Ramon Vicens & Antonio Molina - Tracking cybercriminal actors on the Dark Web and underground forums [rooted2019]
1. Follow up of Threat Actors and Cybercriminals in the dark web and underground forums
Antonio Molina
Ramon Vicens
2. FOLLOWUP OF THREAT ACTORS AND CYBERCRIMINALS IN THE DARK WEB AND UNDERGROUND FORUMS
root[~]# Who are we?
Ramon Vicens (@rvicens)
• CTO and VP Threat Intelligence
• Malware and Threat Analysis
• Gathering intelligence from botnets & actors
https://www.linkedin.com/in/rvicens
ramon.vicens@blueliv.com
Antonio Molina (@aydevosotros)
• Python Team Lead
• Big Data & Analytics
• Software Architecture
• Python & ML Lover
https://www.linkedin.com/in/amolinag
antonio.molina@blueliv.com
3. root[~]# Agenda
• Motivation
• Real-life examples
• Understanding the cybercriminal ecosystem
• Big picture
• Project approaches
4. root[~]# Motivation: What’s out there?
“DOCUMENT LEAKS REGARDING COMPANIES AND GOVERNMENTS”
#DRUGS
#WEAPONS
#ZERODAY VULNERABILITIES
#CYBERCRIME AS A SERVICE
#CREDENTIALS
#CREDIT CARDS
#BACKDOORS, #SHELLS, #RDPs…
5. root[~]# Motivation: examples (slides 5 to 10; only the slide title is present in the extracted text)
11. root[~]# Understanding the cybercriminal ecosystem
12. root[~]# Motivation: Big Picture
13. root[~]# Project approach – initial
14. root[~]# Project approach - results
• Statistics:
  • Identified URLs: 654,715,561
  • Identified unique sites: 326,212
• Content types identified: text/html, text/plain, application/x-archive, application/gzip, application/octet-stream, application/zip, application/pdf, application/x-xz, application/epub+zip, text/xml, text/prs.lines.tag, application/rss-xml, application/atom-xml, application/xml, application/vnd-debian-binary-package, application/x-fictionbook+xml, application/xhtml+xml, application/x-mobipocket-ebook, application/x-bzip2, application/x-gzip
15. root[~]# Project approach - results
16. root[~]# Project improvement goals
• Enrich text (obtaining value from text)
• Natural Language Processing (NLP)
• Entity identification and extraction – Text Processing Pipeline
• Structured data: the web is made up of common places
• Modeling social structure
17. root[~]# Enriching the text
• Automating the process
• Natural language is ambiguous, ironic, confusing... but beautiful
• The structure tends to be inconsistent
• Computers work with "formal" structured languages
18. root[~]# Demo: Linguistic features of a text
19. root[~]# Text processing pipeline
22. root[~]# Word embeddings (Continuous Bag-of-Words model, CBOW)
23. root[~]# Demo: Playing with word vectors
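Added example, not from the talk: a from-scratch CBOW word2vec model in pure Python (no numpy), trained on a small constructed corpus of forum-style sentences, followed by the word-vector queries a "playing with word vectors" demo would run: cosine similarity and nearest neighbours. The corpus is made up for the example and far too small for meaningful semantics; the point is the mechanics (average the context vectors, softmax over the vocabulary, backpropagate into both weight matrices). The talk's own demo is assumed to have used a pre-trained model, which is not available offline here.

```python
import math
import random

# Constructed corpus (made up for the example).
CORPUS = [
    "selling fresh cc dumps with cvv",
    "buying cc dumps and fullz",
    "fresh dumps cvv and fullz for sale",
    "rdp access to corporate network for sale",
    "selling vpn and rdp access",
    "need rdp or vpn access to network",
    "fresh fullz with ssn and dob",
    "corporate network access shell for sale",
]


def tokenize(text):
    return text.lower().split()


def build_vocab(corpus):
    words = sorted({w for sent in corpus for w in tokenize(sent)})
    return {w: i for i, w in enumerate(words)}, words


def training_pairs(corpus, word2id, window):
    """(context_ids, target_id) for every position: CBOW predicts the centre word."""
    pairs = []
    for sent in corpus:
        ids = [word2id[w] for w in tokenize(sent)]
        for t, target in enumerate(ids):
            lo, hi = max(0, t - window), min(len(ids), t + window + 1)
            ctx = [ids[j] for j in range(lo, hi) if j != t]
            if ctx:
                pairs.append((ctx, target))
    return pairs


class CBOW:
    def __init__(self, word2id, id2word, dim, seed):
        rng = random.Random(seed)
        self.word2id, self.id2word, self.dim = word2id, id2word, dim
        V = len(id2word)
        # w_in[V][D] are the word embeddings; w_out[D][V] maps the hidden layer to scores
        self.w_in = [[rng.uniform(-0.5, 0.5) / dim for _ in range(dim)] for _ in range(V)]
        self.w_out = [[rng.uniform(-0.5, 0.5) / dim for _ in range(V)] for _ in range(dim)]
        self.losses = []

    def _forward(self, ctx):
        h = [sum(self.w_in[c][d] for c in ctx) / len(ctx) for d in range(self.dim)]
        scores = [sum(h[d] * self.w_out[d][v] for d in range(self.dim)) for v in range(len(self.id2word))]
        m = max(scores)                                  # shift for numerical stability
        exps = [math.exp(s - m) for s in scores]
        z = sum(exps)
        return h, [e / z for e in exps]

    def train(self, pairs, epochs, lr, seed):
        rng = random.Random(seed)
        V = len(self.id2word)
        for _ in range(epochs):
            rng.shuffle(pairs)
            total = 0.0
            for ctx, target in pairs:
                h, probs = self._forward(ctx)
                total -= math.log(probs[target])         # cross-entropy, measured before the update
                dscore = probs[:]                        # dL/dscore = softmax - one_hot(target)
                dscore[target] -= 1.0
                dh = [sum(self.w_out[d][v] * dscore[v] for v in range(V)) for d in range(self.dim)]
                for d in range(self.dim):
                    for v in range(V):
                        self.w_out[d][v] -= lr * h[d] * dscore[v]
                for c in ctx:                            # gradient is shared equally by the context words
                    for d in range(self.dim):
                        self.w_in[c][d] -= lr * dh[d] / len(ctx)
            self.losses.append(total / len(pairs))
        return self

    def vector(self, word):
        return self.w_in[self.word2id[word]]

    def similarity(self, a, b):
        va, vb = self.vector(a), self.vector(b)
        dot = sum(x * y for x, y in zip(va, vb))
        return dot / (math.sqrt(sum(x * x for x in va)) * math.sqrt(sum(x * x for x in vb)))

    def most_similar(self, word, k=3):
        return sorted(((self.similarity(word, w), w) for w in self.id2word if w != word), reverse=True)[:k]


def train_cbow(corpus, dim=8, window=2, epochs=150, lr=0.1, seed=1):
    word2id, id2word = build_vocab(corpus)
    model = CBOW(word2id, id2word, dim, seed)
    return model.train(training_pairs(corpus, word2id, window), epochs, lr, seed)


if __name__ == "__main__":
    m = train_cbow(CORPUS)
    print("loss first/last epoch:", round(m.losses[0], 3), round(m.losses[-1], 3))
    print("nearest to 'rdp':", m.most_similar("rdp"))
```

On a real forum crawl you would train on millions of posts with negative sampling instead of a full softmax, but the vector arithmetic (cosine similarity, nearest neighbours, analogies) is exactly what is shown here.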
24. root[~]# Crawling the Deep web (slides 24 to 29; only the slide title is present in the extracted text)
30. root[~]# Crawling the Deep web: Model
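Added example, not from the talk: a small offline model of a Tor hidden-service crawler showing the parts such a crawler needs regardless of scale: a breadth-first frontier with a depth limit, a per-site page budget, onion-address validation (v2 16-character and v3 56-character base32 names; v2 services were still live in 2019 but have since been retired by Tor), URL normalisation, a content-type filter drawn from the types on slide 14, and content-hash deduplication. The "network" is a constructed in-memory dictionary of pages, so the code runs without Tor; a real deployment would replace fetch_from_memory with a fetcher that goes through the Tor SOCKS proxy (for example requests with proxies={"http": "socks5h://127.0.0.1:9050"}), which is assumed and not shown. Every URL and page body below is made up, apart from two public Tor Project onion hostnames used as well-formed samples.

```python
import hashlib
import re
from collections import deque
from urllib.parse import urljoin, urlsplit, urlunsplit

ONION_HOST = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")
HREF = re.compile(r'href="([^"]+)"')
# Types worth feeding to the text pipeline; a subset of those on slide 14.
INDEXABLE = {"text/html", "text/plain", "application/pdf"}

# Constructed stand-in for the network: url -> (content_type, body). Made up for the example.
FAKE_NET = {
    "http://expyuzz4wqqyqhjn.onion/": ("text/html",
        '<a href="/market">market</a> <a href="/about">about</a> '
        '<a href="http://pg6mmjiyjmcrsslvykfwnntlaru7p5svn6y2ymmju6nubxndf4pscryd.onion/">mirror</a>'),
    "http://expyuzz4wqqyqhjn.onion/market": ("text/html",
        '<a href="/market?page=2">next</a> <a href="/dump.zip">archive</a> <a href="/About">about</a>'),
    "http://expyuzz4wqqyqhjn.onion/market?page=2": ("text/html",
        '<a href="/market">prev</a> <a href="http://example.com/clearnet">leak</a>'),
    "http://expyuzz4wqqyqhjn.onion/about": ("text/html", "Contact darkseller@exploit.im"),
    "http://expyuzz4wqqyqhjn.onion/About": ("text/html", "Contact darkseller@exploit.im"),  # same body, other URL
    "http://expyuzz4wqqyqhjn.onion/dump.zip": ("application/zip", "PK\x03\x04..."),
    "http://pg6mmjiyjmcrsslvykfwnntlaru7p5svn6y2ymmju6nubxndf4pscryd.onion/": ("text/html",
        '<a href="/market">market</a>'),
    "http://pg6mmjiyjmcrsslvykfwnntlaru7p5svn6y2ymmju6nubxndf4pscryd.onion/market": ("text/html", "mirror market"),
}


def fetch_from_memory(url):
    """Stand-in for a fetch through the Tor SOCKS proxy; returns (content_type, body) or None."""
    return FAKE_NET.get(url)


def normalize(url):
    """Lower-case host, default path to '/', keep the query, drop the fragment."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.hostname or "", p.path or "/", p.query, ""))


def is_onion(url):
    return bool(ONION_HOST.match(urlsplit(url).hostname or ""))


def crawl(seeds, fetch=fetch_from_memory, max_depth=3, max_pages_per_site=50):
    frontier = deque((normalize(s), 0) for s in seeds)
    seen_urls, seen_hashes, per_site, records = set(), set(), {}, []
    while frontier:
        url, depth = frontier.popleft()
        if url in seen_urls or not is_onion(url):     # never leave the onion space
            continue
        seen_urls.add(url)
        host = urlsplit(url).hostname
        if per_site.get(host, 0) >= max_pages_per_site:  # budget so one huge site cannot starve the rest
            continue
        resp = fetch(url)
        if resp is None:
            continue
        per_site[host] = per_site.get(host, 0) + 1
        ctype, body = resp
        mime = ctype.split(";")[0].strip().lower()
        rec = {"url": url, "site": host, "depth": depth, "mime": mime}
        if mime not in INDEXABLE:
            records.append({**rec, "status": "skipped"})
            continue
        digest = hashlib.sha256(body.encode()).hexdigest()
        records.append({**rec, "status": "duplicate" if digest in seen_hashes else "indexed"})
        seen_hashes.add(digest)
        if depth < max_depth and mime == "text/html":
            for href in HREF.findall(body):
                frontier.append((normalize(urljoin(url, href)), depth + 1))
    return records


def summarize(records):
    out = {"sites": len({r["site"] for r in records})}
    for r in records:
        out[r["status"]] = out.get(r["status"], 0) + 1
    return out


if __name__ == "__main__":
    for r in crawl(["http://expyuzz4wqqyqhjn.onion/"]):
        print(r)
```

Two design points carry over to a real crawler: the onion check runs on the normalised URL before any fetch, so a link to a clearnet host never causes a request that would leave Tor, and deduplication is on the body hash rather than the URL, which is what catches mirrors and case-variant paths serving identical content.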