Why Should Threat Intelligence Teams Care About Dark Web Security?


The dark web can be useful for finding valuable data that informs the types of threats a company is facing, as well as supporting a more nuanced understanding of its risk profile. However, data related to dark web security can be hard to find and is often unreliable. As-a-service offerings, data dumps and general chatter about an organization can all be very valuable data points that inform a robust security posture for threat intelligence teams. However, validating each data point is crucial to avoid wasted resources. The resources required to find the data in the first place, and then to validate it, will be significant.

It’s essential that security teams focus their dark web efforts appropriately. While there is plenty of criminal activity on the web, focusing on the specific threats to your business will allow you to cut through the noise and understand your organization’s unique risk profile. In this post, we'll discuss where security teams should focus their dark web intelligence efforts to maximize effectiveness in addressing key attack techniques.

Valuable Data Used for Dark Web Security

The dark web can be used for gathering data on things such as hacking as a service, data breaches and intelligence gathering on the latest scams that could affect a company or its customers. In this section, we'll walk through a few categories of dark web activity that are useful for threat intelligence teams to understand and remain knowledgeable about.

Intelligence on As-a-Service Offerings 

One of the dark web trends that came into prominence in 2017 and has increased in popularity ever since is ‘as-a-service offerings.’ These services involve a seller advertising their product or service on dark web marketplaces and forums and listing prices for each type. Phishing kits are perhaps the most prominent of these offerings and offer lucrative financial rewards for developers. These types of services are only increasing in popularity. Today it is estimated that 6,000 criminal marketplaces sell a total of 45,000 malware-related products and services.

Understanding how these kits work and what threat they could pose to your organization is vital to ensure sufficient monitoring is in place to pick up any activity attributable to this type of attack vector. ZeroFox has observed large and small companies being targeted with these types of attacks. It is critical to monitor the dark web to find early warning if your organization is a target.

Malware-as-a-Service Techniques

In the wake of the increasing threat of ransomware attacks, malware-as-a-service has become a valuable tool for both buyers and sellers who develop and pursue cyber exploits. When providing this service, the only consideration for sellers is scalability, particularly when the buyer is likely to have limited technical skills. In 2019, polymorphic malware - malware that constantly changes its identifiable attributes to evade detection - accounted for almost 94% of all malware. This type of malware allows for sustained attacks, resulting in a higher chance of receiving the ransom payout. Finding new types of malware for sale can help security teams assess whether their organization's current security infrastructure is sufficient should it become a target - while taking into consideration the malware's potential for future mutations.

Phishing Kit Detection

The demand for phishing kits has increased significantly in recent years. Like other as-a-service offerings, sellers will advertise the contents of a phishing kit on a marketplace or forum and subsequently provide instructions on deploying it. The kits are designed to be easy to use, and generally the buyer will only need a hosting platform in order to deploy one. Gathering intelligence on how these kits work can be valuable in drafting an effective detection and removal strategy for the sites they produce.

Similarly, valuable intelligence can be found in dark web discussion forums on the latest techniques being used to launch more traditional phishing campaigns - such as smishing, vishing and spear phishing. This can be useful to ensure that employee training on how to spot a phishing attempt is up to date.

Zero-Day Exploits

Selling zero-day exploits on the dark web is a lucrative business, as sellers can make significantly more money selling this way rather than through official bug bounty programs. An example of this is when a Zoom vulnerability that allowed remote-code execution on Windows computers was reportedly for sale on the dark web for $500,000 in April 2020. The high-value zero-days are generally advertised for sale on password-protected marketplaces or sections of forums. The first challenge with this is gaining access and then maintaining it. Validating the vulnerability (where sometimes it isn’t even known what the vulnerability is until it has been paid for) is the second and most difficult challenge. Part of this validity assessment requires knowledge of the reputation of the person advertising the exploit, which can be yet another challenge. There are a lot of scams on the dark web and this needs to be considered - which is why it is inadvisable to pay for these exploits. There are other ways to get information on zero-days without paying for it on the dark web. Once acquired, an organization can then put additional defense measures in place until a patch is available. 

Dark Web Security on Industry-Related Scams 

Gathering data on emerging or current scams affecting a specific industry can be helpful in proactively implementing controls to protect a company’s customers from them. For example, keeping up to date on banking, credit card and other financial scams and fraud is invaluable for the financial sector. Financial services companies are highly targeted by criminals for the monetary value they hold and the volume of customer data they keep. Dark web marketplaces sell all manner of finance-related illicit products such as leaked credit card numbers, prepaid gift cards or credit cards, online login credentials, instructions on bypassing a bank’s security controls and fraudulent loans. 

Identification of Leaked Data

Determining whether your company’s or your customers’ data has been leaked on the dark web can be crucial. The sale of personal data on the dark web has become hugely popular over recent years in the wake of so many high-profile data breaches. Login details, bank account numbers, medical records, passwords, passport numbers, driving licenses, address details and more are all highly valuable pieces of data for criminals. Protecting this type of data is vital from a regulatory perspective. The impact of stolen data being sold on the dark web - either the company’s or its customers’ - can be significant and include identity theft, fraud, emotional distress, debt, reputational damage, revenue loss and regulatory sanction. 

Awareness of Attack Planning and General Chatter 

Ensuring awareness of your company’s exposure on the dark web will help to determine whether it is a target for a potential attack. Gaining regular insight into whether the company is being discussed in forums is ideal for gauging sentiment on the dark web and for pre-empting any nefarious activity.

Dark Web Security Challenges

Whilst there is undoubtedly valuable data that can be used to inform a company’s dark web security strategy and response, there are significant drawbacks to gathering this data. Firstly, the contours of the dark web are continuously changing to avoid detection and evade law enforcement, which makes sustained access a significant obstacle. Much of the most valuable data is in hard-to-access communication channels or forums that require carefully crafted and maintained personas to avoid detection or exposure. Interacting with some of these communication channels and forums carries a risk to the person and the infrastructure used to carry out the information collection. Logging of IPs and other rudimentary defensive measures are common, and there is an increased likelihood of the systems used to access these forums being targeted.

Secondly, the reliability of data is always dubious. Extracting valuable data requires a sustained effort to monitor, track and understand individual personas on the forums of interest - and finding those forums in the first place can be a challenge in itself. But determining the reliability of the data is critical to deciding what action should be taken. Any action has to be proportionate to the risk the data presents, avoiding both overreaction and underreaction. For example, unnecessary panic and a negative customer experience could be caused if it was communicated that customers’ details had been found in a third-party data breach, when actually that data dump was compiled from old breaches. Conversely, not communicating to customers that their data has been breached leaves them at risk of fraud. Thus, reliability is key to determining what level of remediation - if any - is required.

In order to conduct this reliability assessment, significant resources may be required depending on what the data is. Adding this to the resources required to find the data in the first place means the whole process is labor-intensive, with no guarantee of the work paying off. Establishing the context of the data here is crucial to validating it so it can be incorporated into the company’s broader dataset.
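One concrete form of the reliability check described above is to compare a newly advertised data dump against records the organization already knows were exposed in earlier, disclosed breaches: a dump that is mostly recycled warrants a different response from one that is mostly new. The following is an added illustration, not ZeroFox tooling; the records, the hash-like values and the 25% escalation threshold are all constructed assumptions.

```python
"""Triage an advertised credential dump against previously known breach records.

Added example (not ZeroFox's own code). Each record is (email, password_hash).
All sample values below are constructed; the threshold is an assumed policy knob.
"""
from dataclasses import dataclass, field

# Constructed sample: records already known from prior, disclosed breaches.
KNOWN_BREACH_RECORDS = {
    ("alice@example.com", "hash-a1"),
    ("bob@example.com", "hash-b2"),
    ("carol@example.com", "hash-c3"),
}

# Constructed sample: a dump advertised on a forum as a "fresh" breach.
ADVERTISED_DUMP = [
    ("Alice@Example.com", "HASH-A1"),   # case differs, still a recycled record
    ("bob@example.com", "hash-b2"),
    ("carol@example.com", "hash-c3"),
    ("dave@example.com", "hash-d4"),    # not seen before: genuinely novel
]


@dataclass
class DumpAssessment:
    total: int
    recycled: int
    novel: list = field(default_factory=list)

    @property
    def novel_ratio(self) -> float:
        return len(self.novel) / self.total if self.total else 0.0


def assess_dump(dump, known) -> DumpAssessment:
    """Split a dump into recycled (already-known) and novel records."""
    # Normalise so trivial case differences do not hide a match.
    normalised = {(e.strip().lower(), h.strip().lower()) for e, h in dump}
    novel = sorted(r for r in normalised if r not in known)
    return DumpAssessment(total=len(normalised),
                          recycled=len(normalised) - len(novel), novel=novel)


def recommended_action(a: DumpAssessment, novel_threshold: float = 0.25) -> str:
    """Assumed policy: escalate only when the share of novel records is material."""
    if a.total == 0:
        return "discard: empty dump"
    if a.novel_ratio > novel_threshold:
        return "escalate: investigate source and prepare customer notification"
    return "low priority: mostly recycled data; verify novel records individually"
```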

The Value of Dark Web Security for Threat Intelligence Teams

Ensuring awareness of your company’s exposure on the dark web will help to determine whether it is a target for a potential attack. Gaining regular insight into whether the company is being discussed in forums is an ideal way to gauge sentiment on the dark web and pre-empt any nefarious activity, or at least provide time to harden defenses and take mitigation actions. The time spent gathering the data and on subsequent analysis must be weighed against its potential benefit. All of this needs to be done while taking into consideration that any remediation actions are likely to be reactive. The data may already be out there, and the damage may have already been done. Actions may need to focus on root cause analysis and how existing controls failed, which in itself can be valuable by leading to the implementation of a more robust security framework.

Published data on the dark web is invaluable. For many companies, allowing it to continue to be a blind spot is risky at best. Monitoring the dark web has the potential to unveil data and intelligence that simply couldn’t be found anywhere else. The first challenge is maintaining an appropriate persona and finding that data in the first place - and the second is validating its reliability. Both will require a lot of time, effort and skill to initiate and sustain for the future. While monitoring the dark web is time-consuming, it has become a necessary element of any strong threat intelligence program. Understanding where to focus those efforts is critical to finding and addressing threats at scale. Learn more about the TTPs threat actors leverage on the dark web and where to focus dark web security efforts in our research report, Fact vs. Fear: Dark Web Trends Security Teams Need to Focus On.

Tags: Deep & Dark Web
