Financial institutions should continuously monitor the dark web to identify threats and prevent breaches, Searchlight Cyber advises in a new study.

The banking sector is increasingly being targeted by initial access brokers on the dark web, according to research by Searchlight Cyber. The dark web intelligence company has also found evidence of insiders sharing information on their organization or being recruited by cybercriminals on the dark web, and of threat actors undertaking infrastructure reconnaissance to target financial services supply chains.

But these threats, hidden in plain sight on the dark web, also present banks with a great opportunity, the company said in its new study. "With dark web intelligence that alerts them to potential malicious activity while criminals are still in the 'pre-attack' stage of their operations; security teams can adjust and improve their defenses based on what might happen in the future, not just respond to things that have happened in the past," it said.

The research is based on an investigation by Searchlight Cyber analysts using dark web data gathered from 2020 to date.

Initial access brokers target banks

The vast majority of activity observed against the banking sector on the dark web consisted of posts from initial access brokers offering to sell access to banking systems to third-party threat actors. The researchers found a variety of different types of access advertised on dark web hacking forums such as Exploit, XSS, and BreachForums. "For security teams, data on initial access broker activity can be a valuable source of pre-attack intelligence," the company said.

The researchers also observed ransomware groups interacting with some of these posts. Bank security teams and independent security researchers can use these posts to analyze the capabilities and assess the threat level of the actors posting and interacting with them.
Among the initial access broker posts, those offering remote network access via Remote Desktop Protocol (RDP) and virtual private networks (VPNs) were the most common. The exploitation of privileged accounts could potentially lead to malware or ransomware being deployed on the system, control over operating infrastructure, access to sensitive databases and file storage, and the harvesting of confidential information used to blackmail the victim into paying a ransom.

Searchlight Cyber also found several posts offering to sell web shells, which can be used to install backdoors into a compromised system, or remote code execution (RCE) access, which when exploited enables the attacker to make an application execute code they choose rather than what the application should be doing.

Insider threat activity on the dark web

The researchers also observed two main insider threats leveraging the dark web. In the first, employees with access to an organization's systems advertise that access on the dark web; in the second, threat actors try to recruit malicious insiders on the dark web. "For a security team that has to consider malicious insiders with privileged access as part of their threat model, these posts do provide a valuable starting point to investigate and mitigate the risk of compromised employees," Searchlight Cyber said.

The cybersecurity firm advised that security teams should also be aware of, and monitor, employees using tools such as Tor to access dark web networks, communicate with the wider cybercriminal underworld, or leak data. "In addition to monitoring dark web forums for malicious insiders, traffic between Tor and the company network can also be used as an early warning sign of a potential insider threat," it said.

Threat actors also use the dark web to collaborate and plan their paths of attack, and monitoring for this can provide an opportunity to stop a breach, it said.
"These two tactics are significant because they are the only ones that focus on the period of time before the network is breached," Searchlight Cyber said.

Banks and financial institutions should also monitor the dark web for details of key suppliers, as this can help them identify when they are being targeted by threat actors. "For example, continuously searching for employee credentials, IP addresses, company datasets, devices, and software can alert the enterprise to suspicious activity against their supplier that may indicate a potential attack," it said.
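The Tor-traffic early-warning check recommended in the insider-threat section above, as an added example (not Searchlight Cyber's code or product): it scans constructed firewall/proxy log lines for egress from internal hosts to Tor relays. The relay set, the 10.0.0.0/8 internal range and the log format are assumptions; a real deployment would populate TOR_RELAYS from the Tor Project's published relay consensus and parse its own log format.

```python
# Added example, not Searchlight Cyber's code: flag egress from internal hosts to Tor
# relays in firewall/proxy logs. Relay IPs and log lines are constructed samples.
import ipaddress
import re
from collections import defaultdict

TOR_RELAYS = {"203.0.113.10", "203.0.113.11", "198.51.100.77"}  # constructed
TOR_DEFAULT_PORTS = {9001, 9030}  # Tor ORPort/DirPort defaults: a weaker signal
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate address range
LOG_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)")

def parse_line(line):
    """Parse "<ts> src=<ip> dst=<ip> dport=<port> bytes=<n>"; None if no match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"], ev["bytes"] = int(ev["dport"]), int(ev["bytes"])
    return ev

def classify(ev):
    """'relay' for a known Tor relay, 'port_only' for a Tor default port, else None."""
    if ipaddress.ip_address(ev["src"]) not in INTERNAL:
        return None  # only egress from internal hosts is of interest here
    if ev["dst"] in TOR_RELAYS:
        return "relay"
    if ev["dport"] in TOR_DEFAULT_PORTS:
        return "port_only"
    return None

def detect_tor_egress(lines):
    """Per internal host: relay hits, port-only hits and bytes sent to relays."""
    hosts = defaultdict(lambda: {"relay": 0, "port_only": 0, "bytes": 0})
    for line in lines:
        ev = parse_line(line)
        verdict = classify(ev) if ev else None
        if verdict is None:
            continue
        hosts[ev["src"]][verdict] += 1
        if verdict == "relay":
            hosts[ev["src"]]["bytes"] += ev["bytes"]
    return dict(hosts)

SAMPLE_LOG = [  # constructed lines; 10.1.4.22 pushes ~400 KB to two relays
    "2023-09-28T08:01:02Z src=10.1.4.22 dst=203.0.113.10 dport=443 bytes=5120",
    "2023-09-28T08:01:09Z src=10.1.4.22 dst=203.0.113.11 dport=9001 bytes=409600",
    "2023-09-28T08:02:00Z src=10.1.7.5 dst=192.0.2.8 dport=9030 bytes=900",
    "2023-09-28T08:04:00Z src=172.16.0.3 dst=203.0.113.10 dport=443 bytes=100",
]
```

A relay-list match with a large byte count is the alert worth triaging first; a port-only hit is a lead to confirm against the relay list before acting.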