Dark Web Monitoring

April 22, 2021

What is Dark Web Monitoring?

Dark web monitoring is the process of searching for, and tracking, your organization’s information on the dark web. Dark web monitoring tools are similar to a search engine (like Google) for the dark web. These tools help to find leaked or stolen information such as compromised passwords, breached credentials, intellectual property and other sensitive data that is being shared and sold among malicious actors operating on the dark web.

Think of the internet as three sections:

  • The surface web, which is indexed by search engines and visible to all internet users — including news and information about products and services
  • The deep web, which is made up of sites that are legitimate but not indexed by search engines, such as banking, SaaS and internal apps that are password-protected and not crawled by search engines
  • The dark web, which is made up of heavily encrypted websites hosted on servers that are not indexed by search engines

The anonymity provided by the dark web is appealing to people who want to buy or sell stolen digital credentials, credit card numbers and other personal information, as well as ransomware kits, hacking-as-a-service, and illicit goods such as drugs, fake IDs and counterfeit currency.

Businesses that monitor the dark web can find out if they’ve been breached or find indicators that they are likely to be breached, as well as possibly learn who is attacking them and what methods the attackers may use.

How Does Personal Information Get On the Dark Web?

Most of the personal data for sale on the dark web is acquired through phishing, social engineering, malware, data breaches or any combination of those methods. Full sets of data about a single person, including name, date of birth, social security number, address, etc., are packaged (referred to as “fullz”) and sold. Fullz can cost $30, depending on the value of the victim’s assets and the current market demand.

Many threat actors take it a step further and package all the personal information they steal from one or more organizations and sell it in bulk.

What Does It Mean If Your Information Is On the Dark Web?

There are two ways to answer this question. For consumers, the revelation that their information is available on the dark web usually means they should change all their passwords, keep an eye on their credit reports and consider replacing their credit cards. The reality is that, after years of huge data breaches where up to 148 million records have been stolen in a single breach, everybody’s personal information, or at least some of it, has been for sale for a while — even if an identity theft victim is only just hearing about it now. So while consumers should take the protective measures mentioned below, they shouldn’t panic.

Businesses, however, need to respond much more aggressively. They are the guardians of their customers’ data and if they expose those customers to risk, they have failed. At stake are litigation, lost brand reputation, regulatory penalties and auditing costs, along with the increased risk of future attacks as stolen logins are used in credential stuffing or other attacks.

Why Use Dark Web Monitoring?

Compromised credentials are not the only thing that businesses need to worry about on the dark web. Chatter and activity on the dark web can tip off a business that it is under attack, has already been attacked, or is associated with some other activity that poses a threat to the business, such as a breach at one of its supply chain partners. As part of an overall security strategy, dark web monitoring is akin to sending a canary into a coal mine.

In addition to scanning for data breach information, a dark web monitoring service can be used to classify risks from unknown sources. Businesses that receive alerts when their data appears on the dark web can connect those mentions to other threat sources, and use that information to profile and mitigate threats faster.

The types of risks that can be exposed through a dark web monitor include:

  • Third-party breaches
  • Data dumps to hacking forums and criminal chatrooms
  • P2P leaks
  • Accidental leaks
  • Brand misuse
  • Impersonations
  • Domain spoofing
  • Potential threats

Who Needs Dark Web Monitoring Services?

The short answer: Everybody. Any organization that is charged with protecting sensitive customer data, or that possesses valuable intellectual property, or is a popular target for hacktivists, nation-state actors or criminal activity is a good candidate for a dark web monitoring tool.

A better question is “Is dark web monitoring worth it?” Dark web monitoring provides visibility into threats that traditional security tools are not able to discover. Organizations that are committed to protecting their business and customers with a comprehensive security strategy should evaluate the potential benefits of deploying dark web monitoring in their security stack.

How Does Dark Web Monitoring Work?

Dark web monitoring continuously searches the dark web and pulls in raw intelligence in near real time. Millions of sites are monitored for specific information (e.g., corporate email addresses), or general information (e.g., the company name and industry).

The CrowdStrike Falcon X Recon™ threat intelligence solution provides easy wizards that save security teams from wasting time building complex queries while simultaneously minimizing false positives and noise. Results are displayed as user-friendly cards with information on the original threat actor posts, the actor and the site. This information can be viewed in its original language or translated into another. The translation is supplemented with augmented dictionaries, including slang.

When a threat is discovered, users can create a customized alert that notifies team members and anyone else in the organization who is relevant to the threat, such as marketing, legal, human resources or fraud teams.
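The matching and alert-routing steps described above can be sketched as follows. This is an added example, not code from Falcon X Recon or any other product. The watchlist, the routing table, the sample posts and every name in it are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Assumed watchlist and routing for a hypothetical organization (not from the page).
WATCHED_DOMAINS = {"example.com"}
BRAND_TERMS = {"example corp"}
ROUTES = {"leaked_credential": ["security", "fraud"],
          "email_exposure": ["security"],
          "lookalike_domain": ["security", "legal"],
          "brand_mention": ["marketing", "legal"]}

# local@domain, optionally followed by a combo-list separator and a secret.
EMAIL_RE = re.compile(r"([\w.%+-]+)@([\w-]+(?:\.[\w-]+)+)(?:[:;|](\S+))?")

@dataclass(frozen=True)
class Alert:
    source: str
    kind: str
    indicator: str   # never holds the leaked secret itself

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss (spoofed) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def scan(source, text, max_distance=1):
    """Return de-duplicated alerts for one collected post."""
    alerts = []
    for local, domain, secret in EMAIL_RE.findall(text):
        domain = domain.lower()
        if domain in WATCHED_DOMAINS:
            kind = "leaked_credential" if secret else "email_exposure"
            alerts.append(Alert(source, kind, f"{local.lower()}@{domain}"))
        elif any(edit_distance(domain, d) <= max_distance for d in WATCHED_DOMAINS):
            alerts.append(Alert(source, "lookalike_domain", domain))
    alerts += [Alert(source, "brand_mention", t) for t in BRAND_TERMS if t in text.lower()]
    return list(dict.fromkeys(alerts))   # keep order, drop repeats

# Constructed sample posts, standing in for raw collected intelligence.
POSTS = [
    ("forum-a/post-1", "fresh combo: jdoe@example.com:Summer2021! asmith@other.org:hunter2"),
    ("paste-b/77", "phish kit for Example Corp staff, sender it-help@examp1e.com"),
    ("market-c/9", "selling fake IDs, fast shipping"),
]

if __name__ == "__main__":
    for src, body in POSTS:
        for a in scan(src, body):
            print(a.kind, a.indicator, "->", ", ".join(ROUTES[a.kind]))
```

The alert records carry only the affected address or domain, so the leaked secret is not copied into ticketing or chat systems. Raising `max_distance` catches more spoofed domains at the cost of more false positives.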

Features of Dark Web Monitoring

1. Threat intelligence. The data captured by the dark web monitoring solution can be fed into automated threat intelligence systems and used to enrich that data.

2. Threat hunting. Threat hunters can use dark web monitoring to speed their hunting and develop a more comprehensive understanding of attackers and their methods.

3. Faster incident response. Investigation and response workflows can be used to mitigate threats as rapidly as possible.

4. Integration into security platform. The data collected can be sent to other systems to formulate more accurate insights from the entire security stack.

How to Protect Your Information From the Dark Web?

The steps to protect your data from the dark web are the same as protecting your data from any type of exfiltration: secure your endpoints, filter your traffic and segment your network.

  • Conduct security awareness training regularly
  • Educate users about risks common to remote work, especially on BYOD
  • Use password managers and have a password expiration policy
  • Implement single sign-on and multifactor authentication
  • Implement and prioritize a vulnerability management program
  • Segment the network to prevent lateral movement
  • Enable unified visibility into the entire environment