The deep web, also known as the dark web, is a part of the internet that is not indexed by search engines and is therefore not accessible to most users. It is often associated with illegal activities, such as the sale of drugs and weapons, and is therefore sometimes referred to as the “dark side” of the internet.
The deep web is not a single entity, but rather a collection of networks and websites that are not accessible via traditional web browsers and search engines. These networks and websites are often hidden behind anonymous networks such as TOR, and can only be accessed using specialized software and tools.
One of the key features of the deep web is its anonymity and lack of centralization. This makes it difficult for law enforcement agencies and other organizations to monitor and control the activities that take place on the deep web, and has contributed to its reputation as a hub for illegal activities.
Overall, the deep web is a complex and largely mysterious part of the internet, and its true nature and extent are difficult to fully understand. While it is often associated with illegal activities, it also serves as a platform for a range of legitimate purposes, such as providing a space for political dissidents and other marginalized groups to communicate and share information.
It is generally difficult to detect leaked secrets on the deep web, as this part of the internet is not indexed by search engines and is therefore not accessible to most users. In order to access the deep web, users need to use specialized software and tools, such as the TOR network, and must know the specific addresses of the networks and websites they wish to access.
However, there are some general steps that organizations can take to try to detect leaked secrets on the deep web. Some of these steps include:
Monitor social media and other public forums: Many users of the deep web will post information or discuss their activities on social media and other public forums. By monitoring these forums, organizations may be able to detect leaked secrets or other sensitive information.
Use specialized tools and services: There are a number of specialized tools and services that can help organizations to monitor the deep web for leaked secrets. These tools often use artificial intelligence and machine learning algorithms to analyze large amounts of data from the deep web and to identify potential leaks or other security issues.
Work with law enforcement: In some cases, organizations may be able to work with law enforcement agencies to detect and investigate leaked secrets on the deep web. These agencies may have access to specialized tools and expertise that can help to identify and track activities on the deep web.
In this blog, we are focusing on how we can detect leaked information by monitor social media or public forum.
Hackers are selling stolen information via online services all the time. Here are a few popular websites that are used for exchanging leaked information:
- Pastebin
- Pastie
- Slexy
- Ghostbin
- QuickLeak
- JustPaste
- AdHocUrl
- PermanentOptOut
- OptOut
As security analysts who are protecting the company’s assets, we are always concerned if there are any leaked information is exchanged by hackers via these online services. Therefore we would like to figure out a way to detect relevant leaked information exchanged online. This blog describes how we use DTonomy to quickly set up an automation to detect relevant leaking so that we can take remediation actions quickly.
Pastebin
Pastebin (https://pastebin.com) is a populate paste tool service that people copy & paste random stuff on for temporary storage. Researchers also found out it’s a popular destination for hackers to dump the secrets they have just stolen, such as usernames & passwords. The following blog describes how to develop an automated workflow on DTonomy platform to detect potential secret leaks from your organization automatically.
Automation
Step 1:
You can sign up for a subscription service from Pastebin to send you an alert email whenever it detects a potential secret leak that’s of your concern, based on the regex rules you had set up.
Step 2:
The workflow in DTonomy starts with an “Email” that monitors the inbox that you have set up to receive the Pastebin alerts and retrieves the alert email whenever get a new one.
Step 3:
You need a “extractUrl” node to extra all the hyperlinks from the alert email.
Step 4:
Filter out the hyperlink list and only keep the ones that have a Pastebin url. The regex rule you can use is “pastebin.com|pastr.io”
Step 5:
Use “http request” node to retrieve the html content of each Pastebin url you have parsed from the previous step.
Step 6:
Use the regex rule to find out if there’s any mention of your organization’s domain. For example, if your organization’s domain is xyz.com, you can use the following regex rule:
r'([a-zA-Z0-9-_\.]*@xyz.com:[a-zA-Z0-9\'!"#$%&()*+,-./:;<=>?@[\]^_`{}~]+)'
This regex rule finds any username/password that matches your organization’s domain
Step 7:
Last step you can decide what to do with the leaked secrets. For example, you can check your organization’s identity management system, freeze the compromised accounts, and send an alert to both the individual and your network admins.
Now you have an automation set up to start detecting leaked information for you tirelessly.
