Tag Archives: DarkWeb

CTI does not mean Fraud Detection

Organizations invest more and more in security tools, yet breach statistics keep increasing. Ten or more years ago, attackers were mostly working alone and using basic tools, so it was easier to block them. Advanced techniques and tools, and groups that joined forces to attack, have made these attacks much more difficult to block. Back then there was no such thing as intelligence on our agenda; some basic blacklists and virus databases were enough against most attackers.

CTI (Cyber Threat Intelligence) has become indispensable nowadays. We need more and more information about attackers every day to gain an advantage in this fight. At the same time, we see that a lot of people confuse threat intelligence with fraud detection. People seem really confused about what to expect from threat intelligence. In this post, I try to describe what CTI is needed for and how it should be used.

IoCs: Of course, IoCs are one of the most important things we expect from a CTI product. We feed our tools with IoCs, and this is the simplest form of security intelligence. Open-source IoCs for many historical threats can be found on the internet. Our expectation from a CTI product should be that it gives us the latest IoCs on current threats. While evaluating a CTI tool, it should be observed how many IoCs it gives compared to its competitors. Some CTI vendors mostly repackage open-source IoCs, so it is important to check this before paying money. Meanwhile, the accuracy of the IoCs is also an issue that should not be overlooked. There is no point in pushing many wrong IoCs into our systems every day; even false-positive IoCs will cause us to waste time, and time is the most important resource in a battle.
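A concrete way to do the comparison described above, as an added example that is not part of the original post: the script below de-duplicates and normalizes a vendor feed, measures how much of it also appears in open-source feeds we already consume, and flags entries that would only waste analyst time (stale indicators, indicators matching our own allowlisted destinations, non-routable addresses). The feed rows, the open feeds, the allowlist and the (type, value, first_seen) layout are all constructed sample data and assumptions for the demonstration, not any vendor's real format.

```python
import ipaddress
from datetime import date

# Added example, not from the original post. Constructed sample data: the IPs are
# from the RFC 5737 documentation ranges and the domains are reserved example
# names, so none of them is a real indicator. Rows are (type, value, first_seen).
VENDOR_FEED = [
    ("ip", "203.0.113.10", "2024-03-01"),
    ("ip", "203.0.113.10", "2024-03-01"),                    # duplicate row
    ("ip", "198.51.100.7", "2024-02-28"),
    ("domain", "Update-Service.example.net.", "2024-03-02"),  # mixed case, trailing dot
    ("domain", "cdn.example.org", "2023-01-15"),              # stale indicator
    ("domain", "www.example.com", "2024-03-02"),              # matches our normal traffic
    ("ip", "10.0.0.5", "2024-03-03"),                         # private address, useless in a blocklist
]

# Open-source feeds we already consume for free (constructed).
OPEN_FEEDS = [
    ("ip", "203.0.113.10", "2024-02-20"),
    ("domain", "update-service.example.net", "2024-02-25"),
]

# Destinations our environment legitimately talks to; an IoC hitting one of
# these is a false-positive candidate rather than something to block blindly.
ALLOWLIST = {"www.example.com", "example.com"}

# Checked explicitly instead of via ipaddress.is_private, because is_private
# also flags the documentation ranges used in this sample.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def normalize(ioc_type: str, value: str) -> str:
    """Canonical form so the same indicator written differently compares equal."""
    value = value.strip().lower()
    if ioc_type == "domain":
        return value.rstrip(".")
    if ioc_type == "ip":
        return str(ipaddress.ip_address(value))   # rejects junk like '203.0.113.999'
    return value


def load_feed(rows):
    """De-duplicate rows into {(type, value): earliest first_seen}."""
    feed = {}
    for ioc_type, value, seen in rows:
        key = (ioc_type, normalize(ioc_type, value))
        seen = date.fromisoformat(seen)
        if key not in feed or seen < feed[key]:
            feed[key] = seen
    return feed


def evaluate_feed(vendor_rows, open_rows, allowlist, today, max_age_days=90):
    """Measure what a vendor feed adds beyond open feeds and what would waste time."""
    vendor, open_ = load_feed(vendor_rows), load_feed(open_rows)
    report = {"total": len(vendor), "overlap_with_open": 0, "unique": 0,
              "stale": [], "allowlisted": [], "non_routable": []}
    for (ioc_type, value), seen in vendor.items():
        if (ioc_type, value) in open_:
            report["overlap_with_open"] += 1
        else:
            report["unique"] += 1
        if (today - seen).days > max_age_days:
            report["stale"].append(value)
        if ioc_type == "domain" and value in allowlist:
            report["allowlisted"].append(value)
        if ioc_type == "ip" and any(ipaddress.ip_address(value) in net for net in NON_ROUTABLE):
            report["non_routable"].append(value)
    total = report["total"]
    report["unique_ratio"] = round(report["unique"] / total, 2) if total else 0.0
    return report


def example_report():
    """Run the evaluation on the constructed sample as of a fixed date."""
    return evaluate_feed(VENDOR_FEED, OPEN_FEEDS, ALLOWLIST, date(2024, 3, 5))


if __name__ == "__main__":
    for key, val in example_report().items():
        print("%-18s %s" % (key, val))
```

On the constructed sample, only four of the six distinct indicators are not already in the open feeds, one is older than the 90-day window, one collides with the allowlist and one is a private address; those are the numbers to put next to the vendor's headline IoC count when comparing products.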

TTPs: According to the Pyramid of Pain, which we discussed in depth in the related post, TTPs are the most valuable information for defenders. Sun Tzu says that “if you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” Of course this is very meaningful. If you do not know what tools, techniques and tactics your enemies are using, it would be very difficult to win a battle. For a defender, the most valuable information is these TTPs and the tools the enemy is using. This must be one of your most important expectations from a CTI vendor.

Threat Groups: As mentioned before, attackers now work together; they come together and join forces. And while a group is successful with a technique and specific tools and malware, it rarely changes these TTPs and tools. So it is very important to know who is targeting your geography, country and sector. With this information, organizations get IoCs that are really useful for themselves, and can design their defenses according to these attackers’ TTPs. Seen this way, tracking threat groups may also be the most important input for the first two bullets (IoCs and TTPs). You can take random IoCs and load them into your systems, but this is never the same as working with information about attackers you actually know.

Vulnerabilities: These are critical because attackers use vulnerabilities to infiltrate. It is vital to become aware of vulnerabilities as quickly as possible after they appear. Meanwhile, information on whether these vulnerabilities are exploitable, their criticality and the affected systems should also be among the things you expect from CTI. Of course, you need proactive patch management to use this information successfully.

Dark Web Tracking: Every day, a lot of information about companies is offered for sale on the dark web, and different attackers and groups come together by communicating there. It is not possible for a security team to track all forums and portals on the dark web continuously. One of the expectations from CTI should be constant monitoring of the dark web and access to information about threats to the organization.

CTI is not Fraud Detection: Fraud is an important subject for protecting our customers and users. There are many fraud techniques that fraud teams need to be aware of, but CTI is not fraud detection. As mentioned at the beginning, people seem really confused about what CTI and fraud are. Some CTI vendors provide fraud data to their customers. It is undisputedly very valuable, but a CTI product should not be evaluated solely on the fraud information obtained. For a good CTI investment, the issues above should be evaluated.

Log4j Vulnerable Hosts List on Sale

Log4j persistently keeps its place on the agenda. Although it has been stated that it is very critical and many articles have been written about it, a list has been published and put up for sale that includes more than 500k potential and 220k vulnerable hosts. You can reach the repo for this sale via the link below:

https://github.com/razz0r/CVE-2021-44228-Mass-RCE

Log4j (CVE-2021-44228) is highly critical because exploiting it requires no user permission or interaction, and it is very easy to exploit. It is highly recommended to implement the patches quickly.

TOR As A SOCKS Proxy

Almost all applications and web sites try to learn who we are and what we are looking for on the internet. This information is used for many different reasons, such as advertising and detecting malicious attempts. Again, for many reasons, it is very important to be able to surf the internet anonymously. Tor is used for anonymous surfing all over the world. It is free to install and use on Windows, Linux and OS X.

It is very easy to install Tor and use it as a browser on these operating systems; however, using it only as a browser will not be enough, especially if you want to use some other applications anonymously. To use other applications and command line tools anonymously, the Tor SOCKS proxy needs to be installed.

For installation, we need to add the related software repository, so we edit the sources.list file:

        # vim /etc/apt/sources.list

Then we add the line below to the bottom of the sources.list file.

        deb http://deb.torproject.org/torproject.org wheezy main

We need to introduce the software repository’s GPG key to the system:

        # gpg --keyserver keys.gnupg.net --recv 886DDD89
        # gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Now, start Tor and check whether the service is running:

        # /etc/init.d/tor start
        # service tor status

If the Tor service started successfully, you should see it reported as running. We need to enter one more command to start the Tor service automatically after rebooting the machine:

        # update-rc.d tor enable

After you enter this command, you can test it by rebooting the system. After the reboot, check the status of the service:

        # service tor status

Now we can use Tor for all applications that support a SOCKS proxy. For a test, you can use Firefox: change the proxy settings to a SOCKS proxy at localhost:9050 and check your IP address. Tor uses 9050 as its default SOCKS port.
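To show what "supports a SOCKS proxy" means at the wire level, here is an added example (not from the original post) of a minimal SOCKS5 client in Python that connects through the Tor listener set up above. It follows RFC 1928 and sends the destination hostname to the proxy unresolved, so the DNS lookup happens through Tor rather than through your local resolver; an application that resolves the name itself before connecting would reveal which sites you visit even though the TCP traffic goes through Tor. The proxy address 127.0.0.1:9050 and the destination example.com are assumptions for the demonstration.

```python
import socket
import struct

# Added example (not from the original post): a minimal SOCKS5 client per RFC 1928,
# pointed at Tor's default SOCKS listener 127.0.0.1:9050 (matches the setup above).
# The destination hostname is handed to the proxy unresolved (ATYP 0x03), so DNS
# resolution happens inside Tor instead of through the local resolver.

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00            # Tor's SOCKS port accepts the no-auth method
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# CONNECT reply codes from RFC 1928 section 6.
REPLY_STATUS = {0x01: "general SOCKS server failure", 0x02: "connection not allowed by ruleset",
                0x03: "network unreachable", 0x04: "host unreachable", 0x05: "connection refused",
                0x06: "TTL expired", 0x07: "command not supported", 0x08: "address type not supported"}

def build_greeting() -> bytes:
    """Client greeting: VER, NMETHODS, METHODS (we offer only no-auth)."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])

def parse_method_selection(reply: bytes) -> int:
    """Server answer: VER, METHOD. 0xFF means nothing we offered was acceptable."""
    if len(reply) != 2 or reply[0] != SOCKS_VERSION:
        raise ValueError("malformed method selection reply: %r" % (reply,))
    if reply[1] == METHOD_NONE_ACCEPTABLE:
        raise ConnectionError("proxy rejected all offered authentication methods")
    return reply[1]

def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request carrying the hostname itself, never a locally resolved IP."""
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return header + name + struct.pack("!H", port)

def parse_connect_reply(reply: bytes):
    """Parse VER REP RSV ATYP BND.ADDR BND.PORT; return (bound_addr, bound_port)."""
    if len(reply) < 4 or reply[0] != SOCKS_VERSION:
        raise ValueError("malformed CONNECT reply: %r" % (reply,))
    if reply[1] != 0x00:
        raise ConnectionError(REPLY_STATUS.get(reply[1], "unknown reply code 0x%02x" % reply[1]))
    atyp = reply[3]
    if atyp == ATYP_IPV4:
        addr, rest = socket.inet_ntop(socket.AF_INET, reply[4:8]), reply[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = socket.inet_ntop(socket.AF_INET6, reply[4:20]), reply[20:]
    elif atyp == ATYP_DOMAIN:
        n = reply[4]
        addr, rest = reply[5:5 + n].decode("idna"), reply[5 + n:]
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(rest) != 2:
        raise ValueError("truncated CONNECT reply")
    return addr, struct.unpack("!H", rest)[0]

def recv_exact(sock: socket.socket, n: int) -> bytes:
    """recv() may return short reads; collect exactly n bytes or fail."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def read_connect_reply(sock: socket.socket) -> bytes:
    """Read one whole CONNECT reply; its length depends on the bound address type."""
    head = recv_exact(sock, 4)
    atyp = head[3]
    if atyp == ATYP_IPV4:
        body = recv_exact(sock, 4)
    elif atyp == ATYP_IPV6:
        body = recv_exact(sock, 16)
    elif atyp == ATYP_DOMAIN:
        length = recv_exact(sock, 1)
        body = length + recv_exact(sock, length[0])
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    return head + body + recv_exact(sock, 2)

def open_connection(host: str, port: int, proxy=("127.0.0.1", 9050), timeout=60.0):
    """Return a TCP socket to host:port tunnelled through the SOCKS5 proxy."""
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(build_greeting())
    parse_method_selection(recv_exact(sock, 2))
    sock.sendall(build_connect_request(host, port))
    parse_connect_reply(read_connect_reply(sock))    # raises if Tor refused the stream
    return sock

if __name__ == "__main__":
    # Needs the Tor service from the steps above listening on 127.0.0.1:9050.
    s = open_connection("example.com", 80)
    s.sendall(b"HEAD / HTTP/1.0\r\nHost: example.com\r\n\r\n")
    print(s.recv(512).decode("ascii", "replace"))
    s.close()
```

With the Tor service from the steps above running, executing the file fetches a response header from example.com through Tor. The same distinction matters in other tools: with curl, for instance, the socks5h:// proxy scheme asks the proxy to resolve the name, while socks5:// resolves it locally first.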

Dark Web; Anonymity and Privacy

While talking about the Dark Web, one of the concepts most confused with it is the Deep Web. But first, I want to touch on the Surface Web. The Surface Web is the indexable part of the internet. This includes all websites that you can find via search engines like Google, Yahoo, Bing, etc. The Deep Web means everything else: everything on the internet that cannot be indexed. The Deep Web includes any system that requires login credentials. Social media shares, personal data like credit card or medical information, company databases and more make up the Deep Web.

The Dark Web is a part of the internet that cannot be indexed and can only be accessed via special software like Tor (The Onion Router). Tor is a distributed network where traffic is bounced between various routers (https://www.torproject.org/).
The poster below shows the concepts of the internet (https://coar.risc.anl.gov/wp-content/uploads/2016/05/DarkNet_Poster_R8-622×1024.png)

Privacy
Privacy is the most important concern for people today, with the rise of the internet and personal cloud usage. People want to feel safe and not monitored. Through the sites visited or the applications used, websites can collect tracking data about the user. Using the information collected this way, websites can perform targeted advertising, and even location-based advertising, to the user. Our internet usage is becoming a way for vendors to collect information about us. Using the Dark Web lets users carry out their online activities anonymously; websites or applications cannot collect this type of data while the Dark Web is being used.
Criminals
Because of its anonymity and privacy, most people think that using the Dark Web is illegal, because criminals use it to protect themselves. Criminals create online markets for selling their illegal materials. But law enforcement agencies such as the police also use the Dark Web to capture these criminals.
Last Words
One of the most popular marketplaces is Silk Road. Silk Road started by selling magic mushrooms at first, but then grew to be used for other drugs as well. Another popular marketplace is Wallstreet Market. Wallstreet Market offers goods like drugs, jewellery, malware, fraud information, stolen data, etc.
Dark Web markets are not just for buying or selling illegal goods. These markets can provide better pricing, since there is nobody between the seller and the buyer and there are no taxes and advertisements, for legal services, electronics, vegetables and so on as well. However, I think most people like to shop without receiving offers based on their previous purchases, since the market does not collect any information about you.
People, mostly users far from these technologies, think that the Dark Web is a place where they need a lot of technical knowledge to use it. However, there is not much difference between the Surface Web and the Dark Web. Only the software needed to reach it and the anonymity and privacy are the differences. Meanwhile, people have to be familiar with cryptocurrency technology to shop on the Dark Web.