Shining a light on the dark web

27 November 2019

If you were given a pound for every time you saw a cybersecurity or hacking story, the chances are you’d have given up work by now and be lounging by a pool somewhere like Dubai, the city in which I currently sit writing this article.

No, I’m not on holiday and neither have I retired – I’ve just spent a few days at the GITEX conference witnessing how almost every 5G and IoT presentation is punctuated with tales of, you guessed it, cybersecurity.

We know that hacking has long been the bête noire of the IT sector and it’s not going to go away anytime soon, if ever. However, what’s less talked about is where enterprises’ data actually ends up and how it changes hands.

One such marketplace is the dark web, a network which allows users to explore the internet anonymously without a tracked IP address.

According to Marc Laliberte, senior security analyst at WatchGuard Technologies, the dark web or dark net itself isn’t necessarily a threat to enterprises because it’s relatively easy to identify and block access to it from corporate networks. However, there’s a “but” coming.

“The real danger the dark web poses to companies is the information exchange that it facilitates,” he says. “Cyber criminals can use dark web marketplaces and forums to anonymously sell and share stolen data like user credentials, PII and trade secrets.”

James Maude, head of threat research at Netacea agrees and says the dark web offers a degree of anonymity and privacy that makes it a natural breeding ground for various forms of criminal activity. “From Hacking as a Service (HaaS) to databases of stolen credentials, there are a variety of threats that can affect enterprises,” he adds.

The dark web sounds like such an ominous title, you’d be forgiven for thinking the entire thing is a nefarious set up. However, it may surprise you that it was built with good intentions.

“The dark web is often misrepresented as a cesspit of criminal activity, with forums selling everything from passports to drugs and even guns,” adds Maude. “However, it was born from a dream of privacy and freedom of speech, in a time where governments increasingly sought to control and monitor internet use. In many cases, the dark web allows individuals to discuss ideas openly in countries with oppressive governments or whistle-blow on corruption.”

Laliberte points to the fact there are “actually a few different dark web networks” like The Onion Router (Tor) and the Invisible Internet Project (I2P). Tor, the most popular flavour of dark web networks, was originally created with the help of the US government.

“The United States Naval Research Laboratory and the Defence Advanced Research Projects Agency (DARPA) both had a hand in developing the technology behind the dark web with the goal of protecting intelligence communications from agents embedded in foreign nations,” Laliberte says. “As with most useful tools, it didn’t take long for cyber criminals to hop on board too.” 

Julien Patriaca, cybersecurity expert at Wallix, says that while Tor was originally developed as a means for the US government to privately explore the internet, it has evolved to become a not-for-profit “company” and is freely available to the public.

“The overall goal is to create a sense of freedom and anonymity for the user, allowing them to browse with complete freedom and privacy,” he says. “In more regulated regions we also see the dark net used as a way to avoid censorship, as users have access to the entire open web, which otherwise would be restricted through government firewalls.”

Regardless of where it came from, the dark web is now in a very different place from where it started, because it tends to be used for ill-gotten gains.

However, Patriaca says it’s easy to label the dark web as a threat due to the anonymity it instils, but it is not the network itself which is a threat. “Not everyone who uses the dark net is seeking to do so for criminal intentions, however, due to the elevated level of security and the ability to browse freely and anonymously it has become a hotbed for cybercrime,” he adds. “A virtual black market has opened on the dark web making it easier for hackers to collaborate, share tactics and to buy and sell goods, data and intellectual property that would otherwise be illegal. While to some extent this promotes criminal activity, it is not the network but the hackers and cyber criminals who use it that enterprises need to safeguard against.”


Cybercrime is on the rise and it is a serious threat to businesses of all sizes, so Patriaca says “as we continue to evolve in today’s digital society”, hackers will continue to look for new ways to penetrate the network with or without the communication available on the dark net. “Therefore, businesses need to ensure their security protocols are evolved and can adapt to meet these threats,” he says.

Still, if the network itself poses no direct harm to enterprises, here’s why they should still care about it.

“There are few worse feelings as a business executive than receiving a call (from the authorities) to inform you that they’ve found your organisation’s data for sale on the dark web,” says Laliberte. “An entire industry is now built around dark web scanning. That is, looking for stolen information on the dark web as another means to identify when you may have been the victim of a breach.”

He adds that “any data that is valuable to your business” is valuable to an attacker and everything from trade secrets to customer records are potentially profitable targets for cyber criminals. “Even something as simple as your authentication database can be worth a lot to the right person though,” he says. “Credential re-use is still rampant in all industries, which means a password dump can compound into even more breaches down the line.”

So, what’s the worst that can happen?

That very much depends on the business, argues Maude, however, one of the biggest risks he says is breached customer data and customers’ personally identifiable information (PII), appearing for sale on a dark web forum.

“Many businesses invest heavily in security technologies to prevent backdoors in databases and systems being exploited to steal information, while neglecting the front door such as customer login forms,” he continues. “These front doors are often vulnerable to credential stuffing. In this instance, attackers take combinations of usernames and passwords – that are readily accessible for purchase on the dark web – to directly hijack customer accounts.”

For Patriaca, the worst outcome for a business is the loss of intellectual property to cyber criminals. “This can be a major catastrophe, not only impacting a business’s day-to-day operations but if this information is passed on or sold to a competitor the long-term impact could be detrimental. Customers could lose trust in the business and if you have a unique proposition in the market this will no longer be the case, significantly impacting revenue and business opportunities.”

For any industry or business to succeed, the old adage “supply and demand” has to be examined. We know the dark web is flourishing, but just how do you put in an order for what you want?

That’s where HaaS comes in.

“Cyber-crime in general is becoming increasingly commoditised, with off-the-shelf tools and networks available for purchase or hire,” says Maude. “In the case of credential stuffing, tools that fully automate attacks against large enterprises start at around $20 and come complete with training and support packages. The barrier to becoming a cyber-criminal has never been lower and the use of the Dark Web makes it increasingly hard to track perpetrators. As a result, cyber-crime is a low risk and potentially high reward occupation.”

Patriaca adds that HaaS is “a real threat and although hacking is predominantly an illegal action the notion is growing in popularity”. “The idea behind this is to hire a hacker, gain access to a botnet or purchase a toolkit in order to breach an organisation and while it is a potential threat to businesses, it is mostly larger organisations that are targeted as a result as it can be an expensive service,” he says.

What’s more, the hackers are after one thing: data. “Attackers are becoming increasingly sophisticated in monetising data and accounts,” says Maude. “Hackers will target subscription services, compromising and reselling accounts. They will target loyalty points schemes to steal points and rewards. If you post content, such as videos or articles, hackers may steal this to repost and monetise with ad revenue. They will even scrape pricing information, goods availability and item descriptions to resell to other businesses.” 

In Patriaca’s view, anything which details customer data is a prime target, and data is fast becoming one of the hottest commodities, one that organisations are willing to pay for.

“Most often we see data which includes personal home addresses, phone numbers, birth names and dates as well as personal bank details and credit card numbers sold online,” he says.

Laliberte says that while HaaS is a very real threat, he argues that the bigger threat is from marketplace items that enable low-skill hackers to carry out their own damaging attacks. “Things like Ransomware as a Service, where a skilled attacker creates and maintains the infrastructure for an evasive ransomware attack, enable anyone to launch an attack and potentially earn a hefty profit,” he says.

Now that the potential threats have been made clear, it’s important to know what software and technologies are being used to combat them.

“It’s actually fairly straightforward to block access to most of the dark web protocols like Tor and I2P,” says Laliberte. “Most UTMs and NGFWs include application control services that can fingerprint and block access to dark web networks from corporate machines. Keeping corporate data off the dark web is a whole different story though. Organisations need a layered approach including technical protections and user training to stand a chance. At a minimum, companies need multiple layers of malware detection that includes technologies capable of detecting evasive threats using behaviour analysis paired with detection and response services to identify threats that slip through the cracks.”

Maude argues that while the dark web might seem like a worry to enterprises, it’s important to remember that the risks it poses are not fundamentally different to those addressed by common security best practices.

“The one security protocol the dark web should drive enterprises to invest in, is protection against stolen credentials,” he says. “This could come in the form of a dedicated bot management solution, designed to prevent automated credential stuffing bots from using your website or services to test lists of stolen credentials.


“As well as dealing directly with the risk to an enterprise’s reputation in the face of a credential stuffing attack, there are vendors who scan the Dark Web to identify any breaches or datasets that involve your brand. However, this is a highly reactive approach and is purely focused on post-breach damage limitation.”
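Maude’s description of credential stuffing (lists of stolen username and password pairs tried against a customer login form) and of bot management as the countermeasure both rest on one observable pattern: a single source trying many different accounts in a short window, most of them failing. The script below is an added example, not code from the article, from Netacea or from any of the vendors quoted; it runs a sliding-window check over a constructed authentication log (the log format, IP addresses, usernames and thresholds are all assumptions) and separates stuffing from a single-account brute force and from an office gateway where many users log in successfully. It also lists the accounts that succeeded from a flagged source, which is the set a defender would reset and notify.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, not from the article):
#   198.51.100.4  one user mistypes once, then logs in     -> legitimate
#   203.0.113.7   ten different accounts in five seconds  -> credential stuffing
#   198.51.100.20 many users, all succeed (office NAT)    -> legitimate
#   192.0.2.9     one account, eight straight failures    -> brute force
SAMPLE_LOG = """\
2019-11-27T09:00:01Z src=198.51.100.4 user=alice result=FAIL
2019-11-27T09:00:09Z src=198.51.100.4 user=alice result=OK
2019-11-27T09:01:00Z src=203.0.113.7 user=bob result=FAIL
2019-11-27T09:01:01Z src=203.0.113.7 user=carol result=FAIL
2019-11-27T09:01:01Z src=203.0.113.7 user=dave result=OK
2019-11-27T09:01:02Z src=203.0.113.7 user=erin result=FAIL
2019-11-27T09:01:02Z src=203.0.113.7 user=frank result=FAIL
2019-11-27T09:01:03Z src=203.0.113.7 user=grace result=FAIL
2019-11-27T09:01:03Z src=203.0.113.7 user=heidi result=FAIL
2019-11-27T09:01:04Z src=203.0.113.7 user=ivan result=FAIL
2019-11-27T09:01:04Z src=203.0.113.7 user=judy result=FAIL
2019-11-27T09:01:05Z src=203.0.113.7 user=mallory result=OK
2019-11-27T09:02:00Z src=198.51.100.20 user=u1 result=OK
2019-11-27T09:02:01Z src=198.51.100.20 user=u2 result=OK
2019-11-27T09:02:02Z src=198.51.100.20 user=u3 result=OK
2019-11-27T09:02:03Z src=198.51.100.20 user=u4 result=OK
2019-11-27T09:02:04Z src=198.51.100.20 user=u5 result=OK
2019-11-27T09:02:05Z src=198.51.100.20 user=u6 result=OK
2019-11-27T09:02:06Z src=198.51.100.20 user=u7 result=OK
2019-11-27T09:02:07Z src=198.51.100.20 user=u8 result=OK
2019-11-27T09:05:00Z src=192.0.2.9 user=admin result=FAIL
2019-11-27T09:05:01Z src=192.0.2.9 user=admin result=FAIL
2019-11-27T09:05:02Z src=192.0.2.9 user=admin result=FAIL
2019-11-27T09:05:03Z src=192.0.2.9 user=admin result=FAIL
2019-11-27T09:05:04Z src=192.0.2.9 user=admin result=FAIL
2019-11-27T09:05:05Z src=192.0.2.9 user=admin result=FAIL
2019-11-27T09:05:06Z src=192.0.2.9 user=admin result=FAIL
2019-11-27T09:05:07Z src=192.0.2.9 user=admin result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
WINDOW = timedelta(minutes=5)  # assumed detection window


def parse_log(text):
    """Group (timestamp, user, success) events by source address, sorted by time."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip lines that do not match the assumed format
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_src[m["src"]].append((ts, m["user"], m["result"] == "OK"))
    for events in by_src.values():
        events.sort()
    return by_src


def classify_source(events, window=WINDOW, min_attempts=8,
                    min_users=5, min_fail_ratio=0.6):
    """Slide a time window over one source's events and return a verdict.

    "credential_stuffing": many attempts, mostly failing, across many accounts.
    "brute_force":         many attempts, mostly failing, against one account.
    None:                  nothing in any window crosses the thresholds.
    """
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        win = events[start:end + 1]
        if len(win) < min_attempts:
            continue
        fails = sum(1 for _, _, ok in win if not ok)
        if fails / len(win) < min_fail_ratio:  # office NAT: many users, all OK
            continue
        users = {user for _, user, _ in win}
        if len(users) >= min_users:
            return "credential_stuffing"
        if len(users) == 1:
            return "brute_force"
    return None


def detect(text, **thresholds):
    """Map each flagged source address to its verdict."""
    verdicts = {}
    for src, events in parse_log(text).items():
        verdict = classify_source(events, **thresholds)
        if verdict:
            verdicts[src] = verdict
    return verdicts


def compromised_accounts(text, **thresholds):
    """Accounts that logged in successfully from a credential-stuffing source;
    these are the ones to reset and notify, since the attacker's list was right."""
    flagged = {s for s, v in detect(text, **thresholds).items()
               if v == "credential_stuffing"}
    return {user for src, events in parse_log(text).items() if src in flagged
            for _, user, ok in events if ok}


if __name__ == "__main__":
    for src, verdict in detect(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
    print("accounts to reset:", sorted(compromised_accounts(SAMPLE_LOG)))
```

The distinct-usernames count is what separates stuffing from a conventional brute force, and the failure ratio is what keeps a shared office gateway from being flagged. A per-source-address view is only a first cut: stuffing tools spread attempts over proxy pools, so a production bot management service correlates on more than the address (request fingerprints, timing, the aggregate failure rate for the whole login endpoint), but the same two signals remain the core of the decision.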

Patriaca says it’s important to note that it is cyber criminals organisations need to protect themselves against and not the dark net itself.

“Many organisations focus on and invest in software to defend and protect against external threats, like malicious software or outside hackers,” he says. “Perimeter software such as firewalls can help to safeguard against this. However, it’s also important to protect against human error and insider threats through technology such as privileged access management. This will not only add an additional layer of protection, but it can also ensure that cyber criminals have limited access if they do penetrate the first line of defence.”

Although one can’t ask for much more than having protocols in place, it appears that another risk for most businesses is the fact that they won’t even know when attacks are coming.

“Not every organisation is aware when they have an intruder in the network,” says Patriaca. “There are many occasions when businesses may even see their own personal data or customer data leaked online and only then do they realise there had been a data breach. Typically, the problem comes down to budget constraints and added user burden.”

Indeed, he says organisations must make the most out of what budget they are given, and employees want to work quickly without the need to type in multiple passwords. “Education and supporting employees can make a significant difference, it’s important that anyone using the network takes an element of responsibility to safeguard data and password protection is a simple and effective way to do this,” continues Patriaca. “Adding an additional layer of protection through privileged access management can also help to reduce some of this burden and improve security. If organisations encourage a strong security protocol internally and help to educate employees not only on the risks and what signs to look out for, but also how to create healthy passwords we will see a much more effective approach taken to cyber security.”

Laliberte says attackers prey on complacency. “Enterprise IT staff should always assume they are under attack, because they almost always are,” he adds. “The good news is, there are technologies available to detect even the most evasive attacks. Teaching your users to spot phishing attacks can also go a long way towards keeping your networks clean.” 

Maude offers the west African proverb ‘speak softly and carry a big stick; you will go far’. He adds: “A good way to approach risks online is you must deliver a good experience to your customers whilst always being prepared to defend yourself. Organisations may worry about the risks associated with activity on dark web cyber-crime forums, but there is no real difference between this and the activity carried out on private forums, on the regular internet or even by lone threat actors.”

In Maude’s view an enterprise doesn’t need to know when an attack is coming to be prepared. “It is important that enterprises get inside the mind of an attacker when developing new sites and services online and conduct threat modelling exercises to understand the risks and possible mitigations,” he adds.

There are precautions that can be taken, but if the dark web is used for things as serious and sinister as buying weapons, terrorism, drugs, kidnapping and prostitution, just what chance does an enterprise have of defending itself?

Maude says while its anonymous nature makes it hard to track users and shut down illegal services, “it is merely an alternative method of communication, there is nothing particularly unique about the threats beyond potentially masking their origin”.

Laliberte says networks are as secure as enterprises make them and an organisation’s main goal should be to defend their networks and keep data off the dark web. “While there is no such thing as a perfect defence in cybersecurity, hope is not lost for keeping your company safe,” he says. “The right mix of layered security with user training can give you a fighting chance against cyber criminals. If you take the time to deploy and maintain technical layered defences, you have a better shot at keeping cyber criminals out of your network.”

Patriaca says that, “simply put”, even the most secure of networks are not impenetrable. “Unfortunately, as humans we are prone to mistakes and this can leave networks open to potential security breaches,” he adds. “What is needed is a combination of both technology and education in order to minimise as much vulnerability as possible.”