Stolen Data as a Commodity



Excerpt from: Drivers of the Dark Web Economy

An excerpt from Terbium Labs’ CRO and Head of Intelligence Analytics, Munish Walther-Puri’s “Drivers of the Dark Web Data Economy”

The dark web is often discussed vaguely or inaccurately, but is a key enabler of the fraud economy, as a streamlined source of trade in payment card and personal data. On the dark web, cyber criminals have developed a "supply chain" of fraud: professionalizing the process, operating enterprises at scale, and passing their products on to the buyers in wholesale batches. Fraudsters have a range of resources at their disposal to help them maximize the value of these accounts, and the communities of cybercriminals collaboratively develop new ways to grow and automate their operations.

"The part that's important to remember when thinking of this underground economy is that the activity level has to do with what is out there and how it is valued,” Walther-Puri describes. “So, data is one of the goods in this underground economy and that is the way it is thought about. If you are not thinking about it that way, that's the way you need to start to think about it if you want to disrupt fraud.”

In this presentation excerpt, Walther-Puri describes:

How stolen PAN data is commoditized, traded, distributed, sold, and consumed;
The economic drivers of the dark web data economy;
A 3-step process to defeat the adversaries.

COPYRIGHT© 2018 INFORMATION SECURITY MEDIA GROUP, INC.

Walther-Puri brings his expertise in security, intelligence analysis, cyber risk and fraud to his role, where he oversees a team of research and intelligence analysts responsible for dark web data monitoring. His team produces accessible, automated intelligence to help clients minimize the risk of data exposure. Prior to joining Terbium Labs, Walther-Puri was the founder of Presearch Strategy, a New York City-based firm dedicated to applying technology and analytics to political risk, strategic intelligence and cybersecurity through training and consulting projects. He is an active member of the analyst and intelligence community, a board member of Women 2.0, a council member of the State Department's Overseas Security Advisory Council for Europe, and President of the Fletcher Club of New York.

The Dark Web: Starting from the Beginning

Let's talk about what actually happens on the dark web. There's a lot of attention paid to the dark web, but not all of it is accurate. So, let's talk about what it is not first, or rather what it is not only. It is not a meet-up for terrorists, the red light district of the internet, an online gun show, or the Craigslist for hit men. These are the things that catch a lot of attention. While there are elements and components of them, it is surely not the majority of what happens. What the dark web is – a safe haven for dissidents and people, journalists and other human rights activists; a repository of, let's just say, unsavory things; and – I mean this in a little bit of a funny way but also in a true way – it's sort of a weird online flea market. What we're going to talk about today is the structured economy of illicit goods, specifically data.

Recent Major Dark Web Market Take-Downs: Important Takeaways

The current state is that last year has been tumultuous. You may or may not be aware that there were two major markets taken down in a coordinated law enforcement effort over last summer, AlphaBay and Hansa Market. There's been a lot written about those take-downs, the circumstances behind them, and I encourage people to look into those as background context to where things are today. Those were followed by four to six months of increased instability in the dark web marketplaces, and there were distributed denial of service attacks that affected uptime. What that meant is there were these two major markets and then, when they were taken down, nothing really jumped into their place. There wasn't a number three and four that then became the two big markets. There was a third market that was vying to be the dominant place, but they're not anywhere in the league in terms of activity and market share. The other big takeaway from those take-downs is that the fraud community didn't really notice.
And I don't mean to say that those take-downs weren't important and valuable; they were. But it didn't disrupt the fraud economy as much as the other economy, specifically the drug economy and some of the other illicit goods and services. So what we have now is that there are no longer those market bellwethers. Before, by looking at those two markets, you could get a relatively good sense of what was happening on the dark web. Now with those gone, it's a lot harder to understand the market activity. The other thing that we started to see is that vendors are moving to more boutique sellers for the sourcing of their information and their data. This brings us up to speed with where we are now.

The Strategy for Optimizing Disruptive Impact for the Fraud Economy

I will give you the bottom line up front – the strategy for optimizing disruptive impact for the fraud economy – and then go back and explain how we got here to put this into proper context. There are three components to it: baseline, collection and exposure. The first is to establish a baseline, and that is for an organization to understand where and which kinds of data are out there on the dark web. The second is to develop a collection strategy, which is to develop a data source or sources of market and forum activity and really understand where that activity is going on. The third is to evaluate exposure. When you have these first two components, now assess how the organization's data shows up. Is it different than before? Are we seeing something anomalous? That is the strategy for how to make the most of disruptive activity. That doesn't tell you exactly where and how, and that is precisely it. Organizations, particularly those focused on fraud risk, should think about where they can allocate their resources. In order to do that, they really need to understand the assessment and the overall exposure, and that's where this comes in.

The Drivers of the Dark Web Economy

I wanted to give you those key takeaways upfront, but now we'll talk about the drivers of the dark web economy. Our perspective here at Terbium is that it is an economy. It is not a legitimate economy and it is not a legal one, but it is an economy. All the drivers and components that impact a particular economy we see on the dark web. There are a few key drivers, but I've decided to highlight four. The first is an externality and an obvious one. This market is operating outside of the law, so there isn't any regulation or accountability. You combine that with the minimal paper trail. The buyers and sellers are anonymous or, in some cases, pseudonymous, and the transactions are almost entirely digital. Some of the ways that we have of combating fraud and even thinking about disrupting fraud do not apply here. We do not have some of those capabilities. We have to find a different, creative way to come at this. Out of the more traditional economic drivers, market availability is the best way to describe it, and I think that is the supply. Markets on the dark web have down time and their operation is inconsistent. That has an impact not just on the market activity but also for those trying to track what's going on. When there were DDoS attacks and some of those markets were not available, buyers moved to a different market or they wondered what was happening with a particular marketplace. The second component, related to demand, is the market size and structure. There were two large marketplaces that were taken down and, in their wake, there have been some other marketplaces that were tier two that have moved up, but the way the marketplace has responded is in response to the demand. So there have been more boutique, smaller, direct relationships between vendors and buyers. All of this is to say, it has become more difficult to have visibility into what's happening and what matters. If you think about the disruption strategy, trying to get a sense of exposure, that becomes increasingly challenging.

Stolen Data as a Commodity

The top three goods on the dark web are PII (personally identifiable information), financial data, and then the general category of access and compromise tools. The part that's important to remember when thinking of this underground economy is that the activity level has to do with what is out there and how it is valued. So, data is one of the goods in this underground economy and that is the way it is thought about. If you are not thinking about it that way, that's the way you need to start to think about it if you want to disrupt fraud. We have this idea that data may look the same or seem the same, but it is not worth the same. You'll forgive the crude analogy, but if you think about dollar bills, they roughly look the same. They feel the same, they're the same size. No one would disagree that they are worth different amounts and they have different value.


Since data types vary in value, I’m going to use the example of payment card data to talk about this. And similarly, the perceived value is established by the marketplace. There are certain factors that are used to set the value in addition to supply and demand. The source of the data is irrelevant for cyber criminals and fraudsters. The format of this data has been standardized and in many cases completely digitized. These online bad actors are agnostic to some of these components of data. The value of data comes from one fundamental thing: What is the potential to monetize that data? Who are the people that are "shopping" for that data? That's one of the ways they choose their products. This might be a mindset switch, to think about cyber criminals and fraudsters as shoppers. In fact, it is sort of strange to think about them as consumers, but that is – in fact – the way that they operate. Another category we think about is freshness. So again, this is around payment cards, specifically. Older cards are more likely to have been detected; that is, cards that have an expiration date that is approaching more quickly are more likely to have been closed out by the organization, whereas a card with an expiration date that has a while to go, for example, might be more available. The next is brand, and I don't mean the organization's brand. I mean classic or premium (business). There is a perceived higher value than a prepaid card, for example. The last, and this may come as a surprise to some of you, but please know that this is a reality: customer service. The idea is that if the cards are, or if some part of the cards are, not good, or there's something not as promised with the data, then replacements are sometimes offered or there are bulk discounts. This is a marketplace that has evolved and developed. Then finally, product development and performance analysis. There are vendors that look at what their performance rate has been. How many cards have they put out there? What has been purchased? How long has it moved along? What is the sourcing that they're doing? Should they change or improve the way they're getting information? This is not said with any aggrandizing – they are entrepreneurs, and they are businesses, and they are in this illegal market – but they are not thinking of it that way and surely operating that way.

Disrupting the Supply Chain of Fraud on the Dark Web

The challenge with fraud, particularly cyber-enabled fraud on the dark web, is that it is not your fault but it is still your problem. The current methods that we have are ineffective and inefficient. That's not to say they're insufficient or that they should be stopped, but they're just not getting us far enough. The first example is that "disruption" is happening after the goods have been sold. This is a reactionary approach. The goods of data are already out there. Fraud has been perpetrated. Then, evidence of that is detected, investigated and remediated. It's damage control – which is fine – but that approach is not necessarily working; that's not how you really disrupt something. That might minimize it a bit, but the product has already been consumed at that point. If we talk about payment cards again, some organizations have thought, “Why don't we just buy the cards and we'll take them off the market?” The simple answer to that is, you haven't gotten rid of the problem. It's not a sustainable solution. In fact, buying those cards inflates the demand. If we think about this again in economic terms, it could even signal the value of certain types of brands or issuers, and that's the last thing you want to do in this underground economy.


There are times where it can make sense to buy a subset of cards if an organization is going to do analysis on those and look at how that compares to their distribution, or look at geographic circulation, but that would be for analysis. That doesn't necessarily solve the problem per se. We talked about the supply chain: inbound logistics, how the product and data comes in; manufacturing and operations, this is a more conventional approach to the supply chain still; and outbound logistics, marketing, sales and services. Which part of this supply chain is vulnerable? I see the real opportunity in that middle stage: outbound logistics, which includes storage and distribution. That's where there's the real opportunity. But we face a few problems which must be discussed before the solution.

Overcoming Challenges to Find a Solution

There are three challenges that we're facing. The first is anonymity. TOR guarantees this obfuscation, so mostly anonymity. I say mostly because it is possible to try and track someone down, but they're operating under pseudonyms as well. So the idea that it's 100% anonymous is a bit of a misnomer. But from the point of disruption, that's really difficult because we typically don't have information about the actor, their location, their history, tying them to other activity, purchasing, social media or anything else like that. Sometimes we can, but that anonymity makes it really challenging. The second is access. There are markets that are open and anyone can look at them, but there are relatively few. For most of the markets, you have to sign up and get credentials, or some organizations will use personas or people under cover – law enforcement definitely does that. The problem is, that's individual marketplaces. Some of those marketplaces require credentials showing that you have traded, bought or sold stolen data. As an organization, we just don't do that. So that's a challenge as well, for any organization that wants to abide by the law and maintain a high ethical standard. The third is activity. There are different degrees of activity. There's vendor activity, there's what's happening on the marketplace… and then there's the dynamics going on across the dark web – all of which are constantly changing. Just to remind you, the past 9-12 months have been pretty tumultuous. We had the two markets go down, then we had the DDoS attacks. It's been difficult and will continue to remain difficult to follow what's going on in a consistent way. So now, with those three realities, let's look at the strategy for optimizing disruptive impact.

Baseline, Collection and Exposure – A Reprise

And now we return to our three-part strategy, starting with baseline. I am going to continue to use the payment cards example. You really want to understand where those cards are. And by where I mean, not just markets versus forums on card markets, but in what sort of context. That can tell you a fair amount about what there is to be worried about. As a risk management approach, how should you allocate your resources to understand what's going on with your organization's data on the dark web? You have to establish a baseline. Also, what kinds of cards? Credit cards, debit cards? What brand types? We talked about freshness, validity – getting into the cyber criminals’ minds and thinking about it from their perspective can help you establish a clear baseline so that you know what really is exceptional and what deviation looks like. What might provide early warnings for a point of sale breach or a specific targeting of your institution?

Lots of times, organizations jump into just looking at what's out there, and without a baseline, you don't really know if it's different and if you should be paying significant attention to it. The second is collection. And this goes in parallel with the baseline. But a baseline can be established on its own. Then, developing a strategy around getting data to look at what is happening on those markets and forums. There are a number of different ways to do that. Here at Terbium, we have our automated crawler and that's what we specialize in – collecting that data and getting it in a way that is consistent, active and actionable. The third is the exposure. This is, again, a risk assessment approach and the question is: where is your organization's data out there and what does that mean for your organization? With payment cards, as you can imagine, there is a shelf life; some cards aren't valid anymore and they were replaced with newer cards. It is rare that we see a specific organization's cards all bundled together. It's usually distributed. So understanding that, what is the change in that exposure? That might mean that there is some specific targeting or remediation that needs to happen. And that's where getting ahead of the supply chain is really valuable. If you can catch the cards before they're used – when they're listed in real time – if you can catch them then and understand what's happening, not only can they be locked down, but that fraud never happens. Instead, right now, we're waiting for that fraud to happen and then detecting it. But if you catch it early and you can stop it upstream on the supply chain, that's really effective. In order to do that, however, you have to go through these three steps.

Beat the Adversary by Working Together

The last thing that I'll say is I haven't met you. I don't know you, but imagine that we're in this together, because we are.
There are three things that we have to use to combat fraud on the dark web: automation, analytics and partnerships. I say that with a challenge, because that's how cyber criminals are operating. They are automating their processes. They are definitely using analytics, and they are 100% collaborating with each other. So we have to start there, too. Here at Terbium Labs, we have worked on automation. We built the analytics and we're looking for partners. To find out more, ask questions, download free resources and certainly to partner with us, please visit us at: https://terbiumlabs.com/.
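The baseline-then-exposure check the reprise above describes, worked through as an added example; this is not Terbium Labs' crawler or analytics, and it assumes a collection step has already reduced what it saw into weekly rows of (week, issuer BIN, context, card count). The BINs, contexts and counts are constructed placeholders. The baseline is a per-(BIN, context) mean and standard deviation over an eight-week window, and the exposure step flags the week under review when a pair rises well above that baseline or appears for the first time:

```python
"""Baseline-then-exposure check over constructed dark web listing observations.

Added example, not Terbium Labs' code or tooling. It assumes a collection
step has already normalized what it saw into (week, issuer_bin, context, count)
rows; the BIN values and counts below are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Observation:
    week: int         # week index since collection started (1 = first week)
    issuer_bin: str   # first six digits of the card number; placeholders here
    context: str      # where the cards were listed: "card_shop" or "forum"
    count: int        # distinct cards attributed to this issuer that week


BASELINE_WEEKS = 8

# Constructed sample feed. Weeks 1-8 are the baseline period; week 9 is the
# week under evaluation and contains one genuine spike for BIN 123456.
OBSERVATIONS = [
    # BIN 123456 in card shops: steady single-digit volume, then 40 cards.
    *[Observation(w, "123456", "card_shop", n)
      for w, n in enumerate([4, 5, 3, 6, 4, 5, 4, 5], start=1)],
    Observation(9, "123456", "card_shop", 40),
    # BIN 123456 on forums: an occasional mention, and two in week 9.
    Observation(2, "123456", "forum", 1),
    Observation(5, "123456", "forum", 1),
    Observation(9, "123456", "forum", 2),
    # BIN 654321 in card shops: exactly 5 every week (zero-variance baseline).
    *[Observation(w, "654321", "card_shop", 5) for w in range(1, 9)],
    Observation(9, "654321", "card_shop", 6),
    # BIN 999999 never appeared during the baseline period.
    Observation(9, "999999", "card_shop", 3),
]


def build_baseline(observations, baseline_weeks=BASELINE_WEEKS):
    """Mean and population std of weekly counts per (bin, context) over the
    baseline window. Weeks without a row count as zero, so a BIN seen twice in
    eight weeks gets a low mean rather than a misleading average of its hits."""
    series = defaultdict(lambda: [0] * baseline_weeks)
    for o in observations:
        if 1 <= o.week <= baseline_weeks:
            series[(o.issuer_bin, o.context)][o.week - 1] += o.count
    return {key: (mean(v), pstdev(v)) for key, v in series.items()}


def evaluate_exposure(observations, baseline, week, z=3.0, floor=5):
    """Report (bin, context) pairs whose count in `week` is anomalous.

    A pair is "above_baseline" when its count exceeds both mean + z*std and
    mean + floor; the absolute floor keeps a zero-variance or near-zero
    baseline from alerting on one or two extra cards. A pair with no baseline
    at all is reported as "new_exposure" for an analyst to look at.
    """
    current = defaultdict(int)
    for o in observations:
        if o.week == week:
            current[(o.issuer_bin, o.context)] += o.count
    alerts = []
    for key, n in sorted(current.items()):
        if key not in baseline:
            alerts.append((key, n, "new_exposure"))
            continue
        mu, sigma = baseline[key]
        threshold = max(mu + z * sigma, mu + floor)
        if n > threshold:
            alerts.append((key, n, "above_baseline"))
    return alerts


def run_example(week=9):
    """Build the baseline from the constructed feed and evaluate one week."""
    return evaluate_exposure(OBSERVATIONS, build_baseline(OBSERVATIONS), week)


if __name__ == "__main__":
    for (issuer_bin, context), n, reason in run_example():
        print(f"week {9}: BIN {issuer_bin} in {context}: {n} cards ({reason})")
```

Run on the constructed feed, week 9 produces two findings: the 40-card spike for BIN 123456 in card shops, and BIN 999999 as new exposure. The forum mentions for 123456 and the 6-card week for 654321 stay quiet, which is the point of the absolute floor: a baseline of mostly zeros, or of an identical count every week, has a standard deviation near zero, and without the floor a single extra card would alert. The constant `z` and `floor` values are assumptions to tune against your own baseline; the separation by context (card shop versus forum) follows the talk's point that where the cards show up matters as much as how many.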
