
How the Dark Web Can Give Organizations Actionable Insights

The dark web – and the threats that hide within – is becoming a more pressing concern for organizations of all kinds every single year. From data breaches to COVID-19 scams to an ever-growing list of new attack techniques, the malicious actors that call the dark web home will increasingly impact businesses, governments and organizations of all kinds.

But, with the right guidance, the dark web can also serve as a source of understanding that can result in actionable data and intelligence. As Sun Tzu said: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

So, to learn more about what organizations can learn from the dark web, we spoke to Ziv Mador, Vice President of Security Research at Trustwave SpiderLabs. As the leader of a team of elite researchers that infiltrates, monitors and exposes dark web crime in defense of hundreds of organizations around the world, Ziv has a unique understanding of the dark web, how it operates and what we can learn from it.


Defining the Dark Web

To begin, it helps to understand what the dark web is: websites and forums that use Tor network domains and other peer-to-peer networks. To access it, you need to use the free Tor browser, which protects the anonymity of users. While anonymous web usage has legitimate purposes, it can also be exploited by criminals for all manner of nefarious activity.

“Parts of the dark web are really like the open web, in the sense that anyone who uses a Tor browser can access it. For example, ecommerce sites that require no authentication, as long as the users know how to look for them,” Ziv said. “It’s used to sell drugs, illegal weapons, ammunition, money and document counterfeiting, and more.”

Many of the sites on the dark web which require no authentication are like e-commerce sites, and some are highly profitable. Silk Road, for example, made over a billion dollars in revenue at one point, before being shut down by the FBI.

Other parts of the dark web are closed forums, which are often used by groups of actors who share a common interest, such as malware development, credit card sniffing and trading, and other activities. Many of these actors are cybercriminals.

“The dark web is very active,” Ziv adds. “There are many posts – and new information being added – every day.”


Using the Dark Web as An Early Warning Indicator

Cybercrime generally falls into one of two categories. The first is mass attacks, such as bots and viruses, that try to infect as many people as possible and then monetize those infections, for example with ransomware demands.

Of more concern for organizations are targeted attacks, which might be aimed at a specific establishment or at a sector in general. For example, criminals might be attempting to steal customer information, steal intellectual property like source code or research, or demand ransoms… the attack techniques are almost endless.

Monitoring the dark web can be beneficial to organizations because it can provide an early warning of targeted attacks, according to Ziv.

“Sometimes when cybercriminals want to target a specific company or sector, they will try to do homework,” Ziv said. “To break into a specific network, for example, they might need to know what kind of security software that network has, so they might be on the dark web looking for other malicious actors with experience compromising that network or sector.”

Organizations can work with security providers, or use tools like Sixgill and DarkOwl, to set up alerts notifying them of this kind of activity. For example, organizations might want to know when their brand, or the names of any of their top executives, are mentioned. They can also glean useful intelligence by focusing on geographic areas and sectors, like the banking sector in Hong Kong, as one example.
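A minimal sketch of the kind of alert rule described above, as an added example that is not from Trustwave or from any monitoring product: it scores posts from a feed against a watchlist of brand, executive, sector and region terms, so that a brand mention outranks a lone sector keyword. The watchlist entries, weights, threshold and sample posts are all constructed placeholders.

```python
import re
import unicodedata

# Hypothetical watchlist; every name is a constructed placeholder.
# Each category maps to (terms, weight). Weights are assumptions for triage.
WATCHLIST = {
    "brand": (["Example Bank", "examplebank.test"], 5),
    "executive": (["Jane Q. Placeholder"], 4),
    "sector": (["bank", "banking"], 1),
    "region": (["Hong Kong", "HK"], 1),
}

def normalize(text):
    # Fold case and Unicode compatibility forms (e.g. full-width letters).
    return unicodedata.normalize("NFKC", text).casefold()

def compile_terms(terms):
    # Whole-word match so "bank" does not fire on "bankroll".
    alts = "|".join(re.escape(normalize(t)) for t in terms)
    return re.compile(r"(?<!\w)(?:" + alts + r")(?!\w)")

PATTERNS = {c: (compile_terms(t), w) for c, (t, w) in WATCHLIST.items()}

def triage(posts, threshold=2):
    """Return (post_id, score, hits) for posts at or above threshold, highest first."""
    alerts = []
    for post_id, text in posts:
        hits, score = {}, 0
        for category, (pattern, weight) in PATTERNS.items():
            found = sorted(set(pattern.findall(normalize(text))))
            if found:
                hits[category] = found
                score += weight
        if score >= threshold:
            alerts.append((post_id, score, hits))
    return sorted(alerts, key=lambda a: a[1], reverse=True)

# Constructed sample posts, standing in for a monitoring feed export.
POSTS = [
    ("p1", "need bankroll for a new project"),
    ("p2", "banking sector, Hong Kong only"),
    ("p3", "anyone know what security software Example Bank runs?"),
    ("p4", "info wanted on jane q. placeholder"),
    ("p5", "ＥＸＡＭＰＬＥ ＢＡＮＫ staff list"),
]

if __name__ == "__main__":
    for alert in triage(POSTS):
        print(alert)
```

A sector term alone stays below the threshold, while a sector term together with a region term raises a low-priority alert, which keeps the daily volume reviewable.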


Monitoring the Dark Web to Detect and Recover from Attacks

Another benefit to organizations can be using dark web monitoring to help recover from an attack or detect a breach. An organization can be compromised and not even be aware of it for an extended period of time, sometimes half a year or longer. During those times, criminals have access to networks, data, and other valuable assets.

Dark web monitoring can help uncover these compromises by showing that information is for sale on the dark web – or being discussed by dark web actors. For example, they might be selling credit card information, email addresses or social security numbers. There’s even a market for illicit remote connections and malicious backdoors – uncovering these compromises can help alert organizations to the problem, remediate that breach and help them learn how the attack happened.

Another benefit of dark web monitoring is learning about new or emerging attack techniques that might be targeting an organizational sector in general. E-commerce sites using the same CMS might all be susceptible to a new exploit, for example. Dark web monitoring can help you identify upcoming attacks that might impact your organization.


Internal vs. External Monitoring – What Are the Pros and Cons?

While monitoring the dark web can certainly help safeguard organizations, it’s not easy. The most sophisticated criminals will avoid leaving obvious clues or will use direct communication. Security researchers have tools and techniques that they’ve developed over the years to infiltrate the dark web… especially the closed forums that the most dangerous malicious actors will use to plan attacks against a specific organization.

“We have a foothold in many forums using techniques that we’ve developed carefully over the years,” Ziv said. “IT teams won’t necessarily have the time or bandwidth to be able to replicate that.”

Another challenge for internal IT teams is how dark web actors communicate. Often, they use specialized jargon that only dedicated researchers will understand. Another consideration is the language barrier: dark web communication often takes place in languages other than English, and attempts to use translation services like Google are easily detected and widely known by dark web criminals.


What Are the Obstacles?

For organizations that want to set up an internal dark web monitoring operation, the first step is hiring the right people. There are very few IT practitioners with the needed experience and skills – and most of these in-demand candidates are being heavily recruited by security or law enforcement organizations.

Also, it takes time to build the team you’ll need… and it can cost quite a bit. What’s more, even after all that time and effort, there’s no guarantee of success. You might spend years recruiting and building your team, only to find that you’re not achieving the level of security that you’ll need to protect your organization.

And while monitoring resources can generate a lot of data, properly configuring your alerts and then deciphering the data you receive is the key.

“Like any intelligence system, the wider of a net you cast, the more information you’ll capture,” Ziv said. “It can be messy… you might get many, many alerts every day. To find indications of a coming attack, you have to comb through that data very carefully.”



The Underground Economy

What happens after cyber thieves successfully compromise businesses? If you think siphoning sensitive data instantly leads to money in their account, you're wrong. What follows is a series of anonymous paths they can take to ultimately reap their reward. In this comprehensive guide, the Trustwave SpiderLabs team provides you with a view into the deep abyss of the dark web, where the criminally minded operate to hide their tracks from law enforcement.

