The Dark Web Is Nothing Fancy; It’s Really Just A Different Series Of Protocols

Commonly when surfing the web, Transport Layer Security (TLS) is the cryptographic protocol that provides confidentiality for your communication with the server. The green lock on your URL bar is an assurance, but not a guarantee, that you’re communicating confidentially with who you think you are. While TLS is designed to provide confidentiality and identity, dark web protocols are designed to provide confidentiality and anonymity. There are many of these dark net protocols, but Tor is by far the most common, likely because of its use of exit nodes to allow a user to obtain anonymity on the public internet by routing traffic across the Tor network.

On Anonymous Networks, Reputation Is Everything

The quality of your collection strategy dictates how confident you can be in your analysis. Garbage in, garbage out. This is an often-ignored part of dark web marketing. Anonymous networks help segment your actual identity from the persona (or avatar) you develop on these dark nets. Because of this, the reputation of your developed persona is the only currency you truly have. Also remember that there’s no guarantee the person behind the persona you are interacting with isn’t a criminal, a threat intel company, or possibly even law enforcement! The story of the Besa Mafia is a great example of criminals scamming criminals, getting hacked themselves, and then law enforcement arresting people who were trying to hire these fake hitmen. It’s also not uncommon for law enforcement to take control of a hidden site and then continue hosting it in hopes of deanonymizing the site’s users. Basically, trust nothing.

I Registered For Access, And All I Got Was This Low-Confidence Assessment

Developing personas to obtain and, more importantly, maintain access is time-consuming and accounts for most of the work involved in good tradecraft on the dark web. Be wary that some “dark web intelligence” offerings skip the hard part and are just using technical collection to scrape information from essentially public markets and forums. To say this is a commodity capability would be a major understatement, as the ability to automate the scraping of websites is as old as the internet, and as we’ve established, dark networks really just reflect a difference in protocol selection. The use of the iceberg metaphor is a clever bit of psychological warfare . . . ahem, marketing . . . to remind you that they have access to all this stuff under the surface that you don’t. As someone who evaluates these vendors, I can tell you that many of them don’t either.

Any Company Selling You On “Dark Web Intelligence” Is Only Talking About Its Collection Strategy . . . And There’s Big Problems With That

After collection, the next challenge would be processing and exploitation. Processing is frequently discussed as stripping out things like HTML tags from the raw data that’s been collected. If you think that is a big deal, I have a regular expression (regex) to sell you. Where things get interesting is trying to exploit this data to get something useful on an analyst’s desk. Here’s a few examples:

  • Very few, if any, public sector vendors have swaths of analysts translating everything on the dark web on a daily basis from languages such as Arabic, Farsi, Spanish, Russian, and Mandarin. How is this being done at the same scale as collection?
  • How does your translation software handle slang? Without specific knowledge of a particular group, you would have no idea they are using the code name “Iowa” when describing a target in Iran. Keep this in mind if someone mentions they are going to Iowa next month; it might be a lot more exciting than it sounds.
  • Then there’s something I call “the Target problem.” Target is a retail chain with stores in the United States, Canada, and India — many of you may be familiar with the brand. Now, imagine the data problem created in attempting to parse out relevant chatter about the Target brand from the rest of the noise on the internet. Incidentally, the string “target” appears five times in this blog post and only three times in the context of the retailer.

A vendor cannot have an appreciation of these problems and not talk about their solution to them. If they are just trying to sell you on their ability to collect data from the dark web and then show you their platform, you don’t need to see the platform.
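To make “the Target problem” concrete, here is an added example (not from the original post or any vendor's product) that strips markup from collected posts and then compares a plain keyword count with a context-aware filter. The sample posts, the `RETAIL_CONTEXT` word list, and the capitalisation-plus-nearby-terms heuristic are all assumptions made for illustration, and the stripping uses Python's `html.parser` rather than a regex so that script bodies are dropped as well.

```python
import re
from html.parser import HTMLParser

# Assumed retail vocabulary; tune per brand. All sample posts are constructed.
RETAIL_CONTEXT = {"store", "stores", "retailer", "gift", "card", "cards", "pos", "coupon"}
SAMPLE_POSTS = [
    "<p>Selling fresh <b>Target</b> gift cards, balance checked.</p>",
    "<div>Pick your target carefully and scan it first.</div>",
    "<p>Target acquired. Moving on to the next host.</p>",
    "<script>var target = 1;</script><p>Anyone know which POS system Target stores run?</p>",
]

class _TextOnly(HTMLParser):
    """Collect text nodes; drop tags and the bodies of script/style elements."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        self._skip += tag in ("script", "style")
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def strip_html(raw):
    parser = _TextOnly()
    parser.feed(raw)
    parser.close()
    return re.sub(r"\s+", " ", " ".join(parser.parts)).strip()

def naive_hits(text):
    """What a plain keyword alert would count."""
    return len(re.findall(r"target", text, re.IGNORECASE))

def brand_mentions(text, window=6):
    """Sentences where 'Target' is capitalised mid-sentence near retail terms."""
    hits = []
    for sent in re.split(r"(?<=[.!?])\s+", text):
        words = re.findall(r"[A-Za-z']+", sent)
        for i, w in enumerate(words):
            near = {x.lower() for x in words[max(0, i - window): i + window + 1]}
            if i > 0 and w == "Target" and near & RETAIL_CONTEXT:
                hits.append(sent)
                break
    return hits

def triage(posts):
    texts = [strip_html(p) for p in posts]
    return sum(naive_hits(t) for t in texts), [s for t in texts for s in brand_mentions(t)]
```

On the four constructed posts, `triage(SAMPLE_POSTS)` counts four keyword hits but keeps only two sentences as brand mentions. A heuristic this simple still misses lowercase brand references and code names, which is the gap the bullets above describe.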

Finally, There’s Some Really Bad Stuff On Dark Nets, But They Also Are A Critical Resource For The Oppressed

I’m going to wrap this blog with a bit of a personal appeal. Anonymous networks are critical to journalists, whistleblowers, survivors of domestic abuse, people with sensitive medical conditions, the politically oppressed, and more. Please consider supporting projects such as the Tor Project or Tails — and if you’re in a decision-making position at an organization where people might assemble or seek to obtain information, please ensure that your site is usable when coming from a Tor exit node with JavaScript turned off. Unlike so much that we do in the cyberdomain, this can actually save lives.

(Photo credit: Michael Himbeault)