Darknet Chronicles Pt 2: How Insiders Use the Darknet
This article is a continuation of the Darknet Chronicles, a series brought to you by Teramind. This collection of eight articles will focus on bridging the gap between stolen information, insider threats, and the darknet. You can expect to learn about the journey of information after it’s stolen, how insiders help set up the breach, and what you can do to protect your company from darknet insiders.
In our last article, we covered the clearnet and the darknet, today we will be discussing how insiders connected to your organization may use the darknet for their own ends. We will also go deeper into terminology used on the darknet. Your company can be put at serious risk if you’re not paying attention to what’s happening on your network.
Before covering the interaction between insider threats and the darknet, it’s important to revisit what an insider threat is. Your organization is under threat from both external actors and insiders. Insider is an umbrella term that is meant to capture anyone who has access to sensitive information on your network. People who have access to this information are usually employees, managers, executives/directors, and sometimes board members. Those are just a few of the more obvious internal people; however even business partners, suppliers, and privileged advisors can be considered insiders.
Insiders can reasonably always be considered a threat, but not all threats are the same. Negligent insiders typically follow the rules and may make a poor decision which leads to a data breach. Ongoing education and user behavior analytics usually work to correct the issue of negligent insiders.
The other type of threat is the malicious insider who fully understands what they’re doing. Malicious insiders have a variety of intentions, some of which include: frustration, political/ideological, personal grudge, financial pressure, or emotional backlash. Whatever the case, malicious insiders are the cause of fewer data breaches, but when they’re successful the results are devastating. Malicious insider threats are the only people who are willing to take the extra step of trying to hide their footsteps. Enter the darknet insider.
Darknet Enabled Insiders and Their Profile
What happens when a malicious insider meets the darknet, absolute disaster. This is not simply a matter of them gaining the ability to hide their steps. It’s more the fact that they gain access to an on-demand network of mercenary hackers, information peddlers, and cyber weapons they would have never been able to so easily access on the clearnet. On the darknet there are constant requests to sabotage someone or a company posted on forums or dedicated job boards. If contact is made it is directly to the job poster or directly to the hacker(s).
So is there a difference between a darknet insider and a typical malicious insider? The main difference is in consideration and calculation for an attack. For example, a malicious insider who is motivated by emotional backlash will be so intent on exacting revenge they will likely try to carry it out themselves and will likely be reckless in the implementation. However, darknet insiders whose intent may be centered on espionage, sabotage, or financial pressure, will be more careful along the way. The darknet provides these insiders a space to anonymously coordinate a devastating attack on their employer.
Darknet Insider Threat Scenarios
What happens when an insider goes on the darknet? The following scenarios are the likely cases that become reality when a malicious insider goes on the darknet.
Scenario 1: MaaS Assist
MaaS stands for malware as a service and is a dangerous development that has happened in recent years. Essentially if someone is looking to sabotage or attack a company but is not that skilled in programming, they can instead hire a hacker to execute a job for them. The hacker provides the service and then collects payment. In some cases this’s not even a hacker but a machine that may provide the service. In these cases, the payment is made upfront and then the machine executes whatever job the customer selected. If a malicious insider uses this service they will no doubt be able to execute ransomware or sabotage based malware on your network, all without ever having to be even a novice at programming. All they had to do in many cases was hand over their credentials.
Scenario 2: The Leaker
Under this scenario, a malicious insider will act as a leaker and will share sensitive information with either a private party or with the public. If the insider is sharing information with the public will perform what is known as a data dump where a massive amount of information is made available online for anyone to see. Some of these dumps are shared on paste sites such as pastebin and its darknet equivalent. In some cases, leaks have even had their own websites established to make it easier for the public to search the database. An example of this was the Panama Papers case with law firm Mossack Fonseca which was at the center of a massive breach. It was an insider who worked through the darknet to leak data to news outlets, they then all coordinated and published the sensitive data online.
Scenario 3: The Saboteur
The plan here is simple, malicious insiders coordinate online to either purchase cyber weapons or the services of a seasoned hacker. In either case the intent is pure sabotage. The ability to sabotage operations goes beyond simply deleting data. Thanks to cyber weapon development by state actors, and then the theft and leak of those same cyber weapons, people have access to some of the most destructive technology in the world. It is not hyperbole to state that an insider can easily destroy machinery, disrupt supply lines, or destroy valuable assets. By employing an experienced hacker the insider is able to pay in the form of cash or stolen information, which has a high price on darknet markets.
Scenario 4: The Salesperson
The final scenario that is also the most common is the sales person. This type of insider can work alone or with others. The role they play is the extraction of information from the company network and then puts that information up for sale on the darknet. Simple process, and the longer the insider is embedded in the company’s network, the longer they can continue having a side income from the stolen information. Most companies are only aware that information has been stolen when there is an alarming breach, but when an employee is able to do their job and steal in plain sight, it will go undetected. Thankfully, there is a technology that can safeguard against this type of insider, it is called user behavioral analysis. We will explore more of that later in the series.
Here we have revealed a profile and typical scenarios a darknet insider will be found in. Next in the series we will explore more in depth what communication and exchange looks like on the darknet and how insiders participate in the whole process. It is easier than you may think, which should be of concern if the average layperson can pick it up easily.
Also in the Series:
Darknet Chronicles Pt 1: Clearnet vs Darknet