
Thank you, and it's a pleasure to be here. I'm going to be presiding over this after-lunch slot, and hopefully I will tell you something new and interesting about the dark web and why it's a fascinating place. I have been in cyber security for too many years. I consider myself a modern caveman, because when I started working with technology there was no dark web; there was nothing like that. People were trying to keep their computers from rebooting ten times a day. Now we actually do lots of interesting things, but in the 2000s, from February of 2000 until February of 2010, I did corporate work in cyber security. I was a chief information security officer for a large financial company, and when I was building the defenses, in a decade of doing cyber security in the financial world, I never considered who the bad guys are and why they're attacking us. Then, when I went into the consulting world, I started getting questions: what are the bad guys doing, why are they doing these things, why did they take my data, what are they going to do with it? I started thinking about it, and I actually spent several years considering that, going from incident to incident. In 2013 I started my own cyber consultancy firm, which right now is a global company. Actually, our European headquarters is in Pilsen, Czech Republic, just two and a half hours from here, and it's absolutely interesting how we figure out how to deal with the bad guys. Ultimately, we go out on the dark web, and we are not only experts in technology; we are also experts in cyber security, and we are experts in the bad guys. Think about how often the technology changes today and how little we change as human beings. The bad guys also don't evolve much. So today I'm going to be talking about the dark web and its components, and why I think it's fascinating.

I had the pleasure of speaking at BSides Frankfurt a couple of months ago, and I told the story about how we used cyber threat intelligence, an understanding of the dark web, to stop the group called Killnet, a Russian collective of activists that had more than 100,000 individuals among their ranks. To summarize the way we got into that: we figured out their connection to the Russian illegal drug trade and drug markets. To highlight this, we were able to show the connection between the activism and the illegal Russian drug trade, which blew the whole thing up, to the point of the Russian government disseminating and destroying its own activist group. But the way we got into the illegal Russian drug trade is not specifically because we care much about Russians using illegal drugs. We actually figured out that the best way to track cyber threat actors, the bad guys, is that we can also track them by their bad drug habits. They usually buy their drugs not that far from their house. So if you know where they buy their drugs, the geolocation and stuff like that, you know where they live. So that's a cool thing.

But the technology, the use of technology, how they use it: how do you get into infrastructure that's secured from Russian law enforcement and from Russian hackers themselves, because they want to get free drugs? How do you get in? For years we've been going on the dark web, creating literally tens of thousands of personas in order to build a reputation and build a rapport with the bad guys. Our threat actor aliases we number in turn from one; right now we are over 40,000. This one was Mr. 9211, who actually talked to a guy who in 2018 was just building up that particular marketplace. On that marketplace he ran into some issues with PHP code. So he reached out to us hoping that we would fix his PHP code, because we had been recommended by another moniker as experts in PHP. He reached out to us, and instead of him trying to verify who we are, that we are really bad guys, we started asking him questions: who the heck are you, why are you talking to us, are you really the bad guy or are you just trying to get information from us? He's like, "No, no, I'm really a bad guy." Thank you. So he never asked us a question about who we are, because we asked too many questions of him. This multiple-question thing, like MFA, really works when you keep asking these questions.

But the cool thing is that he's like, "Please help us." Do you have a development system? He's like, "No." Okay, can you show us things on production? He's like, "Yeah, here." He hands over the root password. Thank you. So we got the root password. And then, just to make sure that everything is legal, we asked him: so we can access it, of course, but we don't want to screw anything up. Do you have a backup? He's like, "Why don't you make a backup copy?" Okay, we'll make a backup copy. We should probably store it off-site, in case something happens to the server. He's like, "Of course." So we got a copy of the server on our systems. Backups are important. Then we said, you know what, if something happens and we cannot get back into the system, can we install a way to get back in? He said, "Of course." So we installed the back door. We forgot to disable it when we left, so for years we had access to his system, because he invited us in, asked us to install the back door, gave us backups and stuff like that. He didn't change passwords very often.

But the infrastructure is huge. The infrastructure is enormous, because the operation grew. They operated over 1,000 specialty drug stores around Russia, and we have access to a single server. So do we hack around? No. We went onto the system, found that SSH directory with the authorized keys, and got in. Well, it's secure, but not for administrators. So we were able to move around the infrastructure, but not everywhere; the most important things are super, super secure. But we then realized that one of the servers that had SSH access also ran Ansible, and automation does wonderful things. You can execute any script you want on a remote system to get access to it. So we used Ansible to get into the rest of the systems. Then we couldn't get into the really, really, really secure systems, because we're not supposed to get in, but Ansible ran a lot of automations on their Zabbix server, and the Zabbix server needed to have access to everything. So we got into the Zabbix server, ran the scripts, and we got access to everything.

The end result was being able to highlight connections between Russian organized crime and Russian activism, and this is the benefit, the real benefit, of cyber threat intelligence: how we can get information, make it actionable, and make the world a little bit better a place, because the bad guys in Killnet were attacking hospitals in Germany. They were trying to take out the banking system. They were trying to attack infrastructure, transportation, government, in many other places, not only here in Germany but all over the world. So this is important, and the value of cyber threat intelligence and the information that we're getting is not only disruption but also anticipation, and knowing how to deal with information.

Cyber threat intelligence is about context and signals. It's not only "this IP address is bad, this DNS name is bad." That's part of it, but it's not a huge deal that we need to concern ourselves that much about. It's about intelligence, deriving the intelligence, which is the key factor, and making sure that we are tracking the threats, the emerging threats, the really big things, and also the threat actors themselves, because their motivation, their skills, their direction, their connections are what we can stop or deter, to make things more difficult for them and to get us into a better defensive position. The key component of getting things from the dark web, from cyber threat intelligence, is actionable threat intelligence: being able to take actions. Some things that we can generally discuss would not be actionable, and there is nothing you can do about certain components, but when we talk about taking actions, deriving the next steps from the dark web, that's the cool thing. We can say, okay, this is a threat: the bad guys are selling this type of data. They didn't take it from us this time; next time it may be coming from our systems. Why don't we make sure that this data is protected within our environment? It's about preventing breaches.

One basic thing that I usually talk about when I talk about incident response: within your infrastructure, if you work in a large corporate environment, you probably have cyber liability insurance, some kind of insurance in case you get breached. So my basic suggestion is to hide one single document within your infrastructure, and this deals with cyber liability insurance: it's your policy. Hide it, protect it as your top secret, because when the cyber threat actors break into your network, one of the first documents they're going to be looking for is your insurance policy. Why? Because your insurance limit is going to be listed there, and if your insurance for cyber liability is 5 million, they're going to ask you for a ransom of 5 million euro. You're good for it, and they don't need a euro more or a euro less; they know the exact numbers. But that's understanding what they're after and what they can do. Preventing breaches, stopping them from doing bad things in the first place, that's the most important thing.

I'm going to be explaining the dark web, and the dark web is not a place. Anybody who tells you it's just the Tor network with .onion domains doesn't understand the dark web. The dark web is not a place. It's a collection of locations where things are determined to be hidden. The bad guys who broke into the US company Target Brands in 2013 breached and stole a record number of records at the time: 70 million records, 40 million credit cards, to decimate the US economy and this company, just around Christmas time 12 years ago. But the idea of the dark web is that the bad guys didn't only sit on the dark web, the onion network. They actually talked on Skype with each other. They were walking up and down Arbat Street in Moscow discussing their next steps. Understanding that the dark web is everywhere: it's not only Telegram, it's not only Jabber, it's any kind of component where the bad guys can communicate. This is the key to understanding that they are everywhere. Video games, Second Life and other multiplayer online games, these are some of the places where the bad guys actually congregate to talk to each other, where they can have fun, interact, play games, and actually commit cyber crimes. Casinos, where the bad guys can sit behind a poker table and spend stolen money for fun; they also discuss cyber crime there. So the dark web is not a single place. It's the locations where the bad guys actually congregate and do bad things, and understanding the adversaries: where the adversaries are, what they do, how they function.

We've got nation-state bad guys. Nation-state bad guys are not normal hackers who sit in a hoodie in their mom's basement. They're not; they are actually very suit-and-tie. They go to work every day. They go into government buildings. They sit in a cubicle and they actually work. That's what they do. There are no communications among major nation-state threat actors on the dark web or anywhere. They have internal servers dedicated to this. They use commercial tools. If they want to have a meeting, they go to a conference room, sit down and talk. So this is important when somebody says, "Well, can you infiltrate the nation-state group?" Not virtually; physically, obviously, but that's a different way to do this. So nation states work a little bit differently, and there are some intricacies.

Activists also work in a different way. Activists are driven by an idea, by a notion. It can be politics, it can be religion, it can be a social agenda. Activists are driven by different things. Both groups that I've listed here are not motivated by money, except the North Koreans, who are weird anyway. But think about it: any time somebody says that a nation state, or Russian nation-state threat actors, broke into a system and deployed ransomware, you have to shake your head and say why. Why would the Russian government want to steal money, and how much money would they steal to make a difference? They unfortunately have a lot of money, and they're not interested in stealing money. These are not nation-state threat actors. Activists, maybe: activists scream for their cause until they find money, and then they change their mind, saying, well, we nationalize this, or they privatize this money, because they're not supposed to have it.

For-profit groups are huge. This is the most common vocation for the bad guys, and they sit in places where we don't have extradition. They sit in places far away from law enforcement, and they hide, sometimes in plain sight. There is also a group called the Com. It's not really a single group. It's a community, and we see different names: the Com, the Comms, and we've got different names for this. Some of you heard of Scattered Spider; there was a great talk about this today. ShinyHunters, also a French group, are there. But this is a new movement of young men, usually between 14 and 29 years old, who are coming from Western communities. They are coming from Western Europe: they're coming from France, the UK; they're coming from the United States, Canada. They are part of our society. They understand how we think, how we work. They're not coming from Russia or China. Even though the members of these groups actually learn from ransomware and other types of threat actors, they actually understand how things function, so they can do social engineering better. They understand different things. But this, in my mind, the Com, is the evolution of normal street gangs that are no longer walking around the streets and roughing up people; they're doing it in cyberspace. The Com groups are not only stealing money; they have the physical racket thing. They have commissioned murders, rapes, assaults, and that's because they feel no compulsion to follow the law. They don't understand what the law is. They don't understand the value of money. They don't respect any of our laws and systems. And this is important to see: this is a new generation of attacks from within our society against ourselves, by organized crime, organized cyber crime nowadays.

But to understand the mind of hackers, not only looking at the worst examples that hit the biggest systems, I also want to tell you a short story about dumb for-profit hackers. A number of years ago we noticed a conversation on one of the dark web forums where a young threat actor was just asking stupid questions. He was asking really stupid questions, like: I got into RDP on this system, what do I do next? And it's a live chat. So some people were making fun of him, but some of them were giving him practical things, saying, hey, click on this, click on that. So we are watching live cyber crime occurring, where he is being walked step by step through figuring out what's on that Windows system that he got into. This was a large apparel company in Texas, United States, and he was being told how to go step by step on that particular server. There was a SQL server with 2 million customer records of that company, about 10,000 employee records as well, and for some reason a whole bunch of unencrypted credit cards. So he was showing the Microsoft SQL Server interface, and he was like, okay, what do I do now, what do I do now, step by step. He's actually being fed how to dump the SQL database and how to get everything prepared. So he prepares it on the server, on the desktop, as administrator, and the last thing he says in the channel is: well, now the transfer is going to take too long, and I don't have enough room on my flash drive. I'm going to abort and leave. So he actually breaks down the connection and leaves. Now, that's funny. I understand he is a dumb criminal.

Now let's talk about ourselves, cyber security professionals who come in and do incident response. Let's imagine the systems administrator of that company logs into a server and sees on the desktop basically a bull in a china shop: a person who went through a whole bunch of different options and systems and dumped the entire SQL database. You have to assume the worst. You have to assume you don't know what this person dumped. You have to assume that he took the database, he was inside your system, and you didn't notice. The work of cyber threat intelligence, seeing this information, bringing it to the company, and then forensically proving that he did all these steps but never transferred the data from the server to his system, actually minimizes the breach. Otherwise, if you can't quantify the damage, you have to assume total loss. This is the practical side of cyber threat intelligence and dark web monitoring, because if we had not seen this conversation, if we had not brought this to the attention of the company, and we were calling them as the conversation was ongoing, this would have been a total loss.

The big thing about the bad guys: they try to get into corporate data because it's extremely well organized, it's massive, it has technical connections to other companies, and it's extremely valuable. And the value of the data, for example within our companies, is not only on the dark web markets; the highest value is to the victims themselves, to the company, to its stakeholders, to its supply chain. So ransomware exists right now because we are willing to pay much more than the data is worth to prevent it from being encrypted or to prevent it from being put publicly on the dark web. And this is not only our environment; it's also our supply chain. It's important that, bit by bit, piece by piece, everything that we have in our control we give away to third parties, whether it's to a hosting solution, or whether it's SaaS and publicly hosted or internet-hosted applications. We give it to our partners, and because our data is everywhere, our threats are everywhere, and it's not always our responsibility to safeguard that data. So we need partners, and our partners also have our data. In some cases we reach out to them and we provide them with assistance, because we need to make sure that our entire habitat is secure. And this is about information from the dark web that we can be using to say, hey, our partner is about to get breached, or our partner is being targeted. We also understand that breaches within third parties may be affecting us. You have no idea how anxious some companies get when their partner gets breached, until they get the good news or the bad news that their data was impacted or was not.

We also live in the age of AI and AI threats. And it's not only about phishing, but phishing is also open, because a number of years ago we were just telling our end users to be very vigilant: if you see a typing error in an email, if it's not formatted well, it's a phishing email. Now AI writes phishing emails much better than our marketing groups write real emails, and it does a great job. But I also want to explain how ransomware works in the age of AI. One example is that the Russian ransomware group Qilin is deploying a single person within Russia, with a little bit of legal experience and access to AI, to provide assistance in classifying the data stolen from the victims within the legal framework. So they actually give a lawyer's perspective on the stolen data, and also a lawyer's perspective on how to negotiate the payment for that data.

But I'm going to give you another story, probably the most fascinating story, about a ransomware group that became active about a year ago and then disappeared from sight, called FunkSec, F-U-N-K-S-E-C. This was a ransomware group from Algeria that was completely unremarkable. In fact, they were stupid. They were cheesy. If you never heard of FunkSec, it's a group that made everything in their ransomware gang sound like a very bad commercial. They were talking about music. They were saying, "Hey, now we've got your files. Your files are dancing to a different tune. Time to pay the DJ, or your systems are in a funk. We will fix it for you," or something like that. Even the ransom notes were that bad, and absolutely memorable. I remember them because of this, and I'm like, okay, this is just bad. It's not funny. It's not punny. It's just bad. But they were impactful. They had a membership program. Well, the Russian ransomware group LockBit asked for a $200,000 US deposit to become an affiliate of the group. FunkSec asked for 100 bucks for a lifetime membership. So they were doing really cheap stuff. They were selling stolen data, if the victims didn't pay, for 100 bucks, a thousand bucks, and they offered a 12 to 20% discount if you bought that lifetime membership. So they were just different. What they were remarkable for is that they were actually very resilient, and they had three versions of their crypto, which was written in Rust and was, let's say, okay written. There were actually AI touches all over the place. AI wrote that locker for them. It was well obfuscated, and when the old 1.0 version got broken in only two days, they had the new version, because AI wrote it.

But the interesting thing about FunkSec is that I can tell you with much certainty that the people who ran FunkSec had no idea about cyber security. They had no idea about ransomware. They had nothing to do with cyber security. They were exceptionally good at writing prompts for AI. In fact, AI ran the entire ransomware gang. They were just operating prompts and providing feedback. Why? Well, very simple. That whole musical theme was not to make it cheesy. It was for one interesting reason. It was a game that the bad guys played with AI to make the AI complicit with them. So the entire game was played with AI, and somebody wrote a prompt saying, hey, we've got a musical empire and we're going to be doing this, this, and ransomware. "Oh, that's cool. I will help you." So that's what the AI did. AI fully built the ransomware platform. It wrote the extortion emails. It negotiated for the bad guys. It wrote the locker. It wrote everything. And this was a year ago. Think about our adversaries on the dark web fooling AI into becoming a full accomplice in their plans for ransomware. This is not as funny as it sounded. And that's not to mention deepfakes and everything else that the bad guys are doing, from nation states to extortions to different attacks.

The value of cyber threat intelligence, the value of seeing the dark web, is not about just seeing and telling you funny stories. It's about proactive defenses: how to build out defenses against the bad guys who are constantly changing their techniques, constantly evolving and making their next steps. We want to put defenses in place based on their recent advancements. The dark web will give you these clues, and it will also tell you what your nemesis is doing, how they are advancing, and what their new targets are. Knowing the threats, knowing the tools, knowing how to use the tools that the bad guys have on the dark web: this is what we can get in order to get ahead of the bad guys, because if they've got new tools to find vulnerabilities, we can use the same tools to find these vulnerabilities within our infrastructure before they do.

I do a lot of talks. I talk to cyber security professionals, to people who work with cyber security and many different things. My last point is always about winning. And winning is big, because we have to do our job 100% right, and the bad guys need to find just one mistake that we made in order to emphasize it. Winning is not celebrated in our community as much as one mistake that we make is frowned upon. So winning, for me, is about going out on the dark web every day and finding new things that the bad guys are up to, so we can proactively stop them from doing bad things. That's my time for now. Any questions? I think we've got...

>> Hello.

>> All right, we have time for one question. Does anyone have a question for Alex? Bold person in the aisle. Mike, can you... Oh, you're going to throw. No.

>> Yeah, I just want to know if there's any specific communication medium where you have not actually seen any threat actors, any one secure space.

>> We see them absolutely using everything, because they talk to each other, and everything that we do to communicate with each other, they use it there. They use open components like YOPmail, for example, which is absolutely putting everything out publicly, but YOPmail is a great place to monitor them, even though they know everything is going to be out there. We see them absolutely in everything. I can't think of any single protocol where they're not. I can tell you where they are more likely to be, like Jabber, Telegram, and Signal, but they're everywhere, unfortunately. Thank you.

>> All right. Thank you so much, Alex. If you have more questions for him, catch him out in the hall. And let's get ready for our next talk. Give a big round of applause for Alex, please.