Using the Dark Web to Mitigate Risk

Jason Rivera

September 4, 2018

As monikers go, the “dark web” has certainly lived up to its name. A vast swath of the internet accessible only through special software that keeps users anonymous and untraceable, it is the preferred realm for criminals, threat actors and others who take part in a bustling online underground. Unfortunately, the dark web also poses threats to businesses that are as varied and significant as they are veiled in secrecy.

The dark web is just one piece in a larger threat intelligence puzzle that encompasses social media, commercial and domain databases, and the open web. But it is a singularly difficult place to navigate and understand, even as industries increasingly realize it houses threats too big to ignore. Large organizations with a global presence are particularly vulnerable since security protocols vary by country, and threat actors can target the weakest link in an expanded attack surface to infiltrate the company.

With the right strategic approach, however, it is possible to gain valuable threat intelligence from the dark web that can be used to protect your organization.

Assessing Dark Web Risk

Understanding how the dark web works is the first step in enlisting it as an intelligence source and a means of cyber risk mitigation. Gaining threat intelligence is never easy, and cultivating even rudimentary visibility into the dark web requires special anonymizing software such as Tor; a VPN connection is also preferred to increase anonymity. Once inside, you are in a virtual hall of mirrors where information is hard to analyze and everyone’s identity is masked.

The only sure thing on the dark web is that many of the people you interact with are criminals. That means threat intelligence analysts should be careful not to inadvertently reveal their identities and flag the organization for retaliation. And since corporate security leaders are not usually armed with law enforcement credentials and warrants when they start asking questions and looking for information, there is a constant balancing act: forming relationships with these criminals without breaking the law yourself.

Even under the best of circumstances, there are no neon signs pointing to specific threats against your organization. It is more like a disparate collection of anonymous clues about the kinds of industries and data that might be targeted, and a vague sense of the attack vectors and malware tools that might be used. Some threats may be tactical—commodity malware, say, or counterfeit products—that represent day-to-day hassles for the organization. Others may be strategic threats like intellectual property theft, industrial sabotage, and other significant and long-term assaults on an organization’s operating model.

The Value of Dark Web Visibility

As opaque as the dark web may be and as challenging as it is to conduct threat intelligence there, it is possible to gain plenty of actionable insights that can protect the organization. For instance, intelligence collection about commodity malware services being sold on the dark web can inform a company’s security operations center (SOC) about current malware threats that they may soon be facing. The SOC can gain similar insights by learning about malicious tactics, techniques and procedures (TTPs) being marketed or discussed on the dark web.

The extraction or scraping of user credentials and personally identifiable information (PII), meanwhile, is prolific on the dark web. Thankfully, a company’s intelligence professionals can search for data pertaining to the organization’s employees or customer base—emails, names, addresses, credit card numbers—and use this collected information to bolster a company’s automated and manual defenses and counter fraudulent activities.
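One defensive way to act on the kind of leaked-credential data described above is to triage a dump against the organization's own domains, keeping only which accounts are exposed (never the leaked secrets) so they can be reset and monitored. This is an added illustration, not code from the article or from Deloitte; the domain names and the dump contents are constructed.

```python
"""Triage a constructed credential dump against an organization's domains.

Defensive use only: find which of the organization's accounts appear in leaked
data so they can be reset and watched, without retaining the leaked secrets.
"""
import re
from dataclasses import dataclass

# Assumption: the organization owns these domains (hypothetical names).
ORG_DOMAINS = {"example-corp.com", "example-corp.co.uk"}

# Constructed sample of leak records in formats commonly seen in such dumps.
SAMPLE_DUMP = """\
alice@example-corp.com:Summer2018!
Bob@Mail.Example-Corp.com;5f4dcc3b5aa765d61d8327deb882cf99
carol@othercompany.org:hunter2
alice@example-corp.com:Summer2018!
not a record at all
dave@example-corp.co.uk|p@ssw0rd
"""

_RECORD = re.compile(r"^\s*([^\s:;|]+@[^\s:;|]+)\s*[:;|]\s*(\S+)\s*$")
_MD5_LIKE = re.compile(r"^[0-9a-f]{32}$")  # heuristic: hashed rather than plaintext


@dataclass(frozen=True)
class Exposure:
    account: str     # normalized e-mail address
    plaintext: bool  # True if the leaked secret looks like a plaintext password


def _belongs_to_org(email: str) -> bool:
    """Match the organization's domains and their subdomains."""
    domain = email.rsplit("@", 1)[1]
    return any(domain == d or domain.endswith("." + d) for d in ORG_DOMAINS)


def triage(dump_text: str) -> list[Exposure]:
    """Return unique organization accounts found in the dump; secrets are discarded."""
    seen: dict[str, bool] = {}
    for line in dump_text.splitlines():
        m = _RECORD.match(line)
        if not m:
            continue  # skip malformed lines
        email = m.group(1).lower()
        if not _belongs_to_org(email):
            continue
        plaintext = not _MD5_LIKE.match(m.group(2).lower())
        # Keep the strongest finding per account; the secret itself is not stored.
        seen[email] = seen.get(email, False) or plaintext
    return [Exposure(a, p) for a, p in sorted(seen.items())]


if __name__ == "__main__":
    for e in triage(SAMPLE_DUMP):
        print(f"{e.account}: {'force reset' if e.plaintext else 'reset and watch'}")
```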

In the case of insider threats, a company’s security team can also scour various listings and forums on the dark web to see if anyone is trying to sell proprietary organizational data. This knowledge can sharpen strategy and operations against the insider threat group. Similarly, insight on possible counterfeit products or intellectual property infringements being sold on the dark web can help companies strengthen business operations activities to better guard against similar counterfeiting in the future.

In general, a glimpse into the dark web has revealed specific vulnerabilities and targets across several industries, including:

  • Insider threats, counterfeit products and commodity malware against the consumer and industrial products industry

  • Black market trading, commodity malware and industrial control systems breaches against the energy and resources industry

  • Money laundering, financial fraud and brand damage against the financial services industry

  • Pharmaceutical counterfeiting, device sabotage and commodity malware against the life sciences and healthcare industry

  • Trafficking in weapons and narcotics and espionage against the public sector

  • IP theft, pirated products and stolen accounts against the technology, media and telecommunications industry

Dark web risk is also governed by an overarching logic—a nexus of motivation and vulnerability—that can help an industry or organization gauge its level of risk. In the financial services sector, for instance, the potential for monetary gain fuels high motivation among criminals, but protections tend to be broad, so vulnerability is low and balances out the overall level of risk. By contrast, the healthcare industry spends relatively less on cybersecurity, so vulnerability is relatively high, along with the motivation of criminals who value the highly sensitive medical and personal data that can be stolen from such companies. That makes the overall dark web risk to healthcare somewhat greater than that to financial services.

With this kind of visibility and insight, threat intelligence analysts can focus on likely vulnerabilities and targets in their own organizations. If there is a lot of activity on the dark web about preferred malware to target valuable pharmaceutical IP or patient data, for instance, a drug company can proactively audit itself for the presence and vulnerability of that kind of information and harden its defenses.

The dark web will not give up its secrets easily and even the leading threat intelligence will only reveal part of the picture. Visibility, then, is not the same as absolute clarity. But even a partial picture of the teeming marketplace of tools and targets that threaten businesses can help leaders understand how to better prepare themselves to deal with the cyber threats they may face.

Jason Rivera is a manager at Deloitte Risk and Financial Advisory Services where he specializes in the development of threat intelligence, cybersecurity and investigations operations programs for commercial and public-sector clients.