Shedding light on the dark web: Bluestone Analytics helps law enforcement agencies investigate and shut down illegal activity

Accelerates criminal investigations

With Elastic, security and intelligence analysts get results in a matter of seconds regardless of the data’s age or source.

Saves time when connecting to new data sources

Bluestone Analytics uses Elastic to quickly add intelligence data from a source or application without needing to build a new set of software and connections.

Gives security clients peace of mind

Elastic helps Bluestone Analytics enable clients to conduct searches in a safe and secure environment without needing to download a dark web browser or expose themselves to harmful content.

Leading expert in dark and deep web analysis deploys Elastic Enterprise Search and Elastic Observability to accelerate the pursuit of drug smugglers, arms traders, hackers, and other criminals.

The origins of the dark web are shrouded in mystery, but its uses are well known. From illegal drug and weapon sales to human trafficking and ransomware sharing, these networks support illegal activities worth over four billion dollars and are a top target of law enforcement agencies worldwide.

Bluestone Analytics, a CACI company, is an international leader in dark web analysis. Its technology suite, DarkBlue Intelligence, enables clients, including national security and intelligence teams, to search open-source intelligence (OSINT) and unveil the identities of criminals operating on the dark web.

Fast-changing technologies and recent geopolitical events have added to the challenge. Jason Nack, Head of Technology, Bluestone Analytics, says, “Traditionally, the dark web is associated with drug trafficking, illegal weapon sales, and hacking. In recent years, this includes sales of the opioid fentanyl and a rapidly expanding ransomware threat.”

The Russia-Ukraine war has also triggered a surge in activity. “The dark web is increasingly used to share open-source intelligence including stolen battle plans, sabotage handbooks, and the names and addresses of officers in both militaries,” says Nack.

Transforming unstructured data into actionable intelligence

As online criminals change tactics to shake off law enforcement, Bluestone Analytics must keep up with fast-moving trends, such as hacking tutorials and cryptocurrencies, that are vital to modern criminal activity. “The dark web has been around for more than a decade and is growing at an alarming rate,” says Nack. “Being able to access these hard-to-get datasets at scale and with persistence is fundamental to our mission.”

Bluestone Analytics has also expanded its service beyond the dark web to infiltrate other open web sources which host illicit activity. This adds to the volume of data that it must collect and process.

The best way to find what you're looking for on the dark web is to have all the data in one place and then search it.

– Jason Nack, Head of Technology, Bluestone Analytics

To make this possible, Bluestone Analytics developed its DarkBlue Intelligence Platform, a cloud-based tool that enables clients to search, analyze, and visualize data via an intuitive interface. Elastic Enterprise Search and Elastic Observability form the heart of the solution.

From the start, all of our core search and observability capabilities have been powered by Elastic, including Kibana, which is used to visualize and search the data that we ingest.

– Jason Nack, Head of Technology, Bluestone Analytics

Bluestone Analytics runs its solution on AWS cloud and uses Elastic Agents and Fleet to collect and process data. AWS is the preferred cloud provider for Bluestone Analytics as it's easy to set up with Elastic and the integrations work seamlessly. Nack’s team can set up data schemas, policies, and templates just once to ingest almost any kind of structured or unstructured data.

The beauty of Elastic is that it saves hours of time that we would otherwise spend installing a specific set of software and connections for different applications. Being able to add documents and data sources with minimum effort is a killer feature for us.

– Jason Nack, Head of Technology, Bluestone Analytics

Elastic APM and Real User Monitoring (RUM) are the most recent additions to the Bluestone Analytics Elastic environment. The RUM JavaScript Agent provides detailed web application performance metrics and error tracking. It has built-in support for popular platforms and frameworks, and an API for custom instrumentation. The Agent also supports distributed tracing for all outgoing requests.

Pursuing criminals, protecting clients

With Elastic, Bluestone Analytics clients can search data and records without browsing the dark web itself. “Many of these pages include unpleasant and disturbing content. There’s also the risk that you might expose yourself to malware. With DarkBlue Intelligence, powered by Elastic, you can search everything in a text-based, safe environment without having to download a dark web browser to your machine.”

DarkBlue Intelligence supports searches in multiple languages and writing systems, including Chinese, Japanese, and Korean. “Elastic also includes Boolean operations and fuzzy matching, which add to the overall speed and accuracy of client searches,” says Nack.

Filter functionality in Elastic Enterprise Search helps clients close in on their targets. Using keyword fields on targeted selectors, analysts and investigators can perform exact matching to narrow results. Elastic index mappings are also set up to enable both full-text searches and exact matching so users can explore data in ways that match the needs of the investigation.

– Jason Nack, Head of Technology, Bluestone Analytics

In addition, Elastic enables Bluestone Analytics to archive its data indefinitely. “Organizations and individuals on the dark web change their identities and communication methods over time. Our clients can easily look at historical data to draw a line that connects these shifting personas,” says Nack.

Investigators can reach back as far as they need to complete their inquiries. “Some people need the data we've just collected to be processed and available straight away,” says Nack. “Others are after information from several years ago. No matter when the information is from, Elastic Enterprise Search is so fast that results are available in a matter of seconds.”

Bluestone Analytics also works with specialist organizations to extend the platform and further bolster cybercriminal identification capabilities. Several leading crypto analyst firms have recently added their expertise to the platform. “Given the rise of cryptocurrencies, our intelligence tools now have the ability to investigate and analyze these types of transactions,” says Nack.

Quick and seamless incorporation of new data sources is yet another example of how Elastic helps future-proof the Bluestone Analytics platform.

“We really appreciate the way Elastic’s core functionality has expanded over the years,” says Nack. “The way that it ingests data and the underlying search technology is incredibly scalable and flexible. It means that we can stay one step ahead of the dark web and open web activities that pose a threat to the public.”

The dark web evolves quickly, and every moment counts when a law enforcement agency is seeking the right information. With Elastic, Bluestone Analytics is able to provide potentially life-saving insights to the right people regardless of how the dark web changes, making a huge difference in the fight against crime.

Above all, Elastic supports the company’s mission to provide clients with everything they need to protect the U.S. and the safety of its citizens.

Our clients trust us, and we trust Elastic. It has always been the best search and observability technology to discover, pursue, and engage criminals who rely on the dark web to obscure their identities and conduct illicit activities.

– Jason Nack, Head of Technology, Bluestone Analytics

"This material consists of CACI International Inc general capabilities information that does not contain controlled technical data as defined within the International Traffic in Arms Regulations (ITAR), Part 120.10, or Export Administration Regulations (EAR), Part 734.7-10. (PRR ID711)"