The New (Inverted) Everest of Cybercrime

Gert Frobe as Auric Goldfinger in “Goldfinger”

Auric Goldfinger, the classic Bond villain, once complained, “Man has climbed Mount Everest, split the atom. Achieved miracles in every field of human endeavor… except crime!” If only he could see today’s “Dark Web.” It’s a veritable Everest of cybercrime, albeit an inverted one.

Well, at the very least, it’s the great cybercrime e-shopping experience of our era. John Shier, Senior Security Advisor at Sophos, offered me some insights into the Dark Web at Black Hat 2018. It was a topic worth exploring, in his view, because defenders need to understand how their attackers are actually functioning.

Misconceptions about hackers can distort our thinking. It’s tempting to think of every hacker as some sort of evil genius who fiendishly plots his or her way into your network. The more likely scenario, per Shier, is that the hacker bought access to your environment on an open market on the Dark Web.

The Dark Web is a massive bazaar for a range of illegal items and services, including drugs and weapons as well as a huge variety of cybercrime “products.” “You can buy user credentials for servers,” Shier shared. Or, for example, it’s possible to buy “Ransomware as a service” on the dark web. In this scenario, the hacker gets free software and tools to conduct ransomware attacks, but gives the Dark Web seller a cut of the ill-gotten gains.

The Dark Web’s cyber aisles also contain ready-made threats, malware kits and “spam services.” “You can see offers to target hundreds of thousands or even millions of email addresses for your scam or phishing attack, with guaranteed inbox reach,” said Shier.

The Dark Web explains some of the scale and pervasiveness of cybercrime. It leverages the talents of malware writers and others into a much larger phenomenon. It allows less-able attackers to buy what they need instead of making their own attack tools.

Knowing how the Dark Web works also informs assessments of cyber incidents. “We often see attacks where nothing seems to have happened,” Shier said. “The attackers enter your network and then go away. Is that bad or good? Well, if you understand that the initial break-in was for the purpose of stealing—and then selling—your credentials, you will hopefully be prepared for the real attack that’s on its way.”

John Shier of Sophos

What can you do about the Dark Web? Law enforcement is on the job, but in the meantime, and it may be a very long meantime, it’s critical to be rigorous on patching and security basics. Also, as Shier noted, you can get solutions that isolate potential attack vectors from excessive, risky access.

As an example, Shier used the case of an HR department that receives and stores thousands of resume files. With Microsoft Office documents now commonly used to execute attacks, a resume repository could be full of malware. “Why not use a single, quarantined VM to handle inbound resumes,” Shier suggested. “That’s more secure than letting all the documents stay in an open-access network volume or on a work PC.” Sophos offers tools to implement these types of controls.