3.22.23 > Mary Frantz

We are a global economy, and the internet has been a driving force in creating that economy.  The internet is a vast information exchange environment that in the last three decades has grown exponentially from government- and business- focused usage to become a household necessity. Internet usage spans the entire socio-economic and demographic spectrum, and organizations and individuals Worldwide depend upon stable and secure access to the internet to remain solvent, and in the case of individuals, physically survive. It has also almost eliminated physical distance from our ability to learn and grow using in-person communication, collaboration, learning and intellectual growth.

Yet, while discussing the cyber world, a world in which all of us participate in (you are using it to read this article right now) a basic understanding of these layers is shunned as “technical jargon”, even by those who live and breathe in it every day via their smart devices, home networks, business software, and more. In the United States, cyber criminals depend upon consumer’s lack of knowledge and private enterprises’ largely unregulated ability to implement and provide only minimal or even no cyber resiliency despite having a clear understanding of the devastation an attack could cause.  We all depend on stable, fast, and secure access to all layers of the internet. Therefore, it seems reasonable that we should understand and learn about the cyber world to have reliable, safer online experiences for both enterprises and individuals.

There are three levels of the internet: Clear (surface web), Deep, and Dark. The levels are based upon accessibility and purpose. The three internet layers are used by everyone, including both ethical and unethical actors.

The Clearnet, often referred to as the surface web or visible web, is easily accessible through a number of well-known search and browser engines freely available on or “built in” to electronic devices.  The Clearnet is the smallest portion of the internet and requires that accessible sites be indexed in order to enable global-search capabilities.  The Clearnet’s goal is ease of accessibility and searchability.

The Deepnet, or Deepweb, is the second largest area of the internet that is accessible – if the exact address or location is known, and may require authorization and authentication to access.   Deepweb sites are not indexed and cannot easily be accessed or found through searches. The Deepweb is easily accessible – if a Deepweb site is known – using the freely available browsers and search engines available on most electronic devices. The Deepweb utilizes the public internet for ease of access, but purposely limits accessibility to its resources to those with whom it chooses to share. The Deepweb’s goal is ease of accessibility but not searchability.

The Darknet comprises the largest portion of the internet.  The Darknet hosts social networks, storage, and other services that are accessible only by those with knowledge of exact addresses and/or specific software, via proxy networks connecting through a series of logical and physical relays. The Darknet was designed to provide user anonymity owing to its peer-to-peer network structure, in which encryption and proxying allows for encrypted and obfuscated communication. The Darknet is primarily used for anonymity, but it does not guarantee anonymity. The Darknet is used by a wide variety of people and services, including non-criminal end users and legitimate operations that prefer, or rely upon, the anonymizing capabilities of the Darknet. The Darknet is necessary for both government and citizens to be able to communicate freely. The Darknet’s goal is anonymity.

Because of the ability and the embedded infrastructure to enable anonymity, the Darknet is often only associated with illicit activity. The cybercriminal underground, however, exists and thrives on all three levels of the internet, and more increasingly operates right next to non-criminal users in the clear, visible web.

Cyber criminals utilize all three levels of the internet in order to reach the largest possible markets to offer potential sources, buyers, collaborators and victims in order to sell illicit/stolen goods and services, cause political and social chaos, attract and groom innocent victims into exploitation and hate groups, and develop malware, and more

Recent geopolitical changes have made the Clearnet even more palatable and profitable for threat actors in specific countries and regions of the world. On the Clearnet, threat intelligence researchers often find threat actor Gmail accounts, links to sale sites, forums, published dumps, sale and testing of malware, bots, and more. As one ransomware gang pointed out on a popular forum, paraphrasing, “It’s hard to threaten to publish data about a recent exploit if the only ones that can see it on the darknet are ourselves.”

While there are thousands of social media sites frequented by threat actors and other criminal entities, many threat actors routinely communicate in forums, chatrooms or on the Clearnet using services such as Reddit, Twitter, VK, GitHub, Telegram, WhatsApp, SnapChat, WeChat, Discord, Steam, Twitch and others. They collude, comment on cyber events, and use Gmail for general communication with almost as much frequency as Proton Mail. In addition, nations who censor internet activity, such as Russia, China, North Korea, and Iran, have infrastructure restrictions and do not permit encrypted communications that inhibit government monitoring and censorship unless authorize.  Therefore, the amount of cross-regional chatter concerning selling of malware, samples of stolen data for sale, and the recruiting of access brokers and ransomware collectors, occur outside of the Darknet, in plain sight.

Threat actors are attracted to environments and thrive where local law enforcement turns a blind eye on illegal Clearnet activities, provided, however, that those activities are not directed against peers, citizens or state-owned assets. This is more general behavior protocol and not necessarily memorialized in a charter for threat actor behavior. Therefore, threat actors who target U.S. or citizens of other nations may often do so on the Clearweb and Deepweb without fear of reprisal or criminal apprehension within their own country boundaries. Most threat actor groups are more worried about their peers exposing them due to internal spats and nation-state loyalties, as occurred when groups split up and turned on each other based upon loyalties associated with the Russia’s invasion of Ukraine.

Within all three levels of the internet, many have tried to categorize the threat actors according to type and purpose. For threat intelligence researchers, two points are abundantly clear: 1) the criminal behavior lines have become increasingly blurred because threat actors don’t stay within one lane; and 2) the criminal underworld has evolved into a far more sophisticated division of labor and structure than  existed even a decade ago. For example, malware developers now sell or even franchise their wares to ransomware gangs, and to more sophisticated APTs (Advanced Persistent Threats), including nation-states and quasi-governmental organizations. Also, in the past decade a very sophisticated, hierarchical cybercriminal ecosystem has evolved into a more formalized division of labor for each layer, especially for ransomware-as-a-service (RaaS) financial and operational models. Affiliates and access brokers, more commonly associated with the RaaS models, are hired out by others, including nation-states.  The cyber crime organizations mirror similar criminal organizational structures in the non-cyber world.

The evolution of a hierarchical threat actor ecosystem, combined with a destabilized bitcoin (BTC) market has also resulted in a greater reliance on local currency and USD. There has been a substantial increase in the purchase of data dumps for use in various exploits by Chinese hackers in USD, Yen and Rubles. Furthermore, given the more sophisticated ecosystem, especially for ransomware, and the ability to trace bitcoin wallets, Darknet markets rely on crypto-mixers such as Wasabi Wallet and Chipmixer that provide sophisticated middleware services, including money-laundering between the buyer and sellers (vendors), that are difficult to trace. As a result, wire fraud in U.S. banks has seen a sharp increase  spurred by the lower value of BTC, deregulation and lack of enforcement against commercial banks.

Ransomware groups, whose organizational capabilities have adapted and evolved to a high degree of sophistication, still capitalize on “low hanging fruit” for quick hit-and-runs with a chance for quick money at the end. These “hit-and-runs,” together with ransomware attacks, typically comprise the last stage of more sophisticated attacks, and are emblematic of endgame bottom-fishing following a much earlier compromise. The ransomware collection agents, the ones who call you to collect, rarely have the data, that data usually stolen by another threat actor group and has long since used or sold the data without every attaching true attribution to the source. Yet, many companies still pay the ransom to avoid publishing data.

Sophisticated threat actors know to not release the data to a darknet market, many of whom are monitored by law enforcement, for at least two years. Stolen information stolen where there not yet a ransom or no notification has higher value – because it is not being monitored by the company or the consumer. Understanding the value of stolen sensitive data can be enhanced by analogizing it to “aging” fine wines. To preserve exfiltrated data’s value acquired during a publicly disclosed ransomware event, it is often not released for sale on a Darknet market until as much as two to three years after the compromise. The data is far more valuable to a threat actor if the victim doesn’t know it has been compromised, has become complacent after a notification, or only has identity or threat protection for less than two years.  In addition, ransomware groups are often brought in to cover the tracks of a more sophisticated attack, and the payment from the victim often pales in comparison to the payment from other threat actors.  What better way to eliminate or hide evidence of compromise than to sell  access to a lower end attacker who will  than to wipe and encrypt?

Geopolitical changes have promoted new and dangerous alliances between China, Russia, North Korea, and Iran in the cyber and non-cyber worlds. These new marriages of political or economic convenience have resulted in a sharp increase in the number of cyber incidents for consumers, and small, medium and large organizations, and governmental entities. The recruitment into these cyber gangs for all levels of work is prominent on all three layers of the internet.

Everyone relies, directly or indirectly, on all three levels of the internet. Organizations who understand their external exposure, and have secure and efficient systems, are almost always better off in both the short- and long-term. Being secure doesn’t have to be expensive, and, if done right, it can save money and create very lean, efficient organizations. Most of our laws and regulations focus on the minimum necessary to protect data.

Those that just meet the minimum requirements, or find work-arounds, simply do not understand that it is absolutely necessary to observe and follow the spirit of the laws and regulations, because every breach in the United States hurts everyone—not just the direct target.

And let’s be clear, if we choose to pooh-pooh the spirit of existing laws and regulations, and what they are trying to accomplish, then it is just a matter of time before more laws and regulations are created. Is that what we want? Or do we want to finally address the problem without playing games and avoiding our responsibilities?  Do we avoid filing and paying taxes because its’ too complicated?

The more resilient the entity, and the more proactive and aggressive it monitors and protects itself, the greater the benefit to our financial system, consumers, the insurance market and our country as a whole.  We can do this, we shouldn’t need prescriptive laws, or better enforcement through the courts tied to a legal system based upon sanctions and upon proven damages and not on proactive behavior.

Cyber criminals depend upon a lack of consumer knowledge, minimal risk or cost of sanctions, and our dependency on maintaining access to all three levels of the internet at all costs. The good news is that all of the factors that have allowed the proliferation of cyber criminals in all levels of the internet are within our control to change and make us, and our nation, more secure and efficient. All we need is the collective will to act.


Mary Frantz is the CEO of Enterprise Knowledge Partners, LLC (EKP). She has performed and led advanced ethical hacking (red teams), security assessments, managed multiple incident investigations for companies. She was the primary technical cyber expert in the Equifax, Yahoo and many other high profile breaches and security incidents. Mary holds 4 bachelor degrees and two masters degrees and various active and non-active certifications in systems auditing, ethical hacking, penetration testing, forensics, engineering and architecture. She is a national advocate and mentor of women and minorities in STEM, a Board Officer for the Minnesota Academy of Science, board advisor for the Minneapolis Cyber Summit, and an elected School Board Director for MN District 719.

You can connect with Mary on LinkedIn at https://www.linkedin.com/in/maryfrantz