The dark web is a haven for cybercriminals and other darknet threat actors who could not care less about the harm they cause in the pursuit of their goals. These darknet threat actors often use pseudonyms and aliases to help hide their identities. A perceived shield of anonymity protects them from detection and prosecution. But the shield is not as strong as many of them think.
Today’s security teams are relying more heavily on open-source intelligence (OSINT) to bridge the attribution gap. In other words, OSINT investigations help intelligence analysts connect a dark web persona and its associated illicit activities to a real-world identity.
A real-world identity is known in the security business as a surface web persona. It is the identity a threat actor utilizes on traditional internet channels. It can prove invaluable in physically identifying a threat actor for investigative and prosecutorial purposes.
Digital Signatures and Persistent Indicators
Nothing done online can be completely obscured. Every operation leaves traces behind. So even the most skilled threat actors can be found by paying attention to elements reused across different platforms. Elements are often reused for convenience’s sake. The problem for threat actors is that reuse leaves unique digital signatures behind, and signatures can be tracked.
A good example is the Pretty Good Privacy (PGP) key. Darknet threat actors frequently use PGP keys on forums and marketplaces, since they are good tools for encrypting communications across multiple platforms. But the public key is almost always posted on a threat actor’s profile or in a signature.
To make things easier, a threat actor might use the exact same public key on multiple platforms. He might use it in a GitHub repository and to encrypt his email. If security analysts can connect the dots, a PGP key can lead them right to their target.
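The key-reuse check described above, as an added example that is not code from the original post or from DarkOwl: it pulls armored PGP public key blocks out of constructed profile text from several platforms, derives a stable identifier for each block's key material, and reports which aliases posted the same key. The platform names, aliases and key payloads are constructed placeholders, not real keys or real accounts.

```python
import hashlib
import re
from collections import defaultdict

ARMOR_RE = re.compile(
    r"-----BEGIN PGP PUBLIC KEY BLOCK-----.*?-----END PGP PUBLIC KEY BLOCK-----",
    re.DOTALL,
)

def key_identifier(armored_block: str) -> str:
    """Stable identifier for the key material inside an armored block.

    Armor headers (Version:, Comment:), blank lines and the CRC line differ
    between platforms, so only the base64 payload is hashed. A true PGP
    fingerprint (RFC 4880) would be stronger, but this detects verbatim
    reuse without needing a PGP library.
    """
    body = []
    for ln in armored_block.strip().splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("-----") or ":" in ln or ln.startswith("="):
            continue  # skip delimiters, headers, blanks and the CRC line
        body.append(ln)
    return hashlib.sha256("".join(body).encode()).hexdigest()[:16]

def index_keys(posts):
    """Map key identifier -> set of (platform, alias) that published it."""
    index = defaultdict(set)
    for platform, alias, text in posts:
        for match in ARMOR_RE.finditer(text):
            index[key_identifier(match.group(0))].add((platform, alias))
    return index

def linked_personas(posts):
    """Return (key_id, personas) groups where one key ties together more than one persona."""
    return sorted(
        (key_id, sorted(personas))
        for key_id, personas in index_keys(posts).items()
        if len(personas) > 1
    )

# Constructed sample posts: the same (dummy) key block reposted under two aliases, plus one unrelated key.
POSTS = [
    ("darknet-forum", "shadowfox", "contact me securely:\n-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
     "Version: GnuPG v2\n\nbW9jazprZXk6bWF0ZXJpYWw6Zm9yOmRlbW8\nAAAAQUFB\n=ABCD\n"
     "-----END PGP PUBLIC KEY BLOCK-----"),
    ("github", "sfox-dev", "-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: reposted\n\n"
     "bW9jazprZXk6bWF0ZXJpYWw6Zm9yOmRlbW8  \nAAAAQUFB\n=ABCD\n-----END PGP PUBLIC KEY BLOCK-----"),
    ("marketplace", "otherseller", "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
     "ZGlmZmVyZW50a2V5bWF0ZXJpYWw=\n=WXYZ\n-----END PGP PUBLIC KEY BLOCK-----"),
]

if __name__ == "__main__":
    for key_id, personas in linked_personas(POSTS):
        print(key_id, "shared by", personas)
```

A match only shows that the same key material was published under both aliases; it still has to be weighed against the possibility that a key was copied, shared or deliberately planted before it counts as attribution.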
OSINT comes into play by leveraging all publicly available sources, be they darknet or traditional internet, to find threat actors and build profiles on them. Thorough investigations can find digital signatures and persistent indicators, then link them to pseudonyms and aliases.
Accounting for the Human Element
Above and beyond digital signatures and persistent indicators is typical human behavior. OSINT investigations account for the human element by paying attention to things like behavioral patterns and linguistic style.
For example, nearly all of us follow a consistent and distinct writing style when composing emails, text messages, etc. Threat actors do the same thing as they communicate across forums and chat channels. Investigators can turn to OSINT sources to analyze text for:
- Unique vocabulary
- Spelling and punctuation
- Grammar and syntax
By comparing everything from forum posts to chat logs and individual manifestos, an investigator can link a dark web pseudonym or alias to a known surface web identity. They can compare what appears on the darknet with similar content on traditional social media and blogs.
A Multilayered Approach to Attribution
There is so much more to discuss about OSINT techniques and dark web attribution. However, the point here is that harnessing OSINT to link pseudonyms with real-world identities requires a multilayered approach. It’s the very approach taken by DarkOwl, a leading provider of open source intelligence and threat actor profiling.
DarkOwl experts say that diligence wins the day. Successful attribution is not something that happens overnight. It is also not a one-off practice. Successful security teams must continually harness all their OSINT resources to keep up with threat actors working equally hard to remain anonymous. But it can be done. With the right tools, proven strategies, and a willingness to work, effective attribution is possible.