Unmasking Cybercrime Masterminds with AI


Exploring Dark Web Criminal Networks: An Automated Approach

Understanding Dark Web Criminal Forums

The dark web remains a rich source of information for threat intelligence researchers. Forums hosted on Tor hidden services offer insight into what criminals are doing and whom they interact with, and the Sophos Counter Threat Unit (CTU) engages with these forums to collect that data. Reading and analysing the sheer volume of discussion is labour-intensive, however, and important details are easily overlooked.

A New Research Initiative

To tackle this challenge, Sophos AI researcher Francois Labreche collaborated with Estelle Ruellan of Flare and the Université de Montréal and Masarah Paquet-Clouston, also of the Université de Montréal. Their goal was a more automated way of identifying the significant actors in the dark web forum landscape. The findings were first presented at the 2024 APWG Symposium on Electronic Crime Research and have since been published as a formal paper.

Methodology: A Combined Approach

The team combined social network analysis with a modified version of a criminological framework developed by Martin Bouchard and Holly Nguyen, which was originally designed to distinguish professional from amateur criminals in the cannabis trade. Here the framework was applied to the accounts posting in forums and to the exploits they discuss, identified by the Common Vulnerabilities and Exposures (CVE) identifiers in their posts. Each CVE was then linked to the attack patterns catalogued in MITRE's Common Attack Pattern Enumeration and Classification (CAPEC), giving the researchers a structured dataset that relates actors to attack techniques.

Using the Flare threat research engine, the researchers collected 11,558 posts from 4,441 accounts across several e-crime forums, spanning January 2015 to July 2023 and referencing 6,232 distinct CVEs. From these they built a two-mode (bipartite) social network linking each actor to the CAPEC attack patterns implied by the CVEs in their posts. After filtering, the analysis concentrated on 2,321 actors and 263 CAPECs.

Identifying Key Actors

The team then scored the actors in each community on three criteria:

  1. Skill Level: derived from the skill MITRE rates as required to use each CAPEC (Low, Medium or High). Where a pattern lists several required skills, the highest level was taken so that the pattern is not underrated. An actor's skill score is the 70th percentile of the difficulty ratings of the attack patterns they discussed, so an account whose posts repeatedly touch CVEs tied to High-difficulty patterns is rated as more expert than one whose posts cluster around Low-difficulty ones.

  2. Commitment Level: the proportion of an actor's posts that relate to the CAPECs of their community, out of all of that actor's posts. Actors with fewer than three posts were excluded at this stage, which narrowed the sample to 359 actors.

  3. Activity Rate: an addition to the original framework that measures how intensively an actor engages with the forum. It is the number of posts containing a CVE with a corresponding CAPEC divided by the number of days the actor was active. The researchers found it inversely correlated with skill level: higher-skilled actors posted less frequently.

Results of Actor Analysis

Across the 359 actors, the average commitment level was 36.68% (the share of an actor's posts devoted to their identified community), the average skill level was 2.19 on the three-point Low/Medium/High scale (i.e. Medium), and the average activity rate was 0.72 posts per active day.

Clustering Communities of Interest

The researchers applied the Leiden community detection algorithm to the network to group actors into "Communities of Interest", each reflecting a shared interest in particular attack patterns. This produced eight well-separated communities with distinct characteristics.
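As an added, self-contained example (not code from the paper, from Flare or from Sophos), the following Python sketches the pipeline behind the three criteria above and the community step: extract CVE identifiers from posts, map them to CAPECs, build the two-mode actor-to-CAPEC network, drop actors with fewer than three posts, group the network into communities, and compute skill, commitment and activity rate per actor. Everything in it is constructed: the posts, the placeholder CVE identifiers, the CVE-to-CAPEC links (the real route goes CVE to CWE to CAPEC) and the CAPEC skill ratings (illustrative, not MITRE's actual values). Connected components stand in for the Leiden algorithm so the example runs without igraph or leidenalg, the 70th percentile is taken by nearest rank, "active days" is the span from first to last post, and the thresholds in `professionals()` are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import date
from math import ceil

SKILL = {"Low": 1, "Medium": 2, "High": 3}

# Illustrative "Skills Required" levels per CAPEC (NOT MITRE's actual ratings).
CAPEC_SKILLS = {
    "CAPEC-66": ["Low", "Medium"],   # SQL Injection
    "CAPEC-63": ["Low"],             # Cross-Site Scripting
    "CAPEC-100": ["Low", "High"],    # Overflow Buffers
    "CAPEC-233": ["Medium"],         # Privilege Escalation
}

# Constructed CVE -> CAPEC links with placeholder CVE ids (the real chain is CVE -> CWE -> CAPEC).
CVE_TO_CAPEC = {
    "CVE-2099-0001": ["CAPEC-66"],
    "CVE-2099-0002": ["CAPEC-63"],
    "CVE-2099-0003": ["CAPEC-100"],
    "CVE-2099-0004": ["CAPEC-100", "CAPEC-233"],
}

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed forum posts: (actor, post date, text).
POSTS = [
    ("alpha", date(2015, 1, 1), "CVE-2099-0003 heap overflow writeup"),
    ("alpha", date(2015, 2, 1), "chaining CVE-2099-0004 to root"),
    ("alpha", date(2015, 3, 15), "another CVE-2099-0003 target list"),
    ("alpha", date(2015, 4, 10), "forum is slow today"),
    ("bravo", date(2016, 5, 1), "CVE-2099-0002 xss poc"),
    ("bravo", date(2016, 5, 2), "CVE-2099-0001 sqli dump"),
    ("bravo", date(2016, 5, 3), "CVE-2099-0002 still works"),
    ("bravo", date(2016, 5, 4), "tool for CVE-2099-0001?"),
    ("charlie", date(2017, 1, 1), "CVE-2099-0001 anyone?"),   # only 2 posts: excluded
    ("charlie", date(2017, 1, 2), "hello"),
    ("delta", date(2018, 1, 1), "CVE-2099-0004 privesc"),
    ("delta", date(2018, 1, 2), "selling accounts"),
    ("delta", date(2018, 1, 11), "bump"),
]


def capec_difficulty(capec):
    """Highest 'Skills Required' level listed for the pattern (1=Low .. 3=High)."""
    return max(SKILL[s] for s in CAPEC_SKILLS[capec])


def post_capecs(text):
    """CAPECs a post touches, via the CVE ids it mentions."""
    found = set()
    for cve in CVE_RE.findall(text):
        found.update(CVE_TO_CAPEC.get(cve, []))
    return found


def nearest_rank_percentile(values, pct):
    """Nearest-rank percentile (assumption: the paper does not state its method)."""
    ordered = sorted(values)
    return ordered[ceil(pct / 100 * len(ordered)) - 1]


def build_network(posts, min_posts=3):
    """Two-mode network: actor -> Counter(CAPEC). Drops actors with < min_posts or no CAPEC links."""
    per_actor = defaultdict(list)
    for actor, when, text in posts:
        per_actor[actor].append((when, text))
    edges = {}
    for actor, items in per_actor.items():
        counts = Counter(c for _, text in items for c in post_capecs(text))
        if len(items) < min_posts or not counts:
            continue
        edges[actor] = counts
    return per_actor, edges


def connected_communities(edges):
    """Stand-in for Leiden: connected components of the actor-CAPEC graph.
    Returns (actor -> community id, community id -> set of CAPECs)."""
    adj = defaultdict(set)
    for actor, capecs in edges.items():
        for c in capecs:
            adj[actor].add(c)
            adj[c].add(actor)
    seen, actor_comm, comm_capecs = set(), {}, defaultdict(set)
    for cid, start in enumerate(sorted(edges)):
        if start in seen:
            continue
        stack = [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            if node in edges:
                actor_comm[node] = cid
            else:
                comm_capecs[cid].add(node)
            stack.extend(adj[node])
    return actor_comm, comm_capecs


def score_actors(posts, min_posts=3):
    """Skill (70th pct of CAPEC difficulty), commitment and activity rate per retained actor."""
    per_actor, edges = build_network(posts, min_posts)
    actor_comm, comm_capecs = connected_communities(edges)
    scores = {}
    for actor, capec_counts in edges.items():
        items = per_actor[actor]
        community = comm_capecs[actor_comm[actor]]
        with_capec = [t for _, t in items if post_capecs(t)]          # CVE + CAPEC present
        in_community = [t for _, t in items if post_capecs(t) & community]
        dates = [when for when, _ in items]
        active_days = (max(dates) - min(dates)).days + 1              # assumption: first-to-last span
        difficulties = [capec_difficulty(c) for c, n in capec_counts.items() for _ in range(n)]
        scores[actor] = {
            "community": actor_comm[actor],
            "skill": nearest_rank_percentile(difficulties, 70),
            "commitment": len(in_community) / len(items),
            "activity": len(with_capec) / active_days,
        }
    return scores


def professionals(scores, min_skill=3, min_commitment=0.7, max_activity=0.1):
    """Illustrative thresholds: high skill, high commitment, low activity rate."""
    return sorted(a for a, s in scores.items()
                  if s["skill"] >= min_skill and s["commitment"] >= min_commitment
                  and s["activity"] <= max_activity)


if __name__ == "__main__":
    result = score_actors(POSTS)
    for actor, metrics in result.items():
        print(actor, metrics)
    print("professionals:", professionals(result))
```

On real data the component step is the part to replace: a forum network is normally one giant component, so components alone carry no community structure, and a Leiden partition (for instance `leidenalg.find_partition` over a python-igraph graph) is what separates the communities of interest. The rest of the scoring stays the same once each actor has a community and that community has a set of CAPECs.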

Key Findings on Actor Grouping

Only 14 actors were classified as "Professionals": those combining a high skill level, high commitment and a low activity rate, consistent with experienced actors concentrating on a focused community rather than posting widely. On average these 14 devoted 90.37% of their posts to their particular area of expertise.

Implications for Threat Intelligence

The study shows how a structured methodology can improve understanding of dark web dynamics. By combining network analysis and automated data processing with traditional investigative techniques, organisations can better identify and monitor influential figures in online criminal networks. The researchers also acknowledge the method's limitations, in particular its reliance on MITRE's CAPEC skill ratings: an actor's skill score is only as good as those ratings and the CVE-to-CAPEC mapping behind it, and only actors who cite CVEs in their posts enter the network at all.

As the approach matures it may reduce some of the biases in traditional actor-identification methods and allow a more nuanced picture of the online crime landscape. Sophos CTU intends to fold these findings into its existing research to better anticipate and counter emerging cybercrime threats.
