The enterprise is in an arms race with cybercriminals

The deep web, dwell time, and the balance of power in cybersecurity

It is always easier to destroy than it is to build, easier to harm than to heal. It will always be easier for attackers to burrow into the criminal underground and from there carefully and precisely worm their way past enterprise defenses, ultimately taking root next to data stores and siphoning off valuable information until they grow fat with the financial benefits of their labors.

The enterprise is in an arms race with cybercriminals. Organizations must constantly build up defenses in an attempt to maintain the status quo, if not shift the balance of power in their favor.

CSO explores the deep web, dwell time, and their roles in the balance of power in cybersecurity, pointing to defensive moves such as employing hackers and improving the effectiveness of employee education about social engineering and phishing in order to better arm personnel.

The realm and purpose of the darker side of the deep web

Owners of sites on the deep web keep their web properties out of directories and search engines for any of a number of reasons, including security or privacy. Criminal hackers who run forums on the deep web block web crawlers and spiders in order to minimize awareness of their operations. (People often loosely call this portion of the deep web the dark web. That creates confusion, since the dark web more precisely refers to darknets: overlay networks, Tor being the best-known example, that require specific software to reach.)


Criminal hackers use the deep web for hidden conversations and for trade in malware. “Attackers use the deep web for anonymized communications that they encrypt over web protocols and for trade in rootkits that they use for nuisance attacks to serve as smoke screens that cover real attacks,” says Professor James Hendler, Director of the Institute for Data Exploration and Applications, Rensselaer Polytechnic Institute (RPI).

Cyber hoodlums orchestrate the real attacks using threats such as the latest exploits, APT approaches, and zero-days, which they keep close to their chests while enterprises still have no defense against them. “The current state-of-the-art happens off the deep web because attackers are not willing to share that information. Ransomware for example is extremely sophisticated and these criminals go to great lengths to obscure its source,” says Hendler.

The deep web is also a place for attackers to shop for compromised information about people including their routines and credentials. “Criminal hackers conduct trade in data about who uses what bank, for example, and how their emails typically appear so they can spoof that person not only at that bank but wherever they use the same username and password,” explains Hendler.


In addition to the deep web, criminal hackers use any encrypted mechanism available to communicate, such as encrypted phone calls, instant messaging with OTR (Off-the-Record) encryption, and secret codes. “Secret codes may be in plain text but they don’t refer directly to who was hacked or when. The target/victims and the type of payload used in the attack will have code names. Criminal hackers will communicate using these cryptic codes,” says Charles Tendell, CEO, Azorian Cyber Security.

Attackers also communicate with each other by flooding communications channels with an exorbitant amount of information, far too much for any one person to weed through. “Unless you know what you’re looking for, you’re not going to find the legitimate conversation in all of it,” says Tendell.

How attackers achieve dwell time

The cybercrime underground has already made so much compromised information available that any cyber thug can easily avail himself of a variety of PII and login credentials, gain access to more systems, steal many additional credentials, and retrieve saleable data from some new enterprise victim.

“Criminal hackers can go to a large data dump site, enter a name, and find out whether that person was in a compromised database or was part of some breach. Since people reuse the same password many times, if that victim hasn’t changed their password, attackers can use those credentials to gain more access at other sites and get more information,” explains Tendell.

In addition to compromised information, attackers can easily find vulnerabilities in the internet of things that they can use to eventually gain access to the enterprise. Criminal hackers use search engines such as Shodan, which people use to find internet-connected devices, to search by geographic location and IP address in order to see what may already be vulnerable, says Tendell.

With vulnerabilities galore in hand, attackers apply zero-days, rootkits, malware, cryptic communications, and compromised credentials using one of two models to maintain dwell time and exfiltrate the most data possible before someone stops them. “Criminal hackers either move a little data out at a time so as to go unnoticed or they cache the data somewhere inside the enterprise over an extended period and broadcast it out all at once with stealth and low visibility,” says Hendler. Either of these approaches is fruitful for an attacker.

Shifting the balance of power in cybersecurity

The balance of power between criminal hackers and security pros is decidedly slanted in favor of the attackers. New vulnerabilities crop up every time new software or software updates are added. “While an attacker has only to find one flaw to gain entry, the security pros must know, close, and protect every vulnerability,” says Hendler.

Most attacks start as successful phishing exploits or other social engineering, suggesting that enterprises need to find ways to make employee education more precise, clear, and effective, producing far-reaching results. “Some companies set up systems for IT departments to launch faux phishing attacks from inside, report successful attacks back to employees and bosses, and educate people that if they are not 100-percent sure that an email is legit, it could end up in their performance review,” says Hendler. Enterprises that use approaches like this to reinforce which signals flag a phishing message, and why it is so important not to fall for one, go a long way toward enlisting employees in the fight against cybercrime and keeping attackers out.

Organizations need to incentivize employees to immediately alert IT when they do click on a phishing email so that IT/security can contain the attack as early as possible. This is a positive alternative to simply punishing employees for clicking the wrong link.

On the offensive, the enterprise needs to apply experienced, capable, and informed hacker minds to cybersecurity challenges. According to Tendell, these professionals can focus on sources of attack data such as conversations in the criminal hacker community and real-time monitoring of outbound traffic based on knowledge of ports criminal hackers frequently use such as port 31337 and the ploys they use with them.

These white hat hackers can then help organizations to close the loop on vulnerabilities, respond to and contain attacks, and remain proactive in the ongoing war against cybercrime.
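The two exfiltration models Hendler describes above (a trickle of small transfers versus one large dump of cached data) and the outbound-port monitoring Tendell mentions can be turned into detection logic over flow records. The following is an added example, not code from the article or from either expert; it runs over constructed flow records (timestamp, source, destination, destination port, bytes out) rather than real telemetry, and the thresholds, the RFC 1918 definition of "inside", and the port watch-list containing 31337 are all assumptions to be tuned against your own baseline.

```python
"""Flag outbound-traffic patterns that suggest data exfiltration.

Added example, not code from the article. Two patterns from the text:
  * low-and-slow: many small transfers to one external host at a
    regular interval (a beacon), adding up over time;
  * burst: a cached data set pushed out in one large transfer.
Plus a watch-list hit on the port the article names (31337).
Flow records are a constructed CSV: timestamp,src,dst,dst_port,bytes_out.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Assumed watch-list; 31337 is the port named in the article.
SUSPICIOUS_PORTS = {31337}
# RFC 1918 ranges decide which side of a flow is "inside" (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dst_port: int
    nbytes: int


class Finding(NamedTuple):
    kind: str          # "burst_exfil" | "suspicious_port" | "low_and_slow"
    src: str
    dst: str
    dst_port: int
    total_bytes: int


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(lines) -> List[Flow]:
    flows = []
    for line in lines:
        ts, src, dst, port, nbytes = line.strip().split(",")
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows


def analyze(flows, *, burst_bytes=256 * 1024 ** 2, slow_min_flows=12,
            slow_max_flow_bytes=64 * 1024, slow_min_total=128 * 1024,
            max_jitter=0.2) -> List[Finding]:
    """Return one Finding per (pattern, src, dst, port) that trips a threshold."""
    findings = []
    by_pair = defaultdict(list)
    for f in flows:
        if not (is_internal(f.src) and not is_internal(f.dst)):
            continue  # only inside -> outside traffic matters for exfiltration
        if f.dst_port in SUSPICIOUS_PORTS:
            findings.append(Finding("suspicious_port", f.src, f.dst, f.dst_port, f.nbytes))
        if f.nbytes >= burst_bytes:
            findings.append(Finding("burst_exfil", f.src, f.dst, f.dst_port, f.nbytes))
        by_pair[(f.src, f.dst, f.dst_port)].append(f)

    for (src, dst, port), group in by_pair.items():
        if len(group) < slow_min_flows:
            continue
        if max(g.nbytes for g in group) > slow_max_flow_bytes:
            continue  # large individual transfers are the burst case, not this one
        total = sum(g.nbytes for g in group)
        if total < slow_min_total:
            continue
        # Regular spacing between flows separates a beacon from browsing:
        # coefficient of variation (sd / mean) of the inter-flow gaps.
        stamps = sorted(g.ts for g in group)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean <= 0:
            continue
        sd = (sum((g - mean) ** 2 for g in gaps) / len(gaps)) ** 0.5
        if sd / mean <= max_jitter:
            findings.append(Finding("low_and_slow", src, dst, port, total))
    return findings


def build_sample_log() -> List[str]:
    """Constructed flow records (not real telemetry)."""
    t0 = datetime(2016, 5, 1, 0, 0, 0)

    def rec(mins, src, dst, port, nbytes):
        return f"{(t0 + timedelta(minutes=mins)).isoformat()},{src},{dst},{port},{nbytes}"

    lines = []
    # 48 x 20 KiB every 30 minutes to one host: under 1 MiB/day, never a big flow.
    lines += [rec(30 * i, "10.0.0.5", "203.0.113.10", 443, 20 * 1024) for i in range(48)]
    # A cached 2 GiB archive pushed out in one go.
    lines.append(rec(180, "10.0.0.8", "198.51.100.7", 443, 2 * 1024 ** 3))
    # A tiny flow to the port named in the article.
    lines.append(rec(240, "10.0.0.9", "198.51.100.9", 31337, 512))
    # Ordinary browsing: enough volume to pass the byte thresholds, irregular timing.
    browsing = [(3, 1200), (9, 48000), (31, 700), (80, 16000), (95, 3000),
                (140, 52000), (143, 900), (200, 8000), (230, 25000),
                (260, 400), (300, 30000), (305, 1100), (390, 600)]
    lines += [rec(m, "10.0.0.12", "93.184.216.34", 443, b) for m, b in browsing]
    # Inside-to-inside file copy: large, but not outbound, so ignored.
    lines.append(rec(0, "10.0.0.5", "10.0.0.20", 445, 50 * 1024 ** 2))
    return lines


def run_sample() -> List[Finding]:
    return analyze(parse_flows(build_sample_log()))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample the script reports one finding of each kind and nothing for the browsing host, whose transfers pass the volume checks but fail the regularity check. Two caveats a practitioner will already suspect: the regularity test is defeated by attackers who jitter their beacons, so in practice it is one signal among several, and a port watch-list like the one holding 31337 is a weak indicator on its own, because most real exfiltration today rides on 443 next to legitimate traffic, which is why the volume and timing logic is the part that earns its keep.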

It won’t be easy

It isn’t easy to close the gaps that make social engineering possible or to entrust good guy hackers with cybersecurity. But it is the job that cyber thugs have thrust upon us.


By David Geer
