
Dark Web – Use it to your advantage

The Dark Web – use it to your advantage with Cyber Threat Intelligence

Andreas Crisante / Christian Fichera

@ Meet Swiss Infosec June 2017

wizlynx group © 2017


Andreas Crisante
Senior Cyber Threat Intelligence Advisor @ wizlynx group
• Degree in Information Security
• 27+ years of practical experience and business expertise spanning all aspects of information technology management, thereof 16 years in Cyber Security
• Extensive experience in defining and providing IT-Security strategies, Cyber Security concepts, IT-Security and Risk-Management, Collaboration Technologies, Search and Knowledge Management
• Basel, Switzerland

Christian Fichera
• Senior Cyber Security Consultant @ wizlynx group
• 10+ years’ experience in secure web application development
• Penetration Testing & Secure code review specialist
• Web and Mobile application security assessments
• Project manager
• Basel, Switzerland

About wizlynx group
• HQ in Switzerland, global presence
• A strong Cyber Security service provider
  • Extensive experience in Security Reviews (Penetration Testing and Ethical Hacking, Information Security Audits)
  • Infrastructure and network security solutions
  • Managed Cyber Security Services
  • Incident Response
  • Cyber Threat Intelligence
  • Complemented with a high level of competency in ISEC, Quality & Project Management for enterprise IT organizations
• Portfolio of services (excerpt):
  • Pen Tests & Ethical Hacking to assess devices, networks, services and applications for vulnerabilities; Social Engineering to assess the awareness of humans
  • PMO Services, Project, Quality, Engineering and Cyber Competence Centers
  • 24/7 Infrastructure & Security Operations Center
• Exclusive partner for Switzerland
• Numerous credentials and extensive experience in:
  • Pharmaceutical, banking, insurance, telecom, nutrition, and IT industries
wizlynx Services Portfolio
Security Management Lifecycle

wizlynx InfoSec Consulting: Policy & Controls
• Identification of the threat profile of the organization
• Plan and organize the ISMS
• Develop security architectures at organizational level
• Definition of applicable Security Controls for the ISMS domains

wizlynx Security As a Service: Operate and Maintain
• 7/24 Monitoring of Security Infrastructure
• Analysis of security events from the various sources
• Depending on SLA: up to full management of Security Events
• Forensic analysis support in case of security breaches
• Incident Handling
• Cyber Threat Intelligence

wizlynx Design & Integration: Design & Architecture
• Design & Architecture of Security Infrastructures
• Develop security architectures at an application, network and component level
• Identify solutions per architecture level

wizlynx IT-Risk Assessments: Threat/Risk Management
• Pro-active reduction of vulnerabilities to reduce the impact of possible threats
• Assessment of threat severities
• Prioritization of remediation efforts
• Managing IT-Risk on

wizlynx Security Assessments: Assess
• Accurate identification of systems
• Accurate identification of vulnerabilities at application, network and component level

THE DARK WEB
The Web’s Layers

SURFACE WEB: vast, exposed, easy access

DEEP WEB: partly visible, mostly hidden, requires special access with authentication

DARK WEB: hidden, difficult to find, needs specific access technologies
Dark Web: a Distributed Anonymization Network
Technology

• P2P network of many loosely-connected hosts running special clients
• Participating hosts have multiple roles (Client, Relay, Exit Node)
• Communication is masked and encrypted
• Requests “hop” through the network to hide origin and/or destination
• Access to content can be restricted to the Dark Web only (a so-called “hidden service”)
• Addresses use a specific designation (e.g. “t5dh587hhsg09xi809.onion”)
• The Dark Web provides anonymity to both sites and users
History of the Deep/Dark Web
[Timeline figure; Source: Trend Micro]
What is the Dark Web?

• Collection of un-indexed and anonymous websites
• Marketplaces, Forums, Wikis, Blogs, etc.
• Intelligence exchange
• Marketplace for Remote Access Trojans, Exploits, Malware, stolen accounts, DBs of stolen data, PII data, malicious services like “Rent a botnet” or “Rent a DDoS attack”, and more!
• Bitcoin as main currency

Content, Services & Products (word cloud): Electronic Devices, Credit Cards, Personally Identifiable Information, Malware & Exploits, Botnet Rental, Counterfeit Money, Bank Account Information, Hitman For Hire, Hacker For Hire, E-Commerce Accounts, Weapons, Prescription Drugs, Drugs
Hitman for Hire: examples [image slide]

Weapons: examples [image slide]

And more: examples [image slide]

Underground Forums [image slide]

Hacker For Hire: examples [image slide]

DARK WEB AND CYBER SECURITY?
Direct Threats from the Dark Web?
A new channel for old attacks

How big is the risk for an organization?

• Only a small part of attacks originates from the Dark Web
• The present protection mechanisms and systems remain effective to a certain extent
• SIEM systems can identify Tor traffic, C&C traffic and Cryptolocker attacks
• The Dark Web camouflages the attack origin
• The attacks are analogous to those from the public internet
• Restricts preemptive detection and research, and discovery of the attack chain
• Restricts real-time identification of the threat actor
• Restricts post-breach forensic investigations
• The latest malware patterns analyzed in recent outbreaks indicate Dark Web integration
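The SIEM point above (Tor traffic stays identifiable even though the Dark Web camouflages the attack origin), as an added example that is not part of the slides: a small Python detector run over constructed log lines that flags DNS lookups for .onion names reaching the corporate resolver and connections to hosts on a Tor relay list. The log format, host names and the relay IP set are all assumptions (the IPs are documentation-range placeholders, not real relays).

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed placeholder set of Tor relay IPs (RFC 5737 documentation ranges);
# a real deployment loads this from the Tor consensus or a CTI feed.
TOR_RELAY_IPS = {"203.0.113.10", "198.51.100.77"}

# Constructed log format: "<timestamp> <DNS|CONN> <source-host> <target>"
LOG_RE = re.compile(r"^(\S+) (DNS|CONN) (\S+) (\S+)$")

@dataclass
class Finding:
    ts: str
    src: str
    reason: str
    indicator: str

def scan_line(line):
    # One log line -> Finding, or None when benign or unparsable.
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, kind, src, target = m.groups()
    if kind == "DNS" and target.lower().rstrip(".").endswith(".onion"):
        # .onion names resolve only inside Tor; a query reaching the corporate
        # resolver means a misconfigured Tor client or malware seeking its C&C.
        return Finding(ts, src, "onion-dns-leak", target.lower())
    if kind == "CONN":
        host = target.rsplit(":", 1)[0]  # strip the port (IPv4 only here)
        try:
            ip_address(host)
        except ValueError:
            return None  # hostname, not an IP literal: nothing to match
        if host in TOR_RELAY_IPS:
            return Finding(ts, src, "tor-relay-connection", host)
    return None

def scan(lines):
    return [f for f in map(scan_line, lines) if f is not None]

# Constructed sample log: ws-0412 leaks an .onion lookup and talks to two relays.
SAMPLE_LOG = [
    "2017-06-12T09:14:03Z DNS ws-0412 abcdefghijklmnop.onion",
    "2017-06-12T09:14:05Z CONN ws-0412 203.0.113.10:9001",
    "2017-06-12T09:15:11Z DNS ws-0099 www.example.com",
    "2017-06-12T09:15:12Z CONN ws-0099 192.0.2.5:443",
    "2017-06-12T09:16:40Z CONN ws-0412 198.51.100.77:443",
]
```

Grouping the findings by source host (here all three come from ws-0412) is what turns the feed into a triage list for the SOC.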
Attacks from the Dark Web
How is the Dark Web used by hackers?

• Attacks from the Dark Web mainly use HTTP-based delivery
• SQL Injection and Vulnerability Scans are the primary attacks discovered
• Stimulus for attacks from the Dark Web
• Delivery of malicious code
• C&C (Command & Control) servers
• DDoS used to stage “decoy attacks”
• Delivery of valuable information
• Intelligence exchange
• Marketplace for exploits, hacker tools, etc.

“Knowledge is Power” (Sir Francis Bacon, 1597, English philosopher, statesman, scientist)
NEW AGE OF CYBER SECURITY: LEVERAGING WEB(S) INTELLIGENCE

New Age of Cyber Security
[Diagram: from Perimeter Controls to Intelligence and Cognition, Cooperation, Integration & Preemptive]

wizlynx CTI (Cyber Threat Intelligence) powered by
• Real-Time Monitoring
• Reporting
• Qualitative and quantitative research and analysis
• Alerts & Early Warnings
Cyber Threat Intelligence = Cognition Security
Preemptive tailored Cyber Security Protection
[Diagram: Unstructured Data → Cognitive Analytics → Preemptive Security]

Cyber Threat Intelligence allows the
• visibility into the latest malware, exploits and threat vectors
• identification of the organization’s information in the Dark Web and its use as an Indicator of Compromise (IOC)
• detection of upcoming attacks before they become active
• identification of compromised accounts and computers of your organization
• detection of stolen credit card information
• discovery whether the organization’s confidential information or even trade secrets have become publicly available
• identification of Phishing and Cybersquatting attacks
• automated and fast processing of hidden big data that is difficult to find and needs specific access technologies
Sources

Open Sources Sample:
• Social Media – Facebook RSS, Twitter, YouTube
• Web based communities
• User generated content – wikis, blogs & video sharing sites
• Public & Academic data
• Pastebin
• Search engines
• IRC
• Malware databases (e.g. VirusTotal)
• Zeus Tracker

Closed Sources Sample:
• Closed forums & marketplaces
• Criminal infrastructure hosting malicious attacks
• Malware hunting in the dark net
• Honeypots
• Automated sink holing
• CERT collaboration
• Malware sandbox combined with human analysis
• Spam mailboxes
• Hacking & underground forums including zero-day exploit forums
wizlynx CTI (Cyber Threat Intelligence) powered by
High level features

Provides an organization with 5 unique capabilities, allowing it to perform the following actions on cyber threat intelligence:
• Collection: from multiple sources and in multiple formats
• Correlation: intelligence across all the modules
• Categorization: malware family, bot IPs, MD5
• Integration: into 3rd-party security tools
• Action: take intelligence to create custom YARA[*] rules to dissect malware

Available as
• SaaS
• full Managed Security Service

[*] YARA = open-source tool using Perl-compatible regular expressions to examine suspected files/directories and match strings.
wizlynx CTI (Cyber Threat Intelligence) powered by
Features
wizlynx CTI is divided into distinct yet integrated modules, allowing companies to choose the specific modules that suit their business needs.

Botnet and Command & Control
• Detect infections in critical servers, VIP users, and clients
• Protect by recovering stolen user IDs and passwords
• Proactive, real-time awareness of crime servers; track and block

Hacktivism
• Live threat data, which can be streamed into a SIEM
• Early warning of information and credentials theft or leaks
• Vulnerability analysis specific to the applied technology
• Hacktivism global overview, including active operations/geolocation

Targeted Malware
• Track malware & mobile malware trends to detect targeted malware
• Connect internal network analysis appliances to send malicious binaries for analysis into a cloud-based elastic sandbox
• Early warnings of information theft or leaks due to a malware attack

Data leakage
• Detecting information leaks from third parties, such as outsourcing, consultants, audit, and other partners
• Delivering a list of documents with organization information
• Gather “classified” documents/information that is publicly available

Credit Card Theft
• Create a proactive cyber security strategy to prevent credit card fraud
• Block stolen credit cards
• Protect corporate cards and VIPs from non-authorized purchases
• Insurance cost reduction due to control/credit card fraud mitigation

Rogue Mobile apps
• Identifies false, infected, modified, or copied apps, as well as apps performing brand abuse activities

Phishing & Cybersquatting
• Combats attacks by detecting attempts to acquire sensitive information by masquerading as a trusted entity, and by detecting similar domains used to replace the company’s original domains

Brand abuse
• The Abuse and Social Monitoring Module monitors online presence to identify brand abuse, reputation damage, and other forms of attacks on your brand

Media tracker
• Monitor source mentions with potential impact on brand reputation
• Identify news/media activity threatening the organization’s security
• Filter news and media sources easily with sophisticated search functionality
SECURITY NOTE
DEMO! No photos, no videos allowed.
Summary

PREVENT
• Consistent blocking of attacks and removal of vulnerabilities
• Interrupt malware and exploits
• Discover and protect endpoints

DETECT
• Identify unknown threats against your enterprise with intelligence and analytics
• Discover attacks across your organization
• Perceive abnormal behaviors
• Prioritize threats

RESPOND
• Concise and quickest possible Incident Management
• Score and improve your incident response capabilities
• Locate indicators of compromise

“Knowledge is Power” (Sir Francis Bacon, 1597, English philosopher, statesman, scientist)
Thank you.

Andreas Crisante
Senior Cyber Threat Intelligence Advisor
andreas.crisante@wizlynxgroup.com

Christian Fichera
Senior Cyber Security Consultant
christian.fichera@wizlynxgroup.com

Wizlynx AG
Hauptstrasse 11
4102 Binningen
Switzerland
Mobile: +41 79 320 83 55
andreas.crisante@wizlynxgroup.com
www.wizlynxgroup.com
BACKUP SLIDES
Botnet Module Capabilities
• Provides a high-quality feed of compromised credentials
  • Recovered credentials can belong to customers
  • Recovered credentials can belong to internal users
  • Recovered credentials can belong to 3rd-party suppliers
  • Recovered credentials can belong to VIPs

• Our platform is the only platform to provide a stream of credentials recovered from a diverse range of sources
• The data provided is current and gives an organization actionable intelligence
• If such a service were not in place, such credentials could be used to launch APT-related attacks
Credit Card Theft Module Capabilities
• Provides a high-quality feed of compromised credit cards
  • Recovered card details are time-stamped
  • Corporate Cards and those belonging to VIPs can be monitored in addition to retail & business customers
  • Detailed MI to track card compromises by region

• The only platform to provide a stream of card data recovered from a diverse range of underground sources & POS compromises
• The data provided can be fed via API directly into any deployed middleware fraud engine to provide card blocking functionality in real time
• Any entity involved in the use of credit cards will see an immediate return on investment through a higher rate of compromised card detection
Data Leakage Module Capabilities
• Searches for documents and confidential information that belong to your organization but should not be publicly available
• This solution complements existing controls, as it can identify leaks that have for one reason or another bypassed existing controls such as DLP systems
• Examples of sources monitored in real time include, but are not limited to: P2P Networks, Google Docs, DropBox, …etc.

• Detect insiders leaking confidential information
• Identify leaks bypassing DLP controls
• Enhance DLP controls and secure a better ROI
• Detect information leakage from third parties
• With the increased business demand for BYOD, this module can help identify information leakage originating from mobile devices
Rogue Mobile App Module Capabilities
• Detect illegal mobile applications that are being publicly published without your organization’s authorization
• We provide a real-time feed with the following types of data:
  • Official Mobile App Markets
  • Alternative Mobile App Markets

• Detect rogue applications and data theft
• Detect new and legitimate applications that have not been authorized by the CISO, and identify blended attacks (those involving malware)
• Protects brand value: constant and active monitoring of mobile app stores for improved visibility of the threats that are infringing your brand’s integrity, value, and reputation
Hacktivism Module Capabilities
• Provides a high-quality stream of cyber intelligence related to Hacktivism activity targeting your organization
• Identify groups and malicious actors targeting your organization
• Early warning of planned attacks
• Track and preserve information from across all forms of social media including Twitter, RSS, and underground forums

• The Wizlynx platform is the only platform to provide and track detailed information across a diverse range of social media
• The platform can preserve the information captured from social media, allowing for a detailed forensic investigation at a later time
• Take the information captured and feed it directly into your SIEM solution
Targeted Malware Module Capabilities
• Checks in real time against emerging campaigns and newly known malicious websites that are being detected across organizations
• Upload suspicious files into our solution for real-time analysis; a complete technical report is generated which can be viewed online. This report can be used to fingerprint the malware and aid in the identification of infected devices on the corporate network
• Static code analysis looking for suspicious behavior, obfuscated scripts, malicious code snippets, and redirects to other malicious sites
• Dynamic analysis that sandboxes the destination, simulating a real user on a machine with the goal of observing any changes made to the system
Phishing Module Capabilities
• Phishing websites can cost enterprises enormously. Without robust protection, a well-coordinated attack can leave the enterprise vulnerable to:
  • Financial losses
  • Reputation damage

• The Phishing feed can be stand-alone or fed into an existing service to enhance detection capabilities
• Ability to store and view a snapshot of the Phishing site and metadata for use during investigations
• Real-time alerting and reports of fraudulent Phishing URLs
Brand Abuse Module Capabilities
• Detect abuse and misuse of your brand
• Prevents coordinated real-world attacks and brand dilution. Keeping abreast of brand-related issues in community networks is now a crucial part of any brand protection strategy. Left unchecked, many brand-related issues that start small in these social networks can quickly explode into full-fledged brand or public relations catastrophes in a matter of days
• Examples of sources monitored in real time include but are not limited to: Vimeo, YouTube, Search Engines, Google Images, Social networks

The unique stream of targeted brand abuse that is delivered will help to:
• Aid legal and marketing teams to quickly move against malicious use of the brand
• Brand dilution and devaluation: examples include unauthorized use of brands, logos claiming partnership affiliation or other endorsements, or use on sites with objectionable content