CSO Perspectives (Pro) 5.4.20
Ep 5 | 5.4.20

Dark web and TOR: what kind of intelligence can you find there?


Rick Howard: [00:00:04] OK. Is this on? Great. Test, test. I'm pulling up to the corner of Kingman Road in Fairfax County Parkway, just outside of Fort Belvoir. 

Rick Howard: [00:00:34]  All right. Richmond is about 90 minutes due south of us. The Lincoln Memorial in Washington, D.C., that's about 15 minutes north of here. Just up Kingman Road is the Defense Logistics Agency that manages the global supply chain for the Army, the Marine Corps, the Navy, the Air Force, the Coast Guard, the new Space Force and 11 combatant commands. And just past that is the gate guard facility passing cars into Fort Belvoir. There's not too many people out here. It's pretty early this morning. 

Rick Howard: [00:01:09]  And just to the right of that is the Army's Intelligence and Security Command building, or INSCOM for short. That is where I transitioned from being an IT guy to being an Army security guy. From about 2002 to 2006, I was the commander of the Army's Computer Emergency Response Team, or ACERT. That was right when the internet was really getting started as more than a nerd hangout. It was becoming useful for business operations in the commercial sector, the government and academic institutions. It was also the time that the network defender community started to get serious about defending those operations. 

Rick Howard: [00:01:53]  I worked in a place called the Army's Information Dominance Center inside that INSCOM building because, back then, nobody was using phrases like security operations centers, or SOCs, to describe where they worked. Back then, we had a vague notion that cyberwarfare was possible. We all thought that we would fight it independently of a physical war, that there would be a purely digital cyberwar between nation-states. That notion did not last too long, but that was the current thinking at the time. 

Rick Howard: [00:02:37]  My name is Rick Howard. You are listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. This episode, we go to the mysterious, the scary and - some would even say - criminal to talk about that big, impenetrable internet portal called the dark web. I want to see just how it works and to learn if there is any useful intelligence there. 

Rick Howard: [00:03:13]  Because of that perceived threat, that threat of cyberwarfare, one of my Army responsibilities as the ACERT commander was to supervise counterintelligence operations against the known set of nation-state hackers. At the time, we were mostly worried about China. The dark web wasn't a thing yet, so hackers were hanging out in their own digital communities. The landscape was a free-for-all. And what I learned from that experience is that counterintelligence operations, they're really hard to do. The intelligence gleaned from that kind of activity could be valuable, but it was expensive to do in terms of time and human capital. 

Rick Howard: [00:03:54]  Twenty years later, the Onion Router Network, or Tor for short, is the de facto location of the dark web. There are other places, but if you are trying to hide your internet location from prying eyes - whether you are a good guy or a bad guy - Tor is the first place that people try. And 20 years later, commercial intelligence firms offer services by conducting counterintelligence operations in the dark web for their clients. I thought it was time to review what the dark web actually is and the kinds of intelligence you can get out of it if you pay for a server. 

Rick Howard: [00:04:31]  Experienced network defenders already know this, but even though the dark web sounds mysterious and scary, it really isn't. Bad guys hang out there, for sure, but so do the good guys. They hang out there because it provides an imperfect but elevated level of operational security compared to what the general purpose standard internet provides. People that don't like to be tracked on the internet use the dark web to camouflage their movement. 

Rick Howard: [00:04:56]  Naturally, criminals and spies and hacktivists use it to disguise their activity, but so do journalists, activists, whistleblowers and anybody that has an aversion to other people, especially governments, watching their online activity. The dark web is essentially a great marketing name for Tor. And get this - it wasn't built by the Russians or the Chinese or the First Order or even the Cardassians. The original concept came from the U.S. Navy. 

Rick Howard: [00:05:25]  Back in the early 1990s, three guys from the United States Naval Research Laboratory - Paul Syverson, Michael Reed and David Goldschlag - were playing around with the idea of onion routing. The basic concept was that if you wanted to hide your internet location from prying eyes while exchanging messages with a second party, the originator would send the message into this onion network. The onion network would consist of thousands of onion routers. According to WIRED magazine as of February of last year, the Tor network had some 6,500 routers. 

Rick Howard: [00:06:01]  The system, then, would send the message randomly to a handful of the routers. Each time a node sent the message to another onion router, it would wrap a layer of encryption around the message. By the time the message popped out of the onion network to be received by the intended destination, nobody could tell where it came from. The intended destination and all of the intermediary onion routers only knew about the router that sent them the message, but none of the others in the circuit. The message path was hidden in the layers of encryption. 

Rick Howard: [00:06:33]  It is pretty easy to try this out yourself, too. Just download and install the Tor browser for your laptop, and then go to YouTube and search for something. Since the message originator does not know which country the Tor exit node is located in, you might get some interesting results. When I just did this test about 10 minutes ago, my DuckDuckGo search responses were coming back in German, not the traditional English that I'm used to when I'm not using Tor. 

Rick Howard: [00:07:02]  The commercial services provided by the dark web intelligence companies mostly rely on their ability to monitor hidden services within the Tor network. In the message exchange example I just talked about, the two parties sat outside the onion network and passed messages through it. But people can establish other onion nodes that, in addition to routing, also provide other kinds of services. There's nothing mysterious here, either. They're mostly retail websites and chatrooms that cater to a specific clientele. They are hidden because you can't find them with a general purpose internet search engine like Google or Bing, and nobody knows the location because they are protected by the layers of onion encryption. 

Rick Howard: [00:07:49]  If I'm a cybercriminal selling credit card numbers to other black hats or a journalist setting up a drop site for a potential source, I might set up a website as a hidden service within the onion network. By some means outside of the onion network, I would tell my customer the hidden service onion's address - essentially, the public key - and through some Tor routing magic, using introductory nodes and rendezvous nodes, allow my customer to request access to it. If they have the right password, they get in. 

Rick Howard: [00:08:24]  So Syverson, Reed and Goldschlag developed the onion router idea for the United States Naval Research Laboratory in the 1990s. And then two MIT graduates, Roger Dingledine and Nick Mathewson, deployed the first alpha implementation in 2002. Later, the Electronic Frontier Foundation, or the EFF, recognized the value of the work and provided initial funding. The Tor project became a nonprofit in 2006 in order to maintain development progress. And today, according to Aditya Tiwari over at the web magazine called Fossbytes, Tor is funded by the U.S., Sweden, different NGOs and individual sponsors. It is, by far, the largest known onion routing network. There are even Linux distributions, like Tails and Subgraph OS, that provide built-in Tor support. But there are other onion routing networks, too, like Freenet and I2P and Hornet. 

Rick Howard: [00:09:22]  According to Andy Greenberg at WIRED, as of 2017, there were about 3,000 live hidden services active in Tor. But according to a report published by Terbium Labs just this month, these are the types of information that bad guys are selling in the dark web marketplaces - fraud guides, about 49%. These are criminals selling how-to guides to other criminals. It's a lucrative market. Personal data - about 15%. This is PII information, or personally identifiable information. Nonfinancial accounts and credentials make up about 12% - these are user IDs and passwords. Financial accounts and credentials make up about 8% - these are also user IDs and passwords. Fraud tools and templates - these are bad guy tools - make up about 8%. Payment cards or credit cards make up about 7%. 

Rick Howard: [00:10:18]  Dark web intelligence companies monitor these hidden services by conducting counterintelligence operations against them. This involves creating and developing personas to use with each hidden service. Many hidden service operators have additional vetting procedures other than just providing access to the dark web servers. In many cases, you can't write code to sign up for the service. It involves a human interacting with the dark web service operators and, once in, engaging with the clientele on the site. Conducting counterintelligence operations in these environments involves maintaining a stable of vetted personas so that if any one of them gets burned by the dark web operator or the clientele, the team can still pursue its counterintelligence mission. 

Rick Howard: [00:11:05]  There are a handful of companies that sell this kind of service, like Recorded Future, Flashpoint, Intel 471, iSIGHT, Terbium Labs, Deloitte and SENSEI. Some of their employees are former government specialists with current and expired government credentials. These folks cut their teeth by chasing bad guys in cyberspace, and they are very good at what they do. 

Rick Howard: [00:11:32]  And I admit it - my inner cyber nerd gets excited at the prospect of telling my boss that I have counterintelligence agents monitoring the dark web on behalf of the company. How many times do you get to say that in your career? But I think that these kinds of services target a special niche of experts in the network defender community and may not be for everybody. By looking at Greenberg's list of dark web marketplaces, you can see that law enforcement, banking and possibly government intelligence groups would find these services attractive, especially if these customers could customize their information requirements. 

Rick Howard: [00:12:11]  You might make the case that discovering employee PII on a dark web hidden service is valuable for the general purpose network defender. Getting that intelligence in a timely manner would be a trigger for you to change that employee's credential settings and prevent a compromise. That could be true. My counter to that scenario is that there are probably a hundred other things you should do first before you implement that kind of counterintelligence scheme. A hundred other things that would more robustly reduce the probability of a material cyber event in your organization. Your situation might be different, but as a general purpose network defender, I would pursue basic Zero Trust, intrusion kill chain and resilience strategies before I did this. 

Rick Howard: [00:12:57]  You might also make the case that discovering that your company's proprietary information - like, say, the secret ingredients to the Coca-Cola recipe - is sitting on some dark web hidden service web server is important intelligence, and you might be right. But I would challenge you by asking, what decision do you make with that knowledge after you find out about it? I'm willing to bet that anything you do at that point would not be that impactful. As they say, that horse has already left the barn. That situation may get you funding for your next pet security project, but it will not change the fact that the information is gone. 

Rick Howard: [00:13:35]  The world and history of the dark web in general and Tor specifically is fascinating. The show notes will include links to further reading on the subject. Counterintelligence operations targeting that murky internet corner could yield interesting results for the right kinds of organizations. So double-check yourself to validate if you watch over that right kind of organization and to judge if this is a high priority for you. If so, then celebrate your inner nerd and, by all means, have fun in there. 

Rick Howard: [00:14:08]  That's a wrap. If you agree or disagree with anything I have said, hit me up on LinkedIn or Twitter, and we can continue the conversation there. The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Engineering and music design is done by the insanely talented Elliott Peltzman. And I am Rick Howard. Thanks for listening.