Data About Your Company On The Dark Web

Uploaded on 2018-06-08 in NEWS-Cybersecurity News, FREE TO VIEW

Any company wishing to stay on top of its security obligations will find getting a window into what happens on the Dark Web will prove invaluable.

The Dark Web, the part of the web not indexed by search engines such as Google and used for nefarious purposes, isn’t actually that big.  One estimate suggests are only around 7,000 sites on the TOR network, while the FBI has said there are only around 800 criminal Internet forums worldwide.

But while there may not be massive amounts of these forums, it is where the vast majority of underhanded online activity takes place. 

Luckily, a new wave of companies such as Webhose, RepKnight, Terbium labs, Massive, Recorded Future, Sixgill, Hold Security, and AlienVault are adding a new layer to traditional threat intelligence and trying to make the dark web as easily searchable as any normal, Google-able website. But what value does dark web monitoring bring to organisations and their security posture?

Why should companies monitor the Dark Web?
The main benefit to monitoring the dark web is that it can give you early warning signs that you’ve been compromised, well before you may have found any tell-tale signs internally. The average time to discover a breach in systems is now 57.5 days, according to FireEye, but as soon as a criminal has exfiltrated data they are likely trying to hawk your wares online.

Much of the illicit activity that goes on is either talking about exchanging questionable goods on forums or actually exchanging ill-gotten information on sites such as PasteBin, which means there can be plenty of indicators that an organisation has been compromised. 

Is your company being spoken about on dark web forums, or are some of your employees’ (or worse, customers’) email addresses being shared on a data dump site? It could well be time to investigate your systems and look for indications of a breach.

“The go-to use case is companies wanting to know if they're being mentioned in the context of vulnerabilities,” says Webhose CEO, Ran Geva. “User accounts or vulnerabilities being sold on the dark web -- you want to know if you're exposed.”

Spun out of Israel-based social media monitoring service Buzzilla in 2016, Webhose takes information from both the dark and regular web and turns that into a machine-readable data feed (usually JSON or XML) that can then be parsed and analysed. Its customers include Salesforce, IBM, and departments within the US government.

One use case Geva is particularly keen on is employing Webhose to track cryptocurrency payments relating to illegal activity.

Given that all Bitcoin payments are housed within the OpenLedger, it can be relatively easy to identify which accounts have been associated with criminal dealings, for example the exchange of your company’s data, which can then be used as evidence in the future.

“Once I have a wallet address, I can explore what address sent money to this address, anyone who has sent money to this account is liable.”

While actually identifying owners of wallets can be difficult, Geva says many inexperienced criminals use public exchanges such as Coinbase where you have to make your identity known, leaving a breadcrumb trail for investigators.

Dark web monitoring can also help your security teams be more proactive. A study by Recorded Future found 75% of all disclosed vulnerabilities appear online before they’re listed in the National Vulnerability Database (NVD), on average a week earlier. The sooner a vulnerability is known to your company, the sooner you can fix it.

A 2016 report by Gartner suggested disgruntled employees are being recruited by criminals on the dark web to help use their insider knowledge to inflict damage on their employers and get revenge for whatever slight they’ve suffered. Being aware of any potential insider threat before they’ve acted could save a company a heap of trouble.

What kind of data should companies be looking for on the Dark Web?
Companies should be looking for data related to their organisation. At the very top level, this can simply be a mention of the company in general dark web communications, as being mentioned in criminal forums could often mean criminals are either interested in targeting you or perhaps already have your data.

The next stage beyond that is to look for internal information. This can include usernames, emails, but also company-related documents or personally identifiable information of employees or customers. Searching information-dump sites such as Pastebin is especially important for this part.

The third aspect of dark web monitoring is actively monitoring for exploit kits, malware, and other potential threats that aren’t specifically targeting your organization but could pose a threat.

“Enhancing visibility and gathering relevant, actionable intelligence from dark web sources helps security teams strengthen their security posture and put in place appropriate defense measures before adversaries can strike,” says Jose Miguel Esparza, Head of Threat Intelligence at Blueliv.

Companies of all shapes, sizes, and industries can find value in scouring the dark web. FishTankBank, a UK eCommerce site dedicated to selling aquariums and related equipment, began utilizing dark web monitoring after being hacked.

“As we dug into how the initial attack happened, we were informed that some of our sensitive data was posted on the dark web and this is likely where the hack originated from,” says owner Max Robinson. “We check for mentions of our brand and work with a consultant on a frequent basis so we can monitor it to help avoid any more issues like this from occurring.”

Combining deception technology and Dark Web monitoring
As with any new security trend, it is unlikely to be the magical silver bullet that renders your organisation impenetrable. It is merely another tool which may be helpful in the constant tit for tat between legitimate businesses and cyber criminals. And if used in conjunction with other security tools, it can be very useful indeed.

To augment dark web monitoring, companies can start to combine monitoring with deception technology and honey pots. These can come in the form of unique fake accounts within legitimate datasets which can act as a beacon in the noise of large data sets, or entirely fake data sets in decoy databases.

“These kinds of deception tactics are useful if the results are monitored effectively and analyzed to extract actionable conclusions,” says Blueliv’s Esparza. “It might help you in finding out what adversaries are doing with your stolen credentials and better understand the underground ecosystem.”

Criminals may already be moving away from the desktop Dark Web
In the same way the workforces of legitimate companies are becoming increasingly mobile-first, cyber-criminals are conducting more of their activities on the go. But this switch can make gleaning intelligence from the Dark Web harder.
A 2017 study by IntSights found a 30-fold increase in mobile dark web activity over the preceding 12 months, with the likes of Discord, Telegram, and WhatsApp being used to “trade stolen credit cards, account credentials, malware, drugs and to share hacking methods and ideas.”

The report claimed that Discord is “becoming the go-to-app for mobile Dark Web discussions”, while downloads of TOR’s mobile application, ORbot, stand at over 10 million.

“While the use of messaging apps for illicit activity has been on the rise for some time, the closure of Alphabay, Hansa and suspected compromise of Dream Market... has shaken confidence in more traditional dark web channels,” the report said.

This growing trend means the monitoring of criminal activity will become a more challenging task, admits the report, unless more advanced methods of data collection are developed.

“Cyber-criminals have been using instant messaging software like Jabber for years and using end-to-end encryption to avoid the interception of messages from third parties, so this is not really something new,” says Blueliv’s Esparza.

Radware security researcher Daniel Smith warns that while criminals constantly moving to new platforms is par for the course, it’s gaining the initial access that is the hard part, as once you’re in you can start to harvest information.

“In the case of discord and other apps, you need an invite to join. Other criminal forums on the Darknet sometimes require you to commit a crime before joining. That’s a major ethical barrier and most companies don’t want to cross the line.”

IDG Connect:

You Might Also Read:

What Is the Dark Web? Can You Access It?:

Is Your Data Being Sold On The Dark Web?:

 

« Chinese & Russian Hackers Target S. Korea Ahead Of US / N. Korea Summit
Backlash: Facebook's Data-Sharing With Chinese Firms »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Ripjar

Ripjar

Ripjar is a global company of talented technologists, data scientists and analysts designing products that will change the way criminal activities are detected and prevented.

PubNub

PubNub

PubNub enables developers to build secure realtime Mobile, Web, and IoT Apps.

Claranet

Claranet

Claranet are experts in modernising and running critical applications and infrastructure through end-to-end professional services, managed services and training.

Maticmind

Maticmind

Maticmind is an ICT System Integrator providing solutions and specialized skills in Networking, Security, Unified Communications & Collaboration, Datacenter & Cloud and Application.

Oznet Cyber Security

Oznet Cyber Security

Oznet Cyber Security is dedicated to offering integral solutions oriented to the support and security of information.

Method Cyber Security

Method Cyber Security

Method offers a Cyber Security Risk Management training course for those responsible for the security of industrial automation, control and safety systems.

Touchstone Security

Touchstone Security

Touchstone Security is a company with a passion for technology, a hyper-focus on cybersecurity, and a special affinity for cloud technology.

Early Birds

Early Birds

Early Birds is a Business to Business (B2B) marketplace for Innovators (Startups/Scaleups) and Early Adopters to exchange value early on.

Stratejm

Stratejm

Stratejm, a Next Generation Managed Security Services Provider, brings innovation and thought leadership to the fight against cyber criminals.

Bionic

Bionic

Bionic is an agentless way to get control over your increasingly complex applications so you can manage, operate, and secure them faster and more efficiently.

TXOne Networks

TXOne Networks

TXOne Networks offer cybersecurity solutions to protect your industrial control systems to ensure their reliability and safety from cyberattacks.

Bytes Technology Group

Bytes Technology Group

Bytes is a leading provider of world-class IT solutions. Our growing portfolio of services includes cloud, security, licensing, SAM, storage, virtualisation and managed services.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Tuta

Tuta

Tuta (formerly Tutanota) is an all-in-one email, calendar and contacts app which protects your data with full end-to-end encryption and it requires zero personal information.

NewsGuard Technologies

NewsGuard Technologies

NewsGuard provides transparent tools to counter misinformation for readers, brands, and democracies.

Fortress SRM

Fortress SRM

Fortress SRM protects companies from the financial, operational, and emotional trauma of cybercrime by improving the security performance of its people, processes, and technology.