Why you need a dark web expert on your security team

Australian CISOs must be prepared to infiltrate dark web sites to get an early bead on potential compromises of their corporate information, a security specialist has warned as a string of Australian brands manage the ramifications of having sensitive data published online.

Financial-services provider MyBudget and sportswear brand In Sport recently joined logistics giant Toll Groupin having corporate data published on the dark web by cyber criminals intent on squeezing a ransom out of the companies. Reports suggested that up to 200GB of Toll Group data alone had made its way to dark web forums, where cyber criminals congregate to sell and exchange the spoils of their hacks.

Volumes of enquiries have increased steadily in recent months, said Arni Hardarson, head of assurance at security consultancy Pure Security, as cyber criminals take advantage of the remote-working vulnerabilities created by the COVID-19 pandemic.

Appropriately managing the fallout of a data breach, therefore, now requires information-security managers to be able to evaluate the company’s exposure in online forums.

Toll Group did just this when it launched an investigation into its dark web exposure that saw it “focused on assessing and verifying the specific nature of the stolen data that has been published”.

Dark web data leaks have become common enough that businesses should be building them into their breach response plans, Hardarson advised.

But he warns that getting visibility into the murky world of the dark web is about more than just clicking on a link. “You can’t just roll up to the dark web and start searching for pages,” he told CSO Australia, “because you can’t really find websites unless you already know about them. And, more often than not, you need to have some credibility on the dark web to get access to those forums in the first place.”

Australian government urges better dark web competency

Increased competency in dark web navigation was flagged as a key capability in the Australian government’s Industry Advisory Panel Report, whose 60 recommendations include a call to “increase the Australian Cyber Security Centre’s ability to disrupt cyber criminals on the dark web and to target the proceeds of cyber crime”. “Law enforcement agencies are struggling with the challenges posed by policing a borderless crime, the dark web, and the sophisticated tools employed by domestic and international cyber actors,” the report said.

With a new cyber crime incident alert reaching the ACSC every 10 minutes, the sheer volume of incidents has become overwhelming—and following the trail onto dark websites makes investigations even more complicated than conventional efforts.

“Crimes are often committed across multiple jurisdictions because it makes it harder to investigate and prosecute the perpetrators,” the report said, noting that “new tools and capabilities are likely to be required to address criminal threats on the dark web.”

Businesses understand that an early lead about a potential leak of credentials could be a lifesaver if, for example, it gives security staff a heads-up to reset all of their employee passwords.

How to build up your dark web detection capabilities

Yet for businesses that just want to get on with their business, building and maintaining dark web skills internally may prove challenging—meaning that many firms are likely to turn to external security consultancies with the knowhow and dark web reputation to get the job done effectively.

Fortunately, Australian companies may be in a particularly good position to find specialists to help their dark web intelligence efforts.

The APAC region is the fastest-growing source of ethical hackers in the world, a recent analysis by bug-bounty firm Bugcrowd found in gauging the sentiment of 3,493 past and present participants in corporate bug-bounty programs. Respondents reported a surge in demand for career hackers in recent months, as the COVID-19 pandemic laid bare new corporate vulnerabilities and businesses began searching for appropriate skills as a result.

This trend had not only posed new opportunities for ethical hackers but was going a long way towards normalising appreciation of the new perspectives—and skills that they can bring.

“It’s going to take time to shed the social stigma around hacking, but we’re already starting to see the mainstream media portray hackers as ‘helpers’,” says Bugcrowd participant and ethical hacker Rachel Tobac of SocialProof Security. “I hope the increase in positive representation continues to change the old-fashioned sentiments about hacking.”

Many people were struggling to discern hackers from cyber criminals—but as a hacker, she says, “I’m hired by people and organizations to use the methods that criminals use to break into their systems so that they can protect themselves before criminals can successfully do what I do.”

That’s a logical argument that has traditionally been hard for many companies to swallow, but the rising tide of cyber security compromise is making proactive security strategies more palatable to even the most risk-averse companies.

By enlisting the support of skilled hackers, Pure Security’s Hardarson said, companies can be much better prepared for the inevitable instance where their sensitive data is leaked. “This is where threat intelligence comes in,” he said. “You can track a threat actor, understand his behaviour and understand where he posted data—and whether there is going to be a second leak as well.  …  We have seen cases where a business managed to get the data down within a minute when it was exposed. It can be successful, but it should always be part of the process of being more proactive with your security.”