Automating Threat Hunting on the Dark Web and other nitty-gritty things
$whoami
◎ Apurv Singh Gautam (@ASG_Sc0rpi0n)
◎ Security Researcher, Threat Intel/Hunting
◎ Cybersecurity @ Georgia Tech
◎ Prior: Research Intern at ICSI, UC Berkeley
◎ Hobbies
○ Contributing to the security community
○ Gaming/Streaming (Rainbow 6 Siege), Hiking, Lockpicking, etc.
◎ Social
○ Twitter - @ASG_Sc0rpi0n
○ Website - https://apurvsinghgautam.me
Agenda
◎ Introduction to the Dark Web
◎ Why hunt on the Dark Web?
◎ Methods to hunt on the Dark Web
◎ Can Dark Web hunting be automated?
◎ What is the process after hunting?
◎ OpSec? What’s that?
◎ Conclusion
1. Introduction to the Dark Web
Clear Web? Deep Web? Dark Web?
Image Source: UC San Diego Library
Accessing the Dark Web
◎ Tor / I2P / ZeroNet
◎ .onion domains/.i2p domains
◎ Traffic through relays
Image Sources: Hotspot Shield, Tor Project, I2P Project, ZeroNet
What’s all the Hype?
◎ Hype
○ Vast and mysterious part of the Internet
○ Place for cybercriminals only
○ Illegal to access the Dark Web
◎ Reality
○ Only a few reachable onion domains
○ Uptime isn't ideal
○ Useful for free expression in a few countries
○ Popular sites like Facebook, NYTimes, etc.
○ Legal to access the Dark Web
Relevant sites?
◎ General Markets
◎ PII & PHI
◎ Credit Cards
◎ Digital identities
◎ Information Trading
◎ Remote Access
◎ Personal Documents
◎ Electronic Wallets
◎ Insider Threats
Image Source: Intsights
Cost of products?
◎ SSN - $1
◎ Fake FB with 15 friends - $1
◎ DDoS Service - $7/hr
◎ Rent a Hacker - $12/hr
◎ Credit Card - $20+
◎ Mobile Malware - $150
◎ Bank Details - $1000+
◎ Exploits or 0-days - $150,000+
◎ Critical databases - $300,000+
Product Listings
Image Source: Digital Shadows
Image Source: Digital Shadows
2. Why hunt on the Dark Web?
What is Threat Hunting?
◎ Practice of proactively searching for cyber threats
◎ Hypothesis-based approach
◎ Uses advanced analytics and machine-learning-driven investigations
◎ Proactive and iterative search
Why So Serious (Eh! Important)?
◎ Hacker forums, darknet markets, dump shops, etc.
◎ Criminals can learn, monetize, trade, and communicate
◎ Identification of compromised assets
◎ Can potentially identify attacks in earlier stages
◎ Direct impacts - PII (personal info), financial data, EHRs (healthcare records), trade secrets
◎ Indirect impacts - reputation, revenue loss, legal penalties
Benefits of Threat Hunting
◎ Keep up with the latest trends of attacks
◎ Prepare SOCs/Incident Responders
◎ Get knowledge of the TTPs (Tactics, Techniques, Procedures) likely to be used
◎ Reduce damage and risks to the organization
3. Methods to hunt on the Dark Web
Tools
◎ Python
◎ Scrapy
◎ Tor
◎ OnionScan
◎ Privoxy
◎ and many more…
Image Sources: Tor Project, OnionScan, Python, Scrapy, Privoxy
How Scrapy works
Image Source: Scrapy Docs
HUMINT
◎ Human Intelligence
◎ Most dangerous and difficult form
◎ Most valuable source
◎ Infiltrating forums, markets, etc.
◎ Become one of them
◎ How threat actors think
◎ Can be very risky
◎ Time consuming
Image Source: Intsights
4. Can Dark Web hunting be automated?
Setting up a TH (threat hunting) lab
◎ Lab/VM
◎ Physical or Cloud
◎ Isolate the network
◎ Install relevant tools
○ Scrapy
○ Privoxy
○ Tor
○ ELK
○ Python libraries
Image Source: Hayden James
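A pre-flight check for the lab described above, as an added example (my code, not the speaker's): before a Scrapy crawler starts, confirm it can only reach the network through Privoxy and Tor and does not carry an identifying User-Agent. It assumes Privoxy listens on 127.0.0.1:8118 and forwards to Tor's SOCKS port 9050, and that Scrapy picks up the proxy from the http_proxy/https_proxy environment (which its HttpProxyMiddleware reads); the settings values are a constructed lab baseline.

```python
"""Pre-flight checks for a Scrapy-based dark web crawling lab.

Goal: the crawler must only talk to the network through Privoxy -> Tor and
must not leak the operator's identity. Added example, not code from the talk.
"""
from urllib.parse import urlparse

PRIVOXY_LISTEN = "127.0.0.1:8118"   # Privoxy default listen address (assumed lab value)
TOR_SOCKS = "127.0.0.1:9050"        # Tor default SOCKS port (assumed lab value)

# Default User-Agent fragments of common crawling tools; seeing them in the
# crawler's UA means the tool, and possibly the operator, is easy to fingerprint.
IDENTITY_MARKERS = ("scrapy", "python-requests", "python-urllib")


def privoxy_forward_rule(tor_socks=TOR_SOCKS):
    """Privoxy config line that sends every request into Tor's SOCKS port.

    'socks5t' makes Tor resolve hostnames itself, so .onion lookups never
    reach the lab's local DNS resolver.
    """
    return f"forward-socks5t / {tor_socks} ."


def proxy_env(privoxy=PRIVOXY_LISTEN):
    """Environment the crawler process is started with (read by Scrapy's
    HttpProxyMiddleware)."""
    return {"http_proxy": f"http://{privoxy}", "https_proxy": f"http://{privoxy}"}


def scrapy_lab_settings(user_agent):
    """Constructed baseline settings for a slow, low-profile crawler."""
    return {
        "HTTPPROXY_ENABLED": True,        # keep HttpProxyMiddleware active
        "ROBOTSTXT_OBEY": False,          # hidden services rarely publish one
        "DOWNLOAD_DELAY": 5.0,            # seconds between requests per site
        "CONCURRENT_REQUESTS": 2,         # Tor circuits are slow; stay gentle
        "USER_AGENT": user_agent,
        "TELNETCONSOLE_ENABLED": False,   # no extra listening socket in the lab
    }


def preflight(settings, env, operator_markers=()):
    """Return a list of problems; an empty list means the crawler may start.

    operator_markers: strings tied to the operator (handle, org name) that
    must never appear in the User-Agent.
    """
    problems = []
    if not settings.get("HTTPPROXY_ENABLED"):
        problems.append("HTTPPROXY_ENABLED is off: requests would bypass Privoxy/Tor")
    for var in ("http_proxy", "https_proxy"):
        url = env.get(var)
        if not url:
            problems.append(f"{var} not set: {var.split('_')[0]} requests would leave directly")
            continue
        host = urlparse(url).hostname
        if host not in ("127.0.0.1", "localhost", "::1"):
            problems.append(f"{var} points at {host}, not a loopback Privoxy instance")
    ua = settings.get("USER_AGENT", "").lower()
    for marker in IDENTITY_MARKERS + tuple(m.lower() for m in operator_markers):
        if marker in ua:
            problems.append(f"USER_AGENT contains identifying string {marker!r}")
    if settings.get("DOWNLOAD_DELAY", 0) < 2:
        problems.append("DOWNLOAD_DELAY under 2s: crawler stands out and risks a ban")
    if settings.get("CONCURRENT_REQUESTS", 16) > 4:
        problems.append("CONCURRENT_REQUESTS above 4: too aggressive for Tor circuits")
    return problems


if __name__ == "__main__":
    print("privoxy config line:", privoxy_forward_rule())
    ua = "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"
    for problem in preflight(scrapy_lab_settings(ua), proxy_env()) or ["ok: crawler may start"]:
        print(problem)
```

Run it from inside the isolated lab VM; once it reports no problems, confirm from the same VM that traffic actually exits through Tor before the first crawl.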
Automated Hunting Architecture
5. The process after hunting
Let's talk about the TI (threat intelligence) lifecycle
Image Source: Recorded Future
Threat Modelling
◎ "works to identify, communicate, and understand threats and mitigations within the context of protecting something of value" - OWASP
◎ Define critical assets
◎ Understand what attackers want
◎ Threat actor capability and intent
◎ Sources to target
Image Source: David Bianco
Data Collection/Processing
◎ Collecting data from clear web
○ Pastebin
○ Twitter
○ Reddit
◎ Collecting data from dark web
○ Forums
○ Markets
Image Source: Blueliv
Data Analysis
◎ NLP/ML/DL techniques
◎ Social network analysis
◎ Classification
◎ Clustering
◎ MITRE ATT&CK
Image Sources: DataCamp, MITRE ATT&CK
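The collection/processing and analysis steps above, as one added example (my code, not the speaker's): it turns a crawled forum thread into ELK-ready JSON documents, de-duplicates posts across re-crawls by content hash, and does the simplest useful analysis, matching each post against a watchlist of the organisation's own assets to flag compromised-asset mentions. The thread HTML, the watchlist and the domain corp.example are all constructed for the example; the forum layout (div.post with author/date/body children) is an assumption.

```python
"""Processing and analysis stage of an automated dark web hunt.

Added example, not code from the talk. Input is a thread page a Scrapy
spider would have fetched; output is a list of documents ready to index
into Elasticsearch (the '_id' field makes re-indexing idempotent).
"""
import hashlib
import json
import re
from html.parser import HTMLParser

# Constructed sample of a crawled forum thread (not a real site).
SAMPLE_THREAD = """<html><body>
<div class="post"><span class="author">seller01</span>
<span class="date">2020-03-02</span>
<div class="body">Fresh combo list, 40k lines, includes corp.example mail users</div></div>
<div class="post"><span class="author">lurker7</span>
<span class="date">2020-03-02</span>
<div class="body">any RDP for sale? pm me</div></div>
<div class="post"><span class="author">seller01</span>
<span class="date">2020-03-03</span>
<div class="body">sample: j.doe@corp.example / hunter2, vpn.corp.example creds too</div></div>
</body></html>"""

# Constructed watchlist: the organisation's own assets plus trade keywords.
WATCHLIST = {
    "domains": ["corp.example"],
    "keywords": ["combo list", "creds", "dump", "rdp", "vpn"],
}

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+\.)+[\w-]+")


class ThreadParser(HTMLParser):
    """Collects (author, date, body) from div.post blocks; tracks nesting
    with a stack so the inner body div does not close the post early."""

    def __init__(self):
        super().__init__()
        self.posts = []
        self._stack = []
        self._post = None
        self._field = None

    def handle_starttag(self, tag, attrs):
        if tag not in ("div", "span"):
            return
        cls = dict(attrs).get("class", "")
        self._stack.append(cls)
        if cls == "post":
            self._post = {"author": "", "date": "", "body": ""}
        elif self._post is not None and cls in self._post:
            self._field = cls

    def handle_endtag(self, tag):
        if tag not in ("div", "span") or not self._stack:
            return
        cls = self._stack.pop()
        if cls == self._field:
            self._field = None
        elif cls == "post" and self._post is not None:
            # collapse whitespace so hashes are stable across re-crawls
            self.posts.append({k: " ".join(v.split()) for k, v in self._post.items()})
            self._post = None

    def handle_data(self, data):
        if self._post is not None and self._field:
            self._post[self._field] += data


def classify(post, watchlist):
    """Match one post against the asset watchlist; returns (hits, keywords, severity)."""
    body = post["body"]
    text = body.lower()
    hits = [f"domain:{d}" for d in watchlist["domains"] if d.lower() in text]
    for m in EMAIL_RE.finditer(body):
        email = m.group(0).lower()
        if any(email.endswith("@" + d.lower()) for d in watchlist["domains"]):
            hits.append(f"email:{email}")
    keywords = [k for k in watchlist["keywords"] if k in text]
    if hits and keywords:
        severity = "high"      # our asset named next to a trade/credential term
    elif hits:
        severity = "medium"    # our asset mentioned, context unclear
    elif keywords:
        severity = "low"       # generic trade chatter, worth trending only
    else:
        severity = "info"
    return hits, keywords, severity


def process_thread(html, source, watchlist=WATCHLIST, seen=None):
    """Parse a crawled thread and emit documents, skipping posts already seen."""
    parser = ThreadParser()
    parser.feed(html)
    docs = []
    for post in parser.posts:
        doc_id = hashlib.sha256(
            "|".join([source, post["author"], post["date"], post["body"]]).encode()
        ).hexdigest()
        if seen is not None:
            if doc_id in seen:
                continue
            seen.add(doc_id)
        hits, keywords, severity = classify(post, watchlist)
        docs.append({"_id": doc_id, "source": source, **post,
                     "hits": hits, "keywords": keywords, "severity": severity})
    return docs


if __name__ == "__main__":
    for doc in process_thread(SAMPLE_THREAD, "constructed-forum.onion/thread/1"):
        print(json.dumps(doc))
```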
6. OpSec? What is that?
What is OpSec?
◎ Actions taken to ensure that information leakage doesn't compromise you or your operations
◎ Derived from US military – Operational Security
◎ PII – Personally Identifiable Information
◎ Not just a process – a mindset
◎ OpSec is Hard
Maintaining OpSec in your lifestyle
◎ Hide your real identity
◎ Use VM/Lab or an isolated system
◎ Use Tor or Tor over VPN always
◎ Change time zones
◎ Never talk about your work
◎ Maintain separate personas
◎ Take extensive notes
◎ Use a password manager
7. Conclusion
What have we discussed so far?
◎ Little about the Dark Web
◎ Dark Web forums/marketplaces
◎ Dark Web threat hunting
◎ Scrapy
◎ HUMINT
◎ Automating the Dark Web hunting
◎ Little about threat intelligence lifecycle
◎ A little about OpSec
I don’t know how to conclude but..
◎ Dark Web threat hunting is hard but worth the effort
◎ Keep OpSec in mind
◎ Look at more than one resource
◎ Takes a lot of resources and team effort
◎ Use the MITRE ATT&CK framework
Resources
◎ Blogs & White papers by Recorded Future
◎ White papers by IntSights
◎ Blogs by Palo Alto’s Unit 42
◎ Blogs by CrowdStrike
◎ Blogs by CloudSEK
◎ White papers by Digital Shadows
◎ Darkweb Cyber Threat Intelligence Mining by Cambridge University Press
Thanks!
Any questions?
You can contact me at:
Twitter: @ASG_Sc0rpi0n
LinkedIn: /in/apurvsinghgautam
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 

Automating Threat Hunting on the Dark Web and other nitty-gritty things

  • 15. Why So Serious (Eh! Important)?
    ◎ Hacker forums, darknet markets, dump shops, etc.
    ◎ Criminals can learn, monetize, trade, and communicate
    ◎ Identification of compromised assets
    ◎ Can potentially identify attacks in earlier stages
    ◎ Direct impacts – PII (Personal Info), financial, EHRs (healthcare records), trade secrets
    ◎ Indirect impacts – reputation, revenue loss, legal penalties
    15
  • 16. Benefits of Threat Hunting
    ◎ Keep up with the latest trends of attacks
    ◎ Prepare SOCs/Incident Responders
    ◎ Get knowledge of TTPs (Tactics, Techniques, Procedures) to be used
    ◎ Reduce damage and risks to the organization
    16
  • 17. 3. Methods to hunt on the Dark Web
    17
  • 18. Tools
    ◎ Python
    ◎ Scrapy
    ◎ Tor
    ◎ OnionScan
    ◎ Privoxy
    ◎ and many more…
    18
    Image Sources: Tor Project, OnionScan, Python, Scrapy, Privoxy
  • 19. How Does Scrapy Work?
    19
    Image Source: Scrapy Docs
  • 20. HUMINT
    ◎ Human Intelligence
    ◎ Most dangerous and difficult form
    ◎ Most valuable source
    ◎ Infiltrating forums, markets, etc.
    ◎ Become one of them
    ◎ How threat actors think
    ◎ Can be very risky
    ◎ Time consuming
    20
    Image Source: Intsights
  • 21. 4. Can dark web hunting be automated?
    21
  • 22. Setting up TH Lab
    ◎ Lab/VM
    ◎ Physical or Cloud
    ◎ Isolate the network
    ◎ Install relevant tools
      ○ Scrapy
      ○ Privoxy
      ○ Tor
      ○ ELK
      ○ Python libraries
    22
    Image Source: Hayden James
  • 25. Let’s talk about TI Lifecycle
    25
    Image Source: Recorded Future
  • 26. Threat Modelling
    ◎ “works to identify, communicate, and understand threats and mitigations within the context of protecting something of value” – OWASP
    ◎ Define critical assets
    ◎ Understand what attackers want
    ◎ Threat actor capability and intent
    ◎ Sources to target
    26
    Image Source: David Bianco
  • 27. Data Collection/Processing
    ◎ Collecting data from clear web
      ○ Pastebin
      ○ Twitter
      ○ Reddit
    ◎ Collecting data from dark web
      ○ Forums
      ○ Markets
    27
    Image Source: Blueliv
  • 28. Data Analysis
    ◎ NLP/ML/DL techniques
    ◎ Social network analysis
    ◎ Classification
    ◎ Clustering
    ◎ MITRE ATT&CK
    28
    Image Sources: DataCamp, MITRE ATT&CK
  • 30. What is OpSec?
    ◎ Actions taken to ensure that information leakage doesn’t compromise you or your operations
    ◎ Derived from US military – Operational Security
    ◎ PII – Personally Identifiable Information
    ◎ Not just a process – a mindset
    ◎ OpSec is Hard
    30
  • 31. Maintaining OpSec in your lifestyle
    ◎ Hide your real identity
    ◎ Use VM/Lab or an isolated system
    ◎ Use Tor or Tor over VPN always
    ◎ Change time zones
    ◎ Never talk about your work
    ◎ Maintain different personas
    ◎ Take extensive notes
    ◎ Use a password manager
    31
  • 33. What we discussed so far?
    ◎ Little about the Dark Web
    ◎ Dark Web forums/marketplaces
    ◎ Dark Web threat hunting
    ◎ Scrapy
    ◎ HUMINT
    ◎ Automating the Dark Web hunting
    ◎ Little about threat intelligence lifecycle
    ◎ A little about OpSec
    33
  • 34. I don’t know how to conclude but..
    ◎ Dark Web threat hunting is hard but worth the effort
    ◎ Keep OpSec in mind
    ◎ Look at more than one resource
    ◎ Takes a lot of resources and team effort
    ◎ Usage of MITRE ATT&CK framework
    34
  • 35. Resources
    ◎ Blogs & White papers by Recorded Future
    ◎ White papers by IntSights
    ◎ Blogs by Palo Alto’s Unit 42
    ◎ Blogs by CrowdStrike
    ◎ Blogs by CloudSEK
    ◎ White papers by Digital Shadows
    ◎ Darkweb Cyber Threat Intelligence Mining by Cambridge University Press
    35
  • 36. Thanks! Any questions?
    You can contact me at:
    Twitter: @ASG_Sc0rpi0n
    LinkedIn: /in/apurvsinghgautam
    36

Editor's Notes

  1. Clear web: sites that are indexed by search engines. Deep web: sites that are not indexed by search engines. Dark web: sites that require special software, configuration or authorization to access.
  2. Tor (The Onion Router) / I2P (Invisible Internet Project). Onion addresses are 16- or 56-character alphanumeric identifier strings. Anonymization through a decentralized system: a 3-layer proxy with a publicly listed entry node, middle relay and exit node (the entry node doesn’t know the exit node). The original data is encrypted in layers – the onion analogy – so the IP address is hidden. Traffic is routed through a series of interconnected volunteer systems called relays (about 6000 relays for Tor).
  3. Dark web is not equal to criminality. Smaller than the clear web if compared from an availability perspective (uptime). Tor browser circumvents surveillance – free expression in some countries: whistleblowing or activism, a safe haven for journalists, access to literature & research. The dark web is many things but not just a vast network of criminals; it is home to many other people who don’t want surveillance on them due to the nature of their work. Legal to access the dark web but illegal to participate in any illicit business.
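The note above describes onion addresses only by their length (16 or 56 characters). When a crawler collects forum and market links, it helps to validate each candidate address before it goes into the seed list, so that typos and junk never reach the proxy. The block below is an added example, not code from the talk: it checks the base32 alphabet, treats 16-character labels as legacy v2 names (which carry no checksum), and for 56-character v3 names decodes the public key, checksum and version byte and recomputes the SHA3-256 checksum that the Tor v3 address format defines. The `make_v3_onion` helper exists only to construct test addresses from a made-up key; the sample URLs are constructed, not real sites.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Tor v3 onion address layout, 35 bytes before base32 encoding:
#   ed25519 pubkey (32) || checksum (2) || version (1, value 0x03)
# checksum = SHA3-256(".onion checksum" || pubkey || version)[:2]
ONION_V3_VERSION = 3
_B32_LABEL = re.compile(r"^[a-z2-7]+$")


def _v3_checksum(pubkey: bytes) -> bytes:
    h = hashlib.sha3_256()
    h.update(b".onion checksum")
    h.update(pubkey)
    h.update(bytes([ONION_V3_VERSION]))
    return h.digest()[:2]


def make_v3_onion(pubkey: bytes) -> str:
    """Encode a 32-byte key as a v3 address. Used here only to construct sample data."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _v3_checksum(pubkey) + bytes([ONION_V3_VERSION])
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(hostname: str) -> str:
    """Return 'v2', 'v3' or 'invalid' for a candidate .onion hostname."""
    host = hostname.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        return "invalid"
    # Only the rightmost label carries the identifier (sub.example.onion -> example)
    label = host[: -len(".onion")].rsplit(".", 1)[-1]
    if not _B32_LABEL.match(label):
        return "invalid"
    if len(label) == 16:
        return "v2"  # legacy format: truncated key hash, nothing to verify offline
    if len(label) != 56:
        return "invalid"
    try:
        raw = base64.b32decode(label.upper())  # 56 chars * 5 bits = 35 bytes, no padding
    except ValueError:
        return "invalid"
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != ONION_V3_VERSION or checksum != _v3_checksum(pubkey):
        return "invalid"
    return "v3"


def filter_seed_links(urls):
    """Split collected URLs into (kept, dropped) by whether the host is a well-formed .onion name."""
    kept, dropped = [], []
    for url in urls:
        host = urlsplit(url).hostname or ""
        (kept if classify_onion(host) in ("v2", "v3") else dropped).append(url)
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample inputs: a v3 address built from a dummy key, a clear-web URL, a v2-shaped name.
    sample = ["http://" + make_v3_onion(b"\x02" * 32) + "/forum/",
              "https://example.com/", "http://abcdefghijklmnop.onion/"]
    print(filter_seed_links(sample))
```

The checksum step matters more than it looks: a single mistyped character in a 56-character address is otherwise undetectable, and a crawler that happily requests it just burns circuits and fills logs with noise.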
  4. Choose your target Threat Modelling
  5. Recent news: 500,000 Zoom accounts sold on the dark web; 267 million FB user profiles for $540; and many others.
  6. Logs, IOCs, textual data, etc. Nothing concrete about this process: you take one use case and work on that, then another, and it goes on and on. Choose your target sources – useful for your organization. Threat Modelling.
  7. Learn – criminals learn new methods and techniques. Monetize – monetize their skills. Trade – trade their exploits/tools, drugs, weapons. Communicate – communicate with other criminals. You can learn a lot by engaging with these communities; the intelligence from the dark web isn’t available anywhere else. Identify attackers, vulnerability prioritization in planning and recon stages. Takes a lot of time, but if done properly, it can even identify attacks in the planning and recon stages.
  8. Brand protection New TTPs Identifying insider threats Discover data breaches
  9. Scrapy – web-crawling framework with multithreading capability. OnionScan – open source tool for investigating the Dark Web: scanning different onion sites for vulnerabilities, correlations between sites, etc. SOCKS (Socket Secure) – uses the SOCKS protocol; can’t read the data. HTTP proxy vs. SOCKS proxy – SOCKS is a lower-level proxy. Different ways of using a SOCKS proxy – tsocks, polipo, Privoxy, etc. Privoxy – web proxy; Scrapy cannot use a SOCKS proxy, so route through Privoxy (Tor with SOCKS – a layer of protection). To hide using Tor from your ISP, use VPN + SOCKS for extra protection – hide your activity and get really safe access; you can’t trust entry and exit nodes. Scrapy Splash library – for JavaScript. Torch, Onion Wiki, search engines like Kilos, Recon.
  10. The Scrapy data flow:
      1. The Engine gets the initial Requests to crawl from the Spider.
      2. The Engine schedules the Requests in the Scheduler and asks for the next Requests to crawl.
      3. The Scheduler returns the next Requests to the Engine.
      4. The Engine sends the Requests to the Downloader, passing through the Downloader Middlewares.
      5. Once the page finishes downloading, the Downloader generates a Response (with that page) and sends it to the Engine, passing through the Downloader Middlewares.
      6. The Engine receives the Response from the Downloader and sends it to the Spider for processing, passing through the Spider Middleware.
      7. The Spider processes the Response and returns scraped items and new Requests (to follow) to the Engine, passing through the Spider Middleware.
      8. The Engine sends processed items to Item Pipelines, then sends processed Requests to the Scheduler and asks for possible next Requests to crawl.
      9. The process repeats (from step 1) until there are no more requests from the Scheduler.
      Middlewares – ProxyMiddleware (relaying through Privoxy and Tor), LoginMiddleware (using user_agent, cookies/bypassing captchas, checking login). Captcha-solving websites – deathbycaptcha, anticaptcha, etc.
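Notes 9 and 10 together describe the piece that keeps the crawler inside Tor: a downloader middleware that points every request at Privoxy, which forwards to Tor's SOCKS port. The block below is an added example written for this page, not the talk's own ProxyMiddleware. It assumes Privoxy is listening on its default 127.0.0.1:8118 and that Scrapy's built-in HttpProxyMiddleware will honour `request.meta["proxy"]`, which is the documented way to set a per-request proxy. To keep it runnable without Scrapy installed, it uses tiny stand-ins for `scrapy.Request` and `scrapy.exceptions.IgnoreRequest` with the same shape; drop those two classes and import the real ones when wiring it into a project. The design point is that it fails closed: a clear-web link picked up from a forum page, or a request that some other component tried to route elsewhere, is dropped rather than fetched outside the circuit, and every drop is recorded for review.

```python
import json
from urllib.parse import urlsplit

# Assumptions for the lab (not from the slides): Privoxy on its default port,
# configured with forward-socks5 to Tor, so Scrapy only ever needs an HTTP proxy.
PRIVOXY_HTTP_PROXY = "http://127.0.0.1:8118"
DARKNET_SUFFIXES = (".onion",)   # Tor reaches .onion only; I2P would need its own proxy chain


class Request:
    """Minimal stand-in for scrapy.Request so the middleware runs without Scrapy installed."""
    def __init__(self, url, meta=None):
        self.url = url
        self.meta = dict(meta or {})


class IgnoreRequest(Exception):
    """Stand-in for scrapy.exceptions.IgnoreRequest: drop the request, never fetch it."""


class TorProxyMiddleware:
    """Downloader middleware: each request goes via Privoxy -> Tor, or it does not go at all.

    Scrapy calls process_request(request, spider) for every outgoing request; returning
    None continues the chain with request.meta["proxy"] set for HttpProxyMiddleware.
    """

    def __init__(self, proxy_url=PRIVOXY_HTTP_PROXY, suffixes=DARKNET_SUFFIXES):
        self.proxy_url = proxy_url
        self.suffixes = suffixes
        self.dropped = []   # audit trail of (url, reason) for refused requests

    def process_request(self, request, spider=None):
        host = (urlsplit(request.url).hostname or "").lower()
        if not host.endswith(self.suffixes):
            # Fail closed: a clear-web link scraped from a forum must never leave the circuit.
            self.dropped.append((request.url, "non-darknet host"))
            raise IgnoreRequest(f"refusing non-darknet host {host!r}")
        current = request.meta.get("proxy")
        if current not in (None, self.proxy_url):
            # Something upstream picked a different proxy: refuse instead of silently overriding.
            self.dropped.append((request.url, "foreign proxy"))
            raise IgnoreRequest(f"request carries unexpected proxy {current!r}")
        request.meta["proxy"] = self.proxy_url
        return None


def route(middleware, url, meta=None):
    """Push one request through the middleware; return the proxy it was pinned to, or None if dropped."""
    req = Request(url, meta)
    try:
        middleware.process_request(req)
    except IgnoreRequest:
        return None
    return req.meta["proxy"]


def circuit_is_tor(check_response_body: str) -> bool:
    """Parse the JSON body returned by https://check.torproject.org/api/ip ({"IsTor": bool, "IP": str}).
    Fetch it through the same proxy before the crawl starts; if this returns False, do not crawl."""
    try:
        return bool(json.loads(check_response_body).get("IsTor", False))
    except ValueError:
        return False


if __name__ == "__main__":
    mw = TorProxyMiddleware()
    # Constructed URLs: the .onion name is a placeholder, not a real site.
    print(route(mw, "http://abcdefghijklmnop.onion/forum/index.php"))  # http://127.0.0.1:8118
    print(route(mw, "https://example.com/"))                           # None, dropped
    print(mw.dropped)
    # Constructed sample body; in a real run it comes from fetching the check URL via the proxy.
    print(circuit_is_tor('{"IsTor": true, "IP": "203.0.113.7"}'))      # True
```

Running the `circuit_is_tor` check as the first request of every session, and aborting the crawl when it fails, is the cheap way to catch a Tor or Privoxy service that quietly died between lab sessions.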
  11. Process of gathering intelligence through interpersonal contact and engagement, rather than by technical processes. As attacks are human-driven, anticipating, identifying and responding to attacks requires human skill and effort. In The Art of War, Chinese military strategist Sun Tzu wrote: “To know your Enemy, you must become your Enemy.” Understanding the motives and tendencies behind your adversaries is a key to any type of warfare, including cyber warfare. It’s the high-tech equivalent of what an undercover FBI agent does when he or she spends months or years working to infiltrate a criminal organization. Using HUMINT to bolster Threat Hunting – post-attack investigation, new attack vector discovery, etc.
  12. Dark web links – collect forum/DNM links. SOCKS proxies – run a SOCKS proxy script to collect several SOCKS proxies to route Tor through them. Different crawlers for different forums. Scrapy setup – set up login for each forum, set up several settings including headers, cookies, ignored links, captcha bypass, etc. Talk about captcha bypass (captcha-solving services like deathbycaptcha, anticaptcha, etc.). Crawler – crawls HTML pages of the forums. Parser – parses HTML pages (taking only relevant text from the HTML) – post_id, post_content, post_author, author_status, reputation, item_price, etc. Analyzer – uses NLP techniques to evaluate the content that is relevant to the threat model and stores it in the ES database. Design/train NLP model – design and train an NLP model on the content that is relevant to your threat model and apply it to new data. Chicken-and-egg problem (data gathering vs. training on data). Many unsupervised learning models – LDA, seeded LDA, etc.
  13. Direction – identify dark web forums, acquire access. Collection – establish anonymous access, collect raw data. Processing – parse raw HTML data, machine translation, extract topics and authors. Analysis – infer relationships, link data sources, identify trends, hacks and leaks. Dissemination – visualization in dashboards, alerts and reports.
  14. Critical assets – databases holding customer data, payment processing systems, employee access systems, trading platforms or exchanges, or Enterprise Resource Planning (ERP) applications. Threat actor capability & intent – define types of actors like hacktivists, insiders, criminal groups, etc. and know their capability. Consider why an attacker would want to target your organization: what do they hope to gain? What are their goals? Choose your target on the dark web – which site do you want to go for: credit card markets, insider threat markets, general markets, etc. Prioritize risks – use the pyramid of pain for that (IOCs). Choose on the clear web – sites like Pastebin, Twitter, etc.
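Note 12 splits the pipeline into crawler, parser and analyzer, and names the fields the parser should keep (post_id, post_content, post_author, reputation, item_price). The block below is an added example that implements the parser and a minimal analyzer over a constructed forum page; it is not the talk's code and the markup layout (`div.post`, `span.author`, `span.rep`, `div.content`), the threat-model keyword lists, and the watched organization name "AcmeBank" are all assumptions made up for the example. Real forums each need their own selectors, which is the reason the note calls for a different crawler per forum. The analyzer is keyword scoring rather than the LDA or BERT models the deck mentions; it stands in for the "is this post relevant to my threat model" step so that the end-to-end flow from HTML to ranked findings can be run offline.

```python
import re
from html.parser import HTMLParser

# Constructed sample thread page (not real data), in the layout the parser expects.
SAMPLE_HTML = """
<div class="post" id="p101">
  <span class="author">card_vendor</span> <span class="rep">rep: 42</span>
  <div class="content">Fresh <b>fullz</b> with cvv, price $20 each, bulk discount.</div>
</div>
<div class="post" id="p102">
  <span class="author">access_broker</span> <span class="rep">rep: -3</span>
  <div class="content">RDP access to an AcmeBank workstation, $1,500 OBO.</div>
</div>
<div class="post" id="p103">
  <span class="author">newbie</span> <span class="rep">rep: 0</span>
  <div class="content">Anyone know a good guide on running a node? Paying $5 for tips.</div>
</div>
"""
PRICE_RE = re.compile(r"\$\s?(\d[\d,]*(?:\.\d+)?)")


class ForumPostParser(HTMLParser):
    """Extract post_id, post_author, reputation, post_content, item_price from each div.post."""

    def __init__(self):
        super().__init__()
        self.posts = []
        self._post = None        # post currently being assembled
        self._div_depth = 0      # <div> nesting inside the current post
        self._field = None       # field the current text belongs to
        self._field_tag = None   # tag that opened the field; only its own close ends it

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        cls = a.get("class") or ""
        if tag == "div" and cls == "post":
            self._post = {"post_id": a.get("id"), "post_author": "", "reputation": None,
                          "post_content": "", "item_price": None}
            self._div_depth = 1
            return
        if self._post is None:
            return
        if tag == "div":
            self._div_depth += 1
        if cls in ("author", "rep", "content") and self._field is None:
            self._field, self._field_tag = cls, tag

    def handle_endtag(self, tag):
        if self._post is None:
            return
        if self._field is not None and tag == self._field_tag:
            self._field = self._field_tag = None
        if tag == "div":
            self._div_depth -= 1
            if self._div_depth == 0:   # closing </div> of the post itself
                self._finish_post()

    def handle_data(self, data):
        if self._post is None or self._field is None:
            return
        text = " ".join(data.split())   # collapse the whitespace pretty-printed HTML carries
        if not text:
            return
        if self._field == "author":
            self._post["post_author"] += text
        elif self._field == "rep":
            m = re.search(r"-?\d+", text)
            if m:
                self._post["reputation"] = int(m.group())
        elif self._field == "content":
            self._post["post_content"] += (" " if self._post["post_content"] else "") + text

    def _finish_post(self):
        m = PRICE_RE.search(self._post["post_content"])
        if m:
            self._post["item_price"] = float(m.group(1).replace(",", ""))
        self.posts.append(self._post)
        self._post = None


THREAT_MODEL = {   # category -> indicator terms; constructed, tune to your own threat model
    "credit cards": ("fullz", "cvv", "dumps"),
    "remote access": ("rdp", "vpn access", "webshell"),
    "insider threats": ("insider", "employee"),
}
WATCH_TERMS = ("acmebank",)   # hypothetical organization name from the threat model


def parse_posts(html):
    p = ForumPostParser()
    p.feed(html)
    p.close()
    return p.posts


def analyze(posts, threat_model=THREAT_MODEL, watch_terms=WATCH_TERMS):
    """Keep posts matching a category or a watched asset; rank asset hits first, then by price."""
    findings = []
    for post in posts:
        text = post["post_content"].lower()
        cats = [c for c, terms in threat_model.items() if any(t in text for t in terms)]
        hits = [w for w in watch_terms if w in text]
        if cats or hits:
            findings.append({"post_id": post["post_id"], "categories": cats, "asset_hits": hits,
                             "item_price": post["item_price"], "post_author": post["post_author"],
                             "reputation": post["reputation"]})
    findings.sort(key=lambda f: (bool(f["asset_hits"]), f["item_price"] or 0), reverse=True)
    return findings


if __name__ == "__main__":
    for f in analyze(parse_posts(SAMPLE_HTML)):
        print(f)
```

Keeping the parser and the analyzer separate is what lets the stored raw HTML be re-parsed later when a new field (say, a vendor's PGP key or a thread timestamp) turns out to matter; the analyzer then gets retrained or re-keyed without recrawling.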
  15. Crawler and Parser
  16. NLP techniques – LDA, BERT, GPT, GPT-2, GPT-3. Social network analysis – analysis of the users. Classification – binary or multi-class classification. Clustering – clustering of products according to categories. Services provided by different companies, or code your system from the ground up. MITRE ATT&CK – knowledge base of adversary tactics and techniques (TTPs) based on real-world observations. Use the ATT&CK matrix to map the intelligence you obtained to better understand the TTPs.
  17. The practice of hiding yourself online by disassociating your online persona from your real self. We are all humans: we desire to be seen as knowledgeable and to impress others, which leads to gossip, bragging, and oversharing. PII – personal information that can identify you – full name, SSN, driver’s license, bank account, email, passport number, etc.
  18. You have to do OpSec from the beginning/proactively because you can’t do OpSec “retroactively”. Never store any personal information on the VM or the system you are accessing the dark web from. Clean/wipe all the data before leaving the system and start fresh the next day. Watch what you say, to whom and where. Think before you post. Have a different persona on different sites; don’t mix them. Have a back story for each persona. Take notes so you don’t mess up the personas. It’s a 24x7 thing to do and not just during your job hours: you can’t work 9-5 as that would be a tip-off that you are not a threat actor. Develop appropriate language skills and slang skills.
  19. You don’t get the intelligence from anywhere else Look at more forums