2017 Cyber Forecast: Threat Intel Will Play Major Role in Helping Organizations Manage Risk

There are a lot of cybersecurity trends to reflect on as we kick off the new year — the growth of ransomware and extortion, the emergence IoT-powered botnets, the evolving cybercriminal landscape — but I believe the biggest risk trend to watch in 2017 may revolve around how organizations react to dealing with those new threats as their attack surface continues to expand.

The digital presence of many companies has extended on a variety of fronts, including social media, customer engagement, marketing, payment transactions, partners, suppliers and more. That increased exposure clearly has benefits for organizations. However, it also makes it difficult for organizations to track, evaluate and take action against the constant barrage of the growing threats — many of which are at least one step removed from the direct control of internal security teams.

That theme was evident in SurfWatch Labs’ new report, Rise of IoT Botnets Showcases Cybercriminals’ Ability to Find New Avenues of Attack. Our threat intelligence analysts have observed and evaluated data connected to hundreds of incidents that emanated from outside of organizations’ walls over the past year, including:

  • accidental exposure of sensitive data by third-party vendors
  • shoddy cybersecurity practices causing breaches at vendors that house organizations’ data
  • vulnerabilities in software libraries or other business tools being exploited to gain access to an organization
  • vendor access being compromised to steal sensitive data
  • credentials exposed in third-party breaches causing new data breaches due to password reuse

It’s clear that organizations are struggling with these expanding threats. Not only are organizations at risk from threats trying to break down their front door, those threats are increasingly coming through side doors, back doors, windows — any opening that provides the path of least resistance. For example, a 2016 survey of more than 600 decision makers found that an average of 89 vendors accessed a company’s network each week and that more than three-quarters of the respondents believed their company will experience a serious information breach within the next two years due to those third parties.

SurfWatch Labs’ annual cyber threat report echoed that concern, finding that the percentage of targets publicly associated with third-party cybercrime nearly doubled from the second half of 2015 to the second half of 2016.

“Cybercrime is increasingly interconnected, and issues at one organization quickly moved through the supply chain to impact connected organizations in 2016,” the report noted. “That interconnectedness is evident in the growing pool of already compromised information being leveraged by threat actors, the expanding number of compromised devices and avenues to exploit compromised data, and the way in which data breaches and discovered vulnerabilities ripple outwards – sometimes several layers deep through multiple vendors – to touch unexpecting organizations.”

That interconnectedness is pushing organizations to try to gain more context around the growing number of threats so they can better prioritize actions. As I wrote in a previous blog, organizations are spending more money than ever around cybersecurity, yet they are not necessarily becoming more secure.

Cyber threat intelligence can help to peel back that layer of uncertainty and guide those tough cybersecurity decisions by answering questions such as:

  • What is the biggest cyber threat facing my organization and what steps can be taken to mitigate that risk?
  • Which threats are active within my industry and impacting similar organizations?
  • Have any vendors or suppliers suffered a data breach that may impact my organization in the future?
  • Is any information related to my organization being sold on the dark web?
  • Is my organization at risk from employee credentials exposed via third-party breaches?
  • What new and old vulnerabilities are currently being exploited by threat actors?
  • And other questions unique to your organization …

That context is what many decision makers say is lacking within their own organizations. Going back to that 2016 survey of key decision makers — more than half of them believed that threats around vendor access were not taken seriously and almost three quarters believed that the process of selecting a third-party vendor may overlook key risks.

A smart and thoughtful approach to cybersecurity that provides the necessary context can help to both shine a light on those new risks and filter out the excess chatter so your organization can focus on practical and relevant solutions that have an immediate impact on your cyber risk.

Cyber threat intelligence came a long way in 2016, but many organizations remain overwhelmed by the number of cyber threats and are continuing to experience data breaches. Expect the use of relevant and practical cyber threat intelligence to see continued growth in 2017 as organizations more to address their blind spots and more effectively manage their cyber risk.

2017 Cyber Forecast: The IoT Problem is Going to Get Worse

The new year is underway, and one of the biggest causes of concern carrying over into 2017 is the threat posed by the growing number of compromised Internet-of-Things (IoT) devices. As I stated in my previous cyber forecast blog on extortion, I prefer to base my “predictions” around actual intelligence and verifiable data. IoT-related security threats have been talked about for the past few years, but they have been relegated to the periphery of the cybercrime conversation due to the fact there wasn’t much threat data around real-world attacks. However, the second half of 2016 saw those concerns move front-and-center due to a series of incidents tied to the Mirai botnet:

  • In September, both KrebsOnSecurity and French hosting provider OVH were hit with massive DDoS attacks, reportedly hitting 620 Gbps attack and 1 Tbps in size.
  • Those attacks were quickly tied the Mirai botnet, the source code of which was subsequently released by a user on Hackforums.
  • A few weeks after the source code went public, DNS provider Dyn was hit with what appears to have been an even larger DDoS attack – causing major sites such as Twitter, Netflix, Reddit, Spotify and others to be disrupted across the U.S. and Europe.

Those attacks will certainly lead to increased scrutiny within the IoT marketplace both now and in the future, but in the meantime cybercriminals are focusing their attention on finding new ways to leverage the numerous vulnerable IoT devices for their own malicious purposes. The past few months have seen various hacking groups fighting to take control over their share of those compromised devices, as well as companies such as Deutsche Telekom and others suffering outages as those groups tried to expand their botnets by attempting to infect customers’ routers with Mirai. One group has even been observed selling IoT-powered DDoS services that claim to provide as much as 700 Gbps in traffic.

All of that activity has led to one of the clearest trends in SurfWatch Labs’ data over the past few months: an enormous rise in threat intelligence surrounding the “service interruption” category.

This chart from SurfWatch Labs’ 2016 Cyber Threat Trends Report shows a sharp increase in the amount of threat intelligence related to the service interruption category in Q4 2016.

“Over the past two years, the ‘service interruption’ tag has typically appeared in approximately 16% of the negative CyberFacts collected by SurfWatch Labs,” SurfWatch Labs noted in its annual cyber trends report, Rise of IoT Botnets Showcases Cybercriminals’ Ability to Find New Avenues of Attack. “However, that number jumped to more than 42% over the last half of the year due to growing concern around IoT-powered botnets such as Mirai.”

The problem of botnets powered by compromised IoT devices goes beyond just service interruption. It reflects many of the larger cybersecurity issues facing organizations in 2017:

  • an expanding number of vulnerable devices
  • the problem of default or easy-to-guess credentials
  • the difficulty of identifying vulnerabilities and patching them in a timely manner
  • questions of who along the supply chain is responsible for security
  • and issues outside your organization’s direct control that impact your cyber risk

Compromised IoT devices are a perfect example of the interconnectedness of cybercrime and how the poor security of one component by one manufacturer can led to hundreds of thousands of devices being vulnerable.

The sudden surge in concern around IoT devices reminds me of similar cyber risk discussions that have occurred around ICS/SCADA over the last few years. In both cases, the devices were often designed without cybersecurity in mind and those cybersecurity implications are now leading to serious potential consequences. However, unlike ICS/SCADA devices, IoT devices are primarily consumer focused. As we noted in the 2016 Cyber Trends Report, the potential of having multiple devices per household for any developed nation means that collectively these vulnerable devices are the largest digital footprint in the world not under proper security management.

DDoS attacks have always been a staple of cybercrime, but the expanding number of potentially compromised devices, along with cybercriminal tools designed to easily exploit those devices, has created growing concern around the tactic. Due to these concerns, I forecast with moderate confidence that IoT-driven botnets will affect a greater number organizations in 2017 as suppliers, manufacturers, regulators and the security community all continue to wrestle with this ongoing issue.

Cybersecurity Budgets: Does More Money Equal More Secure?

I’ve read report after report showing that security budgets were increasing, yet the number of breaches at companies of all sizes also continues to climb. This leads me to believe that somewhere there is a breakdown in how cybersecurity programs are being run — where allocating more spend and focus on cybersecurity oftentimes does NOT actually produce better outcomes.

There is an abundance of information out there that backs this up — this isn’t just me pontificating. Here are some highlights:

On security budgets increasing:

On cybersecurity issues increasing:

I think this can all be summed up best in a report by Morgan Stanley from this summer called Cyber Security: Time for a Paradigm Shift, where they stated:

“Companies are spending more to safeguard their digital assets, but cybercrimes are still growing in frequency and severity. What’s needed now isn’t more security, but better security.”

Now to be clear, this is not meant to serve as a doom and gloom piece. Certainly, there are pockets of goodness here and there and a lot of people are working hard on many good efforts, but holistically, the state of cyber security still has a long road ahead of it. And the question becomes how can we ensure that as we spend more effort and budget on cybersecurity, that we are at the very least impacting the cybersecurity outcome in a similar level of uptick?

I recognize that my own observation is just my perception, which is based on what I personally read and do each day. As such I wanted to get some additional input from my peers, so I did some crowdsourcing through LinkedIn:

We all see the news reports regarding how security budgets are increasing each year but yet for some reason nothing ever seems to get better. Why is that? I have my own specific thoughts on the question but wanted to share and see if anyone had an answer of their own.”

A wide range of opinions followed as to why cybersecurity continues to be a challenge and where we as a community need to focus our efforts.  The responses (summarized and paraphrased) to date have been interesting to say the least:

  • A handful of opinions appeared to point some attribution to cybersecurity vendors. My interpretation of those comments is that the vendor-driven FUD has generated a sense of urgency for organizations to purchase specific solutions and therefore fatten the vendor pockets — or at a minimum create a very complex marketplace which presents a challenge to those trying to navigate it.
  • Several opinions revolved around the idea that although budgets have risen, the volume and sophistication of threats are either out-pacing or out-maneuvering those security professionals who are trying bring more resources to bear.  
  • A handful of opinions appeared to state that security departments are underfunded and have an uphill battle for additional resources as security is generally viewed as a cost center as opposed to a revenue generator. Additionally, one individual stated that a potential area to look at is what budget is being used to cover past investments, therefore allowing fewer resources to be applied to emerging risks and in turn giving the appearance or possibility of a gap.
  • Poor leadership was mentioned several times, with comments stating that there are those that promote waste and will buy any new flashy thing that hits the street and that ensures that investments are not as strategic as touted to be.
  • I also had a few individuals who seem to disagree with the question and stated I was irresponsible or I was performing a disservice for even asking such a thing.  

The crux of all the input, with the exception of few outliers, revolves around a more simplified question of are we allocating “resources” to all the proper areas? Well, I think the answer to this really depends on your reality, which is ultimately your perception based on your experiences.

Everything you see or hear or experience in any way at all is specific to you. You create a universe by perceiving it, so everything in the universe you perceive is specific to you.” – Douglas Adams

I raise the perception/reality point to highlight that the responses to my Linkedin question are based on individuals’ experiences. Some folks have worked for or alongside poor leaders, have had poor experiences with vendors, or have had to do the budget defense drills. Some apparently don’t even see an issue and took offense to the question. These perceptions are also what drive a lot of these research reports that I listed above. Many of these are survey-based and while the survey structure and questions I am sure follow best practices for research processes, these surveys are being answered by people whose perceptions are their own reality.

My perception is based on my current role as head of the SurfWatch threat analyst team and from my previous role as CISO for a major transportation authority as well as a similar position for a DoD entity, where I tried to take an outcome-based model as much as reason dictates. Outcomes can be measured, they can be defended, and they can give you insight. Theoretically, if I apply more resources to a given defined problem the outcomes should change in some manner either good or bad. If the outcome does not change after putting more focus on that area, then I am going to start questioning a few things:

  1. Was the problem defined correctly?
  2. Was the problem measured correctly?
  3. Were the resources applied correctly?

Following these three key questions are a few more that hopefully prompt you to think about changing your perception/reality:

Problem Definition: The Art of The Plausible

  1. Do you use some type of analytical process to identify threats to your organization? And I don’t mean you base it off of news chatter, I mean you use a defined set of analytic inputs and analysis to determine what is true and what is not.
  2. If you have, have you analyzed what an actor’s capabilities and intentions are?
  3. If you do know what their capabilities and intentions are, have analyzed their tactics, techniques and procedures?

Problem Measurement: The Art of The Possible

  1. Have you observed using both internal and external data collection efforts any indications of previously defined threats or new undefined threats?
  2. What is your false positive rate for observing defined and undefined threats? Meaning you detected a threat, but investigation determined the threat to be untrue.
  3. What is your false negative rate? Meaning you did not detect a threat and post incident analysis determined the threat to be true.

Resources Applied To The Problem: The Art of Reality

  1. If you lead a cyber program, do you have a list of defined products and services that you deliver to the organization?
  2. Do you know what the exact budget allocation for labor and material is for every single one of those products and services?
  3. Have you defined policy, process and procedures for each one of those products and services?
  4. Can you identify what products and services specifically are applied to a defined threat?

The bottom line here is I believe that security spend is increasing and that many people and organizations are working hard and doing good things. But I also believe that we do not use intelligence enough to help define the problem area. If we can measure the problem, we know what resource to apply to it to change an outcome for the better. Instead, generally speaking we as a community deploy capabilities based on what we perceive to be the problem and hope that the outcome does not change for the worse.

As a former CISO, I have personally used intelligence-driven, analytical processes to identify what is true and then apply resources to address the “known knowns.” It takes diligence and determination, but by leveraging intel to drive our cybersecurity strategy, we can start to see a light at the end of what can be a long, dark tunnel.

2017 Cyber Forecast: Blackmail Using Media and Sensitive Data Will Grow

The end of the year is drawing nearer, and with that comes a handful of traditions: family gatherings, eggnog by the fire, and everyone’s annual list of cybersecurity “predictions.” While it’s a bit semantic, I’m personally not a big fan of the term “predictions.” As someone who lives in the intel world, it’s more about looking at the data and making forecasts using probabilities. In all of the cyber threat intelligence that we provide our customers, we include a confidence level based on what we’re seeing and the probability of that threat impacting a specific customer.

I start out with the above just to level set the rest of this blog (and the next several blogs around 2017 cyber forecasts). When it comes to identifying trends and making a forecast on probability of what threats make waves in 2017, based on the success of ransomware attacks I have moderate confidence that we will see growth of more traditional extortion-related cybercrime.

SurfWatch Labs has seen a steady growth in the number of targets publicly associated with extortion, blackmail and ransoms over the past few years, and we expect that number to rise even higher in the coming year.

Extortion-related crimes are on the rise (note: 2H 2016 data includes intelligence collected through December 7).

One of the best and most recent examples of malicious actors using extortion is the hacking group known as TheDarkOverlord, which has breached, attempted to extort and then publicly shamed a variety of organizations over the second half of 2016.

The latest incident is the November breach of Gorilla Glue. TheDarkOverlord claimed to have stolen more than 500 GB of data, including research and development material, intellectual property, invoices and more. The group then offered Gorilla glue its signature “business proposition.” As we wrote in a SurfWatch Labs blog earlier this year, the proposition is simple: pay the blackmail or face further data leaks and public shaming. After what TheDarkOverlord described as “a moderate dispute” with Gorilla Glue over payment — we’re guessing Gorilla Glue refused to pay — TheDarkOverlord shared a 200 MB cache of files with the media to help spread the story.

The evolving use of the media is actually one of the more interesting tactics used by TheDarkOverlord and other successful extortion groups this past year. Extortionists have referenced news coverage in their demands, prompted users to research past victims, and impersonated cybercriminals with established media coverage — all in an effort to lend credibility to their threats.

For example, back in April CloudFlare reported that a group using the “Armada Collective” name was blackmailing businesses with an extortion email that read, in part:

We are Armada Collective.


Your network will be DDoS-ed starting [date] if you don’t pay protection fee – 10 Bitcoins @ [Bitcoin Address].

If you don’t pay by [date], attack will start, yours service going down permanently price to stop will increase to 20 BTC and will go up 10 BTC for every day of attack.

This is not a joke.

The link in the email led to a Google search of the group, allowing victims to quickly see that some security researchers had described Armada Collective as a “credible threat.” Except the attackers were not part the original Armada Collective. They were copycats simply exploiting the original group’s already established name. As CloudFlare later discovered, there was not “a single incident where the current incarnation of the Armada Collective has actually launched a DDoS attack.” Despite the lack of follow through, the group managed to extort hundreds of thousands of dollars from the victims.

Leveraging the media in that manner is something the SurfWatch analyst team has observed more frequently over the past year. However, news outlets and victims are starting to become more skeptical of claims. That’s one of the reasons threat actors such as TheDarkOverlord have evolved their tactics to establish a more direct and somewhat dysfunctional “relationship” with the media. Bloggers and news outlets get access to a direct source of stolen data that can help help generate headlines. Extortion groups receive the platform necessary to incite worry in the partners and consumers of the victim organization, adding pressure to pay extortion demands.

With cybercrime events seeing more mainstream coverage each year and extortion proven to be a successful, low-effort tactic, expect that dysfunctional relationship to continue to develop in the coming year. Extortion has proven particularly useful when it comes to the theft of sensitive customer data as it provides multiple additional ways for a threat actor to monetize information. If the victim organization doesn’t provide immediate compensation via an extortion payment, individual customers may then become targets of blackmail — sometimes years into the future.

Adultery site Ashley Madison announced its data breach in the summer of 2015, but individuals exposed in that breach were still being sent blackmail letters and emails nearly a year later. Some victims reported that when they didn’t pay, the blackmailers then followed through on their threats by sending letters about the individuals’ alleged infidelity to family, friends, and workplaces.

More recently, hackers stole customer information from Valartis Bank Liechtenstein and were reportedly threatening individual customers — including politicians, actors and high net worth individuals — that their personal information will be leaked if they do not pay 10 percent of their account balances in ransom.

These extortion and blackmail attempts are not nearly as prevalent as ransomware, but they follow the same principle of quick and easy monetization via the victims themselves. The past year has proven that the media can be successfully used as a tactic to better extort both organizations and individuals, particularly when it comes to sensitive information that may lead to brand damage or embarrassment. That trend will likely grow in 2017 as threat actors look to take advantage of every avenue when attempting to monetize future data breaches.

Controlling What You Can Control: Using the Threat Triangle to Gain Focus

With cyber-attacks on the rise and organizations looking for more effective ways to fend off malicious actors, cyber threat intelligence has emerged as a buzzword in cybersecurity. Unfortunately, some of the information being marketed as cyber threat intelligence isn’t backed up by much actual intelligence; rather, it’s just another threat feed to be added to the already large pile of data that needs to be evaluated.

Part of the problem with good threat intelligence, I recently wrote, is that it’s time consuming. Effective cyber threat intelligence shouldn’t just add to the ever-growing list of concerns facing your organization, it should provide actionable insight into how to best focus security resources to achieve solutions. Evaluating those specific threats, determining their relevance and coming up with practical solutions unique to your organization is hard work.

threat_triangleThere are many ways to evaluate threats, but I tend to revert to my Navy training when thinking about the cybersecurity of our customers. Our rules of engagement dictated evaluating threats from three avenues: the capability, intent and opportunity to cause harm.

Taken individually, each has seen an overall increase over the past few years. Taken together, the add up to what Europol recently characterized as the relentless growth of cybercrime.

Let’s briefly take a look at each pillar:

  • Capability of Threat Actors: As SurfWatch Labs noted in its recent report, officials have estimated that the bulk of the cybercrime-as-a-service economy may be powered by as few as 200 individuals, yet those services can put sophisticated cybercrime tools at the fingertips of a vast pool of actors. Europol agreed, writing in its report that “the boundaries between cybercriminals,  Advanced  Persistent  Threat  (APT)  style  actors  and other groups continue to blur.” Clearly the capability of threat actors continues to evolve, putting more organizations at higher risk.
  • Intent of Threat Actors: Cybercrime tends to be driven by either profit or the desire to cause harm to an organization. The growth of dark web marketplaces, the widespread adoption of successful tactics such as ransomware, and the increased focus on cybercrime by the media, government officials and regulators has widened actors’ abilities to monetize cybercrime and directly impact an organization’s brand and bottom line.
  • Opportunity for Threat Actors: A recent study found that 89 third-party vendors access a typical company’s IT system each week. In addition, the technology footprint of organizations continues to grow as more as-a-service solutions are implemented to increase productivity and more digital services are offered to customers. This provides threat actors with an expanding number of avenues that can be exploited — some of which are not directly under your control.

Despite this widely reported growth in the capability, intent and opportunity of threat actors, many individuals still feel as though they will never be targeted. A study released last month from the National Institute of Standards and Technology found that many people still hold the view that cybercrime will never happen to them and that data security is someone else’s responsibility. People feel overwhelmed by cyber threats, and as a result, they engage in risky behavior.

Simplifying Security, Control What You Can Control

The good news is that out of those three aspects used to evaluate cyber threats, organizations essentially have control over only one: opportunity. The capability and intent of threat actors are largely external to your organization; however, a real and measurable impact can be made when it comes to limiting the opportunities for cyber-attacks.

Unfortunately, many organizations have not done enough to close the opportunity window on cyber-attacks. That was a central theme of SurfWatch Labs mid-year report: despite claims of “sophisticated” attacks, the bulk of cybercrime observed has exploited well-known attack vectors. Europol’s September report also found that organizations were not helping themselves — in many cases providing ample opportunity for cybercriminals to exploit.

“A large part of the problem relates to poor digital security standards and practice by businesses and individuals,” Europol noted. “A significant proportion of cybercrime activity still involves the continuous recycling of relatively old techniques, security solutions for which are available but not widely adopted.”

This brings us back to the importance of evaluated cyber threat intelligence. Cyber threat intelligence should directly address that opportunity and provide solutions to close — or at least to severely limit — cybercriminal avenues of attack. What vulnerabilities are being actively exploited in your industry? What social engineering techniques are being leveraged in similar campaigns? How are threat actors monetizing the information and what is the potential impact if our organization faces a similar breach?

The answers to questions like these are a large part of the hard work that is the intelligence portion of cyber threat intelligence. Those answers can help to shine a light on paths that may significantly reduce your organization’s potential cyber risk.

Cyber threat intelligence, if done right, can help to limit the opportunity for threat actors to cause harm. This renders their capability less capable and their intent harder to pull off — at least against your organization.

Healthcare Databases for Sale on Dark Web, but What Else is Being Sold?

The recent theft and potential sale of various healthcare databases has once again put the sector at the forefront of cybercrime — and makes many wonder how their information is affected by criminal activity on the dark web. While healthcare-related data is not nearly as prevalent on the dark web as other sectors like financial services, SurfWatch Labs has observed a variety of items being offered up for sale in addition to this week’s headline-making healthcare databases.

As previously noted, common threat intelligence found on the dark web includes compromised credentials, stolen financial information, stolen intellectual property, threats stemming from an organization’s supply chain, and information on a wide range of hacking services and other cybercrime tools. These same categories also apply to healthcare organizations.

Over the past year SurfWatch Labs has observed direct healthcare breaches, third-party breaches that have impacted healthcare organizations’ employee accounts, fraudulent prescriptions, and other healthcare-related cyber threats.

What’s Being Sold on the Dark Web Now?

This week, several healthcare databases were put up for sale on the dark web by an actor going by the name “TheDarkOverlord” — along with a hefty price tag for that information.

On Monday, after previously posting three different databases that contain names, addresses, Social Security numbers, birth dates and some phone numbers of 655,000 individuals, the hacker told the Daily Dot that he was sitting on a “large” number of other databases. On Tuesday he followed through on that claim, adding for sale a database of 34,000 records from a New York Clinic as well as a health insurance database with 9.3 million patients, which he said was stolen using a zero-day vulnerability “within the RDP protocol that gave direct access to this sensitive information.” On Wednesday he again made headlines by naming one of the companies breached, Midwest Orthopedic Clinic in Farmington, Missouri, and said that the owner “should have just paid up to prevent this leak from happening.”

According to the post, the 2GB file contains 9,278,352 records and is selling for 750 bitcoin (around $485,000), a far higher price than is typical for items sold via dark web markets.

A posting of more than 9 million records is on the extreme end of the price spectrum, and it could be that the actor is trying to spin up some media attention in order to better extort potential victims or drive future sales — if he is indeed sitting on many more databases to sell.

More typical of the type of healthcare-related information found for sale on the dark web is counterfeit documents and other identity information that can be used for different types of fraudulent purposes, including but not limited to medical. Although this information does not sell for hundreds of thousands of dollars and make national headlines, it is much more prevalent.

For example, fraudulent medical cards from around the world are available for approximately a few hundred dollars.

In the posting below, a vendor is selling a Quebec Medicare card template for $700. “Why is it so good?” the vendor asks rhetorically. “Because it has the latest security features, and is a valid photo ID. Most places will trust the Medicare [card] before they trust the DL [driver’s license] because almost no one makes them.”

The vendor is also selling driver’s license templates, but fraudulent Medicare cards are an easier option for the buyer, he wrote. With this card, all the buyer needs is a hologram overlay (which he conveniently also sells) and an embosser.

Likewise, non state-sponsored health cards are available. The listing below, from a now-defunct dark web marketplace, is selling a U.S. health insurance card for $40.

Why? “These are to provide proof that you have health insurance in the United States,” the seller wrote, adding that an insurance card like the one provided is an excellent way to round out a fake identity. “If a fake ID is questioned, this can be pulled out to back it up and eliminate any question. [It] may save you. In addition it may be used as a secondary form of ID to open up a PO box under a false identity.”

Insurance cards like the one for sale here have a variety of cybercriminal uses ranging from direct medical identity theft to verification purposes in order to perpetrate other forms of fraud.

Some items for sale on the dark web leverage physicians’ identities. The posting below is from a vendor who is currently selling a signed California drug prescription form from a medical group with six different doctors. “These are REAL doctors Rx Scripts, from a REAL CA medical practice,” the vendor wrote. “These are extremely hard to come by.”

The form, which includes up to three prescriptions, is selling for $75, and the vendor will even fill out the script for an extra $100 if the buyers are unsure how to do so.

“The form contains Doctors Names, DEA numbers, and CA license numbers,” the listing reads. “These are signed prescriptions you can fill out yourself for pharmaceuticals in CA, I would like to get rid of these ASAP.”

Additionally, the dark web is often associated with illegal drugs – and for good reason. Reporting on dark web markets such as Silk Road tends to focus on hard drugs; however, prescription drugs are readily available. They can be purchased from a variety of sellers on nearly every dark web marketplace.

This vendor is selling a wide wide range of prescription drugs in different dosages.

Utilizing Cyber Threat Intelligence

In addition to the postings from open marketplaces shown above, there is information to be gained from the private cybercriminal forums and markets on the dark web. As more researchers and law enforcement turn to the dark web for intelligence gathering purposes, cybercriminals have begun to take more precautions. Some markets require a referral to gain access. Some require a user fee. This chatter, both the public postings and more restrictive groups, can provide important insight into the most active cyber threats facing your organization.

For example, SurfWatch Labs has previously observed certain forum members requesting health insurance records from specific companies – presumably to assist in perpetrating insurance fraud as one actor was specifically looking for “high cost treatments.” Knowing which actors are targeting an organization, what those actors are looking for, and other chatter around potential cyber threats can be invaluable when it comes to planning, budgeting and implementing a company’s cyber risk management strategy.

This type of dark web threat intelligence provides direct insight into the malicious actors that target healthcare organizations, and it goes beyond the big ticket items that generate news headlines and spark a national conversation. Those stories are important, but in many ways the dark web shines a light on a cybercrime problem that is much more insidious: death by a thousand cuts.

With so many different threats out there, knowing which threats to focus on is critical. In many ways cybersecurity is simply about effective prioritization, and to that point, cyber threat intelligence and the dark web is a vital aspect.

Top 5 Items for Sale on the Dark Web, and What Businesses Can Learn From Them

In April 2016, the dark web market Nucleus went offline. Before its disappearance, Nucleus had become the number two most popular market on the dark web, hosting tens of thousands of listings for a variety of illicit goods and services. The debate continues around why Nucleus vanished; however, it was just one of the many different markets where users could go to anonymously purchase credentials to customer accounts, stolen payment card data, pirated software, counterfeit currency and goods, malware, hacking services and more.

pic 1
Screenshot of Nucleus Market before it went offline in May.

Knowing this can be quite useful to businesses and threat researchers. It can be leveraged for valuable cyber threat intelligence including the kind of data being bought and sold by cybercriminals, tools and services that are commonly used, and vulnerabilities that are being actively exploited. Most importantly, the dark web provides much needed context. But with the huge number of threats out there, some legitimate and some not, where should organizations focus their resources? Threat intelligence from the dark web can help provide businesses with that important insight. With that in mind, here are five of the most common items for sale on the dark web, and how that information can help organizations combat cybercrime, according to SurfWatch Labs data.

1.Stolen Credentials

Although a wide variety of cybercrime-related items are for sale on the dark web, stolen credentials are among the most prevalent. When looking at the most popular dark web market in 2016, credentials trade accounts for nearly a quarter of the data collected by SurfWatch Labs. Cybercriminals initially get this information by using phishing messages, malicious applications, and other methods to get malware such as keyloggers installed on victims’ devices. These stolen usernames and passwords often end up for sale on the dark web where other malicious actors then use them for a variety of purposes. Although online banking accounts are a natural target, other types of credentials readily available for purchase include employee and personal email accounts, social media accounts, eBay and PayPal accounts, and other popular services such as Netflix, Uber, and more.

How this can help your organization: With the huge number of data breaches and stolen credentials out there, it is likely that some employees have had their usernames and passwords compromised, and in many instances those include work-related email addresses. Monitoring the dark web for stolen credentials related to your brand and your employees can allow you to educate users, prevent fraudulent logins and stop a future attack from spreading.


pic 2


2. Fraud and Stolen Identities

When a point-of-sale data breach occurs, that stolen payment card information often ends up for sale on various dark web markets. Cybercriminals act very quickly to monetize those accounts. The longer a stole card is on the market, the less valuable it becomes due to the likelihood of it being tied to a data breach, theft, or other fraud — and cancelled by the bank or cardholder. Other items for sale related to fraud include counterfeit documents such as passports and driver’s licenses as well as personal information needed to open lines of credit such as Social Security numbers, dates of birth and other identifiers. Like traditional crime, cybercrime is largely driven by money, and fraud and stolenidentities have traditionally been the go-to methods for turning a quick profit. However, it is not just the occasional thugs perpetrating these acts. It is often professional cybercrime rings run by gangs in other countries that have been perfecting their techniques for years.

How this can help your organization: Many point-of-sale data breaches aren’t discovered until the stolen payment card information shows up for sale or fraudulent charges begin occurring on enough cards to pinpoint a source of the compromise. By finding the stolen information sooner rather than later, retailers and financial institutions can shorten the shelf life of stolen cards and reduce potential losses.

pic 3


3. Intellectual Property

Media piracy is a popular practice on the dark web. Stolen ebooks, music, movies and other forms of entertainment are sold at a fraction of the cost — with none of the profits going to the creators. In addition to piracy, even more damaging forms of intellectual property are bought and sold on the dark web. This may include source code, stolen customer lists, trade secrets and other sensitive data stolen from organizations. A report by the Commission on the Theft of Intellectual Property stated that stolen intellectual property costs the United States as much as $300 billion each year, and the Center for Responsible Enterprise and Trade estimates trade secret theft costs between one and three percent of the GDP of advanced economies. Not all of that is sold on the dark web — much of it is nation-state espionage — however, of all the items for sale on the dark web, intellectual property tends to be the most impactful and have the most long-term consequences for organizations.

How this can help your organization: Finding intellectual property such as source code for sale on the internet is a significant cause for concern. Unlike payment card information, which can be stolen from a variety of locations, intellectual property is a likely indicator of either an intruder gaining access or an insider selling valuable information. Media piracy, which is the most common form of intellectual property for sale, can lead to a significant loss of income, particularly if that item finds it’s way onto popular torrent sites where users freely share stolen material.

pic 4


4. Supply Chain Threats

Effective threat intelligence should include all the cyber risks facing an organization, including risk faced by third-party partnes and vendors. Vendors may have their own credentials or intellectual property for sale on the dark web, or there may be relevant vulnerabilities that are being actively exploited by malicious actors. Those potential issues may move down the supply chain and impact other organizations along the way. For example, in April 2016 SurfWatch Labs threat intelligence analysts uncovered a breach into web hosting provider Invision Power Services, whose customers include professional sports leagues as well as major media and entertainment companies. A malicious actor indicated plans to infect those brands’ users with malware. Although these incidents are often not the direct fault of those companies, the fallout from customers, investors and regulators does tend to fall directly at the feet of those organizations.

How this can help your organization: Vendors and the supply chain are among the most common causes of data breaches, yet they’re often a blind spot when it comes to an organization’s cybersecurity practices. Having insight into potential issues not just within your organization, but with your partners can help to give a more complete picture of your organization’s risk and help alert you to any potential issues before they make way down the supply chain and into your business.

pic 5


5. Hacking Tools and Services

In addition to stolen items, malicious actors can purchase many different types of hacking tools and services. One popular market actually began by specializing in selling zero-days and other rare exploits. For example, one user was previously selling a new way to hack Apple iCloud accounts for $17,000. Other items for sale include exploit kits, keylogging malware, phishing pages, remote access Trojans, hacking guides and more. The cybercrime tools purchased may even come with subscription services, easy-to-use interfaces, technical support and other features often associated with legitimate software. In addition, cybercrime services are for sale including distributed denial-of-service attacks, doxing and help hacking accounts. The cybercrime-as-a-service model has segmented the market so that actors can specialize in their own field, whether that is running a botnet, creating exploit kits or stealing credentials. All types of cybercrime tools and services are available — for a price.

How this can help your organization: Knowing what tools are readily available and popular can help organizations defend against common attack methods. In addition, new exploits that are put up for sale or modifications to existing tools can provide insight into how cybercriminals are evolving their attacks in order to evade detection. This context, combined with other dark web threats, can help provide the necessary threat intelligence to help effectively guide your organization’s cyber risk management strategy.

pic 6