In recent years, the “Dark Web” has become mainstream. This collection of forums, chat rooms, marketplaces and tools populated by cybercriminals and other types of threat actors used to be known mainly to law enforcement agents, security professionals and fraud teams, who were responsible for protecting organizations from the threats that emanated from these circles.
The dark web is so well-known today that it is featured not only in movies and television shows, but even in Disney cartoons (“Ralph Breaks the Internet”) as a major plot device. However, the dark web hasn’t only become popular in the eyes of the general public, but also within the security industry itself.
Many organizations are steadfast in their belief that dark web monitoring is a critical part of their security operations, and the security industry is happy to fuel that belief. While in some cases and industries it is indeed important to monitor the dark web, where the intelligence can help shape threat mitigation strategies, what most organizations do not realize (and the security industry won’t tell them) is that this is often not the case.
To understand which industries can truly benefit from dark web monitoring we must first understand what it is – and what it isn’t.
The dark web isn’t defined by where sites are hosted. While there’s a popular belief that the dark web exists solely on the Tor network, many dark web sites are hosted on regular servers, available for anyone to access with the right URL, just like any other site. Furthermore, while most people would define the dark web as sites that cannot be found through search engines, in reality you could find many of them through Google if you know the right keywords.
What truly defines the dark web is the content and the type of individuals who visit it. After all, if a forum is dedicated to financial crime and populated by cybercriminals, it doesn’t matter where it’s hosted or whether you can find it on Google. The type of content is the deciding factor, and in most cases the content that you can find in a specific dark web source is focused on one “bad” area. There are dark web sites dedicated to fraud, sites dedicated to specific aspects of cybercrime such as spamming or malware coding, as well as sites dedicated to other things like Jihad or pedophilia.
These sites are platforms for threat actors to connect and therefore they usually group into communities. There is little connection between the cybercriminal circles of the dark web and the circles populated by pedophiles. Each of these communities is aimed at a certain goal – for Jihadists, it’s the publishing and the consumption of radicalizing materials, for pedophiles it’s the access to disturbing materials.
For cybercriminals, it’s the facilitation of their work. Cybercrime is technical, and pulling off something as simple as a phishing attack, for example, requires a lot of ingredients. These circles enable criminals to find partners who can fill in these gaps. Instead of learning how to code malware, thanks to the dark web they can just buy it from someone who already knows how. Instead of flying out to a country to physically steal credit cards using skimmers, they can find someone who has already obtained them and pay them for the data. Dark web communities are set up to achieve these specific goals, and each of these communities is built around that.
This is the reason why dark web monitoring is only relevant to certain industries. The dark web communities that are relevant to cyber security, mainly those of cybercriminals, are geared towards making their members money (while APT groups use tools that can be found on the dark web, they have a very loose affiliation with these circles). These members spend many years perfecting and honing their craft, so it makes more sense for them to focus on things that will generate a steady income, such as operating ransomware or performing fraudulent transactions, rather than one-off projects such as hacking into organizations, where every network, and the challenges that come with it, is different.
While such projects do happen when the reward is big enough (the data that the target holds is valuable and could easily be turned into money, such as credit card data), the community as a whole is geared towards targeting certain types of organizations, and yours may not be one of them.
As much of the focus of cybercriminals is fraud, financial services companies such as banks and credit card issuers are among the industries that can greatly benefit from monitoring the dark web. It’s not just about finding the dark web conversations where your organization is mentioned, but learning how fraudsters work in general so the fraud team is able to build effective fraud mitigation strategies.
Another industry where dark web monitoring would be relevant is online services. These companies, the likes of Facebook, Google, Uber, Bitcoin exchanges and gambling sites, have many consumer accounts, and there’s a clear incentive for criminals to compromise them. Most other industries, such as manufacturing, B2B service companies, or government agencies, are simply not as lucrative.
Naturally, threat actors will take advantage, or try to take advantage, of any insecure organization they come across. There is still money to be made gaining access to internal data and selling it online in these circles. However, any intelligence finding of that nature on the dark web will be a matter of pure luck, over which the intelligence vendor has no control.
Most of the ongoing findings from the dark web for such organizations are “employee credentials” – compromised credentials published in data breaches and associated with one of the organization’s employees. While there is some value to be had from the detection of such credentials, it may still not be a good enough reason to subscribe to a dark web monitoring service. There are services that focus solely on employee credential detection and are a much cheaper alternative.
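To make concrete what the cheaper credential-detection services actually do, here is an added Python example (not code from the article or from any vendor it alludes to) that takes a constructed breach dump in the common `email:password` form, keeps only records belonging to the organization's own domains, and checks each exposed password against a local index of already-known breached password hashes using the SHA-1 prefix (k-anonymity) pattern, so that only a 5-character hash prefix, never the password or its full hash, would need to leave the organization if the index were remote. The dump contents, the domain list and the "known breached" password set are all constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample breach records (not real data). Note the mixed-case e-mail
# and the blank password, both of which real dumps contain.
SAMPLE_DUMP = """\
alice@example.com:Summer2019!
bob@example.com:hunter2
carol@other.org:correct horse battery
Dave@Example.com:Summer2019!
eve@example.com:
"""

# Assumed: the organization owns exactly these mail domains.
ORG_DOMAINS = {"example.com"}

# Assumed: a small set of passwords already known from earlier breaches.
KNOWN_BREACHED_PASSWORDS = ["hunter2", "password", "123456"]


def parse_dump(text):
    """Parse 'email:password' lines; skip blank, malformed or password-less rows."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        email = email.strip().lower()          # normalise so Dave@Example.com matches
        if "@" not in email or not password:
            continue
        records.append((email, password))
    return records


def org_exposures(records, domains):
    """Keep only records whose e-mail belongs to one of the org's domains."""
    return [(e, p) for e, p in records if e.rsplit("@", 1)[1] in domains]


def sha1_prefix(password, n=5):
    """Split the upper-case SHA-1 hex digest into a short prefix and the remainder."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:n], digest[n:]


def build_range_index(passwords):
    """Index known breached passwords by hash prefix, as a range-query service would."""
    index = defaultdict(set)
    for pw in passwords:
        prefix, suffix = sha1_prefix(pw)
        index[prefix].add(suffix)
    return index


def check_password(password, index):
    """k-anonymity style lookup: fetch the bucket for the prefix, match the suffix locally."""
    prefix, suffix = sha1_prefix(password)
    return suffix in index.get(prefix, set())


def exposure_report(dump_text, domains, index):
    """Summarise, per employee address, how often it appears and whether the
    password is already in the known-breached set (i.e. old news vs. new exposure)."""
    report = {}
    for email, pw in org_exposures(parse_dump(dump_text), domains):
        entry = report.setdefault(email, {"count": 0, "in_known_breach_set": False})
        entry["count"] += 1
        if check_password(pw, index):
            entry["in_known_breach_set"] = True
    return report


if __name__ == "__main__":
    idx = build_range_index(KNOWN_BREACHED_PASSWORDS)
    for email, info in sorted(exposure_report(SAMPLE_DUMP, ORG_DOMAINS, idx).items()):
        print(f"{email}: seen {info['count']}x, known-breached password: {info['in_known_breach_set']}")
```

The report separates two signals a defender cares about: which employee addresses appear at all (a trigger for a forced reset and a check for password reuse on corporate systems), and whether the exposed password was already in a known-breached set, which tells you whether the finding is genuinely new. Everything here runs on local data; wiring it to a real breach-lookup API would change only where `build_range_index` gets its buckets from.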
As there aren’t many interesting findings for most companies, intelligence vendors, in order to still show value, often try to spice things up with generic reports on threat actors and threats, without real context or relevance to the organization.
Is it possible that a dark web monitoring service will find an important database leak, even for an organization that isn’t usually targeted by cybercriminals? Yes. The question is: what are the chances of that happening, is it worth paying such a premium to monitor the dark web, and wouldn’t that money be better spent on security solutions that are more effective for that specific organization?