Hitchhiker’s Guide to the Dark Web: A Primer


While you may not yet have read our Hitchhiker’s Guide to the Dark Web, I wanted to take this opportunity to suggest that you do. And that you share it with friends and colleagues who may not have the same level of technical expertise as you. It was created specifically to demystify the dark web for people who aren’t cybersecurity experts. Most enterprises, and organizations in general, are exposed to cyber threats and have to deal with the associated risks. And most people that work for them are probably curious about this dark side of the internet.

Most everything I see about the dark web in the media and elsewhere is focused on how it’s a really scary place – that it is where online criminals hang out, sell stolen stuff, launder money, and carry out their nefarious activities. While this no doubt is true, it is a limited view that lacks context – and ignores the parts of the dark web designed to protect vulnerable populations. Furthermore, the dark web FUD (fear, uncertainty, and doubt) doesn’t actually help people in corporate C-suites, and generally in non-technical business roles, better understand how they can proactively protect their organizations from such risks. So here’s a brief look at how the dark web works, how it originally came about, and why. It might surprise you.

How the dark web works

The dark web is an awful lot like the web that we all use regularly (known as the “surface web”). You can browse. You visit websites. You get information, socialize, and buy things. The big difference is that in the underground economy, this all happens in a separate, somewhat secret, portion of the internet that uses different “plumbing” (software infrastructure) than what’s used on the surface web.


Figure 1: The Internet Iceberg, source: AON

To access the dark web, however, you need to use a different browser than what you use today – the TOR browser. With a TOR browser, you can access websites and forums that you can’t visit with a standard browser – those that don’t use the .com, .org or .gov suffix but purposefully use the .onion suffix. These websites can be hard to find, however. They are not indexed by Google or other search engines and therefore, can’t be found using standard online search methods. What makes the TOR browser so special and why onion?

TOR is short for “The Onion Router.” The TOR browser works with a separate set of plumbing on the internet invented in the mid-1990s using a technology called “Onion Routing.” More on this shortly, but in summary, by using a TOR browser and its associated network, people are provided with an exceptional level of anonymity in everything they do online. So at its core, TOR was one of the earliest technologies built to offer digital privacy to web users. 

TOR: why was it created?

Oddly enough, the U.S. government created Onion Routing in the 1990s with the goal of addressing the “lack of security on the internet and its ability to be used for tracking and surveillance.” In 1995, researchers at the U.S. Naval Research Lab (NRL) looked at how to enable anonymous communications over the internet, creating internet connections that didn’t reveal who was talking with whom, even to a party that might be monitoring that interaction. Their original purpose was to give government agencies a means to communicate across the internet without fear of eavesdropping or surveillance.

Figure 2: The Onion Router

The NRL came up with an idea for achieving this by sending encrypted data through a distributed network of relays (routers). The “onion” name comes from the fact that the technology wraps each interaction with layers of encryption that are “peeled off” as it passes through each relay, just like an onion. The result was that “each node only knows the location of the previous node along with the location of the next node. The current node does not know if the previous node is the originator or just another node, ensuring that the sender’s identity is kept anonymous.”
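The layering described above can be shown with a small simulation. This is an added example, not code from the original article or from the Tor project: the relay names, keys, destination and message are constructed, and a toy HMAC-based stream cipher stands in for the real cryptography.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode); a stand-in, not Tor's real crypto."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """Add one layer: encrypt the next hop's name plus the inner blob under one relay's key."""
    nonce = os.urandom(16)
    header = next_hop.encode()
    return nonce + keystream_xor(key, nonce, bytes([len(header)]) + header + inner)

def peel(key: bytes, blob: bytes):
    """Remove one layer: return (next_hop, inner blob) as seen by the relay holding 'key'."""
    plain = keystream_xor(key, blob[:16], blob[16:])
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]

def build_onion(path, keys, destination, payload):
    """Client side: wrap the exit relay's layer first and the entry relay's layer last."""
    hops = path[1:] + [destination]
    blob = payload
    for relay, next_hop in reversed(list(zip(path, hops))):
        blob = wrap(keys[relay], next_hop, blob)
    return blob

def route(path, keys, sender, onion):
    """Walk the circuit and record what each relay can observe."""
    seen, prev, blob = {}, sender, onion
    for relay in path:
        next_hop, blob = peel(keys[relay], blob)
        seen[relay] = {"prev": prev, "next": next_hop, "forwarded": blob}
        prev = relay
    return seen, blob

# Constructed sample circuit: relay names, keys, destination and message are made up.
PATH = ["entry", "middle", "exit"]
KEYS = {name: os.urandom(32) for name in PATH}
PAYLOAD = b"GET /index.html"
ONION = build_onion(PATH, KEYS, "example.onion", PAYLOAD)
SEEN, DELIVERED = route(PATH, KEYS, "client", ONION)
```

In `SEEN`, each relay's record holds only its neighbours and the blob it forwards; only the exit relay's forwarded blob is the cleartext message, and that relay's previous hop is the middle relay, not the sender.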

Evolution of the dark web

Initially, as TOR was distributed for use by the general public, its privacy-focused capabilities were used for noble purposes. When autocratic governments oppressed citizens, limiting freedoms – of speech, self-expression, among others – the TOR developers provided individuals with access to blocked websites, empowering them to communicate and share ideas on social media with anonymity to address real fears of reprisal. In 2010, it was used broadly by individuals during the Arab Spring.

More recently, of course, it has become better known for the illicit activities that take place on the .onion sites that proliferate on the dark web. Among these are online marketplaces (you can think of them as being just like Amazon, except for illegal stuff) where purchases are made anonymously, negotiated using encrypted messaging tools, and paid for with cryptocurrency.

There are also sites where information that is stolen from organizations (often sensitive personal data of their customers) through data breaches is packaged and sold to criminals who will monetize it in various ways. These tactics often harm not only the organization that has been victimized by adversaries – but also the customers of these organizations. Across the underground economy, there are ecosystems where criminals can buy various kinds of software-as-a-service (SaaS) offerings that enable non-technical cybercriminals to deploy ransomware, phishing, malware, and other types of effective attacks.

Digital privacy matters

Since the creation of TOR, the topic of digital privacy has become increasingly top-of-mind for people, organizations, legislators, and Big Tech. Today, there is broad recognition that internet users (which is the majority of people) need certain rights to digital privacy. But this has become very complicated. The delicate balance between increasingly more personalized services from online service providers (think Facebook) and honoring people’s right to digital privacy seems to have swung way too far in the direction of the Wild West. 

There has been greater recognition, however, in recent years that this trajectory cannot continue. People must have a right to digital privacy and that needs to be accommodated and respected by those that provide online services and monetize them. In executing on digital transformation strategies, organizations have learned the importance of developing and maintaining a trusted relationship with their customers online – and respecting their digital privacy is part and parcel to achieving that goal.    

How to protect your organization

As we all know, “knowledge is power.” Understanding the dark web – and distinguishing fact from fear-mongering – is a good first step towards determining what to do next. Every organization faces cyber threats as business increasingly originates online, in shared spaces outside the corporate perimeter. It is imperative to maintain a level of threat intelligence and digital risk protection against malicious activity that can originate from the dark web, its environments, and its actors. Do check out our Hitchhiker’s Guide to the Dark Web and share it with colleagues.

Ultimately, you are responsible for protecting the digital privacy of your customers, employees, and other stakeholders. Every organization faces vulnerabilities that result in onerous risks to the trusted relationships between the brand and its customers. That is where ZeroFox comes in. We are the #1 company in digital risk protection services that protects organizations, brands, people, and IP from compromise. Click here if you want to learn more. What have you got to lose?
