Oct 10, 2025

Lessons from the Dark Web: What Hackers Teach Us about Cyber Resilience

With a background in philosophy, my transition into the world of cybersecurity as a penetration tester sparked a deep curiosity about the inner workings of the prolific cybercrime groups I saw in the news. To better defend against these groups, I needed to understand more about how they worked, specifically how they recruited people, vetted them, and turned their skills into a profitable business model. To find out, I began investigating the online forums and chat groups on the dark web where these malicious groups are active. 

Below, I’ll share some of the eye-opening details I uncovered about their internal operations, including how cybercrime groups like Conti operate like major corporations, why they have the upper hand, and why the psychology behind hacking matters as much as the technology. I’ll also explore why adversary simulation is best suited to help security teams validate the defenses they have in place to counter the evolving tactics of these groups.

PREFER TO LISTEN?

Check out our recently released podcast episode, where host Tova Dvorin and SafeBreach expert Hudney Piquant break down insights from his explorations into hacker forums and ransomware recruitment pipelines. Listen now on Spotify or Apple Podcasts.

Very Organized Crime

At the time I was doing my research, Conti was one of the bigger groups in the wild. I was struck by the fact that these hacking groups were serious business—it was not the fun and games that some people might imagine. They had an HR team, and there was a lot of order to their recruitment activities. They even went so far as to create a campaign slogan for their recruiting efforts—they called it Make Ransomware Great Again.

Within that recruitment process, they had specific vetting activities. They would create a post on a forum announcing that they were looking for specialists, so to speak. Anyone interested in that role would need to provide personally identifiable information (PII) on a high-profile person—whether it was an executive, politician, or celebrity. Forget about showing a resume. They wanted to see what candidates were actually capable of and required proof that they could hand over someone’s medical records or something similar.

What this showed me was that the groups themselves were trying to do as little work as possible. They wanted the easiest, quickest way to get a return on investment. By hiring someone who had already accessed PII on a high-profile individual, they were almost guaranteed access to an important network or system. 

“Threat actors operate like businesses—with campaigns, vetting processes, and ROI in mind. That’s the level of organization we’re up against.”


A One-Sided Game

I also learned that these malicious actors play a different game than we do. As soon as they find some type of open vulnerability, something that we as defenders are not paying attention to, they have pretty much won. And this has been made even easier on the dark web, where threat actors can buy off-the-shelf attack toolkits that do most of the work for them. They essentially just have to press buttons.

In that way, the discipline they need is very different from ours. We have to be almost perfect in our defense, and they need only one opportunity. That is a very challenging imbalance for defenders. To overcome it, we have to put ourselves in the mindset of our adversaries: think like them and simulate what they could do given an opportunity. That gives us something to build a strategy on beyond simple compliance.

“Hackers don’t need to be perfect. We do. That’s what makes defense so much harder.”


The Psychological Element

Prolific threat actors are notoriously good at researching the companies and industries they are looking to exploit, often learning huge amounts of information about the company and its individual employees. They then utilize that information to get access to an organization’s network because humans remain the weakest link when it comes to cybersecurity.

This is very evident when we look at the tactics of Scattered Spider, for example. They use what we call multi-factor authentication (MFA) push bombing: with a stolen password in hand, they trigger MFA push prompt after MFA push prompt until a frustrated or confused employee approves one, turning the very control set up to stop them into the thing that lets them in. This is the psychological element of hacking that goes beyond the technology involved. Malicious actors are very good at it, and it makes them very dangerous.
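The pattern described above leaves a trace in authentication logs: a burst of push prompts to one user that are denied or time out, sometimes followed by an approval. The following is an added example of detection logic written for this post, not code from the original article, from SafeBreach, or from any MFA vendor. The log format, field names, five-minute window and threshold of four unapproved prompts are assumptions chosen for illustration; the log lines are constructed, not real telemetry.

```python
"""Detect MFA push bombing from authentication log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format (hypothetical, one event per line):
#   <ISO-8601 UTC timestamp> user=<name> event=mfa_push result=<denied|timeout|approved> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: alice is push-bombed and finally approves; bob sees normal use.
SAMPLE_LOG = """\
2025-10-10T09:00:01Z user=alice event=mfa_push result=denied src=203.0.113.7
2025-10-10T09:00:25Z user=alice event=mfa_push result=timeout src=203.0.113.7
2025-10-10T09:00:48Z user=alice event=mfa_push result=denied src=203.0.113.7
2025-10-10T09:01:10Z user=bob event=mfa_push result=approved src=198.51.100.4
2025-10-10T09:01:14Z user=alice event=mfa_push result=timeout src=203.0.113.7
2025-10-10T09:01:40Z user=alice event=mfa_push result=denied src=203.0.113.7
2025-10-10T09:02:05Z user=alice event=mfa_push result=approved src=203.0.113.7
2025-10-10T09:30:00Z user=bob event=mfa_push result=denied src=198.51.100.4
2025-10-10T09:31:00Z user=bob event=mfa_push result=approved src=198.51.100.4
this line is not an mfa event and is skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not an MFA push event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "result": m["result"], "src": m["src"]}


def detect_push_bombing(lines, window=timedelta(minutes=5), threshold=4):
    """Return alerts for users who receive >= threshold unapproved pushes within window.

    A burst alone yields a medium alert (the user is being hammered). An approval that
    lands while a burst is still in the window yields a high alert: the fatigue worked.
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes in the window
    burst_reported = set()       # users already alerted for the current burst
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # non-MFA or malformed line; ignore rather than crash the pipeline
        user, q = ev["user"], recent[ev["user"]]
        while q and ev["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if not q:
            burst_reported.discard(user)  # burst has aged out; allow a fresh alert later
        if ev["result"] == "approved":
            if len(q) >= threshold:
                alerts.append({"user": user, "severity": "high", "ts": ev["ts"],
                               "src": ev["src"], "unapproved_count": len(q),
                               "reason": "approval after %d unapproved pushes" % len(q)})
            q.clear()  # an approval ends the current burst either way
            burst_reported.discard(user)
            continue
        q.append(ev["ts"])
        if len(q) >= threshold and user not in burst_reported:
            burst_reported.add(user)
            alerts.append({"user": user, "severity": "medium", "ts": ev["ts"],
                           "src": ev["src"], "unapproved_count": len(q),
                           "reason": "%d unapproved pushes within %s" % (len(q), window)})
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_LOG.splitlines()):
        print(a["severity"].upper(), a["user"], a["ts"].isoformat(), a["reason"])
```

The high-severity branch is the one that matters operationally: a burst of denials is a user under attack, but a burst followed by an approval is a likely compromised session that warrants revoking tokens and contacting the user. Detection is a backstop, not a fix; the control-side answer is to stop plain push approval (number matching or a hardware-bound factor) and to rate-limit prompts per account.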

Once an adversary has access to your environment, there is often a dwell time during which they get to observe your day-to-day activities. They are trying to understand what your crown jewels are, what assets generate the most revenue for you, and what you need to keep your business running. With this knowledge, they can work out how to bring an organization to its knees quickly and unhindered. Scattered Spider's recent and highly publicized attacks have wreaked havoc on industry giants in the US and UK. This ability to persist—despite the combined efforts of law enforcement agencies around the world—makes the group particularly dangerous and can be attributed to three key characteristics. 

“MFA fatigue isn’t just a tactic. It’s psychological warfare.”


Closing the Gap 

As AI becomes a greater reality, it will exacerbate many of the challenges we currently face with malicious actors. It will speed things up and allow them to become much more sophisticated, with fewer errors than before. For example, in the past we could often spot phishing campaigns because of tells like grammatical errors. With AI-generated lures, that will be less and less possible.

Ultimately, what I learned on the dark web about the malicious actors operating there led me to realize that we must be relentlessly proactive in our efforts. And one of the best ways to do that is to simulate attacks and breach situations, so that you can understand exactly how your defenses will perform in the moment and what would actually happen if malicious actors were successful. 

“The adversary mindset isn’t optional—security leaders must be as cunning as the enemy to truly understand risk.”


Many security leaders start with a blue team that is responsible for defending their “castle.” They are given a budget to buy tools and build the controls. But the problem is that these tools need to be configured, and not just once. They need to be configured continuously, especially when something changes in the environment. And while this is the area with the biggest spend—tools and controls—very few organizations are focused on actually validating that these tools are working the way they are supposed to. 

“Validating security controls continuously is just as important as deploying them. That’s where SafeBreach changes the game.”

SafeBreach brings that focus on validating the expensive tools organizations have purchased, showing where things are working as expected, where they are not, what could happen as a result, and what needs to be done to close the critical gaps. Learn more about the capabilities of the SafeBreach Exposure Validation Platform, then schedule a customized demo to see it in action.
