Merlin Stottmeister (right) / Photo: BSI

Merlin, you gave a presentation and were honoured at the 19th IT Security Congress. Tell us about the day.

It was a fantastic experience. You don’t get the same feedback when you take part in an online event, but when I walked away from the lectern, I could see that the presentation had been well received thanks to the number of e-mail and LinkedIn messages. I couldn’t keep up with them all! I’m so happy that the topic was met with such interest. The fact that I was allowed to hold a presentation was an honour in itself as I was up against 170 others who submitted content, but I was the one selected to speak at this important event. I’m so pleased to have been awarded second place in The Best Student Awards, but I’ll be much happier when what I said becomes the trigger to tackle real problems in businesses.

What exactly was your thesis about?

Basically, I built a search engine that systematically searches the clearnet, deepweb and darknet for globally defined security vulnerability IDs in the CVE program. CVE means Common Vulnerabilities and Exposures. My platform makes it possible to find relevant information related to published vulnerabilities on the part of the internet that’s visible to the public, and the part that isn’t. The software also makes darknet monitoring possible. The information found can be incredibly important for businesses as they are falling victim to cybercriminals more often even though they have the technical means to protect themselves against direct attacks. Legitimate VPNs and supplier accesses are both potential gateways. If a supplier or business partner falls victim to a cyberattack, the criminals are able to misuse the VPN accesses they find. In this case, the tool can send an alert as soon as your business partner’s data is published on the darknet.

What’s next for you?

We are currently working on creating an offering for our customers. On the one hand, the tool can find solutions faster because it is nearly impossible for IT managers to maintain an overview of all the communication regarding a vulnerability, and on the other, companies and organisations will be made aware of content appearing on the darknet much earlier.

What exactly is the darknet?

The darknet is a part of the deepweb that is not indexed by search engines. You can only access it using specialist software.

What do we need it for?

Basically, the darknet is a digital space that allows people to communicate relatively anonymously, which is why so many people use it. Think about autocratic countries where opposition crackdowns are common or countries where there is no freedom of religion or speech. People fearing reprisals use the darknet to stay in contact, share information and help each other out.

However, most people connect the darknet with the criminal underworld. That’s not the case?

No, it is. The anonymity attracts criminals. That’s the flip side as lurking in the shadows is hugely beneficial to these people.

So, as an IT security consultant, are you hunting cybercriminals on the darknet?

Not exactly, but if you know what you are doing, you can find the right sites and get an idea about what’s to come. Cybercriminals use the darknet to offer their services. Like ransomware gangs, who market themselves by showing off about how long they have been operating without being detected.

How does this kind of business work?

We’ve probably all heard about it in the media by now. A group successfully hacks an organisation and then the business or public institution is blackmailed into paying a ransom, otherwise their data will be published. In most cases, the hackers want to get paid in Bitcoin.

Are corporate data sold on the darknet?

Yes, and it is something that is becoming much more common, especially when it comes to economic or political information. There are people on the darknet who are driven by economic espionage.

Does your interest in the darknet help you in your work?

Say, for example, a business is hacked and they get in touch with our Cyber Defence Centre. The Incident Response Team may ask me to check if any of that company’s data have appeared on the darknet yet. If they have, they want to know which and where. These are the most important questions to answer and if you don’t know what you are doing, there is no way you’ll be able to answer them. If you do, you can often bring light into the darkness.