalists, access to literature & research Dark web is many things but not just the vast network of criminals Home to many other people who don’t want surveillance on them die to their nature of the work Legal to access dark web but illegal to participate in any illicit business
  • #9 Choose your target Threat Modelling
  • #10 Recent news 500,000 Zoom accounts sold on dark web 267 million FB User profiles for $540 And many other
  • #15 Logs, IOCs, textual data, etc. Nothing concrete about this process You take one use case and work on that then another and it goes on an on Choose your target sources – useful for your organization Threat Modelling
  • #16 Learn – criminals learn new methods and techniques Monetize – monetize their skills Trade – trade their exploits/tools, drugs, weapons Communicate – communicate with other criminals Can learn a lot on engaging with these communities The intelligence from dark web isn’t available anywhere else Identify attackers, vulnerability prioritization in planning and recon stages Takes a lot of time, If done properly, it can even identify attacks in planning and recon stages
  • #17 Brand protection New TTPs Identifying insider threats Discover data breaches
  • #19 Scrapy -  web-crawling framework - multithreading capability OnionScan - open source tool for investigating the Dark Web, scanning different onion sites for vulnerabilities, correlations between sites, etc Socks – Socket Secure – used SOCKS protocol – can’t read data http proxy vs socks proxy – lower level proxy Different ways of using socks proxy – tsocks, polipo, Privoxy, etc. Privoxy – web proxy – scrapy cannot use socks proxy so route through Privoxy (tor with socks – layer of protection) - to hide using tor from your ISP Use VPN + SOCKS for extra protection - hide your activity and get real safe access - can’t trust entry and exit nodes Scrapy Splash library – for javascript Torch Onion Wiki Search engines like Kilos, Recon
  • #20 1. The Engine gets the initial Requests to crawl from the Spider. 2. The Engine schedules the Requests in the Scheduler and asks for the next Requests to crawl. 3. The Scheduler returns the next Requests to the Engine. 4. The Engine sends the Requests to the Downloader, passing through the Downloader Middlewares 5. Once the page finishes downloading the Downloader generates a Response (with that page) and sends it to the Engine, passing through the Downloader Middlewares 6. The Engine receives the Response from the Downloader and sends it to the Spider for processing, passing through the Spider Middleware 7. The Spider processes the Response and returns scraped items and new Requests (to follow) to the Engine, passing through the Spider Middleware 8. The Engine sends processed items to Item Pipelines, then send processed Requests to the Scheduler and asks for possible next Requests to crawl. 9. The process repeats (from step 1) until there are no more requests from the Scheduler. Middlewares – ProxyMiddleware(relaying through Privoxy and tor), LoginMiddleware (using user_agent, cookies/bypassing captchas, checking login), Captcha solving websites - deathbycapthca, anticaptcha, etc
  • #21 Process of gathering intelligence through interpersonal contact and engagement, rather than by technical processes As attacks are human-driven, to anticipate, Identify and respond to attacks requires human skill and effort In The Art of War, Chinese military strategist Sun Tzu wrote: “To know your Enemy, you must become your Enemy.” Understanding the motives and tendencies behind your adversaries is a key to any type of warfare, including cyber warfare It’s the high-tech equivalent of what an undercover FBI agent does when he or she spends months or years working to infiltrate a criminal organization. Using HUMINT to bolster Threat Hunting – Post Attack Investigation, New Attack Vector Discovery, etc
  • #24 Dark web links – collect forum/DNMs links Socks proxies – run socks proxy script to collect several socks proxies to route tor through them Different crawlers for different forums Scrapy setup – setup login for each forum, setup several settings including headers, cookies, ignored links, captcha bypass, etc Talk about captcha bypass (captcha solving services like deathbycapthca, anticaptcha, etc.) Crawler - crawls html pages of the forums Parser – parses html pages (taking only relevant texts from the html) – post_id, post_content, post_author, author_status, reputation, item_price, etc. Analyzer – uses NLP techniques to evaluate the content that is relevant to the threat model and stores them into the ES database. Design/Train NLP model – design and train NLP model on the content that is relevant to your threat model and apply it on new data Egg and chicken problem (data gathering vs training on data) Many unsupervised learning models – lda, seeded lda, etc.
  • #26 Direction - identify dark web forums, acquire access Collection - establish anonymous access, collect raw data Processing - parsing raw HTML data, machine translation, extract topics and authors Analysis - infer relationships , link data sources, identify trends, hacks and leaks Dissemination - visualization in dashboards, alerts and reports
  • #27 Critical assets - databases holding customer data, payment processing systems, employee access systems, trading platforms or exchanges, or Enterprise Resource Planning (ERP) applications Threat actor capability & intent – define types of actors like hacktivists, insiders, criminal groups, etc. and know their capability. Consider why an attacker wants to target your organization? What do they hope to gain? What are their goals? Chose your target on dark web - which site do you want to go for – credit card markets, insider threats market, general markets, etc. Prioritize risks – use pyramid of pain for that - IOCs Chose on clear web – sites like pastebin, twitter, etc.
  • #28 Crawler and Parser
  • #29 NLP techniques – LDA, BERT, GPT, GPT-2, GPT-3 Social network analysis – analysis of the users Classification – binary or multi-class classification Clustering – clustering of products according to categories Services provided by different companies or code your system from ground up MITRE ATT&CK - knowledge base of adversary tactics and techniques (TTPs) based on real-world observations. Use ATT&CK matrix to map the intelligence you obtained to better understand the TTPs
  • #31 the practice of hiding yourself online by disassociating your online persona with your real self We are all humans We desire to be seen knowledgeable and to impress others Leads to gossip, brag, and overshare PII – personal information that can identify you – full name, SSN, driver’s license, bank account, email, passport number, etc.
  • #32 You have to do opsec from the beginning/proactivly because you can't do opsec "retroactively" Never store any personal information on the VM or the system you are accessing dark web from Clean/Wipe all the data before leaving the system and start fresh the other day Watch what you say to whom and where Think before you post Have different persona on different sites, don’t mix it., Have a back story for each personas Take notes so you don’t mess up the personas It’s a 24x7 thing to do and not during your job duration You can’t work 9-5 as that would be a tip off that you are not a threat actor. Develop appropriate language skills and slang skills
  • #35 You don’t get the intelligence from anywhere else Look at more forums