Norse discovers stunning Dark Net attack patterns
By Byron Acohido, ThirdCertainty
One of the most powerful technologies for spying on cyber criminals lurking in the Dark Net comes from a St. Louis-based startup, Norse Corp.
Founded in 2010 by its chief technology officer, Tommy Stiansen, Norse has assembled a global network, called IPViking, made up of sensors that appear on the Internet as vulnerable computing devices. These “honeypots” appear to be everything from routers and servers to laptops and mobile devices to Internet-connected web cams, office equipment and medical devices.
When an intruder tries to take control of a Norse honeypot, Norse grabs the attacker’s IP address and begins an intensive counterintelligence routine. The IP address is fed into web crawlers that scour Dark Net bulletin boards and chat rooms for snippets of discussions tied to that IP address.
Analysts correlate the findings, and then IPViking displays the results on a global map revealing the attacking organization’s name and Internet address, the target’s city and service being attacked, as well as the most popular target countries and origin countries.
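The two paragraphs above describe a pipeline in three steps: a honeypot records the connecting source address, that address is enriched with attribution data, and the results are aggregated by origin country, target city and attacked service. The following Python sketch, added here as an illustration and not Norse's or IPViking's code, runs that pipeline over a constructed honeypot log. The log lines, the IP-to-organisation table and the sensor locations are all made-up sample data (documentation address ranges, placeholder organisation names); a real deployment would replace the lookup table with WHOIS, GeoIP or threat-intelligence queries.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed honeypot connection log (not real traffic):
# timestamp, sensor id, device the sensor impersonates, source IP, destination port, service.
HONEYPOT_LOG = """\
2015-03-02T10:14:07Z hp-fr-03 webcam 198.51.100.23 23 telnet
2015-03-02T10:14:09Z hp-us-11 router 203.0.113.77 22 ssh
2015-03-02T10:15:12Z hp-fr-03 webcam 198.51.100.23 23 telnet
2015-03-02T10:16:40Z hp-sg-02 server 192.0.2.150 3389 rdp
2015-03-02T10:17:01Z hp-us-11 router 198.51.100.99 22 ssh
2015-03-02T10:18:55Z hp-de-05 laptop 203.0.113.77 445 smb
"""

# Constructed enrichment table standing in for WHOIS/GeoIP data:
# network prefix -> (owning organisation, country code). Names are placeholders.
IP_INTEL = {
    ipaddress.ip_network("198.51.100.0/24"): ("ExampleHost Ltd", "CN"),
    ipaddress.ip_network("203.0.113.0/24"): ("Hypothetical Telecom", "RU"),
    ipaddress.ip_network("192.0.2.0/24"): ("Sample Cloud Inc", "US"),
}

# Constructed deployment metadata: where each honeypot sensor is hosted.
SENSOR_LOCATION = {
    "hp-fr-03": ("Paris", "FR"),
    "hp-us-11": ("St. Louis", "US"),
    "hp-sg-02": ("Singapore", "SG"),
    "hp-de-05": ("Frankfurt", "DE"),
}


@dataclass
class Event:
    """One enriched connection attempt against a honeypot."""
    sensor: str
    role: str
    src_ip: str
    service: str
    org: str
    origin_country: str
    target_city: str
    target_country: str


def enrich(ip: str):
    """Longest-prefix style lookup of the source address in the intel table."""
    addr = ipaddress.ip_address(ip)
    for net, (org, country) in IP_INTEL.items():
        if addr in net:
            return org, country
    return "unknown", "??"


def parse_log(text: str):
    """Turn raw honeypot log lines into enriched Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, sensor, role, src, _port, service = line.split()
        org, country = enrich(src)
        city, target_country = SENSOR_LOCATION.get(sensor, ("unknown", "??"))
        events.append(Event(sensor, role, src, service, org, country, city, target_country))
    return events


def summarize(events):
    """Aggregate the enriched events the way a map view would: by origin, target and service."""
    return {
        "origin_countries": Counter(e.origin_country for e in events).most_common(),
        "target_countries": Counter(e.target_country for e in events).most_common(),
        "services": Counter(e.service for e in events).most_common(),
        "attackers": sorted({(e.src_ip, e.org) for e in events}),
    }


if __name__ == "__main__":
    summary = summarize(parse_log(HONEYPOT_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Note what this enrichment does and does not establish: it attributes each connection to the organisation that owns the address block, which is exactly the infrastructure-level view Stiansen cautions about later in the interview, where attacks routed through one country's infrastructure turn out to originate elsewhere. Treat the origin-country counts as "infrastructure used", not "actor responsible".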
Stiansen grew up tinkering with computers on a Norwegian farm, which led him to a career designing air-traffic control and telecom-billing systems. After immigrating to the U.S. in 2004, Stiansen began thinking about a way to gain a real-time, bird’s-eye view of the inner recesses of the Dark Net. The result was IPViking, which now has millions of honeypots dispersed through 167 data centers in 47 countries.
Norse recently completed a major upgrade to IPViking, which has led to some stunning findings. Stiansen explains:
3C: Can you tell us about your most recent major milestone?
Stiansen: We have managed to do a tenfold (increase) to where we can now apply millions of rules in our appliance.
3C: So more rules allows you to do what?
Stiansen: It allows us to have a lot more threat data and apply a lot more intelligence to a customer’s traffic. We can start applying more dynamic data. Our end goal is to apply full counterintelligence onto traffic. Meaning when we see a traffic flow coming through our appliance, we will be able to see the street address, the domain, the email address used to register this domain. We can see who a packet is going to, and the relationship between the sender and receiver, all kinds of counterintelligence behind actual traffic, not just for blocking but for visualization.
3C: That level of detail was not available earlier?
Stiansen: Nope. This is something we’ve pioneered. This is our platform that we built so we can enable this (detailed view) to actually happen.
3C: So what have you discovered?
Stiansen: We’re learning that traffic and attacks coming out of China aren’t really China. It’s actually other nations using China’s infrastructure to do the attacks. It’s not just one country, it’s the top 10 cyber countries out there using other countries’ infrastructure.
3C: So is China getting a bad rap?
3C: Who’s responsible? Russia? The U.S.? North Korea?
3C: What else are you seeing?
Stiansen: We’re also seeing how hackers from certain communities are joining together more and more. The hacking world is becoming smaller and smaller. Iranian hackers are working with Turkish hackers. Pakistani and Indian hackers, they’re working together. Indonesia hackers and Iranian hackers are working together.
3C: Odd combinations.
Stiansen: It’s weird to see these mixes because there’s no affiliation, there’s no friendship between the countries on a state level. But the hacker groups are combining together. The borders between hackers have been lifted.
3C: What’s driving them to partner, is it money or ideology?
Stiansen: All of the above. That’s the thing, the people who have similar ideologies find each other on social media and start communicating with each other. And the people with the financial means and shared goals meet each other, that’s the evolution. And when they do that, they become really powerful.