Unmasking the darknet

By Dr Xueyan Yin
Dr Xueyan Yin
Assistant Professor
Department of Information Systems

Dr Xueyan Yin is an Assistant Professor at the Department of Information Systems, where her research focuses on digital media data analytics such as multimedia content design, the use of internet water armies and game-based promotion strategies. She applies numerous research methods, including machine learning and econometric analysis, and aims to pursue projects with high societal and practical impact.

In recent years, cyber threat intelligence (CTI) has matured as an industry, with a multitude of companies generating operational intelligence for their client firms to prevent potential attacks. Up until now, CTI has largely operated on the so-called “darknet.” This is a hidden network infrastructure that overlays the publicly available internet and can only be accessed with specific software or communication protocols. Modern darknets such as Tor, I2P, and ZeroNet provide security, anonymity, and censorship resistance by utilising multi-hop layers or Peer-to-Peer (P2P) networks.

Darknet services can serve illicit content

Darknet services serve both legal and illegal purposes. Most content is believed to be legal, including “clearnet” websites (e.g., BBC and Facebook) that provide darknet access to protect users from site blocking and network surveillance, and the sharing of legal materials involving copyright infringement. However, Moore & Rid (2016) indicate that 29.7% of Tor darknet services serve illicit content, including drugs, finance, extremism, and hacking. These services commonly take the form of blogs, sharing platforms, or discussion forums.

CTI is big business

Given the global increase in crippling cyberattacks, many organisations are considering adopting CTI. According to Mordor Intelligence, the CTI market was valued at USD 5.28 billion in 2020 and is expected to reach USD 13.9 billion by 2026. Through CTI, organisations can learn hackers' attack strategies and methodologies and deploy preventive approaches whilst building awareness and understanding of threat trends.

Where should CTI operate?

Regarding the scope of CTI, the first question that comes to mind is defining the data source. Everything that is publicly available and accessible via a search engine forms part of the surface web, and a lot of hacking content is available here. For example, hackers have extensively posted tutorials on their malicious tools on YouTube, allowing the content to be accessed worldwide. Companies should consider whether the contents of the surface web are already sufficient for predicting real-world attacks; if so, there is no need to go to the darknet community.

Is analysing text sufficient?

The second question is what kinds of data should be included. The CTI community has primarily focused on analysing texts posted by hackers, such as forum discussions and malicious product listings, and the social network structure among hackers. Descriptions of malicious product listings on darknet marketplaces are studied to identify emerging cyber threats. Customer reviews of malicious product sellers are analysed to identify key hackers (Li 2014). Jargon in online hacker language is examined to better understand hacker communication (Benjamin 2015).

However, an emerging form of hacker communication, hacking videos, has rarely been analysed. Hackers are increasingly using videos to transmit hacking information and to recruit for hacktivist campaigns. The video format allows hackers to communicate procedures and ideas more effectively than text-based communication and is particularly useful for hacking tutorials and for soliciting hacking group members.

Hacking videos need to be analysed

Analysing hacking videos enriches existing CTI by introducing hacking content (e.g., attack vectors and hacking campaigns) that is not available in text-based hacker community content and social networks. The increasing presence of hacking videos, transmitted through traditional social media on the surface web to broad audiences, is having a profound impact on the cybersecurity landscape. Hacking videos on the surface web may represent the contents of the darknet better than text-based sources do. As such, there is an urgent need for hacking video analytics to facilitate research into the role of hacking videos and the development of CTI from these videos.

Cyber threats in Hong Kong closely follow the global threat trend. Ransomware and cryptomining have been the two most common types of cyber threat over the past few years. Organisations based in Hong Kong can also benefit from building CTI, which can improve an organisation's security protection and prevent data breaches.