ThreatNG Security


OSINT Top Ten: Number 9 - Dark Web

Is it true that one can only find dark elves on the dark web?

False, the dark elves we've seen are only in the Marvel Cinematic Universe. But there is information on the dark web that does not exist anywhere else. There are often new variants of malware, tactics, and techniques, in addition to sensitive personal information about individuals and companies.

Having this knowledge is priceless to any organization.

Setting the Stage for the Dark Web

Many people do not realize that there are three 'versions' of the internet that exist today:

  • the clear or surface web,

  • the deep web and

  • the dark web.

Clear or Surface Web

The clear or surface web is the part most internet users live on: all the pages that search engines index and that anyone can find with a query. Google, Bing, and Yahoo are the popular search engines that index it, and sites such as Wikipedia are part of it.

Deep Web

The deep web refers to pages that search engines do not index, usually because they sit behind a login, a paywall, or a query form. It often contains academic information, legal records, scientific reports, government databases, library catalogs, and the like; it is not inherently illicit, just unindexed.

Dark Web

The dark web also consists of pages that search engines do not index, but these are reachable only through specific software such as Tor or I2P, and it is often home to illicit activity.

How to Connect to the Dark Web

Connect

Connecting to the dark web involves installing a client for an anonymity network, Tor or I2P, and then navigating yourself to the desired sites.

Navigating

The dark web is not indexed and ranked like the 'clear web.' On the clear web you type a query into Google, and Google aggregates results and ranks them with an algorithm. Google does not crawl .onion sites, so at best it turns up clear-web pages that mention an .onion address; it will not take you into the dark web. Onion URLs are the addresses that identify Tor onion services (also called hidden services). An example is the BBC's news mirror, launched in October 2019 at "www.bbcnewsv2vjtpsuy.onion" (a 16-character v2 address). These addresses are reachable only through Tor; I2P is a separate network with its own .i2p address space and does not route to .onion sites. Since the dark web is not indexed or easily searchable, you need to know where to browse to find what you are looking for, which also helps mask illicit activity.

Onion URLs, addresses ending in .onion rather than the typical .com, .net, or .io, are routable only through Tor. There are two formats, v2 and v3. Both are lower-case base32, letters a-z and digits 2-7, which is why the addresses look like random noise:

V2 addresses are 16 characters: the first 80 bits of the SHA-1 hash of the service's RSA-1024 public key.
V3 addresses are 56 characters: the service's full 32-byte Ed25519 public key, followed by a two-byte checksum and a version byte (0x03), so every v3 address ends in the letter "d".

V2 onion services were deprecated and removed from Tor in 2021 (release 0.4.6), so 16-character addresses, including the BBC one above, no longer resolve with a current client; live services use v3 only.
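The two formats can be told apart, and a v3 address can be checked for typos or tampering, without touching the network, because the v3 checksum is computed from the public key that the address itself carries. The following is an added example, not code from the original post or from the Tor Project: it encodes a v3 address from a public key and classifies any onion hostname. The 32-byte all-zero key used in the usage note is a constructed placeholder, not a real service key; the BBC address is the one quoted above.

```python
import base64
import hashlib
import re

# All onion addresses are lower-case base32: letters a-z and digits 2-7.
ONION_LABEL = re.compile(r"^[a-z2-7]+$")
V3_VERSION = b"\x03"


def v3_checksum(pubkey: bytes, version: bytes = V3_VERSION) -> bytes:
    """Two-byte checksum from the v3 onion address format:
    SHA3-256(".onion checksum" || pubkey || version)[:2]."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build a v3 address from a 32-byte Ed25519 public key:
    base32(pubkey || checksum || version) + ".onion"."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion addresses encode a 32-byte Ed25519 public key")
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION   # 35 bytes -> exactly 56 base32 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(address: str):
    """Return ("v2", None), ("v3", pubkey_hex) or ("invalid", reason) for an onion hostname.

    Subdomains such as www.<label>.onion are allowed; only the label before .onion matters.
    """
    parts = address.strip().lower().split(".")
    if len(parts) < 2 or parts[-1] != "onion":
        return ("invalid", "not a .onion hostname")
    label = parts[-2]
    if not ONION_LABEL.match(label):
        return ("invalid", "address contains characters outside base32 a-z/2-7")
    if len(label) == 16:
        # v2: truncated SHA-1 of an RSA-1024 key. Nothing to verify offline beyond the format,
        # and current Tor releases no longer resolve these at all.
        return ("v2", None)
    if len(label) != 56:
        return ("invalid", f"label is {len(label)} chars; v2 is 16, v3 is 56")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != V3_VERSION:
        return ("invalid", f"unexpected version byte 0x{version.hex()}; every v3 address ends in 'd'")
    if checksum != v3_checksum(pubkey, version):
        return ("invalid", "checksum mismatch: the address was mistyped or tampered with")
    return ("v3", pubkey.hex())


if __name__ == "__main__":
    # Constructed placeholder key (all zeros), not a real service key.
    demo = encode_v3(bytes(32))
    print(demo, classify_onion(demo))
    print(classify_onion("www.bbcnewsv2vjtpsuy.onion"))
```

The checksum only catches accidental corruption: two bytes is far too short to stop an attacker from minting a lookalike address, and the "brand-looking" prefix in vanity addresses like the BBC's is just a key ground by brute force. The only thing that authenticates an onion service is the full key in the address, so addresses should be copied from a trusted source, never transcribed or taken from a search engine result.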

Without a place to start, navigating the dark web can be quite complicated. There are some places to find .onion links; Reddit is a great place to start.

Why is the Dark Web Important?

The dark web has become a key source of intelligence in recent years.

Existing Dark Web Solutions

There are now several vendors that specialize in dark web analytics and intelligence.

More Accessible Than What Most People Think, But with Risks

The dark web is not nearly as mysterious as some news outlets portray it. It is not without risks, though, because reaching it requires tools like Tor or I2P. Tor works by passing your connection through a circuit of three volunteer-run relays, each of which can peel off only its own layer of encryption. Anyone can run a relay, and the operator of an exit relay, the last hop when you browse a clear-web site, can read and tamper with any traffic that HTTPS does not protect (connections to .onion services never pass through an exit). A hostile site can also attack the browser itself. The other risks are operational: if the organization runs its own relay, it carries strangers' traffic, which consumes bandwidth and can look like a DDoS, and the relay's address may be blocklisted; employees reaching for Tor may be bypassing security policy; and either can do reputational damage.

Why Is It Important

These risks often cause companies to forgo the dark web as a resource. Even with these dangers, organizations should be using it, because it holds information that exists nowhere else: new malware variants, tactics and techniques, and leaked credentials and other sensitive data about individuals and companies, sometimes including your own. Knowing what is circulating about you there is priceless to any organization.

Traditional Dark Web Challenges

Using the dark web as a resource is difficult for companies as there are risks in

  • connecting,

  • navigating, and

  • staying on top of what is in there.


Connecting Requirements

Connecting to the dark web is simple: download Tor Browser, open it, find an onion link (or several), browse, and repeat. Tor Browser also exposes a local SOCKS proxy (port 9150; the standalone tor daemon listens on 9050) that other tools can be pointed at. A VPN in front of Tor hides from your ISP that you are using Tor at all; it is not required, and it does not change what a malicious exit relay or a hostile site can see or do.
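Tools other than the browser reach onion services the same way the browser does: by handing the hostname, unresolved, to Tor's SOCKS5 proxy. The following is an added example written for this page, not code from the original post or from the Tor Project. It builds and parses the SOCKS5 exchange with the standard library only, then uses it to fetch a page; it assumes a Tor client listening on 127.0.0.1:9050 (change to 9150 for Tor Browser). The BBC address is the one quoted earlier on this page and is retired, so substitute a live v3 address to actually fetch anything.

```python
import socket

# Assumption: a local Tor client. The tor daemon defaults to 9050; Tor Browser uses 9150.
TOR_SOCKS_HOST = "127.0.0.1"
TOR_SOCKS_PORT = 9050

# SOCKS5 reply codes from RFC 1928 section 6. Tor typically reports an onion service it
# cannot reach as 0x04.
SOCKS5_REPLIES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def socks5_greeting() -> bytes:
    # VER=5, NMETHODS=1, METHOD=0x00 (no authentication), which is what Tor's SOCKS port accepts.
    return b"\x05\x01\x00"


def socks5_connect_request(hostname: str, port: int) -> bytes:
    """Build a CONNECT with ATYP=0x03 (domain name) so Tor resolves the name inside the network.

    A .onion name cannot be resolved locally at all, and resolving a clear-web name locally
    would leak the destination to your DNS resolver, so the hostname must reach the proxy
    unresolved (this is what curl's socks5h:// and the socks5h scheme in PySocks mean).
    """
    name = hostname.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("SOCKS5 domain names are 1-255 bytes")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + port.to_bytes(2, "big")


def parse_connect_reply(reply: bytes):
    """Return (code, meaning) from a SOCKS5 CONNECT reply; Tor answers with a 10-byte IPv4 form."""
    if len(reply) < 2 or reply[0] != 0x05:
        raise ValueError("not a SOCKS5 reply")
    code = reply[1]
    return code, SOCKS5_REPLIES.get(code, f"unknown reply 0x{code:02x}")


def fetch_via_tor(hostname: str, port: int = 80, path: str = "/", timeout: float = 60.0) -> bytes:
    """Open a TCP stream to hostname:port through the local Tor proxy and send a plain HTTP GET.

    Network side effects: only run this with Tor listening on TOR_SOCKS_HOST:TOR_SOCKS_PORT.
    Building an onion circuit can take tens of seconds, hence the generous timeout.
    """
    with socket.create_connection((TOR_SOCKS_HOST, TOR_SOCKS_PORT), timeout=timeout) as s:
        s.sendall(socks5_greeting())
        method = s.recv(2)
        if method != b"\x05\x00":
            raise ConnectionError(f"proxy refused the no-auth method: {method!r}")
        s.sendall(socks5_connect_request(hostname, port))
        code, meaning = parse_connect_reply(s.recv(10))
        if code != 0x00:
            raise ConnectionError(f"Tor could not reach {hostname}: {meaning}")
        s.sendall(f"GET {path} HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n".encode())
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
        return b"".join(chunks)


if __name__ == "__main__":
    # The page's example address (v2, no longer resolvable); substitute a live v3 address.
    print(fetch_via_tor("www.bbcnewsv2vjtpsuy.onion")[:200])
```

Note what the proxy does not give you: the HTTP exchange above is in the clear between the exit relay and a clear-web destination, so for clear-web targets wrap it in TLS, and for any target run it from an isolated machine rather than a workstation that holds corporate credentials.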

Connection Risks

Malware and Traffic Sniffing

Your traffic crosses relays run by strangers. Relays in the middle of the circuit see only encrypted cells, but an exit relay sees whatever you send to a clear-web site in the clear unless HTTPS protects it, and a malicious exit can inject content into plain HTTP responses. Malware reaches you the same way it does on the clear web: through a hostile or compromised site attacking the browser, or through files you download.

A user does not own or control the hops their traffic takes, so anything that is not end-to-end encrypted is exposed, and anything that exploits the browser lands on the machine that ran it. Browse from an isolated, disposable machine or VM rather than a corporate endpoint.

DDoS

If the organization operates a Tor relay, it carries other users' traffic: the bandwidth consumption is continuous, and bursts of relay traffic are hard to tell apart from a DDoS against the organization's own address.

Security Policy Violations, Reputation Damage, or even Blacklisted from Use

Connecting to the dark web may mean employees actively bypassing security policy, and doing it from corporate infrastructure can damage the organization's reputation. The address of a Tor relay, especially an exit, is likely to end up on blocklists.

Navigating Risks (Roadblocks and Unforeseen/Disturbing Content)

Navigating the dark web is, in theory, like browsing the internet as you do today, but with additional layers of complexity. The URLs make no sense to a human and contain digits, which is by design: they are derived from the service's public key, so the address itself authenticates the site, and there is no Google to help you along. There are dark-web search engines such as Torch, but coverage is thin. The v2 address space alone holds 32^16, more than a septillion, possible addresses, and the v3 space (2^256 keys) is astronomically larger, so finding anything in particular through one of these services is difficult. Resources like Reddit and the Hidden Wiki list .onion URLs and are the best places to start. Once you find a resource you want to browse, you may need to 'sign up' to view the content of a forum or site. You may also encounter disturbing content; report it where a forum provides for that, and otherwise stay away.

Keeping up with the Dark Web

Staying on top of .onion URLs is also a considerable challenge. Sites often go down and reappear under a different address or name. Some tools scrape link lists and Reddit for user feedback, but it can be a while before something you relied on resurfaces.

Next, we'll talk about number eight on the OSINT Top Ten - "Archived Web Pages." Stay tuned.