First things first: so that we are all on the same page, let us group all the ominous words such as “Darknet”, “Darkweb” and similar terms under a more sensible one, the DeepWeb. Then, let’s dive into it together to define exactly what it is and what information it contains.
The DeepWeb in a few words
The DeepWeb is the portion of the Internet that is not readily accessible, either because it is not indexed by common search engines or because special tools are needed to reach it.
Amongst the best known are the paste websites (“pasties”), aptly named because they offer a simple way to share data: copy and paste the information onto them. Originally used to exchange code snippets, they are now often used by random hackers to dump credentials, or to host additional offensive payloads such as obfuscated PowerShell scripts.
A bit deeper
Going a bit deeper, the DeepWeb also refers to alternative networks such as The Onion Router (TOR), I2P or Freenet, which let people publish data online free of censorship, with the added benefit of preserving the anonymity of publishers and readers alike.
But these are simply alternative networks on top of an already well-furnished infrastructure. Many services can be found on the regular Internet by those who know where to look: private websites, forums, chat systems, e-mail, and the venerable IRC.
The information one can find on the DeepWeb varies. On paste websites, stolen data such as samples of credential dumps are common. These credentials might originate directly from your internal servers, but more often than not the leak comes from a breached third-party web server on which your users had registered with their corporate e-mail address.
Forums are also a trove of information, where people sell stolen data or discuss the exploitation of externally reachable vulnerabilities, possibly targeting your brand or your public IP addresses.
Therefore, this all boils down to one question: if you were to look into it, would you find some of your data on the DeepWeb?
Scanning the DeepWeb
The issue is that looking up all these alternative streams is a time-consuming task. And how would you ensure that everything is checked, given the ephemeral existence of these platforms and the difficulty of accessing some of them without the right know-how?
Keep in mind that data is exchanged hand to hand by people who have made a business out of it. Most forums use escrow or vouching systems between peers to vet who can access them, while banning automation with CAPTCHA systems.
This is why, in order to simplify and perform this monitoring for you, Excellium CSIRT has developed and operates a platform called EyeDeep. EyeDeep uses a modular architecture that makes it easy to plug in new data sources. Excellium Services can now scan for your IP ranges, domains and keywords deeper than ever. We do not claim to scan the entirety of the DeepWeb, but we work hard to search for your data outside the traditional perimeter.
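As an added illustration of the matching step that any paste or forum monitor needs once it has fetched the raw text (example code written for this page, not EyeDeep's own), the Python below takes a watch list of IP ranges, domains and keywords and reports where each appears in a paste. The watch list, the organisation and the paste text are all constructed samples.

```python
import ipaddress
import re

# Constructed watch list for a hypothetical organisation (IPv4 ranges only;
# extending the address matching to IPv6 would need a second regex).
WATCHED_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.128/25")]
WATCHED_DOMAINS = ["example.com", "example-bank.lu"]
WATCHED_KEYWORDS = ["ExampleBank VPN", "project-phoenix"]

# Candidate IPv4 addresses; validated with ipaddress below because the regex
# also accepts octets above 255.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames and the domain part of e-mail addresses share this shape.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def domain_is_watched(host, watched):
    """True for a watched domain or any of its subdomains, not for lookalikes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)


def scan_text(text, ranges=WATCHED_RANGES, domains=WATCHED_DOMAINS,
              keywords=WATCHED_KEYWORDS):
    """Return (kind, matched value, line number) tuples for every hit in `text`."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in IPV4_RE.finditer(line):
            try:
                addr = ipaddress.ip_address(m.group())
            except ValueError:
                continue  # e.g. 999.0.113.1 looks like an address but is not one
            if any(addr in net for net in ranges):
                hits.append(("ip", str(addr), lineno))
        for m in HOST_RE.finditer(line):
            if domain_is_watched(m.group(), domains):
                hits.append(("domain", m.group().lower(), lineno))
        lowered = line.lower()
        for kw in keywords:
            if kw.lower() in lowered:
                hits.append(("keyword", kw, lineno))
    return hits


# Constructed paste text standing in for a fetched pastie.
PASTE = """\
# dump from breached forum, 2021
j.doe@mail.example.com:Winter2021!
admin@notexample.com:hunter2
rdp open on 203.0.113.45:3389 and 198.51.100.7
invalid ip 999.0.113.1 should be ignored
VPN portal creds for ExampleBank VPN below
"""

if __name__ == "__main__":
    for kind, value, lineno in scan_text(PASTE):
        print(f"line {lineno}: {kind} hit on {value}")
```

Note the two deliberate negatives in the sample: `notexample.com` does not match because domain matching is suffix-based on a label boundary, and `999.0.113.1` is dropped because the regex only finds candidates and `ipaddress` decides what is really an address. A production scanner would add IPv6, e-mail local parts, and a Public Suffix List aware domain split on top of this.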
EyeDeep’s new capabilities
While EyeDeep previously focused mostly on paste websites, our platform can now automatically scan various alternative forums and marketplaces to monitor what cybercriminals are discussing, buying and selling. EyeDeep is capable of combing forums hosted on onion sites on the TOR network.
Additionally, EyeDeep monitors the various shaming lists on which attackers publicly claim a successful attack against a company to brag about it. These shaming lists often also host the download links for the victim’s data. This category includes several infamous leak blogs such as those of the REvil, Maze or Sekhmet groups.
EyeDeep also monitors various PGP key servers as part of our identity survey. For each of your domains, we look for newly published PGP keys and notify you as soon as a new key appears, since a key on your domain that nobody in your organisation generated deserves a closer look.
Finally, to maximise our detection coverage, EyeDeep also looks up your IP ranges and domains in our threat intelligence database and in various other open-source intelligence feeds. This allows us to detect compromised assets reported by third parties, or an ongoing phishing attack.
On the roadmap, EyeDeep will soon integrate certificate transparency logs and passive DNS databases to improve the surveillance of your domains and detect phishing and fraud attacks targeting you at the earliest possible stage.
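To show what the key-server side of such a survey involves, here is an added example (written for this page, not EyeDeep's code) that parses the machine-readable index an HKP key server returns for a request such as `/pks/lookup?op=index&options=mr&search=<term>`, keeps the keys carrying a user ID on a given domain, and reports the ones that are neither already known nor revoked, disabled or expired. The server response below is constructed; which search terms a given server accepts (a full address versus a substring) varies and is not assumed here.

```python
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed HKP index (draft-shaw-openpgp-hkp "mr" format):
#   pub:<keyid>:<algo>:<keylen>:<created>:<expires>:<flags>
#   uid:<percent-escaped uid>:<created>:<expires>:<flags>
# flags: r = revoked, d = disabled, e = expired
SAMPLE_INDEX = """\
info:1:3
pub:0123456789ABCDEF:1:2048:1609459200::
uid:Jane Doe %3Cjane.doe%40example.com%3E:1609459200::
pub:1111222233334444:1:4096:1577836800::r
uid:Jane Doe (old) %3Cjane.doe%40example.com%3E:1577836800::r
pub:FEDCBA9876543210:22:256:1640995200::
uid:IT Support %3Cit-support%40example.com%3E:1640995200::
uid:Mallory %3Cmallory%40evil.test%3E:1640995200::
"""


def _ts(field):
    """Epoch seconds (or empty) -> aware datetime or None."""
    return datetime.fromtimestamp(int(field), tz=timezone.utc) if field else None


def parse_hkp_index(text):
    """Return a list of {keyid, algo, keylen, created, expires, flags, uids}."""
    keys = []
    for raw in text.splitlines():
        fields = raw.split(":")
        if fields[0] == "pub" and len(fields) >= 7:
            keys.append({
                "keyid": fields[1].upper(),
                "algo": int(fields[2] or 0),
                "keylen": int(fields[3] or 0),
                "created": _ts(fields[4]),
                "expires": _ts(fields[5]),
                "flags": fields[6],
                "uids": [],
            })
        elif fields[0] == "uid" and keys and len(fields) >= 5:
            # The uid is percent-escaped so a ':' inside it cannot break the record.
            keys[-1]["uids"].append(unquote(fields[1]))
    return keys


def uid_email(uid):
    """Address from 'Name <addr>'; a bare uid is returned as-is."""
    if "<" in uid and uid.endswith(">"):
        return uid[uid.rindex("<") + 1:-1].lower()
    return uid.lower()


def keys_for_domain(keys, domain):
    suffix = "@" + domain.lower()
    return [k for k in keys if any(uid_email(u).endswith(suffix) for u in k["uids"])]


def new_keys_for_domain(index_text, domain, known_keyids):
    """Keys with a uid on `domain` that are unknown and still valid."""
    known = {k.upper() for k in known_keyids}
    return [k for k in keys_for_domain(parse_hkp_index(index_text), domain)
            if k["keyid"] not in known and not (set(k["flags"]) & set("rde"))]


if __name__ == "__main__":
    for key in new_keys_for_domain(SAMPLE_INDEX, "example.com", ["0123456789ABCDEF"]):
        print(key["keyid"], key["uids"])
```

The revoked key `1111222233334444` is unknown to the watcher but is not reported, which is the behaviour you want: an alert should fire on a usable key, and a key server can also carry a key that someone uploaded with a forged user ID, so a hit is a lead for the identity team rather than proof of anything.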
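As an added example of the kind of triage a certificate transparency feed makes possible (illustrative code for this page, not EyeDeep's), the Python below classifies certificate subject names against a brand label: the brand reused as a label under another domain, embedded in a longer label, disguised with homoglyph substitutions, or within a small edit distance. The subject names and the brand are constructed, and the registrable-domain split (second-to-last label) is a simplification that ignores the Public Suffix List.

```python
BRANDS = ["examplebank"]                            # distinctive label(s) you own
OWN_DOMAINS = {"examplebank.lu", "examplebank.com"}  # certificates here are legitimate

# Common visual substitutions seen in phishing domains, applied before comparing.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(label):
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label.replace("-", "")


def levenshtein(a, b):
    """Classic two-row edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name):
    """Reason string if `name` looks like it targets a brand, else None."""
    name = name.lower().lstrip("*.").rstrip(".")
    if name in OWN_DOMAINS or any(name.endswith("." + d) for d in OWN_DOMAINS):
        return None
    labels = name.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    for brand in BRANDS:
        if brand in labels[:-1]:
            return "brand-label"      # examplebank.tk, secure.examplebank.com.verify-id.xyz
        if brand in registrable:
            return "brand-embedded"   # examplebank-login.com
        if brand in normalise(registrable):
            return "homoglyph"        # exarnplebank.com, examp1ebank-secure.net
        if levenshtein(normalise(registrable), brand) <= 2:
            return "typosquat"        # exampelbank.com
    return None


def triage(ct_names):
    """(name, reason) for every suspicious name, in feed order."""
    return [(n, r) for n in ct_names for r in [classify(n)] if r]


# Constructed subject names standing in for a CT log feed.
CT_SAMPLE = [
    "login.examplebank.lu",
    "*.examplebank.com",
    "examplebank.tk",
    "secure.examplebank.com.verify-id.xyz",
    "examplebank-login.com",
    "exarnplebank.com",
    "examp1ebank-secure.net",
    "exampelbank.com",
    "www.google.com",
]

if __name__ == "__main__":
    for name, reason in triage(CT_SAMPLE):
        print(f"{reason:15} {name}")
```

The edit-distance threshold is where the noise comes from: two edits against a short brand name matches a lot of honest domains, so in practice the threshold is tuned per brand and the passive DNS data mentioned above is what turns a suspicious name into an actionable one (does it resolve, since when, and to what).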
Your opinion matters
Combined with alerting and reporting capabilities, EyeDeep can be the cornerstone you need to start monitoring the DeepWeb. And as always, Excellium CSIRT will take your feedback and remarks into account to improve the platform. Do not hesitate to contact Excellium Services if you have any questions or wish to give EyeDeep a try.