Deep and Dark Web Monitoring: Tracking the Evolving Landscape

When you think of the dark web, you might envision a masked man selling stolen identities from his basement, the dramatic intertwining of underground hacker groups and state actors’ plots to destroy companies and/or society as seen in Mr. Robot (highly recommend), or a great place to buy cheap prescription drugs. Perhaps you’ve seen a clichéd picture of an ominous-looking iceberg. Basically, you’ve heard of some pretty bad stuff out there.

All joking aside (please consult your doctor for any medications), there’s no need to panic. For many seasoned security professionals, the threats on the dark web are familiar and very real. The dark web is another tool that bad actors can use and is an important digital landscape to monitor for risks. It is designed for anonymity, and is not inherently good or evil.  Privacy advocates claim it has a noble mission, and arguably it does achieve some good. Prime example: journalists use the dark web among other tools to research safely, collect tips, and publish in countries without a free press, providing truth to power in some of the most dangerous parts of the world.

Defining surface, deep and dark web

First, a few definitions. The internet is composed of different “layers”:

  • Surface web – Indexable, searchable (and findable) sites and web content. Anything that a search engine can find is accessible on the surface web.
  • Deep web – Not indexed or searchable web sites and content, typically requiring authentication.
  • Dark web – A portion of the web that requires use of special protocols and/or browsers and that provides some level of anonymity for users.

Traditionally, when people referred to the dark web they probably meant web traffic that was only accessible through The Onion Router, aka Tor. Tor was developed on behalf of the US Navy with the goal of secure government communications. The Tor browser utilizes multiple relays, i.e. it routes traffic through multiple servers, effectively obfuscating your IP address from destination sites and anyone monitoring traffic. The websites that are only accessible via Tor, ending in the .onion top-level domain, still account for most of the content on the dark web. This includes notable sites like the Dream Market and Valhalla.

The changing landscape of the dark web

With some high-profile takedowns of popular onion sites, like the Silk Road, some sites are attempting new strategies for remaining anonymous yet accessible to their target audience. Several new darknets, like I2P and ZeroNet, have emerged to improve upon aspects of Tor. Again, many of them have wholesome goals, but they have now become playing fields for cyber criminals. We also see many sites move to the deep web as invite-only sites, which offer services like stolen credit cards for sale. Further, many of these sites will advertise on the surface web through paste sites or social media posts, which are often quickly taken down.

More important than understanding the increasingly blurred lines between surface, deep, and dark is understanding the evolving technology and tactics threat actors are using, and the new risks posed to your business, people, and customers.

Types of threats we encounter on the dark web

When it comes to identifying threats to your brand on the dark web, the sites that often pose the greatest risk to your business are the hardest to gain access to or even identify. For many modern businesses that lack the institutional knowledge and skills required to monitor and find these risks in-house, it can be difficult to know where to start.

ZeroFox continuously scans millions of dark web posts, offering brands and businesses of all sizes deep and dark web monitoring. Specifically, some of the most relevant threats we find include:

  • Physical threats, doxxing, and chatter against top executives, public servants/figures, and journalists
  • Consumer data for sale or exposed, often credit card dumps and credentials leaks
  • Distribution of copyrighted materials, movies, music and TV
  • Hacking techniques, vulnerabilities, and planned attacks on cyber forums
  • Illegal sales of drugs, counterfeit/stolen goods, proprietary technology

In summary

When it comes to deep and dark web monitoring, it can be difficult to go it alone. With a broad range of sites and content, monitoring and identifying threats to your business is a full-time job. Tools like ZeroFox offer comprehensive deep and dark web monitoring, alerting your team to early warning signs and threats posted on these channels, and giving your team the critical visibility and contextual analysis you need to understand your threat landscape.