Scan the dark web for threat intelligence

It may be possible to glean valuable security insights by monitoring the dark web.

Although awareness of the importance of cybersecurity is spreading, the number of successful cyber-attacks continues to grow with every passing year. Globally, almost 1.9 billion data records were compromised in the first half of 2017, up 164% compared to the last six months of 2016, according to Gemalto’s Breach Level Index report.

Many companies are struggling to secure their data in the face of ever more sophisticated phishing scams and the rise of a multitude of threats, from botnets to ransomware. Establishing solid visibility over your potential attack surfaces and gathering reliable intelligence about threats are vital steps for any organization trying to close down the risk of a data breach. One avenue to valuable threat intelligence that’s not well understood is the dark web.

What is the dark web?

While the deep web merely refers to websites that aren’t indexed by search engines, the dark web is generally made up of sites that require anonymizing software like Tor to access. It is used by people suffering under repressive regimes, but it also hosts sites dedicated to illegal activities, such as the sale of stolen data, drugs, or weapons. You can also find tools and tutorials on how to exploit specific vulnerabilities to steal sensitive data.

If a cybercriminal hacks into your organization and exfiltrates some customer records, or a disgruntled insider decides to try and sell some stolen intellectual property, there’s a good chance they’ll turn to the dark web to do it. It stands to reason, therefore, that monitoring the dark web can help you to boost your security and identify breaches and vulnerabilities.

The race against cybercriminals

Cybersecurity professionals are locked into a race with cybercriminals to see if they can shut down vulnerabilities before they’re exploited, and it’s a race that many of them are losing. According to some fascinating research by Recorded Future, 75% of all disclosed vulnerabilities appear online before they’re listed in the National Vulnerability Database (NVD), with a median of seven days’ prior notice. That’s quite a head start for cybercriminals.

By monitoring the reporting of these vulnerabilities and the development of exploits for sale on the dark web, organizations may be able to close the mitigation gap. With access to the same information as the cybercriminals, InfoSec pros are forewarned about likely angles of attack and can focus resources on effective vulnerability management and rapid patching.

Monitoring of the dark web may also uncover insider recruitment attempts or rogue employees trying to sell data or credentials. Insiders are being actively recruited on the dark web in growing numbers, according to Gartner analyst Avivah Litan. While it may be prudent to monitor employee behavior internally and use anomaly detection to flag suspicious activity, it’s also smart to keep an eye on the dark web.

Monitoring the dark web

Working out whether your data is being sold on the dark web is challenging, but it’s worth trying. The dark web isn’t as vast as the media sometimes makes it out to be. There are a few steps you might consider:

  • Monitor for mentions of your organization, names, email addresses, and sensitive assets.
  • Search for mentions of your wider industry, software you employ, and related data.
  • Try to infiltrate closed forums and communities.
  • Hire a firm or license a tool to monitor the dark web on your behalf.

As you might expect, there’s a great deal of secrecy on the dark web, and many forums will be difficult to access without the right knowledge. It may also be difficult and time-consuming to separate the actionable intelligence from the noise. That’s why there’s a growing number of dark web researchers and services springing up that can provide you with intelligence reports for a fee.
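
As an added illustration of the first step above (this is not code from the article or from any monitoring vendor), the following Python example triages text that has already been collected, for instance from a licensed feed, against an organization watchlist. The organization name, domain, watch terms and sample listing are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Assumed watchlist for a fictional organization; every value is constructed.
WATCH_DOMAINS = {"example.com"}
WATCH_TERMS = {"Example Corp", "examplevpn"}
# Bracketed disguises posters use for addresses: "[at]", "(dot)", "{AT}" ...
_DEOBFUSCATE = [
    (re.compile(r"\s*[\[\(\{]\s*at\s*[\]\)\}]\s*", re.I), "@"),
    (re.compile(r"\s*[\[\(\{]\s*dot\s*[\]\)\}]\s*", re.I), "."),
]
_EMAIL = re.compile(r"[a-z0-9._%+-]+@((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

@dataclass(frozen=True)
class Hit:
    kind: str      # "email" or "term"
    value: str     # normalized match
    line_no: int   # 1-based line in the collected text

def normalize(text):
    """Undo bracketed [at]/[dot] obfuscation so addresses can be matched."""
    for pattern, repl in _DEOBFUSCATE:
        text = pattern.sub(repl, text)
    return text

def in_watched_domain(domain):
    """Match the domain or a true subdomain, never a look-alike suffix."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in WATCH_DOMAINS)

def scan(text):
    """Return watchlist hits, sorted by line, for analyst review."""
    hits = set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = normalize(raw)
        for m in _EMAIL.finditer(line):
            if in_watched_domain(m.group(1)):
                hits.add(Hit("email", m.group(0).lower(), line_no))
        for term in WATCH_TERMS:
            # Whole-term match so "counterexample corporation" is not a hit.
            if re.search(r"(?<!\w)" + re.escape(term) + r"(?!\w)", line, re.I):
                hits.add(Hit("term", term, line_no))
    return sorted(hits, key=lambda h: (h.line_no, h.kind, h.value))

# Constructed sample of collected text; secrets are already redacted.
SAMPLE = """selling combo list, 2k lines
alice.smith [at] example [dot] com:<redacted>
bob@mail.example.com:<redacted>
carol@notexample.com:<redacted>
fresh access to Example Corp vpn portal
counterexample corporation leak (unrelated)
"""
```

Calling `scan(SAMPLE)` flags lines 2, 3 and 5 only; the look-alike domain and the partial-word mention are treated as noise rather than sent to an analyst.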

If you have the resources to hire in expertise and do your own dark web research, it may help you to neutralize threats more rapidly than relying on a third party, but expertise is in short supply. Whichever route you choose, dark web monitoring is a smart move that can help you gather tangible threat intelligence and bolster your cybersecurity defenses.

[Note: Towerwall is not a service provider that offers dark web-related services.]

This article is published as part of the IDG Contributor Network.