[Reader’s Note:] This is the third installment in a series of blog posts describing a four-step process for using open source threat intelligence (OSINT) to create effective defenses against nation-state attackers. Check out Part One or Part Two of the series if you missed them!
Nation-state attackers not on Dark Web? Don’t bet on it.
One of the biggest misconceptions about nation-state hackers is that they don’t frequent the Dark Web. The thinking is that with their state-sanctioned and state-enabled anonymity, these attackers have no need for the Dark Web. Instead, they can talk, work, and collaborate using their own private networks.
The problem is that this assumption is flat-out wrong.
Trickier to spot, but they’re there.
Cybersecurity pros who battle these attackers all the time, including military and intelligence service teams, know that nation-state attackers are on the Dark Web regularly. They’re just harder to spot than your garden-variety hacker.
Nation-state attackers do the same as other hackers on the Dark Web. They do basic research, listening to what other hackers are discussing as a way to stay current on vulnerabilities, attack strategies, tools, etc. They also use the Dark Web to selectively recruit and hire hackers with particular skills needed for a specific type of attack. And rather than taking on lengthy and expensive development efforts, they’ll sometimes outsource an entire operation, such as building a zero-day attack.
No matter which of these activities they’re conducting on the Dark Web, there are certain telltale signs that point to the threat actor as likely being a nation-state attacker. These signs include:
- Having very specific, narrow goals
- Posting only rarely and always tersely
- Using business-like language
- Posts that are never boastful or self-promotional
- Having large budgets and short timeframes
Enterprises and other organizations should monitor the Dark Web consistently, looking for any of the above behaviors. It’s especially important for cybersecurity pros to look for these activities when they are related in any way to their organization or industry sector.
Don’t think nation-state attackers aren’t on the Dark Web. They’re there, watching, listening, and occasionally acting. Consistently monitoring it can uncover these threat actors and their intent early, when their attacks are still in the planning or development phases.
You just need to know what to look for.
[Next in the Series, Coming Soon: Identifying nation-state attackers’ weapons at the surface]