An international cybersecurity research team has developed an AI system that predicts business targeted cyberattacks from forum discussions on the dark web

The dark web refers to the underbelly of the internet, cut loose from search engine indexes and accessible only via specialist browsers like Tor.

Darkweb or deep-web marketplaces and forums are well known for being the go-to place for purchasing illegal drugs, guns, and forged documents online.

The same forums and marketplaces are often teeming with hackers anonymously discussing vulnerabilities and selling malicious software that exploits them.

Popular Russian hacking site FreeHacks has 5,000 active members who enthusiastically discuss techniques like “carding” (the term for credit card theft attacks) and “phreaking” (breaching someone’s security network).

Until now, their discussions have not been analysed at scale.

Firms at risk

Large organisations such as Equifax, Verizon, and Gmail have all been subject to recent data breaches, while some are perpetrated internally, a 2017 Verizon investigation report revealed that 75% of breaches are perpetrated by outsiders exploiting known vulnerabilities.

Organisations are increasingly in need of tools to proactively identify if they will be attacked, and monitoring dark web discussions to predict future attacks had been touted as a potential solution to infiltrations.

In a new paper published this week, a team of researchers from Arizona State, UNS, and USC universities, Cyber Reconnaissance, and Lockheed Martin Laboratories, detailed a new system, named DARKMENTION, that they have created to predict such attacks.

DARKMENTION works by learning association rules that correlate attack indicators to real-world cyberattacks, and was built under contract with IARPA’s Cyberattack Automated Unconventional Sensor Enrivonment (CAUSE) program.

Specifically, it matches forum discussions on popular platforms and illicit marketplaces with data from over 500 historical records of real-world cyberattacks, sourced from cyber-threat intelligence firm CYR3CON.

Machine learning

DARKMENTION currently collects data from more than 400 platforms, which is then filtered by machine learning models to remove data related to drugs, weapons and other irrelevant discussions.

From this real-time monitoring, the system then reasons about the likelihood of future threats, generates warnings, and then submits them to a security operations centre (SOC).

The researchers say the system is ‘timely, actionable, accurate, and transparent’, and is already producing warnings an average of three days in advance of attacks, significantly outperforming existing baseline systems.

“DARKMENTION specifically predicts enterprise-targeted attacks and the periods in which those threats are predicted,” the paper reads.

“Although the problem is difficult, our system proves to be useful as a tool that helps SOC teams to identify risks, potential sources of risk (vulnerabilities or threat actors) and context on which it builds its reasoning in a timely, actionable accurate, and transparent manner.”