Security researchers at Arizona State University (ASU) think so and they’re already seeing some success. In a paper titled, “Darknet and Deepnet Mining for Proactive Cybersecurity Threat Intelligence”, the group of 10 co-authors outlines the possibilities of programmatically identifying zero-days before they’re used in an attack by scraping and parsing known so-called Darkweb and Deepweb forums. According to the research, various data mining and machine learning techniques can be used to analyze discussions in forums where malicious code is sold in exchange for bitcoins and the initial results are encouraging.
As an example, the paper highlights the Dyre Trojan discovered by FireEye in July of last year.
In February 2015, Microsoft reported a Windows remote code execution vulnerability, MS15-010. According to the team’s research, no known exploit existed for that vulnerability until April 2015, when an exploit (Dyre) that leveraged the vulnerability appeared on a Darknet market site for 48 BTC, or US$10,000 – US$15,000. Using this information, the researchers worked to devise an automated process of gathering information from these marketplaces and searching for keywords that could be filtered and classified as possible malicious code for sale. The results so far are impressive.
The team is current tracking twenty-seven marketplaces and twenty-one forums selling anything from cocaine to the latest Adobe exploits – and this is where it gets challenging.
Much of the information collected on these sites is in the form of unstructured data that is no relevant to cyber security. For example, the word “SALE” could be misspelled causing the automated system to simply skip over this misspelled word as noise.
Another challenge, of course, is word variations particularly those found in the common hacker vernacular such as “S4L3.” Despite these challenges, the team has proven that automation has some serious value in identifying zero-day exploits in the wild detecting 16 zero-day exploits over a four week period. Despite the initial success, automation of zero-day hunting may remain a novel idea.
Getting to the left of the cyber kill chain has been a topic of discussion for over a year now, with a lot of groups focusing efforts on intelligence gathering at the pre-reconnaissance phase; so far, these approaches have had mixed results.
One of the most significant challenges facing the cyber intelligence community looking to use automated gathering techniques is the constant change of the forums themselves.
Cyber criminals are becoming more and more aware they what they can do to their targets, the targets can do to them. This cat-and-mouse game of shifting techniques only increases the situational awareness of the adversary forcing them to change their behavior. Forums are becoming increasingly harder to gain access to and sophisticated vetting processes are being established to weed out cyber researchers and law enforcement with intentions of stopping zero-days before they ever hit their first victims.
In 2013, the FBI brought down the so-called Silk Road, an illegal marketplace selling everything from heroin to hitmen for hire. Court documents revealed that the FBI used many traditional investigative techniques in the take down but also used cyber as a tool to dismantle the very network the Silk Road was built upon.
In all, the operation seized US$4 million in BTC and led to the arrest of the alleged operator, Ross Ulbricht. Despite FBI efforts, the Silk Road has been relaunched as the “Silk Road 3.0” with those backing the project proclaiming this new version has “undergone a massive security upgrade and modified design”, likely to keep federal snoops from poking around.
It’s not just cyber criminals that are making automated techniques difficult, changes in the threat landscape are also forcing changes in the way cyber intelligence is delivered. The scope of attacks is evolving as well.
Kevin Mandia, FireEye’s new CEO points out that “As the current threat environment shifts to smaller scoped breaches, some organizations may be opting for good enough over best-of-breed detection.” This shift in attitude could curb spending on research and development projects in the search of unknown zero-days in favor of resiliency and incident response, the right of the kill chain, the exact opposite of where ASU team believes it can make a difference.
According to their paper, the ASU researchers are currently shopping their system around looking for additional funding for their research, and why not? Their system of collection and parsing isn’t just collecting zero-days it’s also collecting over 300 high-quality cyber threat warnings weekly making it an invaluable source of actionable information.
Hopefully, the ASU project will find a home that will mature their system. Future iterations will likely include the collection and analysis of other types of information being sold in the Dark and Deep webs such as stolen credit card information, health records, and other criminal activity.
Written by: Rick Gamache
Rick Gamache is a freelance writer with 25 years’ experience in the cyber security field. His past work includes the Managing Director of Wapack Labs, CIO of the Red Sky Alliance, and lead FISMA auditor for the US Navy’s destroyer program. Rick has written several high-level cyber and general risk reports with an emphasis on the Nordic countries, India, Russia, and Ukraine and has traveled extensively, speaking on strategic cyber threat intelligence matters as they relate global supply chains.
Twitter – https://twitter.com/thecissp
(Security Affairs – Zero-days, DarkWeb)