What is Dark Web Monitoring? How to Adapt to Emerging Threats


In today’s threat landscape, continuous monitoring of deep and dark web channels should be a central part of any security stack. These channels encompass a portion of the internet that provides a level of privacy and anonymity that is very appealing to threat actors. It’s a “safe place” for malicious activity to run rampant and includes a wide range of illicit activities ranging from trafficking stolen personal information to illegal weapon and drug sales.

The surface web can be indexed by search engines and is much easier to monitor. The deep web, by contrast, refers to online sites and content that traditional search engines cannot index. The dark web is a subset of the deep web: it refers to content that can only be accessed through user-specific software, configurations or authorizations. These channels are concealed from search engines and permit users to hide IP addresses.

The deep web is much larger than the surface web, because it includes a massive amount of content that is not accessible to search engines. This includes information in password-protected online databases and sites protected by CAPTCHA technology. The dark web, however, includes only a few thousand sites and is a relatively small portion of the deep web. In reality, many more digital threats appear on the surface web than on the dark web. However, lack of quantity is not necessarily a lack of danger. Many severe threats to organizations can only be found on the dark web. That means that an effective threat intelligence program must include dark web monitoring as part of a comprehensive approach to visibility across digital channels.

Aspects of Surface, Deep and Dark Web Channels

Threat actors operate in all three of these areas, so it’s imperative to look expansively. It’s essential to have a firm understanding of what dark web monitoring entails and what this strategy provides security teams who are continuously adapting to emerging threats.

Benefits of Dark Web Monitoring 

Deep and dark web monitoring helps to provide immediate detection and remediation of cyber threats. This can include threats tied to data leakage, planned and operationalized attack campaigns, and the sales and marketing of breached data such as stolen credit cards, account information, PINs, passwords, social security numbers and more.

However, the deep and dark web is vast and includes encrypted sites, forums, marketplaces and covert networks such as Tor, I2P and ZeroNet. These networks constantly evolve and require continuous effort and dedicated resources to monitor high-value marketplaces and communication channels. Deep and dark web monitoring and protection are becoming more prevalent as threats continue to increase each year.

Example of Dark Web Covert Network Browser
Example of Dark Web Illicit Marketplace Activity

Effective monitoring should include a wide range of deep and dark web channels as well as automatic threat detection and alerts based on risk and severity. This equips a team of specialized threat intelligence analysts with curated and complete contextual analysis and reporting. Keep in mind, however, that this often requires a platform built for this sort of threat detection that enables teams to take quick action when necessary.

Real-World Dark Web Monitoring

In the screenshot below, you can see an encrypted site ending in “tor.onion”. This is a commonly used top-level domain that is accessible through Tor. Because of their anonymity, .onion sites are often used by adversaries for nefarious purposes. In this example, a threat actor has access to stolen login credentials and is selling them on this dark web marketplace. The adversary’s posted data includes customer credentials for a ZeroFox protected entity, which is an online banking portal site. This puts customers’ sensitive information, including account details and financial records, at risk of compromise. Additionally, this opens the door to fraud, phishing and more. If exploited, this can also result in regulatory penalties, irreversible damage to the brand’s reputation and strained customer relations.

Example of “tor.onion” Encrypted Site

As highlighted in our latest report, Fact vs. Fear: Dark Web Trends Security Teams Need to Focus On, since the second half of 2019, ZeroFox has observed and tracked over two dozen primarily Tor-hosted leak sites stood up by ransomware gangs to dump the data of non-compliant victims. Besides data exposure, some groups tested other tactics alongside their successful ransomware distribution, such as Distributed Denial of Service (DDoS) attacks, victim shaming through social media advertisements, cold-calling victims who refuse to pay, and messaging customers, not just corporate representatives, of targeted companies with extortion threats.

ZeroFox Reporting on Dark Web Ransomware Leak Sites in 2020

An effective security team must monitor and maintain access to thousands of deep and dark web channels. The screenshot below illustrates this level of diligence. You can see the AI-based analysis has detected the leaked credential threat and automatically alerted the security team. Additionally, investigative threat analysts should provide further context based on years of tradecraft experience once they receive this information. With the insight this alert provides, financial service providers can take the necessary steps to inform account-holding customers, quickly resolve the situation and mitigate the risk. In this example, the ZeroFox platform automated this process by performing checks on specified credentials through our Active Directory integration. This gives our team the ability to disable login passwords proactively or require a password reset when a compromised credential alert is detected for users’ email addresses.

ZeroFox Platform: Compromised Credentials Alert

Content itself cannot be taken down from the deep and dark web. However, proactive mitigation efforts and specialized policy rules configured in an automated platform can help teams gain early warning into emerging threats and secure critical assets before damage is done.
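The compromised-credential check described above can be expressed as a small policy rule. The following is an added example, not ZeroFox platform code: the directory is a constructed in-memory stand-in for an Active Directory lookup, the alert records are constructed samples, and the action names (`disable_login`, `force_reset`, `monitor`) are hypothetical policy labels.

```python
import hashlib
import hmac
from datetime import date

def hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash used by the stand-in directory below."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def user(password, salt, last_set, enabled=True):
    return {"salt": salt, "hash": hash_pw(password, salt),
            "pwd_last_set": last_set, "enabled": enabled}

# Constructed stand-in for the directory (assumption: a real Active Directory
# integration would validate the credential through the directory itself).
DIRECTORY = {
    "alice@example.com": user("Winter2020!", b"a1", date(2020, 1, 10)),
    "bob@example.com": user("N3w-Passphrase", b"b2", date(2019, 6, 1)),
    "carol@example.com": user("Rotated#2021", b"c3", date(2021, 1, 15)),
    "dave@example.com": user("Unused-0ld", b"d4", date(2018, 3, 3), enabled=False),
}

# Constructed alert records, shaped like a leaked-credential feed.
ALERTS = [
    {"email": " Alice@Example.com ", "password": "Winter2020!", "seen": date(2020, 11, 2)},
    {"email": "bob@example.com", "password": "OldPass1", "seen": date(2020, 11, 2)},
    {"email": "carol@example.com", "password": "Summer19", "seen": date(2020, 11, 2)},
    {"email": "dave@example.com", "password": "Unused-0ld", "seen": date(2020, 11, 2)},
    {"email": "eve@other.example", "password": "whatever", "seen": date(2020, 11, 2)},
]

def triage(alert, directory):
    """Map one alert to an action without logging the leaked password."""
    account = directory.get(alert["email"].strip().lower())
    if account is None:
        return "no_account"            # address is not one of ours
    if not account["enabled"]:
        return "already_disabled"
    candidate = hash_pw(alert["password"], account["salt"])
    if hmac.compare_digest(candidate, account["hash"]):
        return "disable_login"         # leaked password is still live
    if account["pwd_last_set"] <= alert["seen"]:
        return "force_reset"           # not rotated since the leak was seen
    return "monitor"                   # password changed after the leak

def triage_all(alerts, directory):
    return {a["email"].strip().lower(): triage(a, directory) for a in alerts}

if __name__ == "__main__":
    for email, action in triage_all(ALERTS, DIRECTORY).items():
        print(f"{email}: {action}")
```

The output carries only the address and the action, so the leaked password never reaches logs or tickets.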

Key Features of Dark Web Monitoring

Dark web monitoring is vital for many reasons. However, there are two very specific areas that threat intelligence analysts seek to monitor:

Attack planning and emerging threats

Cybercriminals use dark web forums and chat rooms to discuss potential targets, to recruit accomplices and to exchange information about Tactics, Techniques and Procedures (TTPs) for conducting attacks. Threat actors also use marketplaces on the dark web to buy and sell exploit kits, hacking services, tools for conducting Distributed Denial of Service (DDoS) and phishing attacks, just to name a few. 

If you monitor “attack chatter” on the dark web, you may be able to uncover: 

  • Specific mentions of your organization, brands and executives as potential or actual targets of attacks. 
  • Discussions of vulnerabilities in, or planned attacks against, software applications, devices and infrastructure components used by your organization. 
  • New TTPs that could successfully victimize your employees or circumvent your security controls. 

There are even documented cases of cybercriminals and state-sponsored hackers using dark web forums to recruit company and government agency insiders to help them carry out fraud, conduct insider trading and more.

Evidence of ongoing and successful attacks

Dark web forums and marketplaces can provide evidence of attacks in various stages of execution. In forums and chat rooms, you might find discussions of vulnerabilities found in the infrastructure of specific organizations. In hacker marketplaces, you might find items for sale that were captured from your employees and databases, including sensitive personal information and login credentials. You might discover deep web marketplaces selling pirated content and other copyrighted materials to illegal resellers. Paste sites and repositories on the dark web often contain stolen software code and intellectual property such as engineering designs.

Next Steps for Effective Dark Web Monitoring 

A sound deep and dark web monitoring and protection solution should enable teams to:

  • Maintain awareness over these channels,
  • Harden defenses and proactively mitigate the threat, and
  • Gain visibility into early warning signs of attack planning and chatter.

You can’t monitor the dark web successfully without the right technologies, but you also need trained people. This includes analysts with the right experience and skills to overcome the barriers to access information found on the dark web as well as to deploy, train and tune search and analysis tools. Experts also add context to findings so risks can be mitigated quickly by removing vulnerabilities and strengthening defenses.

Request a demo of the ZeroFox platform today to discover how we can help your team gain protection coverage across the deep and dark web, as well as manage other security risks emerging on your organization’s public attack surface.
