Roundtable: the dark net

04 October 2023

The dark net has emerged as a major boon to bad actors across the globe – but what do network managers need to know?

Are today’s network managers fully aware of the risks posed by the dark net?
Brad Liggett, global director and threat analyst, Cybersixgill: The dark net often makes its way into pop culture. Network managers are likely aware of the risks and threats stemming from the cyber underground; however, they may not be properly alerted to those threats, if at all.

Nick Oram, operations manager – dark web & mobile app monitoring, Fortra’s PhishLabs: I doubt that most network managers are aware of the full range of risks that threat actors on the dark web pose to their organisations. The dark web itself is not malicious, it’s just a tool that can be used to do malicious things. The Tor browser was created to increase internet privacy and as a way for people to have access to information in locations where censorship of the internet could take place. However, due to the nature of what the Tor browser does, it is no surprise that threat actors have used this platform to sell their illicit goods and services to evade law enforcement.

The dark web contains many different marketplaces and forums that are used to sell drugs, weapons, counterfeit goods, malware, credit card data, and stolen credentials, but plenty of sources are completely benign and used just to connect with other users with similar interests. Most malicious items that end up on the dark web didn’t originate there. If we are looking at stolen login credentials, those credentials were most likely swiped from users that attempted to log into a phishing website, or accidentally downloaded some form of InfoStealer malware and had their credentials stolen. Once those credentials are stolen threat actors will turn to the dark web to post the data for free or sell it for monetary gain.

Sylvain Cortes, VP strategy and 17x Microsoft MVP, Hackuity: Absolutely not... in fact, it’s a recurring problem in organisations. There are three reasons for this:

  • Dark net scanning solutions are currently technically imprecise, lacking certain information.
  • Administrators and managers don’t understand how the dark net works and are even afraid to connect to it.
  • Legislation is unclear as to what is and isn’t legal to consult on the dark net, so companies are afraid of breaking the law - what’s more, legislation varies from country to country.

Matt Aldridge, principal solutions consultant, OpenText Cybersecurity: Most IT and network managers are aware of darknets, but perhaps have not fully accounted for them when assessing, prioritising, and managing risks to their organisation.

Should network managers block Tor and other dark net browsers as a matter of course?
Liggett: Network managers can provide one of the biggest defenses for stopping dark web usage in a corporate environment by ensuring that traffic destined to, or coming from, known Tor exit nodes is blocked. The dark web hosts malicious content and links which can be more difficult to block if users are able to access Tor on their work devices.

IP addresses are ephemeral and constantly changing. It’s difficult for network managers to keep up on which CIDR blocks, or specific regions, to allow. There are a handful of companies that monitor IP traffic and usage. Whether traffic is coming from various proxies, tied to commercial VPNs, or has markers of running through anonymisation services, network managers have more tools available to them now than ever before.

Aldridge: Darknets and the dark web have an important place in the world when used for legitimate purposes, but in almost all cases they should not have a place in your organisation, so measures should be taken to control, or at least to monitor any such activity. Blocking access to Tor and similar darknets should be high on the list of priorities for any organisation. Raising alerts to the security team when access attempts are made is also important. This can be largely achieved through a combination of client-side and network-embedded security solutions, although be aware that a determined user will probably find a way around any network controls.

Admins should consider taking a whitelisting approach to allowed applications in their environment and consider Windows Defender Application Control (WDAC) for Windows devices and Google Santa for macOS devices. Other third-party solutions are also available. This is not a silver bullet, however, as certain user populations (for example developers, IT and security teams) will need to be able to install and run code that may not yet be whitelisted. Even so, having whitelisting as the standard approach for most users can realise very strong security benefits for the organisation, as long as there are swift processes in place to help users to get access to new applications when needed. Whitelisting can also be a challenge when allowing BYOD (bring your own device).

Oram: Network managers don’t need to block dark web browsers. Browsers like Tor can be used just like Chrome or Firefox, with the exception that Tor can help with browser anonymity and security, such as blocking targeted ads, unwanted external connections, and network traffic. The main difference with Tor is that it can be used to browse Onion sites. When using Tor, a user should be careful not to look up or stumble onto something malicious just as they would on any other browser.

Cortes: The history of cybersecurity teaches us that banning things is never the solution. Tools and procedures need to be put in place to control use of the dark net, but trying to prevent people from logging on is pointless. Also, it’s technically complicated: a lot of effort for little result in the end…

What is the biggest single danger from the dark net, and how can it be tackled?
Liggett: If accessing the dark web, possibly the most significant risk is exposing yourself or your organisation to malicious threat actors frequenting the cyber underground. Users need to be careful to not click any malicious links or download programs hosted on underground sites.

Cortes: By itself, the dark net is not ‘so’ dangerous. The biggest risk is not technical, but legal... Legislation varies from country to country. Some countries allow you to download files from leaks under certain conditions, while others prohibit it. Some countries consider that authenticating with login and password on a forum is illegal, others do not. It’s important to make sure that the activities you’re carrying out are legal - and even to make sure that the functionalities offered by an external supplier are legal in the organisation’s country. I see a lot of French teams using American dark net scanning solutions, even though their usage is illegal in France!

Aldridge: By its nature, darknet traffic bypasses all security controls that an organisation has in place, directly exposing the user and their endpoint to significant levels of threat from unknown actors on the dark web. This can expose them and their organisation to data breaches, malware infections, legal liabilities, and reputational damage. Controlling and monitoring access attempts will help to protect legitimate users who may have been socially engineered or extorted to access the dark web and make it harder for attackers to stay under the radar for their command and control (C2) and data exfiltration activities – forcing them to use more visible, public solutions. Equally, blocking access to corporate assets from Tor users is extremely important, unless there is a legitimate business need to allow this for certain key applications.
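The two controls raised above, Liggett’s blocking of traffic to or from known Tor exit nodes and Aldridge’s blocking of access to corporate assets from Tor users, both reduce to the same check: compare each connection’s endpoints against a current exit-node list and alert on matches in either direction. The script below is an added illustration, not code from the panel or any vendor. The exit-node feed and the firewall log lines are constructed from documentation address ranges; in practice the feed would come from a regularly refreshed threat-intelligence source, since (as Liggett notes) exit IPs change constantly, and the log format would be whatever the firewall actually emits.

```python
"""Flag firewall connections that involve known Tor exit nodes.

Added example (not from the original article). The exit-node feed and log
lines below are CONSTRUCTED for illustration using documentation ranges
(RFC 5737); a real deployment would pull a live exit-node list and refresh it.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed feed: plain IPs and CIDR blocks, one per line, '#' for comments.
TOR_EXIT_FEED = """\
# constructed sample exit-node list (documentation addresses, not real relays)
203.0.113.7
203.0.113.200
198.51.100.0/28
"""

# Constructed firewall log lines in a simple key=value style (assumed format).
SAMPLE_LOG = [
    "2023-10-04T09:12:01Z src=10.0.5.23 dst=203.0.113.7 dport=9001 action=allow",
    "2023-10-04T09:12:05Z src=10.0.5.23 dst=192.0.2.10 dport=443 action=allow",
    "2023-10-04T09:13:40Z src=198.51.100.9 dst=10.0.1.10 dport=443 action=allow",
    "this line is malformed and should be skipped",
]

LOG_RE = re.compile(
    r"src=(?P<src>[0-9a-fA-F.:]+) dst=(?P<dst>[0-9a-fA-F.:]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def load_exit_nodes(feed: str) -> List[ipaddress._BaseNetwork]:
    """Parse IPs and CIDR blocks into network objects; a bare IP becomes a /32 (or /128)."""
    nets = []
    for raw in feed.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_exit_node(ip: str, nets) -> bool:
    """True if the address falls inside any listed exit-node network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify(line: str, nets) -> Optional[str]:
    """Return 'egress-to-tor', 'ingress-from-tor', 'clean', or None if unparseable."""
    match = LOG_RE.search(line)
    if not match:
        return None
    # Egress: an internal host talking to an exit node (Tor use from inside).
    if is_exit_node(match["dst"], nets):
        return "egress-to-tor"
    # Ingress: an exit node reaching a corporate asset (Tor-sourced access).
    if is_exit_node(match["src"], nets):
        return "ingress-from-tor"
    return "clean"


def scan_log(lines, nets) -> List[Tuple[str, str]]:
    """Run every line through classify() and keep only the alert-worthy ones."""
    alerts = []
    for line in lines:
        verdict = classify(line, nets)
        if verdict and verdict != "clean":
            alerts.append((verdict, line))
    return alerts


if __name__ == "__main__":
    exit_nets = load_exit_nodes(TOR_EXIT_FEED)
    for verdict, line in scan_log(SAMPLE_LOG, exit_nets):
        print(f"[{verdict}] {line}")
```

Each alert carries the direction, so the security team can route egress hits to user follow-up and ingress hits to the application owners who decide whether a Tor-sourced request to that asset is ever legitimate.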

Oram: Combating the threats on the dark web begins with increased knowledge and awareness in places where users already spend a lot of their time: the open web. Most users at some point will be sent a very convincing email or even an SMS message that wants them to log into one of their favourite sites, but it’s a phishing website that was created for the purpose of stealing credentials. The link could also lead to a malware download link, and once that malware is downloaded, credentials and other personal information could be stolen, or the computer could be locked up using ransomware.

Common on the dark web is the sale of credentials that have been grabbed through InfoStealer malware, which can be delivered through traditional phishing methodologies. Once those credentials or other forms of personal information are stolen, they can be sold on the dark web. In addition, daily activity outside of the open web can lead to content posted on the dark web for sale. Threat actors who install sniffing software, skimming devices, or perform point-of-sale device compromise in the various areas where you spend your money, can easily grab your credit/debit card credentials. When your credit/debit card data gets compromised it is common for it to appear for sale on dark web marketplaces that sell dumps and data.

Does every enterprise need dark net monitoring tools?
Liggett: While there are some justified reasons for using various privacy tools, if users in that organisation require the ability to connect to these services, each company should weigh the risks of not monitoring for such activities. If someone has a legitimate reason for this type of activity, network and IT managers should ensure that safeguards are in place to allow for access using independent hardware and connections.

Oram: For the safety of all enterprises’ employees and customers, they should subscribe to some form of dark web monitoring. A user’s information is most likely going to be stolen through the open web, a phishing site, malware, social engineering, or by the illicit use of credit card skimmers, sniffers, and POS device compromise. Once that information has been stolen, threat actors can then turn to the dark web to post this information.

Cortes: A month ago, I was preparing a presentation for a show, and I wanted to demonstrate to the audience what information from ransomware gangs on the dark net looked like. I went to the LockBit 3 website and found a list of leaks which included companies I knew well. I then contacted the CISOs of each of these companies, who didn’t even know their data was on the dark net! Dark net monitoring tools are not perfect, but they are critical.

Aldridge: Every enterprise should determine the need through a comprehensive and ongoing risk assessment, but I would suggest that at the very minimum, an ability to monitor access to the dark web should be present in the security arsenal of every organisation.