On the dark web, threat actors actively plan crimes, discussing targets and tactics and pooling resources to carry out attacks. To understand these activities and prepare an organization for them, threat hunters must also show up in these underground environments. The idea of engaging with threat actors in the cybercriminal underground can raise stress and anxiety levels for any white hat defender. Questions arise, such as ‘How can I safely access the deep and dark web?’ and ‘How can I gain a threat actor’s trust?’
Navigating the underground requires dedication to creating and managing a dark web persona – or multiple personas – and setting up a safe and secure environment to ensure one does not expose oneself to malicious actors. Below I’ve outlined the necessary steps, including how to set up a secure environment (i.e., dirty machine) using Tails, how to find sources in the dark web, best practices when creating your first persona, how to communicate with threat actors, and of course, how to seek out threats once you gain access to the sources where threat actors plan, play, and profit.
To learn more, you can also watch my recent webinar Diving into the Underground: Persona Management and Threat Actor Engagement.
Let’s take a look.
What is the Underground?
People most often associate the cybercriminal underground with the dark web, defined as any site not indexed by search engines that requires specific software, such as the Tor Browser, to reach its .onion addresses. But threat actors aren’t just hiding out in the dark web – they’re also on clear websites like Reddit and X (formerly Twitter), in messaging channels like Telegram and Discord, and on deep websites such as invite-only forums and open and closed markets. In essence, cybercriminals are everywhere. Anyone approaching this type of investigative work must do so with caution, particularly when clicking on links. There are two important points to remember:
Don’t become a perpetrator – take precautions (outlined below) when engaging with a threat actor
You can easily click on a nefarious link and become a victim - and if you’re doing this work on a corporate computer, you can risk infecting the entire organization
Here are the steps to follow:
Set up the environment — You can set up a secure environment, isolated from all of your corporate and personal devices and data, using Tails, a lightweight live OS that wipes itself clean after every session. (NOTE: Tails gives you the option to set up persistent storage, which I DO NOT recommend. See my webinar for more details.) You can also set up virtual machines to create an isolated environment — however, Tails is a super simple option. You can also use the Tor Browser to browse anonymously and reach .onion sites.
Finding sources – This is a challenging step because of the sheer number of underground sources. You want to find the clear, deep, and dark web sources where threat actors are the most active. For example, Crax Pro Forum is a clear web forum where a lot of cybercriminal activity takes place. Credit card markets are another place to look, as are marketplaces for narcotics and other illegitimate products, initial access broker markets, and messaging platforms like Telegram. When it comes to dark websites, you can’t do a simple Google search to find them – you actually need the exact .onion URL to reach them through the Tor Browser. In my webinar, I show you how to find underground sources, as well as how to access invite-only forums.
Some sites require you to participate or you’ll be kicked off. Of course, you want to limit your activity so you don’t stand out, and you must also be careful about engaging with any threat actors and potentially perpetrating a crime. One way around this is to occasionally post links to relevant news articles about the latest threats. Another hurdle you’ll need to overcome is language barriers, for example, when visiting Russian or Chinese language sources. You can use translation apps here, but this can delay your threat hunting.
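Because a dark web source can only be reached by its exact .onion address, a source list is only as good as the addresses in it, and a mistyped or lookalike address is easy to carry forward by accident. As an added example (mine, not from this post or from Cybersixgill), the following Python checks that a collected address is a well-formed v3 onion hostname whose embedded checksum and version byte verify, following the layout in Tor's rendezvous specification: a 32-byte public key, a 2-byte SHA3-256 checksum and the version byte 0x03, base32-encoded into 56 characters. The sample key bytes, the source list and all function names are constructed for illustration and belong to no real service.

```python
import base64
import hashlib
from urllib.parse import urlsplit

ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def _v3_checksum(pubkey: bytes) -> bytes:
    # rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def make_onion_v3(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be exactly 32 bytes")
    raw = pubkey + _v3_checksum(pubkey) + ONION_V3_VERSION  # 35 bytes -> 56 base32 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def validate_onion_v3(hostname: str) -> bool:
    """True only for a 56-character v3 address whose checksum and version byte check out."""
    host = hostname.strip().lower()
    if not host.endswith(".onion"):
        return False
    label = host[: -len(".onion")]
    # The retired 16-character v2 format and anything non-base32 is rejected outright
    if len(label) != 56 or not set(label) <= BASE32_ALPHABET:
        return False
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    return version == ONION_V3_VERSION and checksum == _v3_checksum(pubkey)


def filter_onion_sources(urls):
    """Keep only the URLs whose host is a checksum-valid v3 onion address."""
    kept = []
    for url in urls:
        parsed = urlsplit(url if "://" in url else "http://" + url)
        if validate_onion_v3(parsed.hostname or ""):
            kept.append(url)
    return kept


# Constructed sample: an arbitrary 32-byte key (not a real service) and a source list
# containing the kinds of mistakes that creep into hand-maintained lists
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_ADDRESS = make_onion_v3(SAMPLE_PUBKEY)
CONSTRUCTED_SOURCES = [
    f"http://{SAMPLE_ADDRESS}/forum/index.php",   # valid
    f"http://{SAMPLE_ADDRESS[:-7]}a.onion/",      # last character altered: version byte is no longer 0x03
    "http://abcdefghijklmnop.onion/",             # v2-style address, no longer supported by Tor
    "https://example.com/",                       # clear web host, not an onion at all
]

if __name__ == "__main__":
    print("sample address:", SAMPLE_ADDRESS)
    for url in CONSTRUCTED_SOURCES:
        print(f"{'KEEP' if url in filter_onion_sources([url]) else 'DROP'}  {url}")
```

One property worth knowing when eyeballing addresses: because the final byte is always the version 0x03, every valid v3 address ends in the letter d before .onion. The validator does not confirm that a service is online or who runs it; it only rules out addresses that cannot be correct, which is the cheap check to run before an address is saved to a source list.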
Create your persona(s) – To do this properly and to keep your identity protected, I recommend a few steps:
Use a Proton Mail email account or a burner phone so that no activity associated with your persona can be tied back to you
Use a password manager to keep track of all passwords associated with your different personas for different underground sites. You can also take screenshots or print the pages showing your login credentials.
Be sure your personas are completely isolated from any personal information (Tails comes in handy here)
Set up modes of communication through one or more of the following*:
Private messages (PM) - can be a reliable way to communicate with threat actors, although it depends on the site or forum you’re in.
Jabber (XMPP) - instant messaging service used by threat actors for its encrypted connection. Also, messages are not logged.
Telegram - instant messaging platform
PGP key (Pretty Good Privacy) – a cryptographic method of communication that requires the exchange of public keys. While this method can be more time-consuming to set up and use, it may also be the most secure way to communicate with threat actors without compromising your identity.
*In the webinar, I discuss in more detail the pros and cons of each option above and how to set them up.
Start threat hunting
Threat hunting is a constant game of cat and mouse, finding threats before they find you or exploit you. The common threats you’ll find in the underground include:
Initial access
Phishing
Supply chain compromise
Valid accounts for sale
Insider threats
Fraud
Data leaks and more
When executing a hunt, be sure your scope isn’t too broad – you want to focus on a specific topic or type of issue. Also, make sure you document all of your steps. Take screenshots of your findings and keep records of what you’ve done. Sites go up and down, and threat actors enact countermeasures that can throw you off and force you to start from scratch. If you don’t keep a record, all of your investigative data can be lost.
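Keeping records is only useful if, weeks later, you can show that a screenshot is the one you captured and that no step was edited or dropped from the record. As an added example (mine, not from this post or from Cybersixgill), the Python below keeps an append-only hunt logbook in which every entry carries a timestamp, the hunt scope, a SHA-256 of any attached evidence bytes, and the digest of the previous entry, so the whole chain can be re-verified. The HuntLogbook class, the sample entries, the placeholder source name and the fake screenshot bytes are all constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash value carried by the first entry


class HuntLogbook:
    """Append-only investigation record; every entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(body):
        # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
        return hashlib.sha256(payload).hexdigest()

    def record(self, source, action, note, evidence=None, when=None):
        """Append one step. `evidence` is the raw bytes of a screenshot or saved page."""
        prev = self.entries[-1]["entry_sha256"] if self.entries else GENESIS
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        body = {
            "seq": len(self.entries) + 1,
            "timestamp_utc": stamp,
            "source": source,
            "action": action,
            "note": note,
            "evidence_sha256": hashlib.sha256(evidence).hexdigest() if evidence else None,
            "prev_sha256": prev,
        }
        entry = dict(body, entry_sha256=self._entry_hash(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every digest and the chain; False if any entry was altered or dropped."""
        expected_prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_sha256"}
            if body["prev_sha256"] != expected_prev:
                return False
            if self._entry_hash(body) != entry["entry_sha256"]:
                return False
            expected_prev = entry["entry_sha256"]
        return True

    def export_json(self):
        return json.dumps(self.entries, indent=2)


def build_sample_logbook():
    """Constructed walkthrough of a narrowly scoped hunt (every value here is made up)."""
    book = HuntLogbook()
    t0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    fake_screenshot = b"PNG-bytes-of-screenshot-(constructed)"
    book.record("forum-A (placeholder)", "login",
                "Persona P1 logged in; scope: leaked credentials for example.org", when=t0)
    book.record("forum-A (placeholder)", "observe",
                "Thread offering 'corporate mailbox access'; no price listed",
                evidence=fake_screenshot, when=t0.replace(minute=42))
    book.record("forum-A (placeholder)", "observe",
                "Thread deleted by moderator; screenshot retained", when=t0.replace(hour=10, minute=5))
    return book


if __name__ == "__main__":
    book = build_sample_logbook()
    print(book.export_json())
    print("chain intact:", book.verify())
```

The exported JSON is what you keep alongside the screenshots themselves; storing a copy of the latest entry digest somewhere outside the dirty machine (a line in your case notes is enough) lets you later prove the log was not rewritten after the fact. Because the chain is checked in sequence, a deleted middle entry shows up just as clearly as an edited one.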
The steps outlined above lay out a few problems with manual threat hunting:
You must search each source individually and manually – which is very time-consuming
You expose yourself to risk - creating personas helps
You add more risk by searching for specific threats within malicious sources
The combination of persona management, well-honed threat-hunting skills, and premium cybersecurity tools like Cybersixgill streamlines this process by automating intelligence gathering from malicious sources. Cybersixgill helps you access data from these sources, automatically downloads files that will be of interest, and helps you identify the threats you should be hunting for that pose the greatest risk to your organization and attack surface.
To view my on-demand webinar and learn more about persona management and threat hunting, visit https://cybersixgill.com/resources/diving-into-the-underground-persona-management-and-threat-actor-engagement/