tor, longstanding verified attendees, and newer unverified
people signing up for a visit. Some forums
have high levels of security and restrict attendance
to only active members. Others are more relaxed,
willing to allow participants with a trusted referral.
Once registered in a forum, participants range
from curious spectators to criminal groups to
hacktivists, who are there for political and financial
reasons. “Depending on the culture of the
group you’re dealing with, you can sometimes be
completely transparent and let them know you’re
a researcher or a journalist looking to learn about
emerging threats,” Heid says.
Threat actors in different countries host forums
through different platforms. “In the Middle East,
hackers use a messaging tool called Telegram,
whereas in China they use something called QQ.
We have been able to routinely access hundreds of
forums, burnishing our personas as we go along,”
Cozzolino explains.
In establishing his persona, Heid says building
trust is a critical process. “At the end of the day,
you’re dealing with people,” he says. “The more
forums you attend, the greater your trustworthiness.”
There is a running joke among white hat
hackers, he says, that for every chat room with
100 people, only 10 are real hackers. The rest are
spectators.
The cybercriminals are well aware of such spies.
(Hackers call them “sock-puppets.”) “They know we
exist, but they don’t know who we are,” Heid says.
Hackers also expect to be hacked. In fact, it’s
a bit of a sport. “There are long-standing rivalries
between certain hackers who hack each other’s
websites and release data from each other’s
databases,” he explains. “There’s no honor among
thieves.”
TAKING STOCK OF THE SPOILS
According to Cozzolino, his team’s cyberspying has
paid off for Secureworks’ clients. “We’ve picked
up vital intelligence about new variants of malware
and ransomware early on, and found exploits well
before they were published,” he says. “Last year,
for instance, we discovered three exploits before
they were disclosed publicly.”
But just as investigators in a physical criminal case must weed out false leads,
cyberspies must be careful to cull valid intelligence
from the darknet. “There’s a fair amount
of counterintelligence going on, with the actual
threat actors leaking false information to muddy
the waters,” Heid says.
Cozzolino agrees and adds that each time his
team finds something, they label it with high, medium,
or low confidence.
So, has he ever blown his cover? “We take very
good precautions so there is no way the threat
actors can link us back to anything real,” he says.
“Everything we do is on a separate system with
multiple layers of security.”
Cyberrisk professionals say white hats are
making a big difference in the war on cybercrime.
“They’re providing a valuable resource by spying
on potential threats before they become full-blown
disasters,” says Vance Brown, CEO of the National
Cybersecurity Center, a cybersecurity think tank.
“The intelligence they provide is an extremely
important piece of the overall puzzle.”
As cybersecurity experts shed more light on attack
strategies, Cozzolino says, everyone benefits.
“To better guide decisions on cyber-preparedness
and response, you need to collect, analyze
and authenticate each piece of threat data. The
intelligence we’ve vetted is valuable to clients, the
economy, and all of us.” ■
Get more insights on the cyber threat landscape in the
Secureworks State of Cybercrime Executive Summary.
DellTechnologies.com/Secureworks