Norse discovers stunning Dark Net attack patterns


By Byron Acohido, ThirdCertainty

One of the most powerful technologies for spying on cyber criminals lurking in the Dark Net comes from a St. Louis-based startup, Norse Corp.

Founded in 2010 by its chief technology officer, Tommy Stiansen, Norse has assembled a global network, called IPViking, made up of sensors that appear on the Internet as vulnerable computing devices. These "honeypots" appear to be everything from routers and servers, to laptops and mobile devices, to Internet-connected web cams, office equipment and medical devices.


When an intruder tries to take control of a Norse honeypot, Norse grabs the attacker's IP address and begins an intensive counterintelligence routine. The IP address is fed into web crawlers that scour Dark Net bulletin boards and chat rooms for snippets of discussions tied to that IP address.

Analysts correlate the findings, and then IPViking displays the results on a global map revealing the attacking organization's name and Internet address, the target's city and the service being attacked, as well as the most popular target countries and origin countries.

Stiansen grew up tinkering with computers on a Norwegian farm, which led him to a career designing air-traffic control and telecom-billing systems. After immigrating to the U.S. in 2004, Stiansen began thinking about a way to gain a real-time, bird's-eye view of the inner recesses of the Dark Net. The result was IPViking, which now has millions of honeypots dispersed through 167 data centers in 47 countries.

Norse recently completed a major upgrade to IPViking, which has led to some stunning findings. Stiansen explains:

3C: Can you tell us about your most recent major milestone?

Stiansen: We have managed to do a tenfold (increase) to where we can now apply millions of rules in our appliance.

3C: So more rules allow you to do what?

Stiansen: It allows us to have a lot more threat data and apply a lot more intelligence to a customer's traffic. We can start applying more dynamic data. Our end goal is to apply full counterintelligence onto traffic. Meaning when we see a traffic flow coming through our appliance we will be able to see the street address, the domain, the email address used to register this domain. We can see who a packet is going to, and the relationship between the sender and receiver, all kinds of counterintelligence behind actual traffic, not just for blocking but for visualization.


Tommy Stiansen

3C: That level of detail was not available earlier?

Stiansen: Nope. This is something we've pioneered. This is our platform that we built so we can enable this (detailed view) to actually happen.

3C: So what have you discovered?

Stiansen: We're learning that traffic and attacks coming out of China aren't really China. It's actually other nations using China's infrastructure to do the attacks. It's not just one country, it's the top 10 cyber countries out there using another country's infrastructure.

3C: So is China getting a bad rap?

Stiansen: Correct.

3C: Who's responsible? Russia? The U.S.? North Korea?

Stiansen: Everyone.

3C: What else are you seeing?

Stiansen: We're also seeing how hackers from certain communities are joining together more and more. The hacking world is becoming smaller and smaller. Iranian hackers are working with Turkish hackers. Pakistani and Indian hackers, they're working together. Indonesian hackers and Iranian hackers are working together.

3C: Odd combinations.

Stiansen: It's weird to see these mixes because there's no affiliation, there's no friendship between the countries on a state level. But the hacker groups are combining together. The borders between hackers have been lifted.

3C: What's driving them to partner, is it money or ideology?

Stiansen: All of the above. That's the thing, the people who have similar ideologies find each other on social media and start communicating with each other. And the people with the financial means and shared goals meet each other, that's the evolution. And when they do that, they become really powerful.

