The dark web – and the threats that hide within – is becoming a more pressing concern for organizations of all kinds every single year. From data breaches to COVID-19 scams to an ever-growing list of new attack techniques, the malicious actors that call the dark web home will increasingly impact businesses, governments and organizations of all kinds.
But, with the right guidance, the dark web can also serve as a source of understanding that can result in actionable data and intelligence. As Sun Tzu said: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
So, to learn more about what organizations can learn from the dark web, we spoke to Ziv Mador, Vice President of Security Research at Trustwave SpiderLabs. As the leader of a team of elite researchers that infiltrates, monitors and exposes dark web crime in defense of hundreds of organizations around the world, Ziv has a unique understanding of the dark web, how it operates and what we can learn from it.
Defining the Dark Web
To begin, it helps to understand what the dark web is: web sites and forums that use Tor network domains and other peer to peer networks. To access it, you would need to use the free Tor browser that protects the anonymity of users. While anonymous web usage has legitimate purposes, it can also be exploited by criminals for all manner of nefarious activity.
“Parts of the dark web are really like the open web, in the sense that anyone who uses a Tor browser can access it. For example, ecommerce sites that require no authentication, as long as the users know how to look for them,” Ziv said. “It’s used to sell drugs, illegal weapons, ammunition, money and document counterfeiting, and more.”
Many of the sites on the dark web which require no authentication are like e-commerce sites, and some are highly profitable. Silk Road, for example, made over a billion dollars in revenue at one point, before being shut down by the FBI.
Other parts of the dark web are the closed forums, that are often used by groups of actors who share a common interest, such as malware development, credit card sniffing and trading and other activities. Many of these actors are cyber criminals
“The dark web is very active,” Ziv adds. “There are many posts – and new information being added –every day.”
Using the Dark Web as An Early Warning Indicator
Cybercrime will generally fall into one of two categories. The first is attacks, like bots or viruses and others, that target the masses by trying to infect as many people as possible, and then attempt to monetize their efforts, for example with ransomware demands.
Of more concern for organizations are targeted attacks – that might be aimed at a specific establishment or at a sector in general. For example, criminals might be attempting to steal customer information, steal intellectual property like source codes or research, or they might be attempting to demand ransoms… the attack techniques are almost endless.
Monitoring the dark web can be beneficial to organizations because it can provide an early warning of targeted attacks, according to Ziv.
“Sometimes when cybercriminals want to target a specific company or sector, they will try to do homework,” Ziv said. “To break into a specific network, for example, they might need to know what kind of security software that network has, so they might be on the dark web looking for other malicious actors with experience compromising that network or sector.”
Organizations can work with security providers, or use tools like Sixgill and DarkOwl, to try to set up alerts notifying them of this kind of activity. For example, organizations might want to know when their brand, or the names of any of their top executive are mentioned. They can also glean useful intelligence by focusing on geographic areas and sectors, like the banking sector in Hong Kong, as one example.
Monitoring the Dark Web to Detect and Recover from Attacks
Another benefit to organizations can be using dark web monitoring to help recover from an attack or detect a breach. An organization can be compromised and not even be aware of it for an extended period of time, sometimes half a year or longer. During those times, criminals have access to networks, data, and other valuable assets.
Dark web monitoring can help uncover these compromises by showing that information is for sale on the dark web – or being discussed by dark web actors. For example, they might be selling credit card information, email addresses or social security numbers. There’s even a market for illicit remote connections and malicious backdoors – uncovering these compromises can help alert organizations to the problem , remediate that breach and help them learn how the attack happened.
Another benefit to dark web monitoring: learning about new or emerging attack techniques that might be targeting an organizational sector in general. E-commerce sites using the same CMS system might all be susceptible to a new exploit, for example. Dark web monitoring can help you identify new coming attacks that might impact your organization.
Internal vs. External Monitoring – What Are the Pros and Cons?
While monitoring the dark web can certainly help safeguard organizations, it’s not easy. The most sophisticated of criminals will avoid leaving obvious clues or will use direct communication. Security researchers have tools and technique that they’ve developed over the years to infiltrate the dark web… especially the closed forums that the most dangerous malicious actors will use to plan attacks against a specific organization.
“We have a foothold in many forums using techniques that we’ve developed carefully over the years,” Ziv said. “IT teams won’t necessarily have the time or bandwidth to be able to replicate that.”
Another challenge for internal IT teams is how dark web actors communicate. Often, they used specialized jargon that only dedicated researchers will understand. Another consideration are language barriers: dark web communication often takes place in languages other than English and attempts to use translation services like Google are easily detected—and widely known by the dark web criminals.
What Are the Obstacles?
For organizations that want to set up an internal dark web monitoring operation, the first step is hiring the right people. There are very few IT practitioners with the needed experience and skills – and most of these in-demand candidates are being heavily recruited by security or law enforcement organizations.
Also, it takes time to build the team you’ll need… and it can cost quite a bit. What’s more, even after all that time and effort, there’s no guarantee of success. You might spend years recruiting and building your team, only to find that you’re not achieving the level of security that you’ll need to protect our organization.
And while monitoring resources can generate a lot of data, properly configuring your alerts and then deciphering the data you receive is the key.
“Like any intelligence system, the wider of a net you cast, the more information you’ll capture,” Ziv said. “It can be messy… you might get many, many alerts every day. To find indications of a coming attack, you have to comb through that data very carefully.”
The Underground Economy
What happens after cyber thieves successfully compromise businesses? If you think siphoning sensitive data instantly leads to money in their account, you're wrong. What proceeds is series of anonymous paths they can take to ultimately reap their reward. In this comprehensive guide, the Trustwave SpiderLabs team provides you with a view into the deep abyss of the dark web--where the criminally minded operate to hide their tracks from law enforcement.