Is Your Organization Monitoring the Dark Web Yet?

essidsolutions

Before we begin, let’s get the elephant in the room out of the way – the Dark Web in and of itself, like any technology infrastructure, is not a bad thing. Ben Jones, CEO of Searchlight Security, shares how, just like the broader internet, it can be a force for good (an anonymizing medium where those journalists and activists whose views could lead to imprisonment or death can communicate in relative safety), as well as evil. 

What do you think the Internet is? The Wikipedia definition offers a decent balance of technical and average user explanation: “The Internet is the global system of interconnected computer networks that uses the internet protocol suite to communicate between networks and devices. The Internet carries a vast range of information resources and services, such as the inter-linked hypertext documents and applications of the World Wide Web, electronic mail, telephony and file-sharing.” So far, so good. But that description only scratches the surface. Think of the Internet as an iceberg: it stretches far below the surface. And that’s problematic from a cybersecurity perspective because, just like an iceberg, what you can’t see could hurt you.

Beneath the visible tip of the internet iceberg (the part you see when you use search engines to locate information) sits the Deep Web. This makes up most of the iceberg's mass and consists of everything hidden from search engine indexing or ‘crawling.’ Much of it comprises databases that organizations don’t want to be made readily accessible, and these are 100% legitimate. However, part of it is the Dark Web, only accessible using specialist resources, home to threat actors and cybercriminals across the globe.

The Dark Web is the smallest segment of this information iceberg, yet it perhaps presents the biggest danger. It’s here that criminal threat intelligence is available in volume: credentials, IP addresses, open ports and personal information that can be used in facilitating attacks against your organization. Here’s the thing: investing in both threat intelligence and technology is an accepted and crucial part of cybersecurity strategy. However, Dark Web monitoring is often overlooked. That has to change.

Dark Web: Home to Ransomware Gangs and Initial Access Brokers

These dark corners of the internet hold the criminal markets where stolen and compromised data is sold. They are the focus of my attention today, and they should be for almost every CEO and CISO alike.

Why so? Take the ransomware threat that has exploded into the boardroom of every organization serious about cybersecurity over the last couple of years. It should come as absolutely no surprise that the criminal gangs behind these attacks, Conti, Grief and LockBit, are all active on the Dark Web. Not only do such threat groups recruit ‘affiliates’ who take on the reconnaissance and compromise parts of ransomware attacks in return for a share of the ransom, but the Dark Web is also where both initial access brokers and remote desktop protocol brokers ply their trade. These brokers have marketplaces where stolen credentials and account compromises are packaged and often auctioned off to the highest bidder. These packages allow ransomware affiliates to efficiently and effectively get an initial foothold within your networks.

The Real Cost of Dark Web Invisibility to Your Organization

While it depends very heavily on where a compromised organization is located, how many employees it has, and its profitability, there’s a package for all budgets when it comes to the credentials market. A good rule of thumb is that lower-level, lower-privileged employee credentials will typically be at the bottom of the pricing spectrum, and admin access to an organization’s network will cost much more. The outcome of these auctions and sales can be crippling for an organization targeted by a ransomware gang or other criminal endeavor. Beyond the ransomware threat, the Dark Web will trade in DDoS attacks on a rental basis and sell ‘vulnerability exploit kits,’ for example.

But what if you had visibility into those dark corners of the Dark Web? What if you could be warned when access credentials for your organization were up for sale? Monitoring provides this warning that an attack may be imminent.

Where Does Dark Web Monitoring Fit In a Cyber-defense Strategy?

While Dark Web monitoring won’t prevent a data breach that has already happened, it will shine a light on credentials and other information that have made their way to the criminal networks that operate within. You shouldn’t think of it as a replacement for existing cyber defenses but rather as an augmentation that brings the visibility needed to head off threats you wouldn’t otherwise know about – before they have been acted upon.

Dark Web monitoring isn’t threat intelligence in the traditional sense. Generic threat intel usually involves the study of criminal actors, the domains they use, their IP addresses and signatures. This data can then be ‘plugged into’ your firewalls and network detection systems. No, Dark Web monitoring differs because it’s very much concerned with detecting attack precursors before an exploit can be executed. Both types of intelligence are essential to organizations large and small but are essentially solving different problems in different ways.

As with generic threat intelligence, it is possible to gain threat visibility in-house, but doing so effectively is equally expensive and challenging, if not more so. The truth is that massive expertise and infrastructure are required to collect and analyze relevant Dark Web data internally. This is why most organizations will look to a third-party solution directly or through a managed security service provider (MSSP). The key is to couple good cyber-defensive capabilities with proactive scanning of potential threats so that you can identify them at the earliest opportunity.

The RoI of Dark Web Monitoring

Once you start thinking about a monitoring solution as the perfect fit with a proactive cybersecurity strategy, getting a grip on RoI becomes much easier. In fact, given that such monitoring can be thought of as a workable – and with today’s ever-evolving threat map, an essential – detection and prevention mechanism, it’s a no-brainer.

Data breaches and ransomware have huge organizational costs when they occur, from GDPR fines to ransomware demands or the costs of having your organization shut for months. An investment in Dark Web monitoring pales into insignificance by comparison. I’ll leave you by asking the same question, as posed by the title of this article: is your organization monitoring the Dark Web yet? Hopefully, by now, you’ll have come to the conclusion that it should be.
