The Dark Web is noise. The real threat is quiet and wears a suit.

For many enterprises, the dark web symbolises cybercriminality. But just how real is the threat?

When bank worker Dayne Lynn avoided a jail term in January this year for embezzling £75,000 from his employer Lloyds Bank, his mitigating circumstance was that he had been forced into it by dark web-based criminals. By revealing his role on the fraud team at the bank's Glasgow Atlantic Quay retail contact centre in an online chat room, Lynn had apparently compromised himself, leading to threats. Although his attempts to steal money from two accounts were blocked, the case illustrates how a seemingly innocent fascination with the dark web could lead to breaches of corporate networks.

For many enterprises, the dark web symbolises the cyber security threat. It is both a hiding place for criminals hell-bent on stealing data and a forum for greedy or disgruntled employees to discover the tools required to wreak havoc on their employer. As CA Technologies revealed in its Insider Threat report last year, the potential for rogue employees is not to be dismissed lightly but it is a lack of resources and awareness of the threat that is the undoing of most companies, especially those in the small to medium category.

For Don Smith, technology director and head of the Cyber Intel Cell in the 80-people strong Counter Threat Unit (CTU) at Secureworks, the dark web is primarily noise and low-end threat. It rarely provides valuable intelligence in combating threats and yet it fuels the perception that it is the platform of choice for cyber criminality.

Smith, of course, is talking from a purely cyber security point of view, one that is tasked with the ongoing struggle to keep cyber criminals out of the company's many high-profile banking and financial services clients.

"We don't place a huge amount of effort on monitoring the dark web because it's mainly noise, or at the very low end, or the end of a cash-out operation," says Smith. "Don't get me wrong, we do have a view. We have a dedicated team who have built sock puppet identities and they are sitting in online forums. They are not in all of them but they are in a lot, in excess of 200."

It certainly works, although Smith has to point to an incident about three years ago to illustrate the fact.

"Is there a smoking gun story here where the Dark Web has led to good intelligence? I'd have to go back three or four years when we uncovered a potential vulnerability at a transport firm that was being discussed openly. Criminals were relaying their plans to steal data the following day so we managed to warn the company and they managed to block access. It's unusual though."


Kid in the bedroom?

Teenagers in dark rooms are the popular image of the cybercriminal hacker. While there is some truth in this, Smith says that the bigger threat, at least to the majority of the firm's 4500 large financial services and enterprise clients, is very different.

"The big criminals, just to be clear, they don't talk openly in online forums because they're businessmen," says Smith. He references the Dyre Gang in Moscow, who, when arrested in 2016, were operating out of offices in the Russian equivalent of Canary Wharf in London.

"They are not sitting in a darkened warehouse with Anglepoise lamps. They are not on the dark web. They phone each other up and do deals. There are a handful of really nasty, organised criminal gangs and fraternities that are responsible for the vast majority of serious online criminality. These are very talented, well resourced, adaptive criminals that will keep going and keep modifying their tactics to increase the yield they get from an infection."

In fact, Smith has a theory.

"There's a stat that came from a malware report about 18 months ago - bear in mind I'm using statistics, much as a drunk uses a lamppost, more for support than illumination - in that particular month, 85 percent of all malware we researched belonged to one of four malware genealogies."

Smith points to the economic rule of three, which suggests that any free market will have three principal players. If 85 percent of malware comes from just four organisations, this is a mature and sophisticated marketplace controlled by very few actors.

Smith, who co-chairs the Strategic Cyber Industry Group at the National Crime Agency, a forum where the NCA works with the banks, retail consortiums and the security companies, talks about impact. These organised gangs are looking for a high return on investment and will change tactics if it means better margin.

"There's a constant evolution from the bad guys in terms of their tactics, from banking trojans to ransomware and cryptomining," says Smith. "In terms of ROI, with ransomware you just need to distribute your malware, have a bitcoin wallet and a website and you have 100 percent revenue retention, because you've cut off the entire distribution chain. More recently, around 18 months ago when cryptocurrencies started to creep up dramatically in value, the same actors were shifting their attention to cryptomining because it became a more lucrative way of getting ROI from compromise of a single host. Even more recently we have the rise of targeted ransomware where a bad guy will come in and establish a foothold in an enterprise and then organise to encrypt all of the machines in one go."


Counter measures

The point, for enterprises at least, is that the threat is often sophisticated. To counter it, Smith and the CTU maintain a Priority Threat Landscape, which produces proactive research on around 30 groups and nation state actors (within a defined threat landscape of around 200 Advanced Persistent Threat groups). It often demands acting on intelligence quickly, with the team writing counter-code to mitigate the risk to customers.

"The bad guys who really make money are not in the habit of talking about it, so where are the people who are doing the most damage? That's our focus. It doesn't mean there is not bad stuff happening on the Dark Web, but if you are sitting in my shoes, where I am responsible for defending some of the world's largest banks from online criminals, my approach has to be much more focussed."

For small businesses though, there is a warning. Rapid growth in business email compromise (BEC), targeting businesses of all sizes and their supply chains, has seen huge losses over the past five years. The FBI, which last June made a number of global arrests, has recorded losses due to BEC of over $12bn in the last five years. Smith suggests the figure could be two to three times that number and says it will continue to be a huge problem this year, especially for small businesses and charities. It's highly targeted and profitable, as Secureworks revealed in its Gold Galleon report last year on Nigerian gangs targeting the shipping industry.

This is about educating staff throughout the supply chains, but what about the insider threat? As we saw with Dayne Lynn, it could be relatively easy for criminals to compromise employees to either steal data or act as a mule for the malware.

"We don't actually see a lot of insider threat," says Smith. "The very nature of it often means companies tend to brush it under the carpet."

It's an interesting point. A Verizon report recently found that 20 percent of cybersecurity incidents and 15 percent of the data breaches investigated within the Verizon 2018 DBIR originated from people within the organisation, with financial gain (47.8 percent) and pure fun (23.4 percent) being the top motivators. The report didn't put a financial figure to this, which indicates losses were relatively small.

"I did attend a session at a big UK bank where the CISO said it was important to assess the general grumpiness of staff and teams because that was his early warning system for some form of insider problem," says Smith, adding, "it's rare for an insider to go rogue even if they need money. It has to be an amazing opportunity for someone to swing towards being a criminal."

Would the dark web be a typical outlet here, a source for inspiration or is it just a distraction?

"Yes, it's really all a distraction," replies Smith, "although YouTube is probably a bigger distraction for staff. It's important to have some perspective and not get too carried away."
