Trying to help the C-suite understand the nuances of a darknet investigation can be challenging. The darknet often seems like an unnavigable black box to those who do not deal with cybersecurity every day. Getting a handle on what is in that black box is the very purpose behind a process known as the OSINT darknet investigation.
OSINT (open-source intelligence) is a security strategy based on collecting and analyzing data gleaned from publicly available resources. When applied to the darknet, it goes a step further by utilizing specialized OSINT tools to navigate the otherwise hidden networks frequented by hackers and cybercriminals.
The mechanics of a typical OSINT darknet investigation are simple enough in principle. They are built on a three-phase intelligence strategy:
Phase 1: Raw Data Collection
A big reason hackers assume the darknet is hidden is the fact that standard search engines – like Google and Bing – do not index darknet websites. To find them, investigators rely on specialized ‘onion’ search engines and automated crawlers.
Dark web crawlers, able to access hidden websites and forums, act as the ‘Google of the darknet’. They find and index forums, marketplaces, and sites that specialize in hacker data dumps. Meanwhile, automated scraping harvests as much data as possible from known criminal hubs. Scripts look for designated selectors that could tie criminal activity to known targets.
Practically speaking, raw data collection is looking for indicators that an organization is at risk. Information like executive names, proprietary projects, and even a company’s internet domain all raise red flags.
Phase 2: Pivot and Analysis
Data collected from crawling and scraping provides the starting point for understanding threat actor behavior. But analysts need to do something with the data. This occurs during the pivot phase. In this phase, security analysts rely on specialized OSINT tools to perform a detailed link analysis.
DarkOwl, a provider of multiple well-known OSINT tools, explains the purpose of pivoting. They cite the example of a threat actor using a particular handle on a known darknet forum. If an analyst picks up that handle during a routine data search, they can then pivot to see if the same handle appears on other sites. They can also check to see if it is linked to older data breaches.
Strangely, hacker operational security often fails because of carelessness. A hacker will reuse the same username or email because they assume their activities are hidden. Such carelessness sometimes links a darknet persona to a real-world identity.
Phase 3: Processing and Reporting
Raw data and its subsequent analysis are inevitably full of noise. Therefore, the third phase of the OSINT darknet investigation is processing noisy data and reporting on the outcome. Investigators use a variety of filters to separate junk from actionable intelligence.
Properly processed data typically results in a structured report that answers three common security analyst questions:
- What did our analysis find?
- How serious is the threat?
- What should we do about the threat?
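As an added illustration of the pivot step and the noise filtering that follows it (example code, not from the article or from DarkOwl), the Python below runs a small link analysis over constructed scraper output: starting from a seed handle it follows shared identifiers across sources, skipping any identifier that co-occurs with more records than a threshold allows, since generic handles such as a market's "admin" would otherwise link unrelated actors. All records, handles, e-mail addresses and the threshold are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample records: one entry per scraped post, listing or breach row,
# holding the identifiers observed together in that item (type:value strings).
RECORDS = [
    {"source": "forum-alpha", "ids": {"handle:ghost_42", "pgp:AB12"}},
    {"source": "market-beta", "ids": {"handle:ghost_42", "email:g42@mail.example", "handle:admin"}},
    {"source": "breach-2019", "ids": {"email:g42@mail.example", "handle:gpetersen"}},
    {"source": "forum-gamma", "ids": {"handle:gpetersen", "email:gp@corp.example"}},
    # Noise: the market's generic "admin" handle co-occurs with unrelated actors.
    {"source": "market-beta", "ids": {"handle:admin", "handle:other_vendor"}},
    {"source": "forum-delta", "ids": {"handle:admin", "handle:unrelated_actor"}},
    {"source": "forum-delta", "ids": {"handle:lurker"}},
]

def build_index(records):
    """Map each identifier to the set of record indices it appears in."""
    index = defaultdict(set)
    for i, rec in enumerate(records):
        for ident in rec["ids"]:
            index[ident].add(i)
    return index

def noisy_identifiers(index, max_records=2):
    """Identifiers seen in more than max_records items are too generic to pivot on."""
    return {ident for ident, recs in index.items() if len(recs) > max_records}

def pivot(records, seed, max_records=2):
    """Breadth-first expansion from a seed identifier through shared identifiers.

    Returns the linked identifiers, the sources they were seen on, and the
    identifiers the noise filter refused to follow.
    """
    index = build_index(records)
    noise = noisy_identifiers(index, max_records)
    seen_ids, seen_recs, queue = {seed}, set(), deque([seed])
    while queue:
        ident = queue.popleft()
        for i in index.get(ident, ()):
            if i in seen_recs:
                continue
            seen_recs.add(i)
            for linked in records[i]["ids"]:
                if linked not in seen_ids and linked not in noise:
                    seen_ids.add(linked)
                    queue.append(linked)
    return {
        "identifiers": sorted(seen_ids),
        "sources": sorted({records[i]["source"] for i in seen_recs}),
        "dropped_as_noise": sorted(noise),
    }
```

Raising `max_records` switches the noise filter off and shows how the generic handle drags unrelated sources into the result.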
The mechanics of the OSINT darknet investigation are as important as the results they produce. As with any other process or procedure, the quality of the mechanics determines the quality of the outcome. Therefore, it is important that security teams not only understand what an OSINT darknet investigation is but also how to perform it properly.
With the right knowledge and a good selection of OSINT tools, security analysts can find hidden data and transform it into actionable defense. At a time when cybercriminals are robbing legitimate industries blind, security teams must use every available tool to stop them. The OSINT darknet investigation is one such tool.