2024 may have seen one of the most significant data breaches of all time, with three billion personal data records spread across dark web sites, according to Tech Informed. These included social security numbers and many other pieces of data, proving that the dark web is no longer, and has potentially never been, simply a lurking threat. Responding to this active marketplace means watching for whether your company’s credentials or proprietary information appear there and reacting appropriately if they do.
Monitoring the dark web allows you to:
- Plan your cybersecurity strategy and take action to secure your system
- Make changes to your system to prevent further breaches
- Be ready for the potential fallout when a data breach becomes public
- Perform digital risk management on specific dark web dangers
So, read on to learn more about this process and how to maximize its potential benefits.
The Importance of Monitoring Dark Web Sites
On the dark web, many uses exist for a large quantity of user data. Each of them could be devastating to an individual or company, and so the issue requires oversight to ensure as little damage occurs as possible.
For example, hackers and “data brokers” often sell bundles of stolen information, including logins and credit card details. Malicious actors will buy these, using bots to test the logins to see which ones allow them to log into specific, commonly-used websites such as Microsoft or Google. Sometimes, sellers pair these logins with session cookies or email access data, allowing criminals to get past multi-factor prompts.
Bundles like these are frequently seen in scams where the business is tricked out of large amounts of money, and the more powerful the login, the more expensive it is. For example, top-level access or C-suite data can cost thousands of dollars for a single working password.
If a hacker gets access to the email address of someone in control of a lot of money, such as a CFO, they can then use fake emails to request a wire transfer from their account or a corporate account. If they exploit a sense of urgency or trust, then it is even easier.
For these reasons, many firms must undergo regulatory audits to prove they are taking reasonable steps to protect themselves. For example, organizations in the areas of:
- Finance
- Law
- Healthcare
- Insurance
- Education
At the same time, proving that you are monitoring the potential of a data breach means that you can reassure customers or clients of your efforts to keep their data safe.
Fallout of Late Business Threat Detection
If a malicious actor accesses customer data and the breach is not reported in a reasonable time, companies may face millions of dollars in fines. Insurance company Embroker even estimates that the average cost of a data breach worldwide approached $5 million.
At the same time, once a breach goes public, shareholders may sue the company for not taking appropriate steps, while your reputation will typically plummet among customers. If you instead quickly take action and then handle the breach in a shorter space of time, you can ensure that you both mitigate the issue and have more control over how you reveal it to the public. Of course, the best option is to prevent it in the first place, but that isn’t always possible.
Other things you can expect following a major breach and the data hitting the dark web include:
- HIPAA and GLBA audits
- Insurance claim scrutiny or denial
- Loss of client trust
- Media exposure
You should also take action to inform the authorities. However, work with your legal counsel to ensure you take all appropriate steps. Data breach notification laws vary across the country and are applied at the state level.
Map the Dark Web Attack Surface for Security
Before a breach occurs, and after its discovery, companies should generally follow the voluntary guidelines and best practices developed by NIST, the National Institute of Standards and Technology. However, you can prevent some of the challenges inherent in this process by making a complete list of all the information that a hacker could potentially exploit.
You can then use this data as a checklist of things to watch to see if it turns up for sale or discussion.
A solid list of items to use for this includes:
- Corporate domains and subdomains
- Legacy company names or references
- Emails of high-priority leak targets
- Merger partner websites or emails
- Supply-chain partner domains
- Data suggesting access to physical systems
You should review and update this watchlist once every few months, especially when you establish or renew web domains. You can then stay up-to-date about what is available online.
You should also open dialogues with partners to ensure you stay apprised of their efforts in this area. For example, it may benefit you to start including contractual clauses to share information on third-party leak disclosures within 24 hours to allow the other party to prepare their own security process.
Even if you close down emails and domains, keep these on the list of assets you pay attention to. If you find a legacy email on the dark web, it may be a sign that a breach happened further back in time, helping you potentially pinpoint the time someone accessed it.
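The watchlist above can be turned into a simple matcher that classifies addresses found in a leaked dump by which category they hit. The code below is an added example, not code from the original article or from Empist; it assumes an in-memory watchlist, treats subdomains as belonging to their parent domain while rejecting look-alike domains, and records the retirement date of a legacy domain so that a hit on it carries the "breach no later than" hint described above. Watchlist entries and dump lines are constructed sample data.

```python
"""Watchlist matching for leaked-credential dump lines (added example)."""
from dataclasses import dataclass, field


@dataclass
class Watchlist:
    current_domains: set = field(default_factory=set)    # corporate domains; subdomains match too
    legacy_domains: dict = field(default_factory=dict)   # retired domain -> date it was retired (ISO)
    partner_domains: set = field(default_factory=set)    # supply-chain and merger partners
    priority_emails: set = field(default_factory=set)    # high-priority leak targets (CFO, admins)


def _domain_matches(host: str, watched: str) -> bool:
    """True when host equals the watched domain or is a subdomain of it.

    'mail.example.com' matches 'example.com'; 'notexample.com' does not.
    """
    host, watched = host.lower().rstrip("."), watched.lower().rstrip(".")
    return host == watched or host.endswith("." + watched)


def classify(email: str, wl: Watchlist) -> dict:
    """Return the watchlist category an address falls into (None if unrelated)."""
    email = email.strip().lower()
    result = {"email": email, "category": None, "retired_on": None}
    if "@" not in email:
        return result
    host = email.rpartition("@")[2]
    if email in wl.priority_emails:
        result["category"] = "priority"
    elif any(_domain_matches(host, d) for d in wl.current_domains):
        result["category"] = "current"
    elif any(_domain_matches(host, d) for d in wl.legacy_domains):
        # A legacy hit means the data was captured before the domain was retired,
        # which bounds how old the underlying breach must be.
        retired = next(r for d, r in wl.legacy_domains.items() if _domain_matches(host, d))
        result["category"] = "legacy"
        result["retired_on"] = retired
    elif any(_domain_matches(host, d) for d in wl.partner_domains):
        result["category"] = "partner"
    return result


def triage_dump(lines, wl: Watchlist) -> dict:
    """Scan 'email:password' style lines and group matching addresses by category.

    The password part is discarded; only the address is needed to decide relevance.
    """
    hits = {}
    for line in lines:
        email = line.split(":", 1)[0]
        category = classify(email, wl)["category"]
        if category:
            hits.setdefault(category, []).append(email.strip().lower())
    return hits


# Constructed sample watchlist and dump lines (not real data)
SAMPLE_WATCHLIST = Watchlist(
    current_domains={"example.com"},
    legacy_domains={"oldexample.com": "2021-06-30"},
    partner_domains={"supplier.example.net"},
    priority_emails={"cfo@example.com"},
)
SAMPLE_DUMP = [
    "cfo@example.com:hunter2",
    "jane@mail.example.com:Summer2024",
    "bob@notexample.com:password1",
    "ops@supplier.example.net:Welcome1",
    "x@oldexample.com:legacypass",
    "not an email",
]

if __name__ == "__main__":
    for category, emails in triage_dump(SAMPLE_DUMP, SAMPLE_WATCHLIST).items():
        print(category, emails)
```

Priority addresses are checked before domain matches so that an executive account is never reported as a generic corporate hit, and the look-alike check matters in practice because dumps routinely contain typo-squatted and unrelated domains that share a suffix with yours.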
Deploy Always-On Dark Web Monitoring Tools
Use automated tools to scan online areas that you think might host information relevant to you, including:
- Public dark web spaces
- Invite-only or private forums related to dark web adjacent topics
- Telegram or Discord groups with similar data
- Specific leak sites
You may also need to use tools to decrypt or translate non-English or encrypted chat, depending on your access to the online space.
Use this information alongside machine learning models to determine when information might be related to you. Then, set up alerts that will inform you if your data starts to appear there.
Once you have discovered at least one breach, use the same models to work out whether the data is new or whether you have already seen it online. If you have, record the sighting, but you do not need to notify your customers again, as you should already have handled that breach.
Be aware, however, that you may find not only the logins of customers, but also new information related to each one. If you have previously uncovered only users’ names, but then later discover their passwords or 2FA information, this is a significant escalation that will need your attention.
Of course, you should also expect any accounts you use to face regular bans, so use VPNs and other methods of hiding your identity to allow you to watch these locations for as long as possible.
Track New and Emerging Dark Web Threats
According to Dark Reading, the phishing kit Darcula recently received an upgrade, empowering it with AI to make it even easier for the least technical hackers to use. This example is only one of a wide range of expanding online issues that could cause further problems.
These “dark web phishing kits” automate the process of creating deceptive data, such as emails or websites, empowering individuals and organizations wishing to pursue malicious agendas.
Keep your eyes open for new dark web shops or other emerging spaces that may allow you to find new breaches. Doing this is especially useful because, as law enforcement shuts down locations, their operators constantly migrate from server to server.
Many cybercriminals are also openly using social media platforms to distribute stolen data. The ease with which people can open accounts on areas like Reddit and Twitter means that they can distribute stolen data and coordinate their attacks much more easily, so it is often essential to monitor these channels too.
Look out for more niche marketplaces, too. These “boutique” dark web locations specialize in more unique illicit goods, but they are much more careful about who they let in. For this reason, it may be challenging to access their environment.
Other types of data you may want to watch out for, but which may be harder to abuse, include:
- Internet-of-things credentials collections
- Cloud token bundles
- Ready-made “keys” to corporate networks
- Supply-chain phishing information related to your partners
- AI-generated voice recordings of executives or other VIPs
While these may not be immediately useful, keeping an eye on them and sharing their existence with your team will help you to ensure any future advancements do not come by surprise.
Using Human Analyst Validation
While automated alerts are vital to scour through all the data available online, having human analysts to verify any details avoids errors due to false positives. Give them the tools they need to contextualize all the data they receive and work with them to develop a system of prioritizing any data they receive.
For example, you should immediately receive information from them on especially harmful data. You should also empower them to verify leaked logins and other data, so you do not alarm anyone over data that turns out to be false.
On the other end of the scale, if they discover high-level staff logins that allow direct access to your system, they need to be able to contact those who can take action immediately to secure your system.
Whenever they make these decisions, you should document them. You can then reflect on them, adjusting your response guidelines so your organization can learn more with each potential incident.
Avoid Dark Web Monitoring Pitfalls
The opposite pitfall to raising every issue without cross-checking, which leads to false alerts, is dismissing breaches as unimportant: every breach is potentially hazardous. It does not matter whether a login is “minor” or belongs to a partner or supplier, as a malicious actor could use any of these access paths to cause you issues further down the line.
Also, don’t overlook the existence of session cookies. If people buy these and try to access your website, your system may consider them “already logged in” and allow them access. Use these as an opportunity to learn of a breach and think about how to avoid the issue of session cookies as a vector of attack.
Be aware that you are not the only non-malicious actor scanning these sites. People online may also be police, for example, using fake account data to catch criminals. If you see a new data set that may relate to you, test it before taking action.
Then, when you discover real breached data, don’t wait to inform your legal team. If you take too long, it could make it harder to respond appropriately, and you may have less time to take the action the law demands of you.
Of course, when you discover the data, reset or rotate the exposed credentials. Do not wait for someone to abuse their access, as you may not stop them from taking malicious action in time. Leave that work to law enforcement.
Creating a Response Workflow
Once you have discovered a breach, your team will need to prioritize it. As such, create a severity matrix, making it clear what the response should be based on facts such as:
- User role
- Data sensitivity
- Leak age
- Credential type
- Context of discovery
You should then have a pre-approved password-reset system for everyone in your organization so that analysts can secure accounts without needing new sign-offs. Alternatively, completely disable compromised accounts and require them to use multi-factor authentication to prove their identity.
Your next steps should include:
- Freezing outgoing transfers
- Alerting legal and compliance teams
- Documenting every step of your response
- Measuring your time to detection and time to containment
- Preparing to announce the breach
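The following added example (not code from the original article or from Empist) ties together the earlier point about deciding whether a finding is new, a repeat, or an escalation for an account already seen, and the severity matrix and next steps just listed. It scores each finding from its user role, data type, leak age and discovery context, recognises repeats by a hashed fingerprint so that no plaintext secret is stored, flags an escalation when a previously seen account turns up with more dangerous data (a password, then a session cookie or 2FA secret), and maps the score to a pre-approved set of response actions. All weights, thresholds, action names and sample findings are constructed assumptions to be tuned to your own environment.

```python
"""Severity scoring, de-duplication and response dispatch for leaked-credential findings."""
import hashlib
from datetime import date

# Constructed severity matrix: weights per factor, clamped to 0..100 after summing.
ROLE_WEIGHT = {"executive": 40, "finance": 35, "admin": 35, "employee": 15, "partner": 15, "customer": 10}
DATA_WEIGHT = {"email_only": 5, "password": 30, "card": 30, "session_cookie": 35, "mfa_secret": 35}
CONTEXT_WEIGHT = {"for_sale": 15, "free_dump": 10, "forum_mention": 5}
# Ordering used to detect an escalation: more dangerous data for an account already seen.
DATA_RANK = {"email_only": 0, "password": 1, "card": 1, "session_cookie": 2, "mfa_secret": 2}


def age_weight(first_seen: date, today: date) -> int:
    """Fresh leaks score higher; stale ones lower (thresholds are assumptions)."""
    days = (today - first_seen).days
    if days <= 7:
        return 15
    if days <= 90:
        return 5
    return -10


def severity(finding: dict, today: date) -> int:
    total = (ROLE_WEIGHT[finding["role"]] + DATA_WEIGHT[finding["data"]]
             + CONTEXT_WEIGHT[finding["context"]] + age_weight(finding["first_seen"], today))
    return max(0, min(100, total))


def fingerprint(finding: dict) -> str:
    """Stable identifier for a finding that never stores the leaked secret itself."""
    secret_digest = hashlib.sha256(finding.get("secret", "").encode()).hexdigest()
    key = f"{finding['email'].lower()}|{finding['data']}|{secret_digest}"
    return hashlib.sha256(key.encode()).hexdigest()


class FindingRegister:
    """Remembers what has been seen so repeats and escalations can be told apart."""

    def __init__(self):
        self._seen = {}  # fingerprint -> (email, data type)

    def classify(self, finding: dict) -> str:
        fp = fingerprint(finding)
        if fp in self._seen:
            return "duplicate"          # same account, same data, same secret: already handled
        email = finding["email"].lower()
        prior_rank = max((DATA_RANK[d] for e, d in self._seen.values() if e == email), default=-1)
        self._seen[fp] = (email, finding["data"])
        if prior_rank == -1:
            return "new"
        return "escalation" if DATA_RANK[finding["data"]] > prior_rank else "additional"


def plan_response(finding: dict, status: str, sev: int) -> list:
    """Map severity to pre-approved actions; duplicates are only documented."""
    actions = ["document_finding"]
    if status == "duplicate":
        return actions
    if sev >= 70:
        actions += ["disable_account", "revoke_all_sessions", "require_mfa_reenrolment",
                    "alert_legal_and_compliance"]
        if finding["role"] in ("executive", "finance"):
            actions.append("freeze_outgoing_transfers")
    elif sev >= 40:
        actions += ["force_password_reset", "revoke_all_sessions", "alert_legal_and_compliance"]
    else:
        actions += ["force_password_reset"]
    return actions


def triage(findings, today: date, register: FindingRegister = None) -> list:
    register = register or FindingRegister()
    results = []
    for f in findings:
        status = register.classify(f)
        sev = severity(f, today)
        results.append({"email": f["email"], "status": status, "severity": sev,
                        "actions": plan_response(f, status, sev)})
    return results


# Constructed sample findings (not real data); "today" is fixed so scores are reproducible.
TODAY = date(2024, 9, 1)
SAMPLE_FINDINGS = [
    {"email": "cfo@example.com", "role": "executive", "data": "password", "context": "for_sale",
     "first_seen": date(2024, 8, 30), "secret": "hunter2"},
    {"email": "cfo@example.com", "role": "executive", "data": "password", "context": "for_sale",
     "first_seen": date(2024, 8, 30), "secret": "hunter2"},          # repeat of the first
    {"email": "CFO@example.com", "role": "executive", "data": "session_cookie", "context": "for_sale",
     "first_seen": date(2024, 8, 31), "secret": "sess-abc"},         # escalation: cookie after password
    {"email": "jane@example.com", "role": "employee", "data": "email_only", "context": "forum_mention",
     "first_seen": date(2024, 1, 15), "secret": ""},
    {"email": "bob@example.com", "role": "employee", "data": "password", "context": "free_dump",
     "first_seen": date(2024, 7, 1), "secret": "Summer2024"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS, TODAY):
        print(r["email"], r["status"], r["severity"], r["actions"])
```

Revoking all sessions is listed alongside every password reset because, as noted earlier, a stolen session cookie lets an attacker bypass the login entirely; resetting the password alone leaves that path open. The register keys on a hash of the secret rather than the secret itself, so the sighting history can be kept for later review without becoming a second copy of the leaked data.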
Seize the Advantage and Avoid the Dangers of the Dark Web
Having a rapid response playbook allows you to reduce your detection-to-resolution time to well below the industry average. Similarly, maintaining compliance with regulations helps you avoid escalation by government entities and helps your legal team with potential future lawsuits.
Empist can deliver constant oversight of dark web sites, so you need not worry about interacting with the space yourself. We can also help with other security matters 24/7 and work with you to match our efforts with your unique needs. So, contact us today to secure your organization from the worst of the Internet.