The enterprise is in an arms race with cybercriminals

The deep web, dwell time, and the balance of power in cybersecurity

[ Image: rockets and a warplane. Credit: Marco Cortese ]

It is always easier to destroy than it is to build, easier to harm than to heal. It will always be easier for attackers to burrow themselves into the criminal underground and from there carefully and precisely worm their way past enterprise defenses, ultimately taking root next to data stores and syphoning off valuable information until they grow fat with the financial benefits of their labors.

The enterprise is in an arms race with cyber criminals. Organizations must constantly build up defenses in an attempt to maintain the status quo if not shift the balance of power in their favor.

CSO explores the deep web, dwell time, and their roles in the balance of power in cybersecurity, pointing to defensive moves such as employing hackers and making employee education about social engineering and phishing more effective in order to better arm personnel.

The realm and purpose of the darker side of the deep web

Owners of sites in the deep web do not index their web properties in directories and search engines, for any of a number of reasons including security and privacy. Criminal hackers with forums on the deep web avoid web-crawling bots and spiders in order to minimize awareness of their nefarious operations. (People often ambiguously refer to this portion of the deep web as the dark web. This can create confusion, as the dark web typically refers to darknets.)


Criminal hackers use the deep web to enable hidden conversations and to conduct trade in defensible malware. “Attackers use the deep web for anonymized communications that they encrypt over web protocols and for trade in rootkits that they use for nuisance attacks to serve as smoke screens that cover real attacks,” says Professor James Hendler, Director of the Institute for Data Exploration and Applications, Rensselaer Polytechnic Institute (RPI).

Cyber hoodlums orchestrate the real attacks using threats such as the latest exploits, APT approaches, and zero-days, which they keep close to the chest for as long as enterprises still have no defense against them. “The current state-of-the-art happens off the deep web because attackers are not willing to share that information. Ransomware, for example, is extremely sophisticated, and these criminals go to great lengths to obscure its source,” says Hendler.

The deep web is also a place for attackers to shop for compromised information about people including their routines and credentials. “Criminal hackers conduct trade in data about who uses what bank, for example, and how their emails typically appear so they can spoof that person not only at that bank but wherever they use the same username and password,” explains Hendler.


In addition to the deep web, criminal hackers use any encrypted mechanism available to communicate, such as encrypted phone calls, instant messaging over OTR (Off-the-Record messaging), and secret codes. “Secret codes may be in plain text, but they don’t refer directly to who was hacked or when. The target/victims and the type of payload used in the attack will have code names. Criminal hackers will communicate using these cryptic codes,” says Charles Tendell, CEO, Azorian Cyber Security.

Attackers also communicate with each other by flooding communications channels with an exorbitant amount of information, far too much for any one person to weed through. “Unless you know what you’re looking for, you’re not going to find the legitimate conversation in all of it,” says Tendell.

How attackers achieve dwell time

The cybercrime underground has already made so much compromised information available that any cyber thug can easily avail himself of a variety of PII and login credentials, gain access to more systems, steal many additional credentials, and retrieve saleable data from some new enterprise victim.

“Criminal hackers can go to a large data dump site, enter a name, and find out whether that person was in a compromised database or was part of some breach. Since people reuse the same password many times, if that victim hasn’t changed their password, attackers can use those credentials to gain more access at other sites and get more information,” explains Tendell.

In addition to exposed information, attackers can easily find vulnerabilities in the internet of things that they can use to eventually gain access to the enterprise. Criminal hackers use search engines such as Shodan, which people use to find internet-connected devices, to search geographical locations and IP addresses in order to see what may already be vulnerable, says Tendell.

With vulnerabilities galore in hand, attackers apply zero-days, rootkits, malware, cryptic communications, and compromised credentials using one of two models to maintain dwell time and exfiltrate the most data possible before someone stops them. “Criminal hackers either move a little data out at a time so as to go unnoticed or they cache the data somewhere inside the enterprise over an extended period and broadcast it out all at once with stealth and low visibility,” says Hendler. Either of these approaches is fruitful for an attacker.

Shifting the balance of power in cybersecurity

The balance of power between criminal hackers and security pros is decidedly slanted in favor of the attackers. New vulnerabilities crop up every time new software or software updates are added. “While an attacker has only to find one flaw to gain entry, the security pros must know, close, and protect every vulnerability,” says Hendler.

Most attacks start as successful phishing exploits or other social engineering, suggesting that enterprises need to find ways to make employee education more precise, clear, and effective, producing far-reaching results. “Some companies set up systems for IT departments to launch faux phishing attacks from inside, report successful attacks back to employees and bosses, and educate people that if they are not 100-percent sure that an email is legit, it could end up in their performance review,” says Hendler. Enterprises that use approaches like this to reinforce the signals that flag a phishing email, and why it is so important not to fall for one, will go a long way toward enlisting employees in the fight against cybercrime and keeping attackers out.

Organizations need to incentivize employees to immediately alert IT when they do click on a phishing email so that IT/security can contain the attack as early as possible. This is a positive alternative to simply punishing employees for clicking the wrong link.

On the offensive, the enterprise needs to apply experienced, capable, and informed hacker minds to cybersecurity challenges. According to Tendell, these professionals can focus on sources of attack data such as conversations in the criminal hacker community, and on real-time monitoring of outbound traffic informed by knowledge of the ports criminal hackers frequently use, such as port 31337, and the ploys they use with them.

These white hat hackers can then help organizations to close the loop on vulnerabilities, respond to and contain attacks, and remain proactive in the ongoing war against cybercrime.
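To make the outbound-traffic monitoring Tendell describes concrete, and to cover both exfiltration patterns Hendler names earlier (moving a little data out at a time, or caching it and broadcasting it out all at once), here is an added example of the kind of detection logic a security team might run over its own flow records. It is not code from CSO or from anyone quoted in the story. The log line format, the thresholds, the hostnames and the flow records are all constructed for the example; the destination addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.

```python
"""
Toy outbound-flow monitor (constructed example, not from any real tool).

Three detections:
  suspicious-port  : outbound connection to a port the article names (31337)
  burst-exfil      : one very large outbound flow (cache-then-broadcast pattern)
  trickle-exfil    : many small flows to the same destination inside a 24 h
                     window (low-and-slow pattern)
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format: "<iso-timestamp> host=<src> dst=<ip> dport=<port> bytes=<n>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Thresholds are assumptions chosen for the sample; tune them to your own baseline.
SUSPICIOUS_PORTS = {31337}
BURST_BYTES = 50_000_000          # a single flow of 50 MB or more is a burst
TRICKLE_WINDOW = timedelta(hours=24)
TRICKLE_MIN_FLOWS = 20            # this many small flows to one destination ...
TRICKLE_MAX_BYTES = 200_000       # ... each no larger than this, within the window


def parse_flow(line):
    """Parse one flow record into a dict; raise on malformed input."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "bytes": int(m["bytes"]),
    }


def detect(lines):
    """Return a list of (rule, host, dst, detail) alerts for the given flow records."""
    flows = sorted((parse_flow(l) for l in lines), key=lambda f: f["ts"])
    alerts = []
    small_flows = defaultdict(list)   # (host, dst) -> timestamps of recent small flows
    trickle_reported = set()          # alert once per (host, dst), not once per flow
    for f in flows:
        key = (f["host"], f["dst"])
        if f["dport"] in SUSPICIOUS_PORTS:
            alerts.append(("suspicious-port", f["host"], f["dst"], f["dport"]))
        if f["bytes"] >= BURST_BYTES:
            alerts.append(("burst-exfil", f["host"], f["dst"], f["bytes"]))
        if f["bytes"] <= TRICKLE_MAX_BYTES:
            window = small_flows[key]
            window.append(f["ts"])
            cutoff = f["ts"] - TRICKLE_WINDOW
            while window and window[0] < cutoff:   # drop flows older than the window
                window.pop(0)
            if len(window) >= TRICKLE_MIN_FLOWS and key not in trickle_reported:
                trickle_reported.add(key)
                alerts.append(("trickle-exfil", f["host"], f["dst"], len(window)))
    return alerts


def build_sample_flows():
    """Constructed sample: one trickle host, one burst host, one odd-port host, one benign host."""
    base = datetime(2024, 1, 1, 8, 0, 0)
    lines = []
    for i in range(24):   # ws01: ~48 KB out to the same address every hour for a day
        t = base + timedelta(hours=i)
        lines.append(f"{t.isoformat()} host=ws01 dst=203.0.113.5 dport=443 bytes={48_000 + i * 10}")
    # ws02: a single 80 MB upload
    lines.append(f"{(base + timedelta(hours=3)).isoformat()} host=ws02 dst=198.51.100.7 dport=443 bytes=80000000")
    # ws03: a small connection to port 31337
    lines.append(f"{(base + timedelta(hours=5)).isoformat()} host=ws03 dst=198.51.100.9 dport=31337 bytes=2048")
    # ws04: a few ordinary mid-sized uploads, nothing to flag
    for i in range(3):
        lines.append(f"{(base + timedelta(hours=2 * i)).isoformat()} host=ws04 dst=203.0.113.20 dport=443 bytes={900_000 + i}")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_flows()):
        print(alert)
```

The trickle rule is the one worth tuning: it deliberately suppresses repeat alerts for the same host/destination pair, and the window is kept sorted so old flows age out, but its thresholds will generate noise on hosts that legitimately beacon to a SaaS endpoint, so a real deployment would baseline per-destination volumes first.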

It won’t be easy

It isn’t easy to close the gaps that make social engineering possible, or to entrust good-guy hackers with cybersecurity. But it is the job that cyber thugs have thrust upon us.

This story, "The enterprise is in an arms race with cybercriminals," was originally published by CSO.