Darknet: Cyberattackers marketplace

Picture: https://owlysec.com/cybercrime

With cyberattacks increasingly threatening businesses through ransomware attacks and data theft, executives need new tools, techniques, and approaches to protect their organisations.

Unfortunately, criminal innovation often outpaces their defensive efforts.

Wide-scale cyberattacks are becoming more common, too.

Cyberattackers always seem to be one or two steps ahead of the defenders. Are they more technically adept, or do they have a magical recipe for innovation that enables them to move more quickly?

If, as is commonly believed, hackers operated mainly as isolated individuals, they would need to be incredibly skilled and fast to create hacks at the frequency we’ve seen.

However, from research in darknet marketplaces, reports on cyberattacks, and cybersecurity professionals’ feedback and opinions, it can be concluded that the prevalence of the “fringe hacker” is a misconception and a deception itself!

Applying business models to cybercrime reveals that dark web marketplaces typically serve what academics call a value system.

That system includes a comprehensive cyberattack supply chain, which enables hackers and brokers to customise and sell the products and services needed to mount cyberattacks at scale.

Understanding how it works provides new, more effective avenues for combating cyberattacks on companies, organisations, and even nation states.

The darknet hosts various cyberattack-as-a-service (CAaaS) marketplaces and forums that cater to a criminal ilk of technologists and businesspeople.

Organised crime syndicates, hacktivists or even nation-state-sponsored groups buy these services and combine them to orchestrate attacks.

The reason I’ve specifically mentioned these groups is that large amounts of financing are required initially, so this generally rules out most lone or fringe hackers.

Artificial intelligence (AI) has been harnessed to create even more powerful CAaaS darknet offerings.

With the help of AI, personal information collected from Twitter, Facebook, and other social media sites can be used to automatically generate phishing emails and posts with open rates as high as 80 per cent!

The emergence of CAaaS marketplaces is a game-changing development that drastically reduces barriers and challenges in cybercrime: Hackers and darknet brokers don’t need to perform cyberattacks to realise financial benefits from their innovations, and their customers don’t need to be hackers to mount cyberattacks.

The “as a service” model distances developers from the cyberattacks enabled by their products and services as they don’t need to be directly involved in the specific cyberattack.

It helps them evade the grasp of authorities, as well, because many services in CAaaS marketplaces are not fundamentally illegal.

The services offered are not randomly chosen but, rather, purposefully designed, innovative responses to business opportunities — sometimes with the help of cutting-edge technologies.

Thus, we see cybercrime evolving from a nefarious hobby into a business ecosystem and value chain with a global scope.

No wonder it is difficult, if not impossible, for the cyber defence community to keep up.

The service providers use several different pricing models.

In many cases, their offerings are available for a one-time fee for unlimited use. For example, recently, a Microsoft Office zero-day exploit was priced at $35,000 in Bitcoin in a darknet market.

Today’s cyberattacks are more often the work of organised crime business people or nation-state-sponsored groups using proven business models within a well-defined ecosystem governed by the dictates of supply and demand.

This CAaaS ecosystem makes mounting targeted, scalable cyberattacks quicker, cheaper, and more difficult to stop. But understanding all that helps organisations refocus on how to combat cyberattacks.

Some ideas I would suggest:

1. Expand the focus of cyber-threat intelligence:

Many cyber-threat intelligence services collect data from enterprise IT environments to detect potential cyber threats. There is some investigation of the darknet, but it is usually limited to harvesting threat information and alerting potential targets. The emergence of new services on the darknet can alert defenders and potential targets to the kinds of attacks that may be brewing.

2. Pursue a good offense as the best defense:

Cyber strategy in most organisations is still mainly reactive. Companies defend themselves after cyberattacks have been launched. A value-chain-based view of attacks enables a more proactive strategy: We can switch to playing offence by disrupting the CAaaS ecosystem. For example, defenders can flood the cyberattack ecosystem with deceptive services, making the dark web less attractive for cybercriminals seeking to purchase services. Another offensive strategy is to disrupt select services that are frequently used to create attack vectors, thereby making it difficult and risky to orchestrate an attack. For example, by monitoring and infiltrating botnet services as they did with Emotet, law enforcement agencies can anticipate and prevent attacks that use them. Likewise, infiltrating cryptocurrency-based money-laundering services could deter attackers by making it difficult for them to access their illegal gains.

3. Create a cyber-defence service value chain:

If cybercriminals can create a value chain that makes it easier and more profitable to launch attacks, why can’t we build a defensive value chain? Cyber defence cannot be relegated to law enforcement agencies alone. Instead, it requires an ecosystem aimed at combating cybercrime that includes many actors – cybersecurity experts, corporations, software and hardware providers, infrastructure operators, financial systems, and governments — working together. Ideally, we should see governments supporting the creation of a defensive value chain with policies and regulations.

Infrastructure operators, such as telcos and internet service providers, would use their advantaged monitoring position to disrupt the delivery of cyberattacks. Financial institutions would act to block the monetary activities of cybercriminals, including their money-laundering networks and cryptocurrency monetisation activities.

Granted, bringing together such disparate parties with so many interests is an enormous task, and it’s not entirely clear how it should be approached. One possibility is to better align the capabilities needed to combat cybercrime with financial incentives to act. For Fiji and the region this is already being started through financial assistance provided by Australia, New Zealand and other donor agencies, but more tangible results have to be seen at ground level.

No matter how it is accomplished, however, collecting defence services into a value chain would likely motivate more service providers to create and sell as-a-service cyber-defence offerings, expanding the menu of activities that could be assembled by defenders to thwart attacks. Fighting fire with fire would be far more effective than today’s splintered reactive efforts.

4. Approach defence as a business problem first, not a technology problem:

When business leaders ask, “How can we prepare for unknown cyberattacks?”, they often assume that attackers are using new and perhaps unknown technologies. Although this is sometimes true, frequently the attackers and defenders use the same technologies. A top 10 list of cyberattack vectors has not changed much in the past 10 years; only the ranking has changed, along with the sophistication that comes with the use of AI and the fact that more business processes are now fully digital. Today’s cyberattacks are often orchestrated by clever business people who target organisations with something of value to steal or disrupt. So they should be treated like other business threats.

Risk management tools and techniques can usually help identify vulnerabilities that attackers may prey upon, and enable potential targets to anticipate next moves. Protecting the business and detecting, responding to, and recovering from attacks is not solely the responsibility of technology experts or the IT department.

As cyberattacks are becoming more frequent, dynamic, and damaging, it is clear that the current defensive mindset is not adequate to stem the tide.

We need to shift our view of cyberattacks and cybercrime from that of a chaotic, random set of events to that of a structured, often predictable set of business engagements and processes.

Understanding most cybercrime as an orchestration of services available on the dark web offers new insights into potential threats and effective ways of fighting them.

Heeding once again sage advice from Sun Tzu: “Thus, what is of supreme importance in war is to attack the enemy’s strategy.”

Have a blessed weekend, stay safe and well in both digital and physical worlds.


  • Ilaitia B. Tuisawau is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com
