Keep your friends close but your enemies closer. This mob maxim from The Godfather Part II takes on a twisted new meaning on the dark web. The dark web, for those in the dark, is a collection of websites that exist on an encrypted network and cannot be found using traditional search engines or browsers. Dark web users are afforded, therefore, a cloak of anonymity and unknown location. For this reason, the dark web has become a hotbed for insider trading, converting friends into enemies for the right price.
Ido Wulkan, intelligence team leader at IntSights, and Tim Condello, technical account manager at RedOwl Analytics, co-authored a special report on this phenomenon – Monetizing the Insider – last month. Wulkan, who describes these dark web sites as a “sort of eBay of secrets”, explains how they have evolved over time. “What it does is give cyber criminals a new variety of products that before now no one thought were available online. It started off as a place to sell drugs and other such illegal merchandise, but gradually as the dark web has become more popular, more readily accessible, the market has evolved.” What kind of things are people selling now? “Information. There is a concrete and prominent market for insider insight and information.” Like what? Condello pitches in: “What the report found was that dark web criminals enlist people who work and have insider knowledge at banks and financial institutions. It means they can steal or transfer money; we found the dark web being used a lot to manipulate stocks.”
It seems fair to say, then, that the criminals on the dark web are setting their sights a little higher than soap opera spoilers. Wulkan continues: “With the insider’s information, the threat actor attempts to profit with a more educated action, maybe a stock market bet, and the insider receives a commission. The dark web facilitates illicit trading activity by providing anonymity, making actors difficult to identify. All of the transactions are in Bitcoin (a type of digital currency that uses encryption) so it’s harder to trace them.” As of January 2017, the exchange rate of 1 BTC was US$895.
The dark web’s insider trading racket, Condello is keen to stress, is pronounced. He says: “The insider trading forums we investigated were exclusive. They were like clubs. Though some activity may be happening in generic black markets, it appears that the most potent information and sophisticated actors are in small, elite groups. These groups require those who apply for membership to prove their capabilities and/or access to knowledge by sharing real inside information, which is then thoroughly checked and confirmed.”
The KickAss marketplace, a dark web forum that the report examined as a case study, is a hub for such groups. The forum’s managers claimed to enforce high standards by reviewing every user’s post for accuracy. In return for this high bar, they also charge a significant 1 BTC membership fee. The forum is fairly active with around five posts and a total of 40 BTC in transactions (US$35,800 per week). According to the report, there are members who make more than $5,000 a month using the leaked information.
Recruitment of insiders on the dark web is growing. Research found that forum discussions on insiders nearly doubled from 2015 to 2016. What are the reasons behind this? While Condello accepts that in some circumstances, employees of organisations can be duped or let down by their own lack of appreciation for the sensitivity of the information they are privy to, he suggests that the most common cause is disillusionment. “I suppose you get some cases where people are roped in, but there are plenty of people who do end up seeking out this kind of activity themselves. The hackers will capitalise on the sort of person who needs money or is maybe dissatisfied with their status in life or position in the company. Insider trading is a way for them to make some money out of their situation.”
Indeed, dark web criminals have targeted collusion with some lower-level employees of organisations who are more receptive to the promise of a cash reward. The report featured examples of a dark web forum member approaching a cashier in a large chain to help purchase iPhones and another to relay credit card details.
But why are people willing to risk their jobs? Wulkan adds: “Well, if they are that unhappy then is it something they’re going to lose? I think people are more willing to take risks because it is easier to stay hidden.”
Is there any light at the end of the dark web tunnel? Yes, there is; and both Wulkan and Condello insist that companies must do their utmost to reach it. According to the pair, the response to insider trading should be three-fold: cultural, human and technological. The cultural dimension, recommends Condello, relates to “creating an environment to mitigate from the threat of disgruntled employees. So it’s important that companies start understanding the relationship between their human and technological resources. There needs to be a holistic approach to training and a message that we’re all in this together. If people are happier in their work, they are less likely to want to sabotage it.”
Further to this, on the human aspect, Wulkan points out that treating the two as one and the same is misguided. He says: “Treating insiders as a technological problem ignores the human side of their motivation and behaviour. Security teams must monitor employee behaviour across a broad array of channels that identify suspicious activity and also help understand negative employee sentiment.”
Although Wulkan and Condello’s comments focus on the less technical elements of the problem, neither is naïve about the need for advanced technology. Condello concedes: “Regardless of what you might manage with your culture or staff, you’ve got to prepare for the case that it might not work too; so you need an effective insider threat programme. This means a foundational capability to see across all employee activity and spotlight any unwanted behaviour, while still respecting employee privacy.”
How can surveillance still respect employee privacy? Given that employees are ultimately using a work system, Condello considers any charge of encroachment philosophically. He says that monitoring is a “last line of defence” and more concerned with “patterns of work” than scraping the barrel of email content.
Underestimating the capacity for internal threats has, according to Wulkan and Condello, shaped a worrying number of companies’ cyber security capabilities. Ironically, 80 per cent of security services studied in the report focused on perimeter defences, while fewer than half of organisations had budgeted for insider threat programmes. “The threat landscape,” Condello reiterates, “is not something that’s exclusively external and companies need to realise that.”
The cost to productivity and – arguably more damaging – reputation is a risk factor that no company can afford to take lightly. Wulkan concludes: “We’re not only talking about protecting the company and the brand; it’s about protecting the customers as well.”