CHASING FOXES BY THE NUMBERS: PATTERNS OF LIFE AND ACTIVITY IN HACKER FORUMS presented at BlackHatEU 2016

by Christopher Ahlberg,

Summary : Cyber criminals, hacktivists, and the occasional state actor tend to congregate in underground forums and come in many forms - in clear, deep, and dark web, focused geographically and linguistically, and focused by areas - carding, reverse engineering, hacking, etc.
In this presentation we analyze a very large corpus of forum posts from surface and deep web spanning more than 3 years - including forums originating in the United States, Russia, Palestine/Gaza, Ukraine, Iran, China (in local language), etc. Based on this corpus we establish a series of patterns of actor behavior that can be used for targeting illicit behavior and actors, establish research pivot points, and detect actor focus on products, technologies, and vulnerabilities.
The analysis will lay out techniques for how to analyze forum and actor behavior based on meta data analysis, without detailed human analysis of individual messages/posts. We will demonstrate how we can use the below techniques to establish patterns both inside and across forums (tracking actor traversals of the web), and crossing boundaries of clear/deep/dark web.:
Natural language processing
Temporal pattern analysis
Social network analysis, etc.