Full Report
Dark web activity can hide in plain sight within everyday network traffic. Corelight's NDR platform brings deep visibility, AI-driven detection, and behavioral analytics to uncover hidden threats across your network. [...]
Analysis Summary
# Tool/Technique: Dark Web Threat Detection using NDR
## Overview
This summary focuses on the techniques and tools related to detecting threats originating from or targeting the dark web (ransomware, data exfiltration, insider activity) using Network Detection and Response (NDR) solutions. The core idea is leveraging network traffic analysis to uncover adversarial activity that utilizes anonymizing networks like Tor.
## Technical Details
- Type: Technique/Framework (NDR Application)
- Platform: Enterprise Network Environments (All platforms supporting network traffic)
- Capabilities: Real-time traffic monitoring, behavioral analytics, historical data retention, anomaly detection, automated alerting.
- First Seen: Not applicable (an ongoing detection technique rather than a dated tool); the source references a 30-day baseline establishment period for NDR.
## MITRE ATT&CK Mapping
Since this focuses on the *detection process* using NDR rather than a specific offensive tool, the mappings listed are representative of the threats being hunted:
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
  - T1090 - Proxy
    - T1090.003 - Multi-hop Proxy (e.g., Tor)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
  - T1048 - Exfiltration Over Alternative Protocol
## Functionality
### Core Capabilities
- **Network Baselining:** Learning normal network traffic patterns over a 30-day period so that anomalous behavior can be distinguished accurately.
- **North-South Traffic Analysis:** Inspecting external communications for indicators of dark web interaction.
- **Lateral Movement Monitoring:** Tracking internal device communication for signs related to dark web threats.
### Advanced Features
- **Tor Traffic Signatures:** Identifying traffic via default Tor ports (9001, 9030, 9050).
- **Tunnel Analysis:** Monitoring tunnel logs for irregular patterns (compressed TLS headers, unique negotiation behaviors, long sessions, high bandwidth usage).
- **Anonymization Node Tracking:** Flagging connections to known Tor entry nodes, relays, bridges, and Obfourscator (obfs4) nodes.
- **Anomaly Flagging:** Detecting new external IPs, excessive peer connections, and suspicious file transfer protocols or traffic to unusual domains.
- **Data Exfiltration Detection:** Identifying unusual outbound traffic to dark web marketplaces that may be disguised as normal traffic.
## Indicators of Compromise
- File Hashes: N/A (Focus is on network behavior)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - Communication with Tor entry/exit nodes or bridges.
  - Traffic on default Tor ports (9001, 9030, 9050).
  - Connections to unknown external IP addresses after baseline.
  - Traffic destined for unusual domains associated with dark web activity.
- Behavioral Indicators:
  - Encrypted traffic patterns deviating from the baseline.
  - High bandwidth usage associated with tunnel activity.
  - Frequent switching between multiple external IPs.
  - Irregular Transport Layer Security (TLS) negotiation behaviors.
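The following is an added example (not Corelight's code and not from the original page) that turns the Advanced Features and the network/behavioral indicators above into rule-based triage over Zeek/Corelight-style `conn.log` records. It flags the default Tor ports, connections to a threat-intel list of Tor relays/bridges/obfs4 nodes, external IPs not seen during the baseline period, long or high-volume sessions, and internal hosts fanning out to an excessive number of external peers. The relay list, baseline set, log lines and thresholds are all constructed or assumed; the TLS negotiation heuristics are omitted because they need `ssl.log` fields rather than `conn.log`.

```python
"""Rule-based triage of Zeek/Corelight-style conn.log records for the Tor and
dark-web indicators summarised above.  Added example, not Corelight's code;
every IP, relay entry and log line is constructed, and thresholds are assumed."""
import ipaddress
import json
from collections import defaultdict
from typing import Dict, List, Set

# Default Tor ports named in the summary: ORPort 9001, DirPort 9030, SOCKS 9050.
TOR_PORTS = {9001, 9030, 9050}

# Site-local ranges treated as "internal"; everything else is external (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Placeholder for a threat-intel feed of Tor relays, bridges and obfs4 nodes
# (constructed documentation addresses, not real relay IPs).
KNOWN_TOR_NODES: Set[str] = {"203.0.113.7", "198.51.100.42"}

# External IPs seen during the 30-day baseline period (constructed).
BASELINE_EXTERNAL_IPS: Set[str] = {"93.184.216.34", "192.0.2.10"}

# Assumed tunnel heuristics; tune per environment.
LONG_SESSION_SECONDS = 3600.0      # "long sessions"
HIGH_ORIG_BYTES = 50_000_000       # "high bandwidth usage", outbound direction
MAX_EXTERNAL_PEERS = 2             # distinct external peers before "excessive"

# Constructed conn.log records in Zeek JSON form (one record per line).
SAMPLE_CONN_LOG = """\
{"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.7","id.resp_p":9001,"proto":"tcp","duration":120.0,"orig_bytes":4000,"resp_bytes":8000}
{"uid":"C2","id.orig_h":"10.0.0.8","id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp","duration":3.2,"orig_bytes":900,"resp_bytes":45000}
{"uid":"C3","id.orig_h":"10.0.0.9","id.resp_h":"198.51.100.200","id.resp_p":443,"proto":"tcp","duration":7200.0,"orig_bytes":80000000,"resp_bytes":120000}
{"uid":"C4","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.20","id.resp_p":9050,"proto":"tcp","duration":1.0,"orig_bytes":100,"resp_bytes":100}
{"uid":"C5","id.orig_h":"10.0.0.9","id.resp_h":"198.51.100.201","id.resp_p":443,"proto":"tcp","duration":2.0,"orig_bytes":500,"resp_bytes":700}
{"uid":"C6","id.orig_h":"10.0.0.9","id.resp_h":"198.51.100.202","id.resp_p":443,"proto":"tcp","duration":2.5,"orig_bytes":600,"resp_bytes":800}
"""


def is_external(ip: str) -> bool:
    """True unless the address falls inside one of the site-local ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage_record(rec: dict, baseline: Set[str], known_nodes: Set[str]) -> List[str]:
    """Return the list of indicator names a single connection record matches."""
    reasons: List[str] = []
    dst, port = rec["id.resp_h"], rec["id.resp_p"]
    if port in TOR_PORTS:
        reasons.append(f"default Tor port {port}")
    if dst in known_nodes:
        reasons.append("known Tor relay/bridge/obfs4 node")
    if is_external(dst) and dst not in baseline:
        reasons.append("new external IP not in baseline")
    if rec.get("duration", 0.0) >= LONG_SESSION_SECONDS:
        reasons.append("long session")
    if rec.get("orig_bytes", 0) >= HIGH_ORIG_BYTES:
        reasons.append("high outbound byte volume")
    return reasons


def parse_conn_log(text: str) -> List[dict]:
    """Parse newline-delimited JSON conn.log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage_conn_log(text: str, baseline: Set[str], known_nodes: Set[str]) -> Dict[str, List[str]]:
    """Map each flagged connection uid to the indicators it matched."""
    alerts: Dict[str, List[str]] = {}
    for rec in parse_conn_log(text):
        reasons = triage_record(rec, baseline, known_nodes)
        if reasons:
            alerts[rec["uid"]] = reasons
    return alerts


def excessive_external_peers(text: str, limit: int = MAX_EXTERNAL_PEERS) -> Dict[str, int]:
    """Internal hosts talking to more than `limit` distinct external peers."""
    peers: Dict[str, Set[str]] = defaultdict(set)
    for rec in parse_conn_log(text):
        if is_external(rec["id.resp_h"]):
            peers[rec["id.orig_h"]].add(rec["id.resp_h"])
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) > limit}


if __name__ == "__main__":
    for uid, why in triage_conn_log(SAMPLE_CONN_LOG, BASELINE_EXTERNAL_IPS, KNOWN_TOR_NODES).items():
        print(uid, "->", ", ".join(why))
    print("excessive peers:", excessive_external_peers(SAMPLE_CONN_LOG))
```

On the constructed sample, C1 matches three indicators at once (default ORPort, a listed relay, and an address absent from the baseline), C3 matches the tunnel heuristics (new external IP, long session, high outbound volume), C4 shows an internal host reaching another internal host on the Tor SOCKS port, which is the kind of lateral signal the summary's internal monitoring covers, and the fan-out check flags 10.0.0.9 for three distinct external peers. Each rule in isolation is noisy; the value comes from correlating several of them per host, as the behavioral indicators above describe.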
## Associated Threat Actors
Threat actors commonly utilizing anonymization tools like Tor for C2 or data exfiltration, such as Ransomware groups or state-sponsored actors engaging in data theft. (No specific groups named in the text.)
## Detection Methods
- Signature-based detection (Suricata signatures mentioned).
- Behavioral detection (AI/Machine Learning algorithms detecting anomalies).
- Dynamic alerts for specific port usage.
- Metadata analysis (connection, protocol, TLS certificates).
## Mitigation Strategies
- Position NDR sensors strategically (high-value assets, core network, edge environments).
- Analyze North-South traffic specifically for external communications.
- Actively analyze the 30-day network baseline period to ensure threat activity is not erroneously classified as "normal."
- Implement alerts for traffic exhibiting Tor characteristics or accessing known anonymization infrastructure.
## Related Tools/Techniques
- **Anonymizing Tools:** Tor browser, Invisible Internet Project (I2P), Freenet P2P networks.
- **NDR Platforms Mentioned:** Corelight’s Open NDR Platform with Investigator.
- **Traffic Analysis Standards:** Suricata (for signature matching).