What does it really take to expose the criminal underworld operating in the hidden corners of the internet? In this episode, I sit down with Dr. Gareth Owenson, Co-Founder and CTO of Searchlight Cyber, to uncover what's really happening on the dark web and how organizations can take action before threats escalate.
Gareth has spent more than a decade researching the Tor network and advising governments, law enforcement, and the military on how to track criminal activity online. His work has moved from academia into frontline cybersecurity operations, leading to major breakthroughs including the takedown of a hacker group targeting a national government.
We explore what makes the dark web attractive to criminal networks, how threat actors are evolving, and what defenders can do with early signals from hidden forums, marketplaces, and anonymized networks. Gareth explains how criminals are using Tor to traffic malware, trade stolen data, and build ransomware businesses, and why many organizations still overlook this part of the internet.
Gareth also shares how Searchlight Cyber uses proprietary tools and research to monitor the deep and dark web, turning obscure activity into actionable intelligence for security teams and law enforcement.
If you're responsible for protecting digital infrastructure and you're not factoring in the dark web, you're missing critical context. So how do you turn unseen risks into visible signals before they become full-blown attacks? Let's find out.
[00:00:04] When you hear the term dark web, what comes to mind for you? For many it's the shadowy hidden corner of the internet that's filled with cyber criminals, illicit marketplaces and underground hacking forums. But what if I told you that the threats on the dark web can provide organisations with early warning signs of impending cyber attacks, sometimes weeks before they actually even happen?
[00:00:31] That's where a company called Searchlight Cyber comes in. Today I'm going to be joined by Dr Gareth Owenson, he's CTO and co-founder of Searchlight Cyber, and he's spent years studying the dark web, cybercrime and digital forensics. And he's worked alongside law enforcement agencies and governments, and played a big part in helping them track down cyber criminals and uncovering hidden threats before they strike.
[00:01:00] So today we're going to explore together how cyber criminals operate in the dark web, from selling stolen credentials to advertising network access, and why traditional cyber security measures are simply not enough to defend against today's threats. And yes, it is a tech podcast, so we will have to talk about how AI is playing a role in the next wave of cyber attacks from automated phishing campaigns to AI generated malware.
[00:01:30] But most importantly, I want to learn more about how organisations can tap into dark web intelligence to stay ahead of the threats before they hit. So, how much of your company's data is already floating around the dark web without you even knowing? And what can businesses do to proactively defend against these unseen threats?
[00:01:54] With the scene perfectly set, it's time to introduce Dr Gareth Owenson, CTO and co-founder of Searchlight Cyber. So, thank you for joining me on the podcast today. Can you tell everyone listening a little about who you are and what you do? Hi there, yeah. I'm Gareth Owenson. I'm the Chief Technology Officer at a company called Searchlight Cyber.
[00:02:16] And we're a dark web intelligence company, so we help the likes of law enforcement, private companies, and the cyber security industry protect their customers, citizens against threats that emanate from the dark web, and from the criminal underground, so cyber criminals operating in all sorts of spaces even beyond the dark web. Myself, before doing this, I was an academic, so I used to work at university and teach cyber security and do research into dark webs and cryptocurrencies.
[00:02:45] And I did that for about 15 years, looking at the threats that come from these places online, how you analyse those threats, how you defend against them, what vulnerabilities exist in those networks, and how they might be leveraged by law enforcement to protect against crime. There's taste there. Probably in about 2015, 2016, I approached law enforcement, offering to help them build some tools to tackle some of the crime that's taking place on the dark web,
[00:03:13] but they were in a fairly early stage at the time. And what they needed was not a project with the university to do investigations. What they needed was a tool with a big red button that said solve crime. And so that's really what spurred us to set up Searchlight Cyber, was to build those tools for law enforcement to help them solve the crimes which were taking place on the dark web.
[00:03:31] And since then, we've grown out not just doing law enforcement, but also helping cyber security companies and large enterprises protect themselves from criminals operating on that dark web as well. Well, there's so much I want to talk with you about today, because every single day on this podcast, I take a completely different area of how technology is impacting our lives, our work and even world and try and demystify it, put it in a language that everyone can understand.
[00:04:00] And as soon as you say the words dark web, it sends off this curiosity and that certain amount of intrigue there, because it does remain a mysterious and often misunderstood part of the internet. So based on your research, your experience and all the work that you're doing here, what are the most surprising or scandalous activities you uncover? And how do they impact everyday organisations? Yeah, well, I guess it might just be worth talking about first, like what the dark web is.
[00:04:28] Yeah, the dark web is just an encrypted part of the internet that provides anonymity to people that are using it. And so, you know, just like in Chrome or Firefox, you go and visit a website and browse around the website, you can send messages to people and that sort of stuff. The dark web is very much the same. You know, there's a browser which you can use to browse the dark web. It's a special piece of software you have to download. But the difference between the clear web and the dark web is when you use the dark web browser,
[00:04:54] it provides anonymity to you to make it difficult for the site you're visiting to know who you are. And also, if you want to host content, so like host your own website, the dark web provides you the ability to host a website, making it difficult for people to know where that website's being hosted. And so that naturally attracts a lot of criminality, right? Because if you have always to set up a website on the clear web, you know, selling cybercrime tools or drugs or weapons, those sorts of things, you know, it's not going to be on the internet for very long before law enforcement kick down the door
[00:05:24] and switch off the server because the clear web makes it easy to identify where that server is located. However, when it's hosted on the dark web, the dark web provides the server with a degree of anonymity. And that means that you get many dark web sites which are doing outright and blatant criminality being hosted. Because they believe the dark web provides them with, you know, essentially an impunity to do whatever they wish, you know, without law enforcement being able to catch them.
[00:05:51] One of the very first cases that really sort of came to worldwide attention was the Silk Road, which is a drugs marketplace back in 2012, 2011, 2012. And the guy that set up Silk Road realized, well, hang on a minute, I've got a way to anonymously host content, you know, a website, an eBay style site, Amazon style site and sell things. And now I've got a mechanism to accept payments, which, you know, on the face of it are also anonymous, which is Bitcoin. And so the guy that set up Silk Road put those two things together to make what was at the time
[00:06:21] one of the biggest drugs marketplaces in the world where you could simply go online and have drugs delivered in the mail to your house. Since then, there's been, you know, many drug sites, many places selling weapons, murder for hires, a whole ecosystem of cybercrime sites. So, you know, if I want to get access to a large enterprise, for example, I can go on to the cybercrime sites and there will be criminals actively advertising which companies they've managed to gain access to.
[00:06:50] And you can buy off them. So if I wanted to get into a large enterprise in the UK, I could go on there, find them in one of the lists which these guys are advertising and pay a relatively small amount of money to get access to their corporate network, from which I can go and steal all their intellectual property or wipe the hard disks, you know, and demand a ransom, for example, which is obviously what you see. Yeah, I mean, really, anything you can put online, right, that would be criminally orientated is what you'd expect to see on the dark web.
[00:07:21] If you look at the guys that sort of create the dark webs, on the surface, they say it's being created to sort of essentially for human freedoms and privacy, right? It's a place in which anyone could go online and be completely anonymous without anyone being able to identify who they are. That is their stated goal. I believe that they passionately believe in that. But unfortunately, when you create these truly anonymous spaces, it does attract, frankly, a majority of it ends up being some kind of criminal activity.
[00:07:50] And there's really a small number of people that are engaged in it for privacy reasons. I mean, a classic example is if you're in China and Russia, for example, and you want to look at content or host content which is against the current regime, then it provides you a shield against being identified. But that is really a tiny fraction of what these networks get used for. I think that's pretty fairly obvious that that would be the case. And ultimately, in Western countries, it thwarts the judicial process, right?
[00:08:17] Because the judicial process is the shield for citizens' privacy. And if law enforcement want to go and identify where a server is or where an individual is, they have to get a warrant and get a judge's sign-off. And that's the protection for privacy that you get in Western countries. But unfortunately, the dark web gives a fairly strong technological guarantee, which thwarts even law enforcement from time to time. And so actors can engage in some really horrific crimes for a very long period of time before they end up getting caught.
[00:08:47] Wow, it's incredibly cool the work that you're doing here. And just to bring to life some of what you've just said, before you came on the podcast, I was doing a little research. I think it was in 2023. Searchlight Cyber's dark web intelligence actually helped thwart an early-stage cyber attack on a European government agency by investigating that dark web traffic you were just talking about. So can you walk me through that investigation and the importance of the pre-attack intelligence in stopping the threat?
[00:09:17] Sure. So we keep an eye on pretty much all areas of the dark web and the criminal underground where we think crime is taking place and where the majority of the data which we collect is associated with cybercrime. As we collect that data, we mine it for information so that we can more readily identify the threats that would face our customers but other organizations as well. And as some of this data is coming in, we identified traffic going to, unfortunately I can't name the agency,
[00:09:48] going to a fairly important European agency. And given that we've got a fairly extensive network in the law enforcement space, we were able to reach out to the agency and point this information out to them and that actually identified a very real threat which they had at that particular time, I believe, where someone had penetrated their network and was exfiltrating information. Without their information, they would probably have been none the wiser for quite some time,
[00:10:14] probably before until that group released their information online if they ever did so. So in summary, looking at the dark web and the criminal underground gives you what we call a pre-attack intelligence. So if you use traditional cybersecurity tools, you're largely defending yourself against people which are already hitting your network. And if you use a firewall, for example, that's people that are already touching your network.
[00:10:39] But most cybercriminals nowadays, they're not doing that in isolation, right? So they're coming to your network with valid usernames and passwords which have been stolen. And traditional cybersecurity tools are not designed to defend against that because they don't identify it as a threat when you log in with the username and password. And it goes, oh, okay, this is a trusted user. And so they get a green light to go and access those systems. But if you go onto the dark web and some of these underground forums, you'll see actors selling stolen credentials, for example.
[00:11:08] You'll see other actors buying those stolen credentials and then using them to penetrate the network, get a foothold, and then package that up and sell that foothold itself, you know, onto other cybercriminals. The classic example is if you see ransomware groups who are frequently attacking companies, encrypting all of their files and demanding a large ransom to decrypt the files. It's often not them that's penetrating the customer's networks. That should be going onto the dark web.
[00:11:33] And they're buying the access and then weaponizing their existing tools through that vector to attack that company. So having sight of the fact that there are stolen credentials for your network or there are actors selling access into your network gives you the intelligence where you can patch that hole before one of these cybercriminals, one of the ransomware groups, for example, buys those creds or that access and exploits it to encrypt your data. So you can think of it as being almost a pre-attack warning.
[00:12:03] You know that something's going to be inbound pretty quickly. Generally, what we found is if we see someone on the dark web selling access into a corporate network, there's a lag of about four to six weeks before we see that company in the news because they've been the victim of, say, ransomware attacks. So it's really about thinking about cybersecurity in a more holistic way now. You know, traditional cyber defenses have served us well, but they're not really designed against this new threat
[00:12:30] where these attackers are trusted by virtue of having some pre-authenticated access into the customer's network, which ultimately is trusted, right, and the existing tools ignore. And for business leaders listening to our conversation today, I was working alongside a cybersecurity analyst once. He was telling me how he was hanging out in these spaces to look out for if there were any data breaches, any credit card breaches in the workplace
[00:12:57] to see if anything was at risk there. And to expand on that, are there any other primary ways that threat actors misused Tor and the dark web? And ultimately, how can organizations be active in that space to detect and defend against these threats before they actually happen? Because I suspect for a lot of people listening, they'll be blissfully unaware of that world and will have nothing to do with it. But sometimes it helps to be a part of that, to keep a lookout for things, right?
[00:13:28] Yeah, so I mean, threat actors primarily, I quote, unquote, abuse the dark web by exploiting that anonymity, right? To engage in crimes so that law enforcement can't catch them or can't identify them. The reality is many cyber criminals are based in Russia or countries which are unfriendly to the West anyway. But if the Western law enforcement agencies are able to identify them, you see the FBI putting out awards for their arrest and that sort of stuff. They put out arrest warrants internationally,
[00:13:58] so if they ever leave Russia, they get arrested. But primarily, they're using the dark web to give them that shield, right? So they're not identified and they can continue their peaceful life wherever they happen to be. That's not to say that we don't see cyber criminals outside of those countries. We very much do. We've seen plenty in the UK that use Tor to try and hide themselves from detection. In terms of businesses protecting themselves, now it's just not enough to go onto the dark web with a single analyst
[00:14:26] and search for threats to your organization. The dark web is reasonably large. It requires a certain amount of expertise and it also requires you to have the relationships with those threat actors to gain access to the places where the real stuff is being sold. So some companies do try to do it alone just with a single or a couple of analysts, but it's really a much bigger task than that. We as a company have a reasonably large threat intelligence team whose sole job it is to go out, build relationships with threat actors,
[00:14:55] gain access to spaces which you otherwise wouldn't have access to, and then our technology team then builds the technology to collect that data so that we can search in an automated way, identify those threats to those businesses. And that's really, I think, the only way you can defend yourself. And there's just too much going on to monitor it with humans. You need to have this collaboration between humans gaining access and machines collecting and analyzing that data to give you alerts for those threats in a timely fashion.
[00:15:22] We hear about some companies that operate in the space that are solely analysts and customers getting an alert a month or so after the activity actually took place. And I told you the example earlier where typically we see a company in the news four to six weeks after information is published. And so you do need it in not real time, but you need it in as close to real time as you can. You need it within a couple of hours of that information being posted so that you can investigate and take the necessary mitigating action before that threat actually touches your network.
[00:15:53] So at Searchlight Cyber, you do work closely with governments, law enforcement and enterprises. And again, to further bring this to life for anybody listening in whatever field they're in, what challenges do groups like this face when they're attempting to track criminal activities on the dark web? And maybe dig a little bit deeper on how your intelligence platform helps overcome them too. I mean, if we take law enforcement, for example, I can't go too much into the techniques that law enforcement use,
[00:16:22] but I can give you sort of a flavor. You know, if you're a law enforcement agency and investigating a threat actor on the dark web, you know, you may go onto the dark web, you follow them, you look at them in forums. That's a very human effort-involved activity. And if you think on a particular forum, you know, an actor may have, you know, tens of thousands of posts. And there may be on several other forums as well. Now, it's not feasible for a human being to go through all of those posts and try and extract information.
[00:16:51] What our tooling does is we collect all of that information in one place, so you can search it in one place, regardless of, you know, whether on forum A, B, C or D. And then we automatically analyze all of that information, looking for information that could be of use to law enforcement. So, for example, you know, maybe when they first set up their account, you know, five years ago, they used an email address, you know, in which case that gives you a hook into the real world, which you could use to identify that person. Our tooling automatically flags that person-identifiable information up
[00:17:20] so that law enforcement would see it front and center, rather than, you know, months down an investigation of a human being trawling through the information. And it's the same picture, really, with commercial enterprise, right? Our issue is that they don't have the time or the resource to go through and trawl through all this information. And actually, really, what they want is to be told about the threats when they happen so that they can go straight to them rather than continually searching and trying to do it in a manual way where they may simply miss that information
[00:17:50] because the space is so vast. And so, really, that's what we do, is to analyze this information in a large-scale way and bring intelligence to the end customer that they can action without a huge amount of human effort. And the dark web is constantly evolving. So, I've got to ask, if we do look into the future, I mean, what emerging threats or trends do you see coming in the months and years ahead? And is there anything organizations should be doing today
[00:18:19] to adapt their cybersecurity strategies in response for these attacks that could be waiting further on down the line? I mean, that's a great question. I'm generally terrible at predicting the future. You know, there are many dark webs and we see more spring up all the time. Thankfully, there seems to be a critical mass around a couple that doesn't seem to shift a great deal. So, we know that the threats are largely going to emanate from those spaces.
[00:18:47] I think what we've seen over the last decade, and I think which is certainly getting stronger, is that threat actors are a lot more organized now than they used to be, a lot more commercialized. If you go back 20 years, you know, most hackers were doing it for a laugh. Whereas now, there are serious organized crime criminals that are doing it for a profit. And there's a supply chain that's involved, you know, supplying the different steps involved in the attack. And we can monitor and see that supply chain and extract information from it, which is useful.
[00:19:17] So, I think we're going to see more of these attacks. You know, we've seen particularly the Russian cyber criminals doing ransomware, for example. They're not particularly sophisticated, but they're having an enormous impact just by how prolific they are, right? They're just incredibly persistent. And so that, you know, almost everyone's going to know a company which has been affected by one of these ransomware groups over the last few years. The other thing that's kind of emerging is, you know, AI in the real world is finding many uses.
[00:19:45] There is, I think, a fear as to how that may be used by cyber criminals because it potentially takes the effort of one cyber criminal and multiplies it quite considerably. In the early days of AI, what people were most concerned about was propaganda. You know, you see Russia and China and what have you trying to influence Western elections by spreading information online, publishing videos, and then adverts and all that sort of stuff. You know, that takes a team of people to do that stuff.
[00:20:13] Whereas now with AI, we can generate convincing human text en masse. Different messages even target those messages in an automated way, whereas previously we couldn't do. In the cyberspace, you know, as far as commercial entities are concerned, you know, one of the threats that they faced has been phishing attacks where a company gets spammed with email address, emails asking for login credentials or to, you know, you need to log in and reset your password, but it actually sends you somewhere else and they capture your password.
[00:20:42] You know, those emails generally in the past used to be crafted by a human being, but now they can be crafted automatically and the bot can even take care of the interaction with the person should they respond to it, you know, and try and convince them to click the link and to put in their credentials. I think that's a potential threat going forward. It's difficult to know what we will do about that because there's not really any great AI detection technologies that really work reliably enough to be useful in that space at the moment.
[00:21:10] And I think that's understandable. I'm not sure that's necessarily going to get better because AI ultimately is mimicking human text, you know, by learning from human text and so it becomes difficult to distinguish the two. But I think that's an evolving threat that, you know, we're all sort of keeping an eye on at the moment. You know, we've seen, I can't remember the name of it now, but there was a criminal group that released a, like a criminal AI chatbot type thing that could generate malicious code
[00:21:39] and, you know, malware and that sort of stuff. It wasn't enormously sophisticated. That was a few years ago now. But we could see some of those things coming out and what that basically means is that less sophisticated actors who perhaps would struggle to get started may now find it much easier and so we may see that there's more of them. And on that side of things, if we're talking about a sophisticated threat actor or a wannabe threat actor that's just hanging out in these areas to try and learn their trade for want of a better phrase,
[00:22:09] it's the message that, hey, you're not as anonymous as you think you are and there are a lot of people watching. Is that fair to say? Yeah, I don't know how many of them know that. I think most of them do know that law enforcement and lots of cybersecurity companies are monitoring those forums. I guess newcomers may not be aware of it, but I certainly think the seasoned ones are very much aware and a little bit more careful about what they post. But yeah, for newcomers, you're not going to operate very long in those spaces without getting caught unless you really know what you're doing.
[00:22:40] Obviously, you've got such a great background in cybersecurity, digital forensics, another great area that we're seeing more and more of now. But any advice that you'd like to leave any business leader listening looking to stay ahead of dark web threats, let's try and take it a bit more seriously, incorporate actionable intelligence into their security frameworks, maybe even work with you. Any advice that you would offer around that? Yeah, I'd say the traditional approaches to cybersecurity are no longer sufficient. You know, yes, you need your firewalls,
[00:23:10] you need your email scanning, you need your antivirus in place. These are table stakes now for any kind of cybersecurity practice. You now need to be much more proactive and monitor the threats which are coming at your organization. And whether that's, you know, with a company like ours or someone similar, you need that intelligence coming in so you can take, you know, mitigating action before those guys hit your front doors. And it's not, it's just simply not optional anymore. You know, like I say, only look at just a list of companies
[00:23:39] which are breached through ransomware. The signal for almost all of those is on the dark web, and it can be detected in advance, sometimes well in advance, and certainly far enough in advance that mitigating action can be taken. And I think one of the biggest challenges for people listening all around the world is that pressure of having to be in a state of continuous learning all the time. I think it's something we all feel. And obviously some are right in the heart of this space and almost leading the way. I've got to ask,
[00:24:08] how or where do you self-educate? How do you keep up to speed with the latest trends in this space? I mean, tech's reasonably easy, I think, to stay up to date with, right? Well, actually, that's not true, right? I mean, everyone says tech's hard to keep up with because it moves at such a fast pace. Yeah. The flip to that is it's easy to keep up with it to an extent because everything is on the internet and everything is often, you know, the learning materials are often available for free. And so you can teach yourself and you can keep up to date.
[00:24:36] You know, I largely self-taught long before I went to university. Most of my learning is self-taught. I very rarely attend courses. The only time I would attend a course is if, you know, the subject that I want to get into is just simply too much to, you know, know where to start and to know what's important. Like, the best way to learn is to learn by doing. And the information out there is readily available if you want to get into some area of cyber or some other area of computing. You don't need to sit around and wait for a course to start.
[00:25:06] You can get started today with really not too much difficulty. And for anybody listening that will maybe want to talk with you or find out more information about Searchlight Cyber, how you might be able to help some of the work that you're doing, where's the best starting point for everything? Yeah, so our website is slcyber.io. And if you go on our website, there's a contact form where you can reach out to us. And if you're interested in our product offering, there's a, we can put you in touch with someone who can walk you through
[00:25:35] a demonstration of the products. Similarly, if you're looking for a career in cyber, you can reach out to us on the website. And we're regularly advertising for positions from, you know, full-stack developers through to cybersecurity professionals and salespeople. I mean, we very much welcome applications from qualified individuals. So that's the best place to get in touch with us. We put a lot out on social media and LinkedIn of some of the activity which we're doing. Our blog is a great place to see some of the awesome stuff that we've been doing recently. You know, if you've been involved in the cybersecurity space,
[00:26:05] we've recently acquired a company called AssetNote. And that company is based out of Australia. And they're regularly putting out blog posts about critical vulnerabilities, which they're finding in enterprise software. Most recently, the Palo Alto vulnerability was found by Searchlight Cyber, by our AssetNote division. And so you should see our name around a lot if you're in the cybersecurity space by the information which we're pushing out from our blog, because it is very unbankable. Well, I'll add links to everything, including your social channels. I would urge anybody interested in this space
[00:26:34] to follow you on those channels. There is some great information I was looking at before you came on the podcast. And I think today we unmasked a certain part of the hidden dark web that people talk about, unlocked some of those mysterious dark things that happen there, exposing how criminals exploit the Tor network for everything from malware, stolen data, and a whole range of other criminal activity. But I think we've done it in a language everyone can understand. And it's my hope that people take the curiosity
[00:27:04] from today's conversation and then go away and learn more and find out more information of how you might be able to help too. But just thank you for starting this conversation today. Yeah, thanks very much. After my conversation with Gareth today, I think the dark web isn't just a curiosity, so much more than that. It's actually an early warning system for cyber threats. And with Searchlight Cyber's intelligence tools, businesses can see attacks forming before they happen.
[00:27:33] Whether it is stolen credentials being sold, ransomware operators planning their next move, or criminals shopping for access into corporate networks. I think one of the biggest takeaways is that traditional cybersecurity approaches, including firewalls, antivirus, even endpoint detection, they're all useful, but they're not enough anymore. And organisations are needing real-time intelligence to understand the threats
[00:28:02] that are emerging in those dark hidden corners of the internet. I think it's also worth mentioning that AI-powered cybercrime is on the rise, yes, especially with the lowering of the barrier of entry. Because if criminals can now use AI to generate more convincing phishing emails, automate attacks, scale their operations, if the threat actors are doing this, businesses need to step up their game just to keep up with the pace. So, do you know what is happening
[00:28:31] on the dark web right now that could impact your business? If not, it's time to start looking. But it is something that you cannot do on your own. Probably end up doing more harm than good, to be honest. It's a dark, murky place out there. So maybe just have a look at what Searchlight Cyber are doing, follow them on the social channels, and let me know your thoughts. If you've got anything you'd like to share, how you are approaching this problem, maybe you think we forgot something today
[00:29:00] or something else you want to highlight, whether it be ask me a question or come on the podcast, email me, techblogwriteroutlook.com and LinkedIn at Neil C. Hughes. But that is it today. So, thank you as always for tuning in. Hopefully you found it as informative and helpful as I did. And if you did enjoy yourself, please come back and do it all again tomorrow. But thank you for listening as always, and I will speak with you then. Bye for now. Bye for now.