About a year ago, a ransomware attack locked down municipal systems in a small town in Arizona, leaving the community with services down for more than a month, a high incident response bill, and citizens fearing that their sensitive information had been compromised. Weeks before news of the breach went public, access to the city's VPN portal was being advertised for sale on a popular Russian-language hacker forum. The warning signs were there, and it is possible that someone monitoring access brokers could have connected the dots and raised an alarm before it was too late.
Ransomware attacks like this one rarely happen in isolation. Each high-profile breach leaves a trail of breadcrumbs that gives vital information about how the attack unfolded, and when. The role of access brokers is one of the key pieces in solving this puzzle.
Why access brokers are worth watching
Access brokers sit at the start of the eCrime value chain. They act as intermediaries who specialize in obtaining and selling means of access to victim networks. This merchandise, typically stolen credentials and other access methods, is then advertised to other cybercriminals on underground forums and dark web marketplaces.
Understanding which forums and underground marketplaces brokers use to advertise their products, and what to look for there, is key to staying ahead of ransomware attacks. Genesis, Russian Market and Exploit Market are a few well-known venues where access brokers advertise. Typical attributes of a post include the victim's location, industry, details of its IT infrastructure and operations, number of employees and revenue, along with the access broker's alias.
This handoff, with access brokers laying the groundwork and selling access to malware operators, has accelerated cyberattacks. Components of individual attacks are now monetized more quickly, and the barriers to entry for criminal actors joining the underground forums where they are sold have dropped dramatically.
The prices charged for the different types of access vary with the victim's presumed willingness to negotiate and the potential impact of a breach. For example, based on Falcon X Recon threat intelligence, a corporate financial account with email credentials starts at $1,200, while administrator access to IT infrastructure starts at $20,000.
Having a repeatable, optimized process for monitoring access brokers in place helps businesses and government agencies receive timely warnings about impending attacks or exploitation of access that has already been obtained.
Five steps of an optimized monitoring strategy
An optimized monitoring strategy relies on a foundation of threat intelligence about who the access brokers are and where they operate. Defenders can patrol the dark web access broker ecosystem by following five iterative steps:
- Know your assets
- Identify the bad actors
- Discover the known markets
- Write alerts to look for clues in those markets
- Assign team members to follow up on legitimate warnings
Here are some starting points for these steps:
Step 1: Start by identifying what to protect. List your digital assets and their characteristics, such as domain names, IP subnets, location details, ISP, vertical, exposed identities and anything else that helps make your infrastructure identifiable.
Step 2: Identify access brokers who might target your industry or your assets. Find out what aliases they operate under and what kinds of access they usually sell. Established providers in this space can give you a starting point for these investigations.
Step 3: Make a comprehensive list of the dark web forums and markets you will need to monitor. Find out which malicious tools are used most to harvest access credentials. Knowing the names of stealers such as "RedLine" or "Mystery" helps create the right funnels for the monitoring process.
Step 4: Threat intelligence is essential to prioritize alerts and place them in context. Codify the rules and create alerts based on what you have learned. Funnel alerts into an easily reviewed format that helps sift through large volumes and focus on the most relevant ones.
Step 5: Assign responsibilities. Intelligence teams, identity and access managers, vulnerability risk managers, SOC analysts and incident responders can use the alerts generated to mitigate exploitation of the affected assets, prioritize incidents and feed investigations. These team members can also help refine the keywords over time so the process becomes more focused and relevant and keeps pace with the evolving access broker ecosystem.
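The five steps above, turned into a small alert pipeline as an added example (this is not CrowdStrike's or Falcon X's code): the asset profile from step 1, the broker aliases and stealer names from steps 2 and 3, weighted matching rules from step 4, and a routing decision for step 5. All profile values, aliases and the sample post are constructed; the weights and team thresholds are assumptions a real program would tune.

```python
# Added example (not a CrowdStrike/Falcon X tool): the five steps as a small alert
# pipeline. Every profile, watchlist and post value below is constructed.
import ipaddress
import re
ASSET_PROFILE = {                        # step 1: what to protect (hypothetical)
    "domains": {"example-city.gov"},
    "subnets": [ipaddress.ip_network("203.0.113.0/24")],
    "locations": {"arizona", "usa"},
    "vertical": "government",
    "employees": range(200, 401),        # inclusive 200..400 staff
}
KNOWN_BROKERS = {"brokerx"}              # step 2: aliases seen targeting this sector
STEALER_NAMES = {"redline", "mystery"}   # step 3: stealer names from the article

def parse_post(post):
    """Normalise structured fields and pull indicators out of the free text."""
    text = post["text"].lower()
    words = set(re.findall(r"[a-z]+", text))
    return {"alias": post.get("alias", "").lower(),
            "industry": post.get("industry", "").lower(),
            "employees": post.get("employees"),
            "locations": words | {post.get("country", "").lower()},
            "domains": set(re.findall(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", text)),
            "ips": {ipaddress.ip_address(t) for t in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text)
                    if all(int(o) < 256 for o in t.split("."))},  # skip e.g. 999.1.1.1
            "stealers": words}

RULES = [  # step 4: (name, weight, predicate); direct identifiers weigh most
    ("domain_match", 50, lambda p: any(d == o or d.endswith("." + o)
                                       for d in p["domains"] for o in ASSET_PROFILE["domains"])),
    ("ip_in_subnet", 40, lambda p: any(ip in n for ip in p["ips"] for n in ASSET_PROFILE["subnets"])),
    ("vertical_match", 15, lambda p: p["industry"] == ASSET_PROFILE["vertical"]),
    ("location_match", 10, lambda p: bool(p["locations"] & ASSET_PROFILE["locations"])),
    ("size_match", 10, lambda p: p["employees"] in ASSET_PROFILE["employees"]),
    ("known_broker", 10, lambda p: p["alias"] in KNOWN_BROKERS),
    ("stealer_named", 5, lambda p: bool(p["stealers"] & STEALER_NAMES)),
]

def score_post(post):
    """Return (score, matched rules, owning team); the team choice is step 5."""
    parsed = parse_post(post)
    hits = [name for name, _, pred in RULES if pred(parsed)]
    score = sum(w for name, w, _ in RULES if name in hits)
    team = ("incident_response" if score >= 40 else   # a direct identifier matched
            "threat_intel" if score >= 25 else        # profile-level match to investigate
            "watchlist")                              # weak signal; feeds keyword tuning
    return score, hits, team

SAMPLE_POST = {"alias": "brokerX", "country": "USA", "industry": "Government", "employees": 300,
               "text": "VPN access to vpn.example-city.gov (Arizona municipality), RedLine logs, host 203.0.113.7"}
```

Calling `score_post(SAMPLE_POST)` matches every rule and routes the post to incident response; a post that only matches the sector and country lands with the intelligence team instead.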
A promising program
Monitoring access broker forums provides insight, but businesses still need comprehensive mitigation strategies. The process can be very noisy, with hundreds of individual posts to review. Access broker posts often contain a mix of structured and unstructured data, which complicates parsing. Translation may also be required to monitor posts in other languages. These challenges could explain why less than a third of companies monitor access brokers. Our internal research presented at Fal.Con 2021 earlier this year indicates that most programs are less than three years old.
Leaving the warning signs on dark web forums unexplored is a mistake. Tracking the breadcrumbs that access brokers leave behind is an essential tool in the cybersecurity arsenal. The fire, in terms of leaked access information, may already have been started, but the explosion has yet to occur. Using an optimized monitoring strategy, defenders can not only surface risks to exposed organizational assets, they can also prioritize mitigating access exploitation and blunt, or even completely prevent, ransomware intrusions.