Security teams are constantly looking to identify those cyber threat actors that pose the most serious risk. Unfortunately, identities are often fragmented across the dark web ecosystem. This is by design. Threat actors create separate IDs for different spaces to minimize the damage of a single successful identification. But security teams have a workaround in PGP public keys and forum signatures.
PGP (Pretty Good Privacy) public keys can be leveraged as identifiers rather than just raw text. Likewise for forum signatures. Both act as persistent, high-fidelity anchors that help investigators pivot as they seek to link disparate accounts into a broader and more cohesive network.
Advanced PGP Metadata Analysis
In the hunt for cyber threat actors, organizations like DarkOwl rely on a variety of advanced techniques for correlating data scattered across many sources. One of them is advanced PGP metadata analysis. The strategy rests on the idea that the metadata embedded in a key forms a fingerprint of the environment and habits of the actor who generated it. DarkOwl recommends analyzing:
- Self-Signature Timestamps – PGP keys carry timestamps indicating when they were created. Analysts can look for accounts on different platforms whose keys were created around the same time.
- Configuration Artifacts – Beyond timestamps, PGP keys also contain artifacts that specialized tooling can identify. Once identified, these artifacts can reveal a threat actor’s workflow and tooling.
- User ID Leaks – Even when threat actors rely on pseudonyms, they tend to reuse the same email format or comment field across different identities. Security experts call these user ID leaks.
- Subkey Binding – Sometimes a threat actor will rotate their primary key but continue using the same subkey for encryption across multiple accounts. Identify subkeys and the primary keys they are bound to, and an investigator can start connecting the dots.
Advanced PGP metadata analysis can generate excellent results when implemented properly. But it takes time and experience to master. A skilled investigator can leverage PGP metadata to identify and link cyber threat actors who otherwise remain hidden.
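As an added illustration (not DarkOwl’s tooling or code from this post), the following Python walks raw OpenPGP packet data, pulls out the pivots listed above (creation timestamps, key and subkey fingerprints, user IDs), and links personas that share a subkey or whose primary keys were created close together. The account names, key bytes and user IDs are constructed for the demonstration; it assumes v4 keys, already dearmored, with no partial-length packets.

```python
import hashlib, struct
PUBKEY, USERID, SUBKEY = 6, 13, 14   # RFC 4880 packet tags: public key, user ID, public subkey
def iter_packets(data):
    """Yield (tag, body) from an OpenPGP packet stream; old- and new-format headers, no partial lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                                   # new-format header (RFC 4880 4.2.2)
            tag, first = ctb & 0x3F, data[i]; i += 1
            if first < 192: length = first
            elif first < 224: length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255: length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else: raise ValueError("partial body lengths unsupported")
        else:                                            # old-format header (RFC 4880 4.2.1)
            tag, size = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 3]
            length = int.from_bytes(data[i:i + size], "big"); i += size
        yield tag, data[i:i + length]; i += length
def v4_fingerprint(body):
    """SHA-1 over 0x99 || two-octet body length || key packet body (RFC 4880 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
def extract_metadata(data):
    """Collect the pivots the post names: creation timestamps, key fingerprints, user IDs."""
    meta = {"primary": [], "subkeys": [], "user_ids": []}
    for tag, body in iter_packets(data):
        if tag in (PUBKEY, SUBKEY) and body[0] == 4:   # v4 body: version, 4-byte creation time, algo, MPIs
            rec = {"created": struct.unpack(">I", body[1:5])[0], "fpr": v4_fingerprint(body)}
            meta["primary" if tag == PUBKEY else "subkeys"].append(rec)
        elif tag == USERID:
            meta["user_ids"].append(body.decode("utf-8", "replace"))
    return meta
def link_accounts(profiles, window=3600):
    """(a, b, reason) for account pairs that share a subkey or whose primaries were created within `window` s."""
    names, links = sorted(profiles), []
    for n, a in enumerate(names):
        for b in names[n + 1:]:
            ma, mb = profiles[a], profiles[b]
            shared = {k["fpr"] for k in ma["subkeys"]} & {k["fpr"] for k in mb["subkeys"]}
            if shared:
                links.append((a, b, "shared subkey " + min(shared)[-16:]))
            elif any(abs(x["created"] - y["created"]) <= window for x in ma["primary"] for y in mb["primary"]):
                links.append((a, b, "primary keys created within %ds" % window))
    return links
# Constructed sample keys, NOT real keys: new-format headers, toy 24-bit RSA moduli, e = 65537.
def _pkt(tag, body): return bytes([0xC0 | tag, len(body)]) + body
def _key(created, n3): return b"\x04" + struct.pack(">I", created) + b"\x01\x00\x18" + n3 + b"\x00\x11\x01\x00\x01"
SHARED_SUB = _pkt(SUBKEY, _key(1700000500, b"\xDE\xAD\xBE"))   # same subkey re-used by two personas
ACCOUNT_A = _pkt(PUBKEY, _key(1700000000, b"\xC0\xFF\xEE")) + _pkt(USERID, b"sh4d0w <sh4d0w@example.invalid>") + SHARED_SUB
ACCOUNT_B = _pkt(PUBKEY, _key(1700001200, b"\xBA\xDF\x0D")) + _pkt(USERID, b"ghost <ghost@example.invalid>") + SHARED_SUB
ACCOUNT_C = _pkt(PUBKEY, _key(1700000900, b"\xFA\xCA\xDE")) + _pkt(USERID, b"unrelated <u@example.invalid>")
PROFILES = {n: extract_metadata(d) for n, d in [("forumA:sh4d0w", ACCOUNT_A), ("forumB:ghost", ACCOUNT_B), ("forumC:unrelated", ACCOUNT_C)]}
```

Calling `link_accounts(PROFILES)` reports the shared-subkey link between the first two personas and the timestamp-proximity links for the third; tightening `window` drops the weaker timestamp links while the subkey link survives.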
Forum Signature and Behavioral Correlation
In cybersecurity, the text and images attached to a user’s posts are known as forum signatures. They often contain static identifiers that, when scraped and indexed at scale, point more clearly to specific cyber threat actors. Once again, there are three things DarkOwl specifically points to:
- Vouch Chains – Reputation is everything on the dark web. To boost their reputations, threat actors often include in their signatures a list of partners or public keys, creating what are known as ‘vouch’ chains. Investigators can build a social graph by following these chains.
- URL Shorteners and Image Hosts – Threat actors are known to use third-party image hosts and URL shorteners within their signatures. EXIF data in the hosted images and tracking pixels served through those services can point to an actor’s true IP address or general geolocation.
- Linguistic Fingerprinting – Cyber threat actors are like anyone else in the sense that they have a specific style consistent within their signatures and forum posts. Think of things like slang words and consistent typos. Natural language processing (NLP) and linguistic fingerprinting can help link data from multiple streams to a single threat actor.
Both PGP metadata and forum signature analysis can reap very good results on their own. But when combined by way of cross-platform correlation techniques, they help security teams create a hub-and-spoke model that reveals entire networks of cybercriminal activity.
When the two practices are deployed at that scale, they become a powerful tool for linking seemingly disparate data across a full range of dark web sources. They become a dragnet of sorts that undermines the efforts threat actors make to remain anonymous.