Life is tough if you're a criminal.
Sure, one big score can set you up for life. If you're smart and disciplined, you can retire early. But the flip side of that is that the smart and disciplined cybercriminals cash out and retire early, leaving you with an increasingly undisciplined and dumb selection of partners to work with.
Then, if you're in the business of selling malware, botnets, and other illegal goods and services, you've got to do some sales and marketing, to make it easier for your customers to find you. The flip side of that, of course, is that the easier it is for your customers to find you, the easier it is for the authorities as well.
Yes, you've got your anonymity to protect you. On the Dark Web, nobody knows who you are. The flip side of that, however, is that you also don't know who your business partners are. Worst case -- your customers, suppliers or business partners are cops building a case against you. Best case -- your customers, suppliers or business partners are criminals who rob and cheat people for a living.
Even the double-secret invitation-only criminal mastermind forum you finally got access to might be a front run by the cops, set up specifically for the purpose of gathering intel on you and all your most trusted confederates.
Maintaining anonymity and security requires constant vigilance. You can't afford a single mistake. A single loose threat is enough for authorities to pull apart your entire operation. And it's not just the authorities you have to watch out for -- according to TrendMicro, when competing criminal groups have a falling out, it's common for one group to try to unmask -- "dox" -- their rivals.
If you make a mistake, and you're lucky, you'll have time to run and hide, spending the rest of your life in the shrinking part of the world with no extradition. If you're unlucky, you'll spend a few years in prison. If you're really unlucky, one of your drug trafficking or money laundering business partners will have you killed.
Sonatype's crown jewels is its database of descriptions of over 1.2 million open source packages.
"If that is lost, it could be an existential outcome," said Wayne Jackson, CEO of the Fulton, Maryland-based software supply chain management company.
To shut down any such leak quickly, Sonatype has decided to start monitoring the Web for any indications that this data has been stolen and is now being shared on line.
That monitoring will include the Dark Web, as well.
The Internet's dark side isn't actually all that big. Media accounts frequently overestimate the size of the Dark Web by lumping in everything that's not accessible by search engines, and that includes corporate intranets and password-protected sites like online forums, bank websites, and email platforms.
But according to the FBI, there are only about 800 criminal Internet forums worldwide, and while their impact might be large, the number of people using them often isn't.
For example, last week law enforcement agencies from 20 countries worked together to shut down Darkode, a major computer hacking forum with about 300 users. Authorities infiltrated the invitation-only group and arrested 63 members.
One of them, Johan Anders Gudmunds, also known as "Mafi aka Crim," operated a botnet that stole data from innocent on approximately 200,000,000 occasions, according to the FBI.
A scan of TOR earlier this summer by the PunkSpider Web vulnerability scanner found around 7,000 TOR sites -- only 2,000 of which were active. And not all of these sites are run by criminals, of course. Dissidents who live under repressive regimes, security-conscious agencies and companies, and individuals very concerned about privacy also use TOR, Freenet, and the Invisible Internet Project, or I2P.
And when it comes to criminally-oriented Dark Web sites, not all of them are of interest to enterprise infosec professionals.
A TrendMicro scan last month found approximately 8,000 suspicious sites on the Dark Web, of which about a third were connected to malware download pages on the public web, just under a third were proxy avoidance sites that help users get around school, company, or government filters, and a quarter were related to child pornography. Just 5 percent were related to hacking.
TrendMicro also analyzed commerce on the Dark Web, and found that only 5 percent of sellers and 6 percent of buyers wanted to trade in user account credentials, a similar number were trading in video games, and the almost all of the rest were all about the drugs. Other services available included fake documents and beatings and murder for hire.
So, while the Dark Web is typically illustrated by an iceberg where the small tip that's showing is the public Web -- in fact the part of it that's of particular interest to security researchers is fairly small and manageable.
A company can set up a Dark Web data mining operation and start being productive in about a day, said Jason Polancich, founder and chief architect of SurfWatch Labs, Inc.
"Most businesses already have all the tools on hand for starting a low-cost, high-return Dark Web intelligence operations, within their own existing IT and cybersecurity teams," he said. "And most large enterprises are either starting this, or already have it in place."
According to Terbium Labs, there are a "few dozen" forums, mainly on TOR, that traffic in stolen information such as bank account numbers.
To make the Dark Web even more accessible to enterprise security researchers, several vendors -- including SurfWatch and Terbium -- are offering monitoring, indexing or alerting services, helping companies react to, or stay ahead of, Dark Web threats.
That could be someone posting sensitive company records, or discussing a planned attack, or selling a vulnerability in software a company uses.
Old sites do go down, or get taken down, and new ones pop up, said Terbium Labs CEO Danny Rogers.
"But they're typically discussed on other forums, so our crawler will naturally discover them," he said. "It changes more on a monthly pace rather than a weekly or daily pace. It's actually not too hard to keep up with it."
Rogers declined to explain how his company accessed members-only forums, but did say that they're able to automatically collect the information shared on these sites.
More than that, Terbium offers a search service Matchlight that allows enterprise customers to search for proprietary information via a fingerprint.
"It's a blind search technology," said Rogers. "We give clients the ability to search this index in an automated way without revealing to us what they're searching for."
The core feature of Matchlight allow enterprises to set up alerts for data that they want to monitor for, such as customer lists, or trade secrets.
"The faster they can find out that there's a data leak, the faster they can kick off their response, and the less damage will occur," he said.
For example, if the scan shows that the data is being distributed on a legitimate, law-abiding site, the enterprise can request that it be taken down. If the data is credit card numbers, they can be canceled quickly, before criminals can make fraudulent charges.
And if a company is aware that there's a leak, they can find it and shut it down before more damage is done.
One of the customers using Matchlight is Sonatype, which will be using the service to keep and eye out for any sign of its open source software database.
"The golden asset for us is our metadata which describes the attributes of open source code," said Sonatype's Jackson. "Our plan is to use Matchlight to make sure that this metadata doesn't show up on either the dark or light web."
Another vendor, Somerville, Mass.-based Recorded Future, Inc., can create a fingerprint based on the hardware and software that an enterprise has deployed, then search the Dark Web for new vulnerabilities identified in those systems as well as also looking for mentions of the company or its employees, IP addresses, or email addresses.
"We also help people look at industry-level trends," said Nick Espinoza, the company's product engineer.
Recorded Future senior analyst Scott Donnelly added that cybercriminals don't just limit themselves to forums on the Dark Web.
"Bad guys have to stick their heads out if they want to sell what they stole," he said. They're even on Twitter, he added. "They love their hashtags."
Starting points for exploring the Dark Web:
The Reddit DarkNetMarkets Superlist: https://www.reddit.com/r/DarkNetMarkets/wiki/superlist
DarkNet Stats: https://dnstats.net/
Deep.Dot.Web List of Dark Net Markets: https://www.deepdotweb.com/2013/10/28/updated-llist-of-hidden-marketplaces-tor-i2p/
Gwern Branwen's Dark Net Market archives: http://www.gwern.net/Black-market%20archives
The Onion subreddit: https://www.reddit.com/r/onions/
Tor Hidden Wiki: http://torhiddenwiki.com/
The Hidden Wiki: http://the-hidden-wiki.com/
Another Hidden Wiki: http://thehiddenwiki.org/
Yet another Hidden Wiki: http://www.thehiddenwiki.net/
Grams search engine: https://grams7enufi7jmdl.onion.to
Ahmia search engine: https://ahmia.fi
Vendors offering Dark Web monitoring or investigation services:
Digital Shadows: https://www.digitalshadows.com/
Recorded Future: https://www.recordedfuture.com/