What can you find on the eBay of secrets?

Encrypted corners of the internet have become a marketplace for company secrets. IntSights’ Ido Wulkan and RedOwl Analytics’ Tim Condello discuss how to tackle the problem. 


Keep your friends close but your enemies closer. This mob maxim from The Godfather Part II takes on a twisted new meaning on the dark web. The dark web, for those in the dark, is a collection of websites that exist on an encrypted network and cannot be found using traditional search engines or browsers. Dark web users are afforded, therefore, a cloak of anonymity and unknown location. For this reason, the dark web has become a hotbed for insider trading, converting friends into enemies for the right price.

Ido Wulkan, intelligence team leader at IntSights, and Tim Condello, technical account manager at RedOwl Analytics, co-authored a special report on this phenomenon – Monetizing the Insider – last month. Wulkan, who describes these dark web sites as a “sort of eBay of secrets”, explains how they have evolved over time. “What it does is give cyber criminals a new variety of products that before now no one thought were available online. It started off as a place to sell drugs and other such illegal merchandise, but gradually as the dark web has become more popular, more readily accessible, the market has evolved.” What kind of things are people selling now? “Information. There is a concrete and prominent market for insider insight and information.” Like what? Condello pitches in: “What the report found was that dark web criminals enlist people who work and have insider knowledge at banks and financial institutions. It means they can steal or transfer money; we found the dark web being used a lot to manipulate stocks.”

It seems fair to say, then, that the criminals on the dark web are setting their sights a little higher than soap opera spoilers. Wulkan continues: “With the insider’s information, the threat actor attempts to profit with a more educated action, maybe a stock market bet, and the insider receives a commission. The dark web facilitates illicit trading activity by providing anonymity, making actors difficult to identify. All of the transactions are in Bitcoin (a type of digital currency that uses encryption) so it’s harder to trace them.” As of January 2017, the exchange rate of 1 BTC was US$895.

The dark web’s insider trading racket, Condello is keen to stress, is pronounced. He says: “The insider trading forums we investigated were exclusive. They were like clubs. Though some activity may be happening in generic black markets, it appears that the most potent information and sophisticated actors are in small, elite groups. These groups require those who apply for membership to prove their capabilities and/or access to knowledge by sharing real inside information, which is then thoroughly checked and confirmed.”

The KickAss marketplace, a dark web forum which the report examined as a case study, is a hub for such groups. The forum’s managers claimed to enforce high standards by reviewing every user’s post for accuracy. In return for this high bar, they also charge a significant 1 BTC membership fee. The forum is fairly active, with around five posts and a total of 40 BTC in transactions (US$35,800) per week. According to the report, there are members who make more than $5,000 a month using the leaked information.

Recruitment of insiders on the dark web is growing. Research found that forum discussions on insiders nearly doubled from 2015 to 2016. What are the reasons behind this? While Condello accepts that in some circumstances, employees of organisations can be duped or let down by their own lack of appreciation for the sensitivity of the information they are privy to, he suggests that the most common cause is disillusionment. “I suppose you get some cases where people are roped in, but there are plenty of people who do end up seeking out this kind of activity themselves. The hackers will capitalise on the sort of person who needs money or is maybe dissatisfied with their status in life or position in the company. Insider trading is a way for them to make some money out of their situation.”

Indeed, dark web criminals have targeted collusion with some lower-level employees of organisations who are more receptive to the promise of a cash reward. The report featured examples of a dark web forum member approaching a cashier in a large chain to help purchase iPhones and another to relay credit card details.

But why are people willing to risk their jobs? Wulkan adds: “Well, if they are that unhappy then is it something they’re going to lose? I think people are more willing to take risks because it is easier to stay hidden.”

Is there any light at the end of the dark web tunnel? Yes, there is; and both Wulkan and Condello insist that companies must do their utmost to reach it. According to the pair, the response to insider trading should be three-fold: cultural, human and technological. The cultural dimension, recommends Condello, relates to “creating an environment to mitigate from the threat of disgruntled employees. So it’s important that companies start understanding the relationship between their human and technological resources. There needs to be a holistic approach to training and a message that we’re all in this together. If people are happier in their work, they are less likely to want to sabotage it.”

Further to this, the human aspect, Wulkan points out, means treating the two as one and the same is misguided. He says: “Treating insiders as a technological problem ignores the human side of their motivation and behaviour. Security teams must monitor employee behaviour across a broad array of channels that identify suspicious activity and also help understand negative employee sentiment.”

Despite the focus of Wulkan and Condello’s comments being on the less technical elements of the problem, neither is naïve about the need for advanced technology. Condello concedes: “Regardless of what you might manage with your culture or staff, you’ve got to prepare for the case that it might not work too; so you need an effective insider threat programme. This means a foundational capability to see across all employee activity and spotlight any unwanted behaviour, while still respecting employee privacy.”

How can surveillance still respect employee privacy? Given that employees are ultimately using a work system, Condello considers any charge of encroachment philosophically. He says that monitoring is a “last line of defence” and more concerned with “patterns of work” than scraping the barrel of email content. 

Underestimating the capacity for internal threats has, according to Wulkan and Condello, shaped a worrying number of companies’ cyber security capabilities. Ironically, 80 per cent of security services studied in the report focused on perimeter defences, while fewer than half of organisations had budgeted for insider threat programmes. “The threat landscape,” Condello reiterates, “is not something that’s exclusively external and companies need to realise that.”

The cost to productivity and – arguably more damaging – reputation is a risk factor that no company can afford to take lightly. Wulkan concludes: “We’re not only talking about protecting the company and the brand; it’s about protecting the customers as well.”

Rohan Banerjee is a Special Projects Writer at the New Statesman. He co-hosts the No Country For Brown Men podcast.

Investing in a secure future

Increased training and investment in cyber security infrastructure are essential in the digital age.

It is easy to underestimate how crucial the internet is to our everyday lives. It has become an essential tool in the way we communicate with others and conduct business both at home and abroad. More than 1.6m people work in the digital sector or in digital tech roles in the United Kingdom and the internet continues to provide individuals and businesses with huge opportunities.

However, we know that criminals seek to exploit the many benefits of the internet for their own personal gain, often at great expense to others. The WannaCry ransomware attack, which hit the NHS as well as other organisations, highlights the seriousness of the threat and reinforces the need to properly protect ourselves online.

In the recent Cyber Security Breaches Survey 2017, just under half (46 per cent) of all businesses identified at least one breach or attack in the last year. Although it is difficult to put an exact figure on how much this cost the UK economy, it is likely to be in the billions.

We are also all too aware of attacks by hostile state actors who look to exploit the UK through intellectual property theft, in order to further their own interests and prosperity. We take these attempts to disrupt our national security very seriously.

That is why the government set up the National Cyber Security Centre (NCSC), which provides cyber security at a national level. In its first year of being operational, the NCSC responded to 590 significant cyber incidents, more than 30 of which were sufficiently serious to require a cross-government response.

It is not just large organisations and our national infrastructure that are targeted by online criminals; individuals also face the daily threat of being scammed in their own homes. It is now the case that British citizens are 20 times more likely to be defrauded at their computer than mugged in the street.

It is a threat we all face. I strongly believe that we – individuals, businesses and the government – must play our own part to mitigate the risk and ensure that the internet is a safe and secure space for everyone. The government has legislated within the Serious Crime Act 2015 to create a new offence that applies where an unauthorised act in relation to a computer results in serious damage to the economy, the environment, national security or human welfare, or a risk of such damage occurring.

Legislating against online criminality goes some way to tackling the problem; however, close collaboration between the government, business and international partners is essential in combating the increasingly sophisticated attacks that the UK faces.

We work closely with the NCSC, which acts as a bridge between industry and government, providing a unified source of advice and the management of cyber-related incidents. It is at the heart of the government’s 2016 National Cyber Security Strategy, which is supported by £1.9bn of transformational investment to 2021.

Our law enforcement agencies across England and Wales also play a vital role in disrupting the activities of cyber criminals and bringing them to justice. They now operate as a single networked resource with the National Crime Agency (NCA) and Regional Cyber Crime Units using shared intelligence and capabilities. The NCA also has a dedicated Dark Web Intelligence Unit which targets those criminals who exploit hidden areas of the internet.

But we also want people to take their own preventative measures, so that they don’t become a target for criminals operating in cyberspace. We are running a series of campaigns and programmes which aim to encourage individuals and businesses to adopt more secure online behaviours.

Cyber Aware works with over 320 public and private sector partner organisations to encourage us all to take simple steps to protect ourselves online including using a strong, separate password for our email accounts and installing the latest software and app updates on our electronic devices.

The NCSC has also recently launched expert guidance on how small businesses can easily avoid common online breaches and attacks. Should organisations seek to improve their cyber security further, they can get certification through the Cyber Essentials Scheme.

To further support the efforts of SMEs in improving their cyber security, regional cyber crime prevention coordinators engage with businesses and members of the public to provide customised cyber security advice based on the latest technical guidance from the NCSC.

We must also look to the future – we now have a whole generation that have grown up immersed in tech. It is hugely important that we harness their talents and put them to good use rather than letting them wander down a path towards criminal online activities.

We must train and engage with the next generation of cyber security experts, which is why the NCSC is taking a leading role in promoting a culture where science and technology subjects can flourish within the education system. Their CyberFirst programme identifies and nurtures young talent through a series of summer workshops and competitions. In addition, their CyberUK 2018 programme focuses on encouraging more women to enter into the technology industry, a sector that is largely seen as male-dominated.

There is a great effort across government and law enforcement to pursue online criminals, prevent those that are headed on a path towards criminal activity, protect the public and prepare for the many threats we face online. We will continue to invest in law enforcement capabilities at a national, regional and local level to ensure agencies have the capacity to deal with the increasing threat from cyber crime.

However, this is not a threat that we can tackle alone. It is everybody’s responsibility, from top to bottom, to follow the guidance provided and increase their awareness of cyber security in order to create a safe space to communicate and conduct business online.