Private forums increase transmission of knowledge by malicious actors
Malicious actors use online discussion forums to facilitate the exchange of knowledge, often out of the public eye. In this blog, we study the transmission of knowledge that takes place on public and private forums. This leads us to question how the participant selection mechanisms of forums influence the transmission of knowledge. This transmission is crucial for the learning and development of skills, and therefore for the extent of the threat that malicious actors pose to organizations like yours.
Of public and private forums
Online discussion forums frequented by malicious actors are in most cases public. This means that anyone can create an account and participate in the discussions. The image below is an example of a public forum with a pop-up that actually invites anyone to join the site for free.
Other forums are private and therefore impose controls on data access. These forums require:
- An introduction by one or more members of the forum or;
- Proof of expertise or;
- A monetary payment
Private forums, by their very nature, are seldom studied and understood. They have a reputation for being better schools for crime, and for facilitating the sharing of more advanced knowledge, between skilled malicious actors. But is this really the case?
Data and methods
We collected all the messages exchanged between users of two discussion forums, one public and the other private. These forums were selected based on their size and popularity to ensure that we would have ample data to analyze. All messages from the sections dedicated to learning criminal techniques were analyzed using a model developed by Garrison et al. (2001). This model puts forward that the transmission of knowledge is accomplished through a four-step process presented in the table below. Each discussion thread on a forum can reach level 1 (triggering event), 2 (exploration), 3 (integration) or 4 (resolution). A forum whose threads regularly reach level 4 would be indicative of a forum where knowledge transfer is higher.
Transmission of knowledge in public and private forums
Our analysis first suggests that there is knowledge transmission in public forums. This transmission of knowledge is however hampered by the low levels of discussions. Indeed, only 8% of discussion threads on public forums reached the 4th level – the resolution stage – and therefore the creation and sharing of delinquent knowledge.
By comparison, private forums reach the 4th and last stage in 37% of the threads. In addition, in the case of private forums, participants reach the second stage in almost all threads (97%), and the integration stage in 40% of cases. The latter is almost 4 times more often than in the case of public forums.
Efficiency in the transmission of knowledge
The time needed to reach stage 4 in the public forums is significant, with, on average, 196 days between the start of a thread and the resolution. In comparison, private forums only need an average of 60 days to reach stage 4. In terms of messages, the reverse is observed, with an average of 2.2 messages to reach stage 4 on public forums versus 4.6 messages in the case of private forums. This suggests that discussions leading to level 4 are more important on private forums, and therefore that knowledge is possibly more advanced and sought after. The table below presents statistics on the resources invested in achieving level 4 in public and private forums.
Sources of knowledge transmission
Public and private forums rely on their participants to impart knowledge with each other. In some forums, a small group of participants act as mentors to participants. In others, this role is shared among all participants who are both teachers and students.
The Gini coefficient is a measure widely used in economics to understand the concentration of power, wealth or knowledge in a population.
- A Gini score close to 1 means that all participants play a mentoring role, and therefore that knowledge is distributed from and to many participants.
- A Gini score close to 0 means that only one participant plays the role of mentor, and therefore controls knowledge.
The figure below shows that on private forums, the Gini score is much closer to 1 than on public forums. The role of mentor is therefore distributed across a greater number of participants. The knowledge shared will therefore likely be more diversified, and access to varied expertise will be more widespread. On public forums, it seems that a very small circle of participants act as mentors, and the forum therefore relies on the active presence of these select few individuals to operate. The removal of these participants could have a significant impact on the forums’ ability to create and share knowledge.
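The following is an added example, not code or data from the original study, of how a mentor-concentration score can be computed from coded threads. It assumes each level-4 thread is credited to the member who posted the resolving message, and it uses constructed member names and counts. It computes the textbook Gini coefficient, where 0 means contributions are spread evenly, and also reports 1 − Gini as a spread score oriented like the scale described above; that mapping is an assumption about how the plotted score was derived.

```python
from collections import Counter


def gini(values):
    """Textbook Gini coefficient: 0 = perfectly even, (n-1)/n = a single holder."""
    xs = sorted(values)
    n, total = len(xs), sum(xs)
    if n == 0 or total == 0:
        return 0.0  # nothing to distribute, so no concentration to measure
    weighted = sum(rank * x for rank, x in enumerate(xs, start=1))
    return 2 * weighted / (n * total) - (n + 1) / n


def mentor_counts(members, resolvers):
    """Resolving posts per member. Members who never resolve a thread count
    as 0; leaving them out would understate how concentrated mentoring is."""
    tally = Counter(resolvers)
    return [tally.get(member, 0) for member in members]


def spread_score(members, resolvers):
    """1 - Gini: higher means mentoring is shared by more participants
    (assumed orientation, matching the scale described in the text)."""
    return 1 - gini(mentor_counts(members, resolvers))


# Constructed sample: one entry per level-4 thread, naming the member who
# posted the resolving message. Not data from the study.
PUBLIC_MEMBERS = ["m1", "m2", "m3", "m4", "m5"]
PUBLIC_RESOLVERS = ["m1"] * 8 + ["m2"] * 2
PRIVATE_MEMBERS = ["p1", "p2", "p3", "p4", "p5"]
PRIVATE_RESOLVERS = ["p1"] * 3 + ["p2"] * 2 + ["p3"] * 2 + ["p4"] * 2 + ["p5"]

if __name__ == "__main__":
    for name, members, resolvers in (
        ("public", PUBLIC_MEMBERS, PUBLIC_RESOLVERS),
        ("private", PRIVATE_MEMBERS, PRIVATE_RESOLVERS),
    ):
        g = gini(mentor_counts(members, resolvers))
        print(f"{name}: gini={g:.2f} spread={1 - g:.2f}")
```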
The first contribution of this research is to demonstrate how knowledge is created and shared in both public and private forums. In both cases, our analysis demonstrates that forum participants come together to solve problems, and share the best solutions. As such, forums are indeed schools of crime, and security professionals therefore need to pay attention to these forums to better understand current and future cyberthreats.
The main contribution of this research, however, is that private forums appear to be playing a different role than public forums. Private forums operate on another level, and generate much more insight into malicious activities. Private forum participants appear to be more able or willing to resolve problems, and to create and share knowledge. Perhaps for the first time, we sought to quantify the difference between public and private forums.
This finding suggests that security professionals need to have access to these forums to fully understand the criminal underground. Because of the access control, it may be difficult for many security professionals to gain access to these forums. As such, going through a digital risk protection service provider that has bought or earned access to these forums represents an interesting alternative. Providers like Flare Systems invest in access to these private settings to bring forward the most useful intelligence on cyberthreats. To be as effective as possible, you should therefore ensure that your provider is active on these private forums, and provides you with a feed of the latest and greatest problem-solving discussions on the clear and dark web.