January 7, 2025

Summary

In this conversation, John Verry interviews Steph Shample, Cybercrime Analyst for DarkOwl, about the dark web and its implications for cybersecurity professionals. They discuss:

  • The basics of the dark web: its purpose and the types of activity that take place there.
  • The value of darknet data for threat intelligence, and how it can be used to understand and combat cyber threats.
  • How cybersecurity professionals can benefit from understanding the dark web to gain insight into the tactics, techniques, and procedures used by threat actors.
  • The evolving nature of cyber attacks, the importance of sharing information within industry-specific groups, and the role of tools like Dark Owl in proactively monitoring the dark web.

Keywords

dark web, cybersecurity, threat intelligence, darknet data, cyber threats, information sharing, Dark Owl, darknet intelligence, proactive measures, incident investigation, security event response, third-party risk management, collaboration

John Verry (00:00)
Twice in 150 episodes, I’ve actually missed hitting record.

Steph S (00:04)
That’s not bad. I don’t know what 2 divided by 150 is, but that’s not bad. That’s okay.

John Verry (00:07)
It’s it’s it’s less than one, right? I mean, so actually it isn’t anymore. I used to say it was less than 1%. Now it’s actually more than 1%. I have to get 50 more before I’m down to 1%. Alright, so alright, so with your blessing I’ll kick this thing off. Okay, cool. Hey there and welcome to yet another episode of the Virtual CISO Podcast. With you as always, your host John Verry, and with me today Steph Shample. Hey Steph.

Steph S (00:10)
Excellent. Well done.

I’m sorry.

Okay.

Absolutely.

Hi, John, how are you?

John Verry (00:36)
I am doing well and looking forward to this conversation. I always start off simple. Tell us a little bit about who you are and what is it that you do every day.

Steph S (00:39)
Likewise.

All right, so I am a cybercrime analyst at this point in my life, but I basically analyze the really malicious actors online who are using hidden techniques to stay off the radar of one, researchers and two, government. So dark web, dark web adjacent platforms like Telegram, Discord, all of the places where it’s a little more difficult to intercept and understand what they’re doing. I am there along with Dark Owl, the company that I work for.

John Verry (01:13)
But I always ask, what’s your drink of choice?

Steph S (01:16)
I love that. Okay, so you had two listed, so I’m gonna also give two. I like to start with a nice like Blanc de Blancs. I’m huge into that. I was a champagne girl for a long time, but Blanc’s just a little bit more, it’s a little bit more chill. It’s a little bit less to start with. And then I go right to the dirty martini, extra dirty, no blue cheese olives. If you’re a blue cheese person, I’m sorry, but that’s bullshit. That’s it.

John Verry (01:38)
Yeah, I know I don’t have when I do when I do it and you’re trying to gin martini, okay I’ll say you could you do a dirty vodka martini. Okay. Tito’s. Tito’s, Grey Goose. Where are we going? Okay. Tito’s is pretty damn good at the price point though. Hey, it, but so all kidding aside, if you’ve never had Tito’s, at the price point, it’s a, it’s a premium vodka, comes out of Texas at a really good price point.

Steph S (01:42)
Yeah, I like gin too. I prefer vodka, but I love the gin. I do, I do. Grey Goose, Grey Goose, yeah. I’ll give Tito’s a whirl. I trust you, so I’m gonna give it a whirl.

Okay, I’m sure I have had it. I probably shouldn’t know. It was probably mixed. Yeah.

John Verry (02:08)
Yeah. And then, and then if you, if you, if you want to go down a rabbit hole with this stuff, there’s a, there’s a, there’s a vodka that’s the best vodka I’ve ever had called Moskovskaya, which, which you can, you can find occasionally. MOSK, I think OS, anyway, it’s, it’s, it’s a fantastic vodka. Years and years ago, I only first started drinking vodka martinis,

Steph S (02:18)
I will have to give that away. Can you write that down?

John Verry (02:32)
I was in Canada and at that time, you know, Stolichnaya was like the, if you thought you were impressive, you’d order a Stoli. And I ordered a Stoli and the guy with a French accent, he said, you know, clearly you’re from the U.S. And I’m like, okay, what are you talking about? He says, he says, you know, he says only a U.S. person would order Stolichnaya. I said, well, what should I have ordered? He said, Moskovskaya. And I’m like,

Steph S (02:37)
the thing, yeah.

Okay.

you

I’ll give that a whirl. Are you a Belvedere fan by chance? I also love Belvedere. I love it. Yes. Yes. Everyone goes good.

John Verry (03:00)
I’m like, okay.

Belvedere is excellent. I like a lot of them. Van Gogh has a different taste, more oily, a little bit different. So it’s different. You know, this is a Lubraskan out of Poland, more potato vodka, has an interesting clean flavor. But anyway, so I ended up drinking this and I was like, holy cow, this guy’s right. He said, this is Russian top shelf. He says Stolichnaya is bar brand in Russia. So I ended up going to customs and bringing bottles home. And then for years, every time I was somewhere, I would try to find these

Steph S (03:15)
Yeah. Yeah.

John Verry (03:33)
these bottles of Moskovskaya, but anyway, I digress. Yeah, you’re getting me off, getting me off track on alcohols. You know, I, we should, we should search and see whether there are actually vodka podcasts, and if there’s not, we should, we should start one. Yeah, exactly. And all I need is another excuse to drink, and so, so no.

Steph S (03:35)
Okay, that’s really cool. I know, I’m sorry. We could do a separate vodka podcast. We could do that. Just food for…

We should start that. It’s a need in the market, a need.

Don’t we all?

John Verry (03:57)
Yeah, so as if my job isn’t enough. Okay, so thank you for coming on.

Steph S (04:01)
You

Thank you for having me. It’s a pleasure.

John Verry (04:06)
So it’s interesting, you already started using the term dark web, dark net, dark net adjacent. All of this interesting dark gray area that’s out there. One of the things that I find interesting is that while most technology and information security people, I think have a fair degree of knowledge of the existence of the dark net, the dark web, whatever we want to call it.

But I don’t think they have a firm understanding of what it actually is. And I think part of that might be the challenge of, I think most people are concerned about going on to the dark net and have probably not spent time there. So, you know, and I think there’s this overarching perception that the reason for that is that there’s an overarching perception that going to the dark web is dangerous. So let’s start with the basics. What is the dark net or dark web? And if there’s a difference between the two, please define that.

Steph S (04:57)
Yeah.

John Verry (04:57)
How would one if they wanted to get there and is it in fact hazardous to do so?

Steph S (05:04)
I would say that there is an elevated level of hazard, but it’s not if you go onto the dark web, you are immediately compromised. And I think a lot of people hear the media and hear snippets, and then they go very hyperbolic in their own heads. So it does require a special access browser, right? You have to use the Onion router. If you try to put an Onion link into Chrome, Firefox, Safari, your browser of choice, it’s not going to work.

And the onion router is basically just that. It’s peeling the layers of an onion. So there’s one IP address that you start with, but then flips to another IP address in the middle, and then there’s an ending one. Each IP address has a different name. I won’t bore you with that. We can do some afterward questions if people want it. But the three IPs have a name. They all have separate purposes. And that is for obfuscation to block where you’re coming from. Because in normal browsers, like right now, the browser that we’re on in Chrome,

If you take and get the IP address, if we don’t have a VPN on, you can geolocate people, right? They can see where you are and where I am. And Tor, you can’t do that. It’s a different one. And the biggest difference between what people call the surface web, so your Google, what people use every single day normally, versus the deep dark web: Google and all of that is indexed. That’s why you can search it. So if I go and say, okay, who’s John Verry, why is he sending me an email? What’s his life story? Where does he work? Right? I can pull all that on Google. On the dark web,

these onion websites, they’re not indexed. You have to have special knowledge. And where that comes from is you’re either invited to these communities, invited to these markets and forums. You just can’t index it and log it the same way that the clear web can. And that’s one of the primary differences. So you have to have specialized targeted knowledge of where you want to go and how to get.

John Verry (06:43)
Gotcha. So if we take that to the next step, so we have this unindexed dark web, dark net out there. What is out on the dark web? Why is it not indexed as an example? What’s out there? And if somebody were to, and then if you could explain also, you mentioned onion router, you mentioned Tor, what are the relationships between those two?

Steph S (07:07)
Right. So why the dark web got started, it was initially, it was a military grade use for privacy, right? As I just mentioned, you try to obfuscate where you’re coming from and what you’re doing on there. Like we just talked about everything on the surface web is logged and detailed and your whole life is out there on the dark web that there is a layer of privacy and obfuscation that’s built in. So you can.

tailor that, you can turn off even more tracking, you can turn on the dark web tools, you can have, you know, take off HTTPS, don’t allow these web pages to load if they don’t have it, you can customize it. So it got started for privacy. And I will tell you that it’s still used for that in some cases. People in authoritarian countries, I think of Iran, Russia, China, as a matter of fact, Russia and China and Iran all have huge efforts to block the dark web, block Tor browser so that their dissidents who are talking about, no, this is what’s actually going on in our country.

they don’t have the access to the clear web to do it. So they’ve blocked the dark web as well because there’s no filters. And if those people can access the dark web, they can then tell the true story. Unfortunately, what that privacy, you know, it started as privacy, it started as trying to keep people to exchange safe information online in a safe environment without being targeted and understood where they were coming from. That’s unfortunately morphed into a really large criminal market. Now that the privacy is there and it’s more difficult to locate people such as

criminal actors selling malware, breaking into databases, stealing passwords, API keys, browser information. All of that is now sold on there because of the obfuscation and the physical hiding of where bad actors are. So the bad actors took the privacy -focused browser, turned it into an underground market, underground tips and trades for, I mean, you can hire everything from a hitman on there to the latest fentanyl that you might need, to the latest malware that’s used to go after a breach.

It is a hotspot of all kinds of malicious activity that takes advantage of that privacy that’s built into the browser.

John Verry (09:03)
Okay, we’re going to pause one second. Now I’m stopping the recording. So whoever’s doing this, can you cut this out? You’re breaking up a little bit. Now the good news is that it keeps it local, but I’m missing some of your stuff. Do you have anything running on your machine that’s consuming a lot of bandwidth?

Steph S (09:19)
I only have the PDF open. Let me make sure that nothing else is there. You’re not your your Word doc. I should say not the PDF. Sorry. Let me make sure that’s all closed. No, I’ll kill, I’ll kill Slack just for now. It’s muted, but I’ll kill it.

John Verry (09:24)
Okay.

Yeah, because you were, I don’t know if you could tell. The good news is that it records locally, so you don’t have to worry about that. But what happens is you’re saying things that I can’t hear that are breaking up, and then I’m in a situation where if I wanted to respond to it, I wouldn’t be able to. Okay.

Steph S (09:45)
Okay.

Okay.

Okay, so I’ve killed everything and then I do just want to make sure you is this microphone okay like is this a known issue sometimes that could be a problem. Okay.

John Verry (09:59)
No, no, you should be good. All right, cool. All right, so whoever is cutting this, I apologize. I’m gonna, I’m gonna start up again here.

So one of the guests I had on a podcast once where we were talking about the darknet sort of referred to this cybercrime supply chain. Is that where I find the cybercrime supply chain? The people that are selling access, the people that are selling credit card numbers, the people that are posting like pastebin type data where, hey, here’s a block of username password combinations that I was able to acquire.

Steph S (10:38)
Yes, absolutely. That’s exactly what it is. So again, the malicious actors have taken that privacy-focused browser that was meant for dissidents and populations that were at risk. And the cyber actors have set up an underground criminal market. They train each other. They give each other tips on the best software to use, the best malware, the best ways to approach potential victims. You can buy anything from drugs, the latest way to break into a browser and grab API keys, cookies, session tokens, X.509 certificates,

to hiring a hitman for murder. So there is just a wealth of possibility. Any service that you can think of that is malicious and detrimental to society is offered on the dark web. We see it every day. And what’s more, I really want to point out the role that Telegram has taken in this. Telegram is also a very private messaging system. You can have big public groups. You can have a room with a channel with thousands of chat users, or you can have one-on-one DMs. What we’re seeing now is

The malicious actors are linking their .onion websites to their Telegram channels and cross advertising to really drive financial gain, make sure that people can access them in multiple ways. They offer tutorials and services for anyone that has problems after they’ve purchased it. Because I will also say the dark web and the criminal underground, it’s all about ego. So these guys really want to say, hey, I’m the best initial access broker. I can get you access into Cisco, Microsoft, Amazon. They drop all the big names.

then offer training and tutorials, and then they ask for a review, right? So just like we all do on the clear web, hey, can you say that my company provides good services? Hey, can you say that my pet sitting services are great? The criminal actors also want the review and they’re vying for that top position clawing their way to the top.

John Verry (12:20)
Yeah, I’ve spent a limited amount of time on the dark web because I’m one of those people that gets a little nervous anytime I have to go there. But I can actually validate, like I was shocked that some of the things you’re saying that people are probably going like, she’s just blowing smoke. I mean, I did stumble upon, I don’t remember how I found a hitman site and it was like, hey, we’re ex, you know, Ukrainian or Russian, you know, black dark ops people and for

Steph S (12:27)
you

John Verry (12:45)
And I was amazed, it was like for like 10,000 bucks, we’ll get rid of your wife. You know, it was, it was just, I was like, whoo.

Steph S (12:49)
Yeah. And that’s not even that expensive. Let’s be honest. And yeah, I mean, it’s really crass how, but you know, these people are just trying to make money and trying to take advantage of it. And it is absolutely wild to see the services that are prolific on the.

John Verry (12:53)
Yeah.

Yeah, the first time I realized the value of the dark web was like, geez, 20, 15 years ago, maybe. We had a client that had a website that got taken down and they spent a lot of time, money, effort, put it back up and immediately got taken down again.

And one of our guys jumped on the dark web and he, you know, and like you speak about these people have egos. He went to one of those hacker scorecard websites and he found the fact, the guy posting the images that he had come in and he, he explained exactly how he did the hacks. And we realized that there was a hidden back door, you know, and we were going to go to the client and say, Hey, you know, rebuild it, but now you’ve got to take this down. so it was, so, so that, you know, just a good example of where, it provides value. so, so Sun Tzu, right.

Steph S (13:35)
Mm.

Exactly.

John Verry (13:50)
famously said, you know, know thy enemy and know yourself in a hundred battles you’ll never be defeated. Is knowing the enemy the primary reason cybersecurity professionals should focus more on the dark side?

Steph S (14:03)
I absolutely love that. Do you want to pause for that or do you need to?

John Verry (14:33)
The joy of having dogs. All right, so for whoever’s cutting this, I apologize. What I’ll do is I’ll re-ask that question. So Sun Tzu is famous for saying, know thy enemy and know yourself. In a hundred battles, you will never be defeated. Is knowing the enemy the primary reason that cybersecurity professionals should perhaps focus a bit more on the dark net?

Steph S (14:35)
Okay.

I would say if you have doubts about what’s on the darknet that that is absolutely a wonderful way to look at it. Yes, you are going to know your enemy on there. Why? Because threat actors do feel that even with the risks, and you’re mentioning takedowns, websites going offline and then actors bring them back, we are seeing a spate of takedowns. If you’re watching the news, ransomware groups are going down. All kinds of forums and markets are being taken down as well. But regardless of that.

The threat actors themselves do feel that the dark web is still a safer place and more so the direct messaging component that’s on there. So each market, if you think of RaidForums, XSS, those are some of the really huge ones. They have messaging capabilities built into it. Furthermore, they are also using Tox now, which is huge among ransomware actors. These guys do feel that it’s safer to share and be extremely detailed. So again, they provide tips and tricks on the best ways to infiltrate a company. They give templates to their customers about

Here’s a good way to say and really fool someone that you call, whether it’s the HR department, the finance department, or a C-suite who might not be as technically capable. All of the tactics, techniques, and procedures, the TTPs that we use in cyber, they are discussed, they are weighed and evaluated on the darknet by the criminals themselves. It is absolutely a way to know your enemy and see, OK, right now the current trend is they’re infiltrating my VPN or my network via this way. Here’s how I combat that.

So you really can know your enemy of that. And I think it’s absolutely brilliant that you work that quote in there. That’s amazing.

John Verry (16:24)
Cool. Anytime somebody even tangentially refers to me as brilliant, I’m just gonna, yeah, you’ve just suddenly become one of my favorite people.

Steph S (16:32)
I’m just going to go with that. I like it. So I’ll tell you too, cyber can be a little bit brutal. We are because because the metadata and the wires, they don’t lie. Right. So sometimes there’s a whole bunch of infighting. So I like to add the nice aspect to cyber. That’s what I’m trying to do here.

John Verry (16:49)
Well, you can be nice to me anytime you want. So when you think about this darknet data, there are different types of uses for it, both from a preventative, detective, corrective components. So let’s chat about some of the major ways that you can use darknet data to your advantage. So the first, and probably the largest, might be threat intel.

Steph S (17:12)
Absolutely. So as I mentioned, you know, the actors are really trying to build up their infrastructure for financial gain or for notoriety. So they’re linking. Not only are they cross-linking, you know, this is my onion site where I sell malware and can help you. Then they link to Telegram. They might provide their Tox ID. They’ll provide their ProtonMail. Now those are all indicators that are protected to a degree, but if you have those and you can start building the online profile, you can see, okay,

This threat actor specifically targets the financial sector, while this one goes after governments, national, global, around the world. This actor goes after VPNs, while this actor relies on very low key phishing, smishing, malicious documents, et cetera, et cetera. So you really do get to know who specializes in what way and what initial entry vector they’re going after. Again, that helps you protect your organization. But you can get as granular as this Telegram channel specializes in selling credit card

full credit card ones with CVVs and expiration dates, while this Telegram channel is only focusing on BINs itself, or this one is only about cryptocurrency. So I then need to go to the blockchain, conduct additional analysis. So you really will not only know your enemy but understand how your enemy thinks, because they articulate it on the dark web and then they show it and then they train other actors. So that is an absolute wealth of cyber information and

It’s not always, it only takes one mistake though, right? One VPN drop to reveal an actual address. Some of these guys, especially the younger ones, the rookies, or if they get desperate, they will then maybe mention a Facebook and Instagram shop or a Twitter account. And when you have that open, that open selector, that’s where you can really go haywire and pivot off of that and really try to find out who you’re dealing with. That’s where, okay, you know, Baphomet who ran a really high level cyber crime conglomerate,

Stuff like that is how you get found out because they link to a clear net selector and it is open season for their kiss.

John Verry (19:08)
Gotcha. So as an example, Change Healthcare, right? Very famous breach that was ALPHV, ALPHV BlackCat, ALPHV. I forget the name of the. Yeah. ALPHV BlackCat. Yeah. Okay. Yeah. But, but they, you know, if you look back in history, right? You know,

Steph S (19:17)
BlackCat, ALPHV. Yeah, ALPHV BlackCat. We go by both.

John Verry (19:31)
HHS, I think, put out a post saying that, hey, we know these guys are attacking healthcare. They’ve had 70 successful attacks over this period of time. You need to be aware. And they actually posted how they were doing it. So I’m assuming that they had some darknet data. You know, unfortunately Change Healthcare wasn’t listening, because if they had been, that wouldn’t have happened. Right? So that’s a pretty good example of where threat intel. Okay. Hey, I work in this, in this vertical, in this industry, there are

Steph S (19:41)
Absolutely.

John Verry (20:01)
acts happening right now against this vertical. Here’s how they’re happening. And they, you know, that, I mean, that’s the value prop, right?

Steph S (20:08)
Right. That’s definitely the value proposition further. I mean, let’s expand on that. Right. Let’s take it to the next level. Not only did BlackCat ALPHV kind of detail what we’re doing, how we’re looking at it, but the ransomware blogs now, their thing is get the victim, post them publicly, give them 24, 48, 72 hours. That timer is public on a dark web page saying you have X amount of hours to pay until then. Now I do understand with the day to day operations, it’s really hard for companies to get that granular. I know it’s difficult.

However, things like the ISACs, the shared groups, there’s HS-ISAC health services, financial ISAC, retail, hotel, you name it, there’s probably an ISAC for it. That is where the value comes in, where I would hope that people are sharing the TTPs, the information gleaned. What these actors are saying online, that is where I hope analysts, practitioners from every industry, government, private, academic, take that information, share it, and make it public knowledge instead of that knowledge just being hidden on one corner of the dark.

And I think that’s where we need to go next for protection of industries and verticals. We have to take it bigger that way.

John Verry (21:11)
Gotcha. So in full disclosure to anyone listening, we actually are a customer of Dark Owl. We use Dark Owl in different ways within our organization. One question I would have for you to that extent, does using a tool like Dark Owl, is there a way that, look, no one, one of the challenges we all have in cyber is there’s not enough time, right? We’re all over work, right? So this idea of, this would be really cool. I’d love to spend time on the dark net. I would love to spend time in your tool.

Steph S (21:21)
to put out.

Yeah, you’re right.

John Verry (21:40)
But I just don’t have it. So I guess one of the questions would be: has a tool like Dark Owl developed in such a way that it can proactively, so I can set some type of parameter and say, hey, I’m in health care, you know, just alert me rather than me having to work at it? Is there a mechanism by which you guys are developing, you know, an easy way for threat intel that’s relevant to me to be surfaced to me, as opposed to me having to go and get it?

Steph S (22:09)
Yes. And that’s such a great point that you brought up, because I know it’s intimidating to come into the day. You have 87,000 emails, 200 Signal messages. We’re all overwhelmed. We have burnout. I get that. Let me full disclosure too. So I was actually, I used Dark Owl as a tool before I started working here. And I have always been so impressed by the, by the data. So when the opportunity came up and they’re like, do you want a job? And I was like, hell yeah. It’s like, are you serious? I’ve always used you. Yeah. So what we do is we have

I have to say, I’m really proud of our product team, right? Because they pull and take the feedback very seriously. I’ve seen other organizations. Listen, I’m former military. You give feedback, that goes in the trash. Nobody cares, right? Dark Owl is different. So we have kind of a set it and forget it option. If you have an actor name, if you have a Telegram channel ID, you can customize and curate these alerts so you can come in and say, OK, I’m in a bank. I work at a bank. I need to understand these seven BINs that I have.

Are they appearing on the dark net? Are they on Telegram channels? What is their dark net exposure? What’s their digital footprint? You can set an alert and forget it. And actually the product team has a way to say, okay, I want an alert every six, 12 or 24 hours, right? So it’s analyst discretion that you can curate that and put that out there. And that was really important for me as an analyst, because I would come in, it starts at 8 a.m. Well, it actually starts overnight, but you’re getting hit up from every direction. I have an incident, I have exposure, I have this.

So not only do we have the curated alerts to set behind the scenes for you to help break that down, but our APIs are also, we have seven offerings for that. If you can ingest massive amounts of data and you want to see all of our API offerings and curate that as well, we really do make it analyst friendly and in our demos, right? And I’m not, I mean, yeah, do I want you to buy Dark Owl? Yes, I absolutely do. But do I want public education more than anything? Yes, I really do. Get a demo from any Dark Owl provider, or I’m sorry, any dark

net dark web provider and see what works for you. See what automation exists. See if there are actor profiles. Can you automate, you know, Telegram channels, the actual numerical IDs, or does your provider, or does someone only work with the handles, right? Because handles, if a, if a Telegram channel, if you’re John Verry, the user tomorrow, you could be John Barry, John Kerry, right? The names and the handles change.

but we focus on that information that is hard set, the technical metadata that doesn’t change. And that’s another important consideration when analyzing and understanding things that you can always rely on to tell you ground truth.

John Verry (24:35)
Gotcha. So let’s talk about another use case, you know, it kind of crosses over, right? Threat intel kind of crosses into, call it incident, potential incident investigation or a security event response. Talk a little bit about how, if something might be going on, the darknet data can support that.

Steph S (24:56)
Yeah, real, real world example, right? We do see this every day with our clients and customers. One of the other alternatives that we, so not only can you set and forget a Discord server ID, a Telegram channel, a market, you know, a .onion URL, but we also offer, you know, you can monitor IP addresses as well. So you can put maybe your internal IP addresses to, to detail, you know, okay, something going on. Are they discussing my internal IPs? Have we been breached? Because again, threat actors will provide the detail for notoriety. You can also monitor.

So your outside IP addresses, your public facing, you can kind of take a look and see, OK, is someone going to try to DDoS my infrastructure because I took a stand against insert world conflict today, right? So if there’s any physical threat, you can also use keywords to monitor that. So we allow for everything from a 400 term search block for Boolean. And you can get the specifics. What is popping for incident response? What do my IR responders need?

how can I arm them, how can I get this to the ground level to keep this incident from spreading via technical metadata, IP addresses, or something as simple as like a physical keyword that you have in a search block. It takes curation, it takes specificity, but we use this every day and we refine those practices every day to better get to that and to assist incident responders.

John Verry (26:14)
Okay, so to the average person who just heard that, and me kind of in that average case, that was a little mind blowing. It’s like, okay, wow. No, no, no, no, no. And so I’m going to actually simplify it a little bit in the sense that you don’t have to have done all of the things that you’re talking about for dark.

Steph S (26:18)
No.

Sorry. Sorry.

That’s about it.

John Verry (26:35)
So I’ve been involved in two or three instances in the last two or three weeks where Dark Owl was helpful to a situation I was in, and I don’t know one tenth of what you know, right? And I don’t use the tool the way that you do. So a couple weeks ago it was a Friday late, like it seems like, I don’t know if you’ve noticed, but it seems like Fridays and weekends now are the popular time to greet somebody and they know, yeah, and holidays. Yeah, it just seems like Friday afternoon I’m always like, please.

Steph S (26:58)
And holidays, don’t forget that.

John Verry (27:05)
I don’t want to call and I’m getting calls at five, six o’clock at night. I mean, these people are brilliant that are adversaries. So I got a call and it’s a late Friday night and the client’s like, we think we might be under attack.

And we think it’s the CIO that we let go this morning. Cause at the timing is just too bizarre. And he had some privileged access to some of these systems and we’re like, okay. So we listened through it. I’m thinking to myself, I don’t think it’s this guy. Like I don’t.

been through a lot of these, it’s exceedingly rare that someone would be stupid enough to do this. The attack, the way that it was coming about did not sound like it was him. So I got on the phone with one of our guys that knows how to use Dark Owl, I don’t use it very well, and I said, hey, can you just look up this company that I’m on the phone with right now?

And all of a sudden, man, just signal after signal, stuff going on, stuff here, stuff there, stuff there. And traces it back all the way back to late January, early February. Somebody’s saying, hey, gained full access in, I’m on top of credit card data, I’m on top of these, hey, I’m going to sell this. So I mean, the reality is it was really interesting that we were able to kind of go from, do we have something going on, to you have something going on.

is not what you think it is. And you already have this challenge right now, right?

So it was like, it was just like, okay, wow. And they were able to take the right actions. They were, you know, they, they of course contacted their cyber liability insurance provider because it would involve a lot of them, a thousand plus credit cards of their, of their customers. They were an e-commerce site. So, I mean, so I, you know, what I’m trying to say is that if anyone’s listening, you don’t have to be Steph and have her knowledge and you didn’t have to know exactly how to fine tune the tool to, to kind of monitor all this stuff. It’s like, crap, is anything going on?

you know, hey, this is the way I can research it.

Steph S (29:03)
Yeah, you’re right. And let me take that down and simplify as well. Because simplicity is key. You’re right. People are intimidated by tech, and we need to change that narrative. So don’t be intimidated, and don’t be afraid. It is as simple as initial access brokers right now going and saying, I have 14 accounts available for streaming. I have 15 accounts available for a bank that I can get into. I have 16 accounts available for a VPN that gets you into a hospital and gets you a wealth of PII.

They are advertising out there. They are doing this publicly. So if you see your organization’s name on Telegram, on this forum, on a dot onion website, you should automatically know in your gut. Ooh, this is not a good place for us to be appearing, right? I need to take action. I need to inform someone. Let’s get this to, let’s get to the bottom of this. So you’re right. It really is that simple because threat actors keep it simple because threat actors just want money. So sometimes, right? Sometimes they want fame, but a lot of times it’s money. So you can just take a look, knock some things off.

And then I’m also glad you brought up that because that CIO would be an internal risk, right? Or a vengeful employee, which is much different from an external attacking APT or state agnostic cybercrime group, right? And you’ve got to determine the nature of the incident because you’re going to mitigate it differently. So that’s very, very important to be aware of. You’re right.

John Verry (30:19)
Yeah, one of the things which you just said, which is really interesting to me and some of the, you know, sometimes the horses already out of the barn.

And sometimes the horse is only, you know, just they open the door, but the horse is still sitting in the barn. And what I mean is that, you know, are we at a point where we’ve had data exfiltration, right? So an IAB, initial access broker, has already been in there and either they directly exfiltrated or they sold it to somebody who exfiltrated. Or if you get, you know, and people don’t understand this, is this the supply chain? Some people like to crack it open. Some people like to go in and explore and drag the data out. So there’s different people with different roles. If you’re able to identify the IAB

Steph S (30:50)
Yes.

John Verry (30:59)
before they’ve done something with the data, you were able to actually close that door and close that access that they had before you’ve had an impact. And it’s funny, you should mention that because one of the other, I mentioned it three times that I’ve been using Dark Owl recently. The other one was we were, we proactively are just doing searches on elements of clients right on their behalf, sort of a dark web monitoring service that we provide to our clients.

Steph S (31:07)
I’m sorry.

John Verry (31:25)
And we got a hit from one of our clients and it was just a few hours old. It was something that had just come up because we, you know, one of the cool things about these dark web modules, including yours, is you can set like, Hey, immediately notify me if you see X, Y or Z and you guys are out there constantly polling. So we got a hit that somebody had gained access into a system for one of our clients. That was literally just hours old. And what happened was that they had a recent acquisition and that recent

acquisition had left a server exposed and somebody had actually compromised it. But they were an IAB, they hadn’t actually started to pull the data off the system, or at least we didn’t think so. And we were able to at least, okay, you know, get them to actually get that data. Now it looks like the data might have actually leaked off the server anyway. But the good news is that, you know, we were able to say, hey, you’re under attack. Here’s the system that’s under attack. They were able to secure that server so there wasn’t further access into that.

And then we were able to proactively say, well, what else is going on in your environment? We found other things which were not properly protected, and they were able to get that stuff cleaned up before something further happened on those systems. So even in this case, even if the data, we’re still trying to figure out if the data is out there or not, but even if it is out there, it’s a very limited amount of data. And if we hadn’t seen this, these other systems likely would have been compromised as well, which would have led to a much broader issue for them to deal with.

Steph S (32:52)
Exactly. And I like that you keep using proactive because so much of cyber is reactive and that’s the nature of the game, right? That’s how the internet’s been set up. But we are now finally at a place where we all realize that we have to get proactive. And I do believe that starting at the ground level of initial access brokers or someone online trying to say, Hey, you know what? Organization X took a stance on social issue Y and now I want to go after them. Right. And here’s how I want to do it. Or here’s how I plan to do it.

We’ve got to be proactive. And then when we see that on the dark web or Telegram or wherever, we can take that to ISACs or the task forces that are being set up. There’s a new ransomware task force. There’s a dark web task force. So this is how we get proactive. We say, listen, this actor that has a history of doing this and is successful.

You just appeared on their page. You need to take precautions. Look at your logs, look at your MDR, look at your endpoint, look at whatever, right? Take a look and see. And so proactivity is yet another thing. And I really think that’s going to be the shift for intelligence coming forward, especially with AI. So we’re at a really opportune time right now. Let’s be proactive. Let’s keep an incident at the lowest level and not lose our entire data. I have to go to backups to restore and really go worst case scenario. Like, can we keep the hurricane at a tropical storm?

versus a cat five. That’s what I’d like to do. And that’s what I do believe darknet data can get.

John Verry (34:15)
about that. So another I think really cool use case for darknet data is third-party risk management.

Steph S (34:24)
Yes, yes. We actually have a really cool tool that you can, so you know, if you’re, maybe you take all proper precautions and you know that your environment’s safe. However, if you’re not a one man show, you are unfortunately beholden to whatever vendor that you choose to use. And if your vendor’s caught up in that, and I will tell you the CLOP campaign of last summer, the CLOP Ransomware Group,

they were huge on supply chains. I think everybody started to see that that was it because it wasn’t that they were going after all of the big names. They did, some of them, but they were going after the mid-tier vendors or people who provided a certain system or service or piece of infrastructure. And that is what then led to the domino effect of them infiltrating all of the organizations. So you have to be aware of not only your own security posture and risks and what’s open,

but that of your vendors, that of your partners. You have to, you know, so if you’re using, let’s just say like a VPN service, if you’re using Cisco, right? And I’m not picking on, I’m just saying, I use Cisco, this is big. And Cisco appears in a Telegram channel or on a dark web forum, right? Then you can reach out and say, hey, Cisco rep, I saw this. Do you have any Intel? Are you combating this? Are you aware of it? Is it a false positive? Is this fake? You know, is this cyber actor not real? But that enables you to have a data-backed

conversation with a supply chain or third party vendor that might otherwise be really difficult and awkward to have, but you have to have it. So you have to have the data to back it up. And we are seeing that all the time. Yes.

John Verry (35:55)
Yeah, I also think it provides a lot of value, not only to monitor your existing third party providers, but in selecting a third party provider. Right? Because I mean, A, you might, somebody, like we know that it’s not uncommon for attacks to be ongoing for up to 18 months, two years in some cases where people are just not aware of it, right? Somebody already in their crap. And then the second thing of course is,

Steph S (36:03)
Absolutely. Absolutely.

Yep.

John Verry (36:19)
If they’ve had previous instances, it’s another data point for you to look at and understand, like, OK, that gives me an indicator. If you see two or three times that they’ve dealt with something in that dark history, then it’s like, OK, maybe this isn’t the best. These guys might not have their cybersecurity program where it needs to be to effectively combat these types of threats.

Steph S (36:41)
And then you can make those informed changes to make proper decisions. And then you’re not wasting time. You’re not wasting money. You’re not wasting resources. You’re making informed data-driven decisions. And on that note, we actually have a really cool, I’ve been impressed with this since I started. This wasn’t a feature earlier on, but it holds true that we have seen,

anywhere from three to four months before a major campaign is broken. And so it holds true for CLOP last year, I mentioned summer 2023, there was a second or third Okta breach in the fall of 2023. And actually we’re seeing the same unfortunately for the TeamViewer incident. Three to four months before any of that goes public, the actors are working, the actors are staging. And what we see is on the top level domains of those impacted, the victims of CLOP, Okta itself, and then TeamViewer.

Unfortunately, there is a spike in data that is exposed for their top level domains indicating. So they’re being discussed on Telegram and the dark web. There are credentials that are being leaked and sold. So let’s say, you know, January of 2024, there was a huge spike in a huge discussion about TeamViewer. Why is this appearing so much? Why are they talking about it on the dark web and what happened six months later?

We’re seeing the fallout of that today. So again, data making, data driven, metadata-backed decisions, it only helps you inform and make the right choices for protection for your organization as well as vendors. And it is too important to consider.

John Verry (38:06)
Yeah, one of the other areas I think that we’re starting to see is the cyber liability underwriting process is pretty challenging, right? You know, it’s hard to sell a $6,000 cyber liability policy to a small company, but when the cyber underwriting of significant enough to kind of figure out what they need to do, it costs 10 grand.

Steph S (38:12)
bitch, yeah. Absolutely.


John Verry (38:30)
So we’ve seen like, you know, they’re running scans against people like attack surface management type tools. And now we’re starting to see that they’re starting to run dark net tools, right?

Steph S (38:39)
Yep, they definitely are. It’s almost like some of the dark net tools are acting as like an Nmap scan for cyber criminals. Honestly, they are really taking that and you know, the cyber criminals are doing their research and research and are very well informed and they have the resources. And so they are using the intelligence and the lack of action to then plan their own actions. Right. So we really have to

I keep talking about all of the different pillars that shape cybersecurity, and that’s academia, government, and then private, the CTI, the researchers, the task forces. But we also need data scientists in there. We need the cyber insurance people in there. We all need to collaborate because we are not working in silos. We are all being attacked together. We are all facing vulnerabilities together. And so we need to bring in the cyber insurance to get that alternate perspective.

and just have these conversations and keep it going by what we’re seeing at the ground level. And that is the dark web, the attack planning surfaces and where these actors are plotting before they actually spring to action.

John Verry (39:44)
Yeah, one of the things that we’re starting to talk with clients about is saying, okay, if you’re about to submit a CLI

application, cyber liability application, why don’t we run a darknet scan because they’re going to run a darknet scan. And if they see something, you have no chance of getting a policy. But if we see something, we can get that cleaned up and maybe they don’t see that. Right. Same thing with, you know, just basic vulnerability, attack surface management stuff. Okay. You know, let’s run a scan. Let’s make sure you’re clean because if they do it and they see something, you’re either going to pay a higher premium or you’re going to be denied coverage.

Steph S (39:55)
Absolutely. Absolutely.

Right, you’re very right. And I also hope the public education, as we just mentioned, the big companies, the big names, we know they have the resources and the time and the personnel. But to your point earlier that you spoke about, about the mid-level, the smaller companies that don’t have the finances, $6,000 versus $10,000, we need to arm them too, because it is a problem and they are being repeatedly targeted. So we have to.

get every level of these cybersecurity pillars appropriately scanned, know what different risks we’re facing, and then implement protections. And that sounds really idealistic, but if you can just take a moment to educate yourself or take a moment to get a scan of a tool, consult with a service provider that you trust, it’s only going to do you better in the long run, right? You’re going to reduce your chance of becoming a victim.

And darknet intelligence should factor into everything else that’s out there, like, you know, Shodan, Censys, GreyNoise. I use all of those as well. I adore them. There are multiple pieces and facets to intelligence and especially to protection. And we just have to consider all of them as well.

John Verry (41:20)
It’s funny you just used a term and I think it’s one of those things I have conversations with a lot about organizations. People say to me, you know, you don’t understand we’re not a target. And I think one of the other weird things that somebody who used these darknet tools for the first time would begin to understand that

There are definitively attacks which are targeted against specific organizations, but they are the minority by far of attacks. And that’s so much of attacks are opportunistic. So these, like an IAB, like you’re a…

physicians group and you get hit, you didn’t get hit because they said this physicians group looks interesting. They were running some type of broad scan across, you know, the internet, right? Hey, there’s a vuln out there. It’s a zero day or it’s a vuln that, you know, people have a tendency not to patch because it’s difficult to patch.

I happened upon like when I had compromised the system, I had no idea whose it was. I had to look at this and go, wait a second. Hey, I’m into a physician’s group. So I think, you know, there’s this broad perception of, no, you don’t understand. We’re a small company. We don’t have a lot of valuable data. You know, we’re not a target. Wrong. Right. You know, that’s not the way targeting works. Right.

Steph S (42:37)
Yep, exactly. And I want a two-pronged response to that, because you’re so right. So number one, it’s not a question of if, right? It’s a question of when you’re going to have an issue. We need to start teaching that. We need to start really ingraining that, because you can’t think, it’s not going to happen to me. It’s not. Yes, it is. Look at the news. Read the news, right? Take a look. And then secondly, to your point, so unfortunately, the independent providers offices, OK, well, if you use Change United Health Care, right?

You yourself as a doctor’s office based in Idaho, no, you are not a target. But you are now negatively impacted. Your bills can’t be paid. Your insurance claims can’t be filled because it trickles up and then it trickles down. So we are all part of the spectrum and you can’t isolate yourself. You’re going to be impacted by it. So it’s kind of a pay me now or pay me later, right?

Do you want to do the work upfront? Do you want to face the ugly that’s out there and protect your organization, your profits, your family run business that you’ve worked your ass off to build? Or do you want to have an incident response later where you don’t have backups, you don’t have the money, you won’t have insurance because you can’t get it because you didn’t do a scan initially. So it’s kind of a, it’s hard to think about, but we’ve got to stop.

hoping that we won’t be a victim and just realize I’m going to be a victim. How do I prevent it and keep it at the lowest level? Because this is reality and we have enough data driven, especially with all the recent attacks and especially with how vocal cyber actors have been. We see where this is going. It’s not gonna get better. It’s only gonna get worse. So just protect yourself now.

John Verry (44:10)
Yeah, I do think that, you know, changing that.

practice of cyber to away from a purely preventative model into more a detective reactive model because there if Microsoft, you know, with its thousands of cyber security people and all of the resources they have can be compromised and if we go through the list of, you know, of all of these great companies that have are investing.

tens of millions of dollars into cyber, if they’re compromisable, what is your chance as a $20 million financial services provider or a manufacturing entity in the defense industrial base? I mean, yeah.

Steph S (45:01)
Thank you. That is an excellent point. If all of these giants that literally built and shaped the internet and Silicon Valley and Web3 and all of these, if they’re having issues and they’re having incidents.

Why wouldn’t someone else that doesn’t have their resources, time and money? You know, I mean, it’s just, again, we have to change the thinking. And I think that that starts in schools, not to completely diverge, but we’ve got to, I think, better and up the cyber curriculum that’s being taught, especially there are kids that start showing interest very early on. And there are kids, right? Like your two year old has an iPad, your grandmother’s on Facebook. Like this runs the whole spectrum. So we have to protect every single part of it because the data that’s revealed

can harm your business. And that’s like the bring your own device policy, right? Do you allow your employees to access personal accounts or things at work? Can they have Slack on their cell phone? Is there bleed over between the corporate and personal environment? And that’s how some of these things start. And especially at the smaller to mid-sized businesses too. So I really think that you’ve brought up some excellent points. And again, I support them because the data is there behind it. The data is driven. We have decades of this now.

John Verry (46:05)
If you keep flattering me that you’re just gonna be persistent. You’re gonna be a persistent guest on the podcast. And this week again, we have Steph Shample. I mean, it’s just, yeah, not her again. Not her again, she’s…

Steph S (46:07)
I’m really not trying to do that.

Everybody tunes out. Everybody’s like, I can’t stand these two. How much vodka have they had, right? But sometimes people just aren’t at this point where we can’t think of it and it’s just, okay, well, it’s public education, which is why I love doing podcasts. It’s shaping the thinking. It’s reshaping the thinking. And it’s just too important to put the message out there. And maybe 30 to 40 years from now, people will start listening. It’s not gonna be immediate.

John Verry (46:41)
Yeah, yeah, exactly. So, so I think we beat this up pretty good. Did we miss anything? Anything you want to add?

Steph S (46:49)
I don’t think so. I think just, you know, expect to be a victim, have backups and proper protections in place, reevaluate your stuff every once in a while, take and set aside a half a day. You don’t have to dedicate or sacrifice a whole week of productivity or your business to it. But this is part of being a responsible person connected to the Internet. And when you don’t know if you’re in over your head, if something bad does happen, reach out for help because resources are there and we do want to protect, you know, from the bad guys.

We are now facing a hybrid realm. It’s not just physical threats. It’s not just digital threats. Now it’s a hybrid of both and that’s for maximum impact of destruction. Cyber actors are plotting and planning for that. So let people assist you however you feel.

John Verry (47:31)
Sounds good. If folks were interested in talking with you specifically or talking with the folks at Dark Owl.

Steph S (47:38)
So let’s go to Dark Owl. Definitely. We have a bunch of great blogs and stuff that our team uses. We’ve got some engineering ones that just put out an info stealer blog. That’s almost becoming more popular than ransomware. So please go to darkowl.com, read our blogs, check out our API documentation, see if our Intel could be for you. For me, I’m on LinkedIn. That’s the only social media that I have. And then otherwise maybe email that they can just, can they come to you first, John, can you be the filter? And then you put them to me.

John Verry (48:06)
That’s odd, but a lot of people that listen to this podcast would be like, why would we go to him when we go straight to her?

Steph S (48:11)
Because I need vetting, I need help in vetting. But no, finally, I love to have these conversations. I will nerd out with anyone for hours over cyber. And thank you again for this opportunity. I really appreciate you having me on.

John Verry (48:23)
no, yeah, this was great. And I think this is one of those topics that I think are interesting for a lot of people because we’re all so busy doing what we do and we know it’s out there, but like we said, we don’t have the time, the energy. We’re scared that by doing this and to kind of each time I have a conversation with people about this, I feel more knowledgeable and more comfortable, if you will.

Steph S (48:37)
Right.

John Verry (48:51)
with recognizing the value prop of this and beginning to figure out how to integrate that into what we’re doing internally and what we’re doing with our clients. So I appreciate you guys. The tool is a great tool for anyone that’s listening. I’m sure there’s other great tools and we actually subscribe to some other tools as well. Having a 360 degree view is good of stuff, but I will tell you the Dark Owl tool is a good tool. So thank you. I appreciate you coming on the podcast.

Steph S (49:04)
Thank you.

Yeah.

I agree, that’s why I came to work here. So thank you again. I appreciate you highlighting your use of Dark Owl. I’m an employee, no one’s going to believe me, but outsiders are going to listen. So thank you, John. Cool.

John Verry (49:26)
Thanks, Steph.