Tuesday, 1 March 2016

Peeling Back the Onion Part 1: Mapping the #DarkWeb


Guest Blogger: Stuart Peck Pre-Sales Manager at ZeroDayLab Ltd
The Dark Web is no longer a place for criminals and cyber criminals to hide, with the launch of the first dark web map powered by a ZeroDayLab key partner, and threat intelligence service Intelliagg.

The dark web is officially defined as 'websites that cannot be accessed or reached without the use of specialised software', the most widely-used and common of which is the TOR browser (The Onion Router).

The core principle of Tor, 'onion routing', was developed in the mid-1990s by the US Naval Research Lab with the purpose of protecting U.S. Intelligence communications online. In 2006, the TOR project was founded and made free for all to use. This initially led to a rise in use by journalists to protect their identity in countries without freedom of speech, then a rise in whistle-blower sites such as Wikileaks.

However the privacy benefits of TOR have led to a unchecked rise in illegal activities, where criminals use Tor to create and run hidden online marketplaces from child pornography to drugs, leaked data, credit cards, fake documentation and weapons; all can be purchased using normal currency or Bitcoins.


Finally the growth of TOR usage is from Cyber Criminals and Hackers, where leaked data, zeroday vulnerabilities/malware are traded on private marketplaces or through brokers for huge profits.

What I have noticed through own research conducted at ZeroDayLab, is that over the past couple of years there has been a huge rise in Malware-as-a-Service/Crime-as-a-Service marketplaces, leading to a rise in attacks such as Ransomware, where now the technical barrier to entry is all but removed for criminals to enter the Cyber Crime Market.


ZeroDayLab's partner Intelliagg, released today a whitepaper on the Dark Web, which over a sample period monitored over 30,000 top level sites or .onion (Hidden Services).

Through compiling the hidden service address list from different sources, such as spidering, private link lists and monitoring the Tor network itself, Intelliagg interrogated hidden services over port 80 and 443 using a mixture of human and machine-learning information gathering techniques.

Key findings from the research include:

  • 46% of the 30,000 hidden services analysed were active at the time of the assessment (the other 54% of sites could be attributed to C2 servers, or other temporary uses such as onion shares, ricochet chat)
  • 76% of the sites were in English, unsurprisingly Chinese and German as second and third languages
  • 48% of the sites were classified as illegal 
  • Via manual classification of over 1,000 sites, it was deemed 68% of the content was illegal according to US and UK law.
  • File sharing (29%), leaked data (28%), and financial fraud (12%), were the top classification of hidden marketplaces. Surprisingly hacking only made up 3% of the sites interrogated .
  • Interestingly, 39% of sites interrogated were unlinked, meaning they were extremely difficult to find. 

In addition to the research conducted, Intelliagg has provided a interactive map, found here which I highly recommend viewing and exploring the vast ,and now visible dark web (30,000-odd sites at least).

But this brings me to my previous point, why is this map so important? Until recently it had been difficult to understand the relationships between hidden services and more importantly the classification of these sites.

As a security researcher, understanding hidden services such as private chat forums and closed sites,  and how these are used to plan and discuss potential campaigns such as DDoS, ransom attacks, kidnapping, hacking, and trading of vulnerabilities and leaked data; is key to protecting our clients through proactive threat intelligence.

Mapping these sites back to Threat Actors (groups), is even more crucial as this helps us build a database on the Capability, Infrastructure, and Motivations of the adversary.

The more we understand about the dark web, and the criminals that use TOR and hidden services to publish and trade threats, the more we as a community can flush out the undesirable services and market places, making what made TOR great in the first place, protecting privacy for good, not evil.

No comments:

Post a comment