
Shedding light on the dark web: CACI’s DarkBlue Intelligence Suite helps law enforcement agencies investigate and shut down illegal activity

Accelerates criminal investigations

With Elastic, security and intelligence analysts get results in a matter of seconds regardless of the data's age or source.

Saves time when connecting to new data sources

DarkBlue uses Elastic to quickly add intelligence data from a source or application without needing to build a new set of software and connections.

Gives security clients peace of mind

Elastic helps DarkBlue enable clients to conduct searches in a safe and secure environment without needing to download a dark web browser or expose themselves to harmful content.

Leading expert in dark and deep web analysis deploys Elasticsearch and Elastic Observability to accelerate the pursuit of drug smugglers, arms traders, hackers, and other criminals.

The origins of the dark web are shrouded in mystery, but its uses are well known. From illegal drug and weapon sales to human trafficking and ransomware sharing, these networks support illegal activities worth over $4 billion and are a top target of law enforcement agencies worldwide.

CACI is an international leader in dark web analysis. Its DarkBlue Intelligence Suite platform enables clients, including national security and intelligence teams, to search open-source intelligence (OSINT) and unveil the identities of criminals operating on the dark web.

Fast-changing technologies and recent geopolitical events have added to the challenge. Cory Everington, head of the DarkBlue Intelligence Suite, says, “Traditionally, the dark web is associated with drug trafficking, illegal weapon sales, and hacking. In recent years, this includes sales of the opioid fentanyl and a rapidly expanding ransomware threat.”

The Russia-Ukraine war has also triggered a surge in activity. “The dark web is increasingly used to share open-source intelligence including stolen battle plans, sabotage handbooks, and the names and addresses of officers in both militaries,” says Everington.

Transforming unstructured data into actionable intelligence

As online criminals change tactics to shake off law enforcement, DarkBlue must keep up with fast-moving trends, such as hacking tutorials and cryptocurrencies, that are vital to modern criminal activity. "The dark web has been around for more than a decade and is growing at an alarming rate," says Everington. "Being able to access these hard-to-get datasets at scale and with persistence is fundamental to our mission."

DarkBlue has also expanded its service beyond the dark web to infiltrate other open web sources which host illicit activity. This adds to the volume of data that it must collect and process.

"Centralizing dark web data before searching is the most effective way to uncover valuable insights. It streamlines the entire discovery process."

– Cory Everington, Head of the DarkBlue Intelligence Suite

To make this possible, DarkBlue developed its DarkBlue Intelligence Suite platform, a cloud-based tool that enables clients to search, analyze, and visualize data via an intuitive interface, as well as securely access the live dark web through managed attribution. Elasticsearch and Elastic Observability form the heart of the solution.

"Elastic has supported our core search and observability features from the beginning. Kibana makes it easy to visualize and query the large amounts of data we ingest in real time."

– Cory Everington, Head of the DarkBlue Intelligence Suite

DarkBlue runs its solution on AWS cloud and uses Elastic Agents and Fleet to collect and process data. AWS is the preferred cloud provider for DarkBlue, as it's easy to set up with Elastic, and the integrations work seamlessly. The DarkBlue team can set up data schemas, policies, and templates just once to ingest almost any kind of structured or unstructured data.

"Elastic helps us move quickly. It simplifies the process of integrating new data sources and removes the need for complex setup across multiple applications."

– Cory Everington, Head of the DarkBlue Intelligence Suite

The latest tool in the DarkBlue Intelligence Suite, CluesAI, is a prime example of this seamless integration. Harnessing the powerful deep and dark web data maintained in Elastic, CluesAI uses generative AI, best-in-class Anthropic large language models (LLMs), and AWS Bedrock to increase the speed at which analysts and investigators can deanonymize threat actors through automated intelligence reports. By cross-referencing potentially identifying information and reporting back on the results, CluesAI saves analysts and investigators countless hours of running down leads.

Elastic APM and Real User Monitoring (RUM) are also among recent additions to the DarkBlue Elastic environment. The RUM JavaScript Agent provides detailed web application performance metrics and error tracking. It has built-in support for popular platforms and frameworks and an API for custom instrumentation. The Agent also supports distributed tracing for all outgoing requests.

Pursuing criminals, protecting clients

With Elastic, DarkBlue clients can search data and records without browsing the dark web itself. "Exploring the dark web comes with real risks, from disturbing content to malware exposure. With DarkBlue Intelligence, powered by Elastic, users can safely search in a secure, text-based environment without downloading a dark web browser."

DarkBlue supports searches in multiple languages and writing systems, including Chinese, Japanese, and Korean. "Elastic also includes Boolean operations and fuzzy matching which adds to the overall speed and accuracy of client searches," says Everington.

"Filter functionality in Elasticsearch helps clients close in on their targets. Using keyword fields on targeted selectors, analysts and investigators can perform exact matching to narrow results. Elastic index mappings are also set up to enable both full-text searches and exact matching so users can explore data in ways that match the needs of the investigation."

– Cory Everington, Head of the DarkBlue Intelligence Suite

In addition, Elastic enables DarkBlue to archive its data indefinitely. "Organizations and individuals on the dark web change their identities and communication methods over time. Our clients can easily look at historical data to draw a line that connects these shifting personas," says Everington.

Investigators can reach back as far as they need to complete their inquiries. "Some clients need immediate analysis of new data they've manually scraped and ingested into our database," says Everington. "Others are looking for information from years ago. Elasticsearch delivers results in seconds, no matter the volume or age of the data."

DarkBlue also works with specialist organizations to extend the platform and further bolster cybercriminal identification capabilities. Several leading crypto analyst firms have recently added their expertise to the platform. "Given the rise of cryptocurrencies, our intelligence tools now have the ability to investigate and analyze these types of transactions," says Everington.

Quick and seamless incorporation of new data sources is yet another example of how Elastic helps future-proof the DarkBlue platform.

"We really appreciate the way Elastic continues to scale with us," says Everington. "Its flexible and reliable ingestion and search capabilities allow us to adapt quickly to emerging threats on the open and dark web."

The dark web evolves quickly, and every moment counts when a law enforcement agency is seeking the right information. With Elastic, DarkBlue is able to provide potentially life-saving insights to the right people regardless of how the dark web changes, making a huge difference in the fight against crime.

Above all, Elastic supports the company's mission to provide clients with everything they need to protect the US and the safety of its citizens.

"Our clients trust us, and we trust Elastic. We count on Elastic to help us track criminal activity across hidden spaces online. Its reliability supports our work and reinforces the trust our clients place in us."

– Cory Everington, Head of the DarkBlue Intelligence Suite

"This material consists of CACI International Inc general capabilities information that does not contain controlled technical data as defined within the International Traffic in Arms Regulations (ITAR), Part 120.10, or Export Administration Regulations (EAR), Part 734.7-10. (PRR ID711)"