Given the growing volume of information about businesses and the public availability of knowledge about vulnerabilities and exploitation techniques, every organization and company faces a wide variety of threats.
Traditional cybersecurity focused mostly on prevention techniques, while modern cybersecurity finds detection more valuable and important for cyber defense. According to many recent reports on SOC effectiveness factors, incident detection and response time must be reduced, and handling it properly is critical for every organization.
The ever-increasing number of cyberattacks requires cybersecurity and forensic specialists to detect, analyze, and defend against cyber threats in almost real time, and the main solution for this is a Security Operations Center with a good level of maturity, with many operational considerations and goals, so that it can figure out what has happened in the environment.
In practice, dealing with such a large number of attacks in a timely manner is not possible without deeply studying the attack features and taking corresponding intelligent defensive actions. We need solutions that give us the intelligence required to detect and respond in a timely manner.
However, such intelligence would surely need the aid of artificial intelligence, machine learning, and advanced data mining techniques to collect, analyze, and interpret cyberattack evidence.
In recent years, there has been a significant increase in the number and variety of cyberattacks and malware samples, which makes it extremely difficult for security analysts and forensic investigators to detect and defend against such attacks. There are also many attack techniques, such as watering hole attacks and fileless attacks, that are hard to detect, especially with traditional cybersecurity approaches. Most modern attackers use the tools already present on our systems against us, and it is not easy to find them the way we used to. Another important issue with emerging cyberattacks is that cybercriminals use advanced anti-forensics and evasion methods in their malicious code, which makes the usual security assessment techniques, or static malware and traffic analysis, less efficient.
So what is the solution?
First of all, we need to be aware of threats in a timely manner and be prepared to respond when we recognize them in our environments. In traditional Security Operations Centers, threat intelligence is not used, or is not applied in a practical way. In a modern SOC, however, it is a vital part of threat detection, and the importance of CTI is clear. The only way to decide and act in a truly risk-aware manner is to use CTI properly.
But what is CTI exactly?
How can we use it?
Is it just about gathering different types of feeds?
As we may know, the basic definition of CTI is: "evidence-based knowledge about adversaries – their motives, intents, capabilities, enabling environments and operations – focused on an event, series of events or trends, and providing a decision advantage to the defender."
In this paper, I am not going to define CTI in depth; I will do that in a later paper. Here I am only reviewing the importance of CTI in modern cybersecurity.
Threat intelligence can be received from an external source or generated internally, and to reach a good result we have to use both.
By analyzing and reviewing recent cyberattacks, we find that human-based analysis needs some kind of help to reduce detection time and incident response time.
To address the challenges explained above, cyber threat intelligence considers the application of artificial intelligence and machine learning techniques to perceive, reason, learn, and act intelligently against advanced cyberattacks. In particular, there is an increasing trend in the use of Machine Learning (ML) and data mining techniques due to their proven efficiency in malware analysis (both static and dynamic), as well as in network anomaly detection. Furthermore, we can use cyber deception and honeypot projects in conjunction with ML and AI to identify threats and attacks against us. Overall, a combination of these methods is required to provide up-to-date information for security practitioners and analysts.
Cyber Threat Intelligence (CTI) emerged to help security practitioners recognize the indicators of cyberattacks, extract information about the attack methods, and consequently respond to the attack accurately and in a timely manner.
Without CTI we do not have enough information about cybercriminals and threats, and logically, without knowing about threats we cannot prevent or detect them. So it is clear that everyone should use CTI properly.
As you may be familiar with David Bianco's Pyramid of Pain model, we need to gather and process all available types of indicators, and good CTI gives us this opportunity. If you do not know how attacks can happen, how can you look for them, or how can you implement the proper solutions and complete your IR process? CTI is the key solution for detection in near real time and gives us all the necessary requirements for detection and response.
Overall, threat intelligence is an important investment for an organization's security posture as it provides the following benefits:
TI allows for strong prevention by giving information on adversaries in advance. It allows you to identify and stop cyberattacks.
Cyber threat intelligence forms an overall picture of the intent and capabilities of malicious cyber threats, including the actors, tools, and TTPs, through the identification of trends, patterns, and emerging threats and risks, in order to inform decision-makers and policymakers or to provide timely warnings.
Threat intelligence is data collected and analyzed by an organization in order to understand a threat actor's motives, targets, and attack behaviors. It enables organizations to make faster, more informed security decisions and to change their behavior from reactive to proactive in the fight against breaches. Threat intelligence, or cyber threat intelligence, is information an organization uses to understand the threats that have targeted, will target, or are currently targeting the organization. The primary purpose of threat intelligence is to help organizations understand the risks of the most common and severe external threats, such as zero-day threats, advanced persistent threats, and exploits.
Threat intelligence is very important because it gathers raw data about emerging or existing threat actors and threats from a number of sources. This data is then analyzed and filtered to produce threat intel feeds and management reports containing information that can be used by automated security control solutions. Threat intelligence is important for the following reasons:
- Sheds light on the unknown, enabling organizations to make better security decisions, and empowers cybersecurity stakeholders by revealing adversarial motives and their tactics, techniques, and procedures (TTPs)
- Helps security professionals better understand the adversary's decision-making process
- Empowers business stakeholders, such as executive boards, CISOs, CIOs, and CTOs, to invest wisely, mitigate risk, become more efficient, and make faster decisions
Threat intelligence is one of the most critical weapons we can use in cyber defense. In an ever-evolving threat landscape, security teams often find themselves one or two steps behind the attackers. This is not only because attackers use new TTPs, but also because environments are becoming more complex, expanding attack surfaces and affording attackers greater opportunities.
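As an added example, not from the original post, the following Python script shows the detection use of CTI described above: a constructed indicator feed is filtered for confidence and freshness, matched against constructed proxy and EDR log lines, and the hits are ranked by their Pyramid of Pain level so that the indicators hardest for an adversary to replace are triaged first. The feed entries, log lines, field names, thresholds, and the "current" date are all assumptions made for this illustration.

```python
import re
from datetime import date

# Pyramid of Pain levels (David Bianco): the higher the level, the costlier
# it is for the adversary to change that indicator once it is detected.
PAIN = {"hash": 1, "ip": 2, "domain": 3, "artifact": 4, "tool": 5, "ttp": 6}
TODAY = date(2024, 5, 1)  # constructed "current" date so the run is repeatable

# Constructed sample feed, not real indicators: an RFC 5737 test address, a .invalid
# domain, a made-up hash, tool name and user agent, each with confidence and last-seen date.
FEED = [
    {"type": "ip", "value": "203.0.113.7", "confidence": 90, "last_seen": date(2024, 4, 28)},
    {"type": "domain", "value": "update-check.invalid", "confidence": 80, "last_seen": date(2024, 4, 30)},
    {"type": "hash", "value": "0" * 60 + "beef", "confidence": 95, "last_seen": date(2023, 1, 1)},
    {"type": "tool", "value": "example-rat.exe", "confidence": 40, "last_seen": date(2024, 4, 29)},
    {"type": "artifact", "value": "ToolKit/1.0", "confidence": 85, "last_seen": date(2024, 4, 25)},
]

# Constructed log lines in a simple key=value style (proxy and EDR events).
LOGS = [
    '2024-05-01T10:00:00Z proxy src=10.0.0.5 dst=203.0.113.7 host=update-check.invalid ua="ToolKit/1.0"',
    "2024-05-01T10:00:05Z edr host=ws12 hash=" + "0" * 60 + "beef",
    '2024-05-01T10:01:00Z proxy src=10.0.0.8 dst=203.0.113.70 host=intranet.example ua="Mozilla/5.0"',
]

def filter_feed(feed, today, min_confidence=60, max_age_days=90):
    """Drop stale or low-confidence entries: they add noise to automated controls, not detections."""
    return [i for i in feed
            if i["confidence"] >= min_confidence
            and (today - i["last_seen"]).days <= max_age_days]

def match_logs(indicators, lines):
    """Return hits as (line_index, type, value, pain_level), highest pain level first."""
    hits = []
    for n, line in enumerate(lines):
        for ind in indicators:
            if ind["type"] == "ip":
                # Anchor IPs so 203.0.113.7 does not match inside 203.0.113.70.
                found = re.search(r"(?<![\d.])" + re.escape(ind["value"]) + r"(?![\d.])", line)
            else:
                found = ind["value"] in line
            if found:
                hits.append((n, ind["type"], ind["value"], PAIN[ind["type"]]))
    # Triage higher Pyramid of Pain levels first: they are harder for the adversary to swap out.
    return sorted(hits, key=lambda h: (-h[3], h[0]))

if __name__ == "__main__":
    for hit in match_logs(filter_feed(FEED, TODAY), LOGS):
        print(hit)
```

Running it reports three hits on the first log line (artifact, then domain, then IP); the stale hash indicator is discarded by the filter, the low-confidence tool never matches, and the lookalike address on the last line is correctly ignored.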