2023-10-02

The dark web refers to web pages that are not indexed by search engines. Under the cloak of anonymity, cybercriminals and threat actors can operate, selling an array of tools and services that can be used to wreak havoc on organizations. There is a lot for CISOs to come to grips with; here are 10 things to be aware of when navigating the dark web.

New dark web services pop up every day

The number and variety of cybercrime services available on the dark web are growing, according to Ivan Shefrin, cybersecurity expert at Comcast Business. This includes botnets, easy-to-deploy commodities, stolen credentials, simple exploits and sophisticated ones such as access to privileged systems like Active Directory, as well as unpublished zero-day exploits.

Botnets are cheap and easy to use, so they continue to be among the most common cybercrime commodities sold on the dark web. “These large networks of compromised computers and IoT devices can be used for a variety of malicious cyber activities, including DDoS attacks, e-commerce click fraud, ransomware and crypto mining. Since it’s become relatively easy to repurpose bots across different types of attack vectors, this has led to the creation of a botnet black market,” Shefrin says.

Stolen credentials have replaced exploits as the most common method of gaining initial access to internal environments, which shapes what is in demand on the dark web. “Among the most sought-after are valid credentials for remote desktop access, which saw a large increase during the COVID-19 pandemic,” says Shefrin. “The dark web is everyone’s go-to source for gaining initial access to victims’ networks.”

Some spaces are by invitation only

There is a whole ecosystem on the dark web for the sale of vulnerabilities and exploits against corporate systems, much of it invitation-only, according to Gareth Owenson, an experienced dark web researcher and Searchlight Cyber CTO.

Criminals first carry out reconnaissance on the target organization and its network, so by the time they turn to the dark web they already know which systems and networks it is running. “They go on to these marketplaces looking for vulnerabilities for those particular systems. And when they find them, they pay a price for an exploit which works against that vulnerability,” says Owenson.

A supply chain exists for designing attacks against corporate networks: criminals buy different services and technical goods from other actors on the dark web, some of them individuals and others serious, organized criminal groups. “The actors behind an attack may not access the organization’s network directly themselves. They may pay someone else to do that because that person has bought a vulnerability on the dark web to gain the access,” he says.

Knowing the right people or paying for access is the most common way into invite-only forums, according to Ryan Estes, intrusion analyst at WatchGuard Technologies. “You could also build trust with members of these groups or forums, but that is usually something that law enforcement officials acting undercover do,” he says.

Rennie Westcott, intelligence analyst with Blackbird AI, says access to invite-only places is typically obtained through third-party data providers. “Most organizations will not have a risk tolerance that permits employees to access invite-only deep and dark web forums.”

However, experienced professionals at organizations with a high risk tolerance can certainly benefit from trawling deep web forums for things like exposed credentials and TTPs relevant to their organization’s security infrastructure. “Researchers will typically create fake personas tailored to the site they’re looking to access—this is where language skills and the ability to assimilate into fringe communities are essential,” he adds.

There is bad stuff, and crackdowns mean it’s harder to trust

Law enforcement may infiltrate groups and pull together enough detail to identify the group running a site. Alternatively, group members may make a mistake, such as accidentally posting their real-world email address, and be identified and arrested.

However, one of the challenges for law enforcement in taking out these groups is that they rotate their infrastructure. A recent crackdown involved a coordinated takedown of a very large number of servers, because if a single server is missed the whole operation stays running, says Owenson. “So, if all enforcement goes after one server, they've got servers all over the world that automatically fill in and replace when those servers are taken down,” he says.

Law enforcement agencies in many countries, including the Australian Federal Police (AFP), are actively policing the dark web through sophisticated techniques, targeted operations and new policing powers such as network activity and data disruption warrants. They target the illicit sale of personal data, malware and cybercrime tool development and sales, as well as ‘cybercrime-as-a-service’. “The goal is to identify, disrupt and prosecute cybercriminals domestically, and through international law enforcement partnerships,” an AFP spokesperson says.

“Joint domestic and international law enforcement actions have led to significant arrests and seizures of criminal assets and illicit funds and have enhanced the safety and security of the online environment for Australians,” the spokesperson says.

Some of the major operations include the takedown of Genesis Market, which offered stolen credentials and access to compromised devices, and the shutdown of ‘DarkMarket,’ which had almost 500,000 users, more than 2,400 sellers and more than 320,000 transactions.

Law enforcement agencies also need to respond to major breaches with dedicated task forces that monitor and minimize the misuse of sensitive and personally identifiable information (PII). Another example is Operation Guardian, delivered in partnership with state and territory police and the Australian Cyber Security Centre, which was established after the major Australian breaches at Optus, Medibank and Latitude. “Operation Guardian works to disrupt criminal conduct, including the potential sale of PII on the dark web, and prosecute those responsible,” the spokesperson says.

There is a lot for sale on the dark web

Maybe not everything, but just about everything, is available. Illicit and illegal goods including drugs, firearms and poisons, as well as exploits, vulnerabilities, access, tools, techniques and stolen data, are all commodities sold on the dark web.

Data is the most common commodity sold on the dark web, according to Nirmit Biswas, senior research analyst at Market Research Future. “Account credentials, credit card information, addresses and social security numbers have all been hacked. Someone might not even realize they've been hacked, yet their company and employee information could be sold,” Biswas says.

According to the Privacy Affairs Dark Web Price Index, attackers can make a lot of money from stolen personal information, on anything from credit cards to Netflix accounts. Currently, the going rate for stolen credit card information with a balance of up to $1,000 is only $70, while cards with a balance of up to $5,000 cost $110. “The index shows how cheap it is to get data on the dark web,” says Biswas.

Specific niches are in

What was once a small, unknown area of the internet has grown into a formidable power, according to Biswas, and attackers are innovating to stay ahead of defenders in the cat-and-mouse game.

The dark web has become more diversified and more comprehensive, and one area seeing growing interest is ransomware, which is spurring further criminal activity there.

Cybercriminal syndicates will publish the stolen data if a ransom isn’t paid. They will also make it easier for other criminals to search that data for staff and customer emails. This is intended to increase the reputational harm to an organization, thereby increasing the possibility that it will pay the ransom.

“And because ransomware material is so popular, hackers are taking photographs from ransomware collections and botnet log files and publishing them in the hopes of increasing their reputation and renown,” Biswas says. Many marketplace sellers also provide zero-day exploits that have yet to be found or publicized. “In other cases, when companies reveal software vulnerabilities, the operational exploits become accessible on darknet forums and markets,” he says.

Another area on the up is marketing lead databases. These have been available on the dark web for some time, but the aggregate amount has increased dramatically in recent years, according to Biswas. Although the data may be publicly available on social media or in business directories, it is scraped and reposted, and it may not even be 100% accurate. “But it still exposes a vast number of individuals to phishing scams, corporate fraud, and social engineering,” he says.

Data breach standardization is becoming the norm, explains Sarah Boutboul, intelligence analyst at Blackbird AI, which helps bad actors run more targeted searches for the particular information they are seeking on the dark web. It means that data breach activity has become more organized in hacking forums, chat apps and paste sites. “Threat actors increasingly request and share data that fit specific categories, leading to a more structured landscape for illicit data trading,” Boutboul says.

And you can use the dark web to buy more dark web

Not surprisingly, the dark web also sells the technical tools and information needed to set up another dark web. “There are many dark webs already,” says Douglas Lubhan, VP of threat intelligence at BlackFog. “Basically, any network that is shielded from internet search engines and restricts access to it is a dark web. You could layer upon layer if you choose to,” he says.

Dark web usage is going up

The number of users across relays has increased in 2023, and the number of relays themselves has increased, according to Tor metrics, suggesting dark web usage is on the rise.

There are a few well-known forums offering vulnerability and exploit auctioning, bartering or selling, according to WatchGuard’s Estes, including the Russian Anonymous Marketplace (RAMP), exploit[.]in and xss[.]is.

Estes says these forums are also vectors for recruitment efforts by ransomware groups and offer hacking tips for sale. “In some cases, users will sell access information to organizations in what are called IABs (initial access brokers). The dark web is a hodgepodge of cybercriminal commerce,” he says.

And there are new domains coming online all the time. “We observe a handful of new ransomware double extortion pages a month; in some cases, these are rebrands of previously known ransomware groups. So, as some websites go down, others arise (rebrand). The volume of dark web domains has remained stagnant, even though the overall traffic has increased recently,” Estes says.

Many are perfectly innocent

Estes agrees that there are legitimate purposes for using anonymizing tools like Tor. Some organizations create both a clear web and a dark web domain. “The most obvious reason for this is to allow users who don’t use Tor to access their website,” says Estes, citing the FBI and X (formerly Twitter) as two examples.

In terms of malicious sites, there have been cases where a ransomware group creates a typo-squatted domain or dark web domain that mirrors a victim's website. “They then provide instructions or more blackmail attempts to further coerce victims into paying. ALPHV/BlackCat and Lorenz are examples of these,” Estes says.

Legitimate uses of anonymizing technology like Tor include journalists, activists and others who need to host content anonymously and protect their communications from governments or oppressive regimes. Owenson acknowledges Tor has legitimate uses for privacy and circumventing censorship; however, his research suggests the vast majority of activity is criminal in nature.

Owenson believes the problem is that those who run the Tor network, despite hosting illicit activities, do not actively police sites because of their ideological commitment to anonymity. “They’ve expressed that they have no interest in censoring any part of the dark web.”

It’s still mimicking the corporate world

The dark web is increasingly becoming corporate in various areas, such as hacking, recruitment and technology services. Cybercriminals create look-alike mobile applications, websites and social media profiles of executives and companies that appear exactly like the real thing.

“It could be a banking app that looks like your bank but isn’t. If you download it or visit a site and submit your username and password, you will be impacted. If it’s a fake social media profile, cybercriminals may share manipulated information that impacts the company brand and stock price,” says Blackbird AI’s Boutboul.

In addition, dark web forums are adopting stricter, enterprise-style access controls in response to heightened law enforcement action. “Admins scrutinize newcomers more carefully, demanding references and verification tokens. Some platforms require significant cryptocurrency payments upfront,” Boutboul says. “Cybercriminals are responding to increased law enforcement activities by enhancing their own security measures.”

How can organizations combat the threats the dark web poses?

There is a range of tools and services that scan the dark web for organizational threats and vulnerabilities, but it is a constantly moving target. “Dark web surveillance is a constantly changing field that requires continual updates and tweaks to stay successful,” Biswas says.

An effective dark web monitoring system should provide broad visibility into the dark web without requiring anyone to enter it. “This keeps admin users from placing themselves in danger or being exposed to provocative content. Keywords relevant to your organization should be highlighted by the solutions. You may then watch the threat as it evolves in order to respond accordingly,” he says.

“There is no one dark web monitoring solution for all use cases; some are entirely automated, others require a team of specialists to manage, and some rely on machine learning and artificial intelligence to give accurate and relevant information,” Biswas says.
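The monitoring section above describes what a dark web monitoring feed should do for a defender (highlight organization-relevant keywords without anyone having to enter the dark web), and the earlier section on look-alike and typo-squatted domains describes one of the things worth catching. The following Python is an added example written for this page, not code from the article or from any vendor it quotes. It consumes records in the shape a third-party provider might hand over and raises triaged alerts for three things: credential lines for the organization's own domain (with the password redacted so the SOC never handles the secret), domains within a couple of edits of an owned domain, and plain keyword hits. The watchlist, feed records, domain names and email addresses are all constructed for illustration, and the fingerprinting step collapses reposted copies of the same dump, which the article notes is common.

```python
"""Keyword-driven dark web monitoring over a provider feed (constructed example).

Everything below (watchlist, feed records, domains, people) is invented for
illustration; a real deployment would consume a commercial monitoring feed.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Hostname-looking tokens (used to spot look-alike domains).
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
# "user@domain:password", the layout most credential combo lists use.
CRED_LINE_RE = re.compile(r"^([^\s:@]+@[^\s:]+):(\S+)$", re.MULTILINE)


@dataclass
class Watchlist:
    domains: list                                      # domains the organization owns
    keywords: list                                     # brand, product and executive names
    onion_names: list = field(default_factory=list)    # the organization's own .onion names


@dataclass
class Alert:
    severity: str
    category: str
    source: str
    evidence: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1-2 from an owned domain flags a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fingerprint(text: str) -> str:
    """SHA-256 of whitespace-normalized, lower-cased text: reposts collapse to one record."""
    return hashlib.sha256(" ".join(text.lower().split()).encode()).hexdigest()


def analyse(record: dict, wl: Watchlist) -> list:
    """Return the alerts one feed record produces for the watchlist."""
    text, src = record["text"], record["source"]
    own = {d.lower() for d in wl.domains}
    alerts = []

    # 1. Credentials for an owned domain. The password itself is never copied
    #    into the alert; the length is enough for the SOC to force a reset.
    for email, password in CRED_LINE_RE.findall(text):
        if email.split("@", 1)[1].lower() in own:
            alerts.append(Alert("high", "credential", src,
                                f"{email} (password redacted, {len(password)} chars)"))

    # 2. Look-alike domains: within two edits of an owned domain, but not the domain itself.
    for dom in {m.lower() for m in DOMAIN_RE.findall(text)}:
        if any(dom != mine and levenshtein(dom, mine) <= 2 for mine in own):
            alerts.append(Alert("high", "lookalike_domain", src, dom))

    # 3. Keyword hits (brand, executives, own onion names). Reported only when
    #    nothing more specific fired, so an access listing still surfaces.
    if not alerts:
        lowered = text.lower()
        for kw in wl.keywords + wl.onion_names:
            if kw.lower() in lowered:
                alerts.append(Alert("medium", "keyword", src, kw))
    return alerts


def monitor(feed: list, wl: Watchlist) -> dict:
    """Run every record through analyse(), skipping reposts, and rank the alerts."""
    seen, alerts, duplicates = set(), [], 0
    for record in feed:
        fp = fingerprint(record["text"])
        if fp in seen:
            duplicates += 1
            continue
        seen.add(fp)
        alerts.extend(analyse(record, wl))
    rank = {"high": 0, "medium": 1}
    alerts.sort(key=lambda a: rank[a.severity])          # stable: keeps feed order within a tier
    return {"alerts": alerts, "duplicates_skipped": duplicates}


# Constructed watchlist and feed, in the shape a provider might return.
WATCHLIST = Watchlist(domains=["examplecorp.com"], keywords=["ExampleCorp", "Jane Doe"])
COMBO_LIST = "combo list\njane.doe@examplecorp.com:Winter2023!\nbob@other-firm.test:hunter2\n"
FEED = [
    {"source": "paste:abc123", "text": COMBO_LIST},
    {"source": "forum:post/77", "text": "Selling VPN access to ExampleCorp, 2k employees, price negotiable"},
    {"source": "forum:post/91", "text": "new domain up: examp1ecorp.com, mirrors their portal"},
    {"source": "paste:abc123-repost", "text": COMBO_LIST},          # reposted copy of the first paste
    {"source": "paste:leads", "text": "marketing leads: 500 contacts from acme.test, unrelated"},
]

if __name__ == "__main__":
    result = monitor(FEED, WATCHLIST)
    for a in result["alerts"]:
        print(f"[{a.severity}] {a.category:16} {a.source:22} {a.evidence}")
    print(f"duplicates skipped: {result['duplicates_skipped']}")
```

Two design choices matter here. Alerts for exposed credentials carry the account name and password length only, because the alert itself is likely to end up in a ticketing system or chat channel that was never meant to hold secrets. The keyword tier is suppressed when a credential or look-alike alert already fired for the same record, so an analyst sees one high-priority alert per dump rather than the same paste flagged twice.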