Three tactics for security providers in the age of Dark Web collaboration

April 13, 2022
Public-private partnerships must continue to bolster their relationships and act on Dark Web insights

Prior to the Russian invasion of Ukraine, recent developments revealed that the U.S. Department of Justice had been collaborating with the Russian government to track down cybercriminals and ransomware operators who previously found a relatively safe haven in Eastern-European countries. The U.S. Cyber Command – the military’s hacking unit – had also taken offensive action to target criminal gangs that hold the computer systems of U.S. businesses hostage.

Following the REvil ransomware group takedown, evidence suggests that cybercriminals remain concerned about law enforcement departments cracking down on them in light of joint international efforts. In Dark Web conversations monitored by Trustwave SpiderLabs, cybercriminals have been discussing secret negotiations on cybercrime between the Russian Federation and the U.S., lamenting that they “don’t know everything” about the offensives being staged against them. The status of this collaboration post-war is in flux.

A Deeper Look: The Structure of the Dark Web

Surprisingly, the Dark Web is structured much like the corporate world. Criminal “start-ups” compete and collaborate, and big-name players seek to unite criminal interests across Europe, Africa, Asia and the Americas under centralized leadership. The Dark Web even engages in a pseudo court system wherein players are held accountable for offenses within the world of cybercrime itself.

Every organization with an online presence inherently has an attack surface vulnerable to cybercrime, and different industries have different susceptibilities, with manufacturing, critical infrastructure, finance and healthcare especially exposed. Organizations need a trusted partner to help with real-time threat monitoring, not only to help protect against increasingly common ransomware attacks but also to protect against threats that target their individual network. This line of defense should involve Dark Web monitoring, ransomware response plans and penetration testing, among other, more individualized approaches for each organization.

Today, security providers can utilize the Dark Web chat forums to gain valuable threat intelligence on the latest sophisticated attack methods and cybercriminal plans. Through this, organizations can also derive valuable insight. There may even be potential to use the pseudo court system against key cybercriminals once more is understood about this system.

While industries and governments work together to unveil Tor Browser and larger Dark Web structures and keep up with bad actors, the following are three examples of what to look for in a reputable third-party provider to help prevent your company’s data from getting ensnared in malicious activity on the Dark Web:

Maintaining Awareness and Gathering Intel

Providers must continually make an active effort to learn about what cybercriminals do, consistently tracking trends and activity on the Dark Web — and off of it, on the Open Web. Effective cybersecurity vendors should monitor information across the board, including company domain names, email addresses, facility references and the names and information of executives. By keeping tabs on this information, providers can note best practices for automation where applicable.

Dark Web users must be vetted and trusted among other forum members, so an effective provider will know how to navigate Tor Browser, how to utilize forums and how not to appear suspicious as a user (i.e. reading posts but not making posts).

Going Past the Basics of Antivirus Protection

Reputable vendors should also work closely with in-house cyber teams to ensure that there are systems in place to test security through social engineering, which can expose weak links down to the employee level. Providers must create tools to detect exploits and block attacks where they start, going beyond the firewall and past the basics of antivirus protection. By routinely testing environments according to current trends in cybercrime and in anticipation of future trends, providers will be able to hone their understanding of weaknesses within individual organizations.

This testing takes the shape of the approaches of bad actors themselves: a simulated attack executed on your computer systems or on-premise security posture, called a pen test, can hunt for and uncover vulnerabilities. These simulated attack methods can help to identify weak spots in security posture before an organization’s adversaries do. This provides intel on how to block access to phishing domains, preventing unintended compromises from happening in areas where organizations might be particularly susceptible.

Sharing Their Findings

To keep businesses more informed, reputable providers should share intelligence through advisories, strengthening the whole security community. A successful breach or discovered vulnerability mandates responsible disclosure. This process should begin with private outreach to the vendor associated with the compromised attack surface. Third-party vendors must work closely with their partner organization to help identify the nature of the security shortfall.

The organization and the security provider will then work together to develop a patch for the gap in protection. After its implementation, the security provider should be called upon to re-test the security gap and offer insights about the efficacy of the patch. This process may be repeated to ensure proper protection.

As a final step, security providers should publicly post findings of newly discovered malware, ransomware, or other attacks to substantiate the strength of the broader network of preventative efforts. Collaboration across organizations and industries is key to combating cyberattacks and spreading awareness of the latest patch updates needed.

These internationally operated malicious schemes require internationally operated action plans. Governments and law enforcement officials, in conjunction with private sector organizations, must also continue to bolster their relationships and act on Dark Web insights. These groups amplify the guidance shared by security experts and take actions to create counter-response strategies to Dark Web activity. As long as the tactics of security providers are adaptable, reliable and forward-thinking, the growing cybersecurity coalition between the U.S. and Russia lays a formidable foundation. Providers have the power not only to continue to effect change on the level of discrete organizations but also on a global scale.

About the author:

Ziv Mador is the VP of Security Research at Trustwave SpiderLabs. Ziv manages the global security research team at Trustwave, covering research areas such as vulnerability assessment and scanning, analysis of attacks against Web servers and Web clients, malware reverse engineering, IDS/IPS research, SIEM correlation and reporting, spam and phishing research, threat intelligence and database security research. Ziv is a primary spokesperson for the company on aspects related to malware and cybercrime.
