The Dark Web is a scary place. Even the name sounds very ominous. Most people know that it is bad when business or personal information shows up on the Dark Web. But at the end of the day, those same people do not really know what the Dark Web is and what is going on in the shadowy recesses of the anonymous Internet. That is OK and to be expected. The Dark Web is shady and cryptic and difficult to understand by design.
But Burk IT understands the threats associated with the Dark Web and the potential sale and distribution of valuable personal and business-related information. Because the threat is real and awareness is key, Burk IT includes Dark Web monitoring in all of our core Managed Services agreements. As part of that monitoring service, our customers will from time to time receive emails alerting them to compromises of content associated with their business user accounts. This article will hopefully shed a little light on that process and how to react to and best leverage that information for the safety of the business and its individual computer users.
What is the Dark Web?
Before you can understand what is really taking place with Dark Web monitoring, you need first know what the Dark Web is and is not. The best analogy I have seen to describe the Dark Web is to think about an iceberg*. The top part of the iceberg, the part that you see bobbing up and down above the water, that is the public Internet or the World Wide Web. This is the open part of the Internet where you can search for cat videos or find great lasagna recipes or read the box scores for your favorite baseball team.
Just beneath the surface of the water and expanding downward and outward is where the true mass and size of the iceberg lives. This is the Deep Web. These web servers are where the work of the Internet gets done. This is where your online purchases get processed and your banking portal data gets generated. This is where your social media history lives, and your private chats get hosted. This is the home of the “cloud” and the backbone of e-commerce.
In an obscure, hard to find corner of the iceberg near the ocean floor lies the Dark Web. This part of the Internet is not advertised, and it cannot be reached by traditional web browsers like Microsoft Edge or Google Chrome. Access to the Dark Web requires the use of a Tor Browser which is designed to anonymize the PC and user exploring the far reaches of the Dark Web. Dark Web websites end in the extension “.onion”, referring to the many layers of obfuscation in place to provide safely anonymous browsing.
Despite its ominous name, not every user on the Dark Web is a cybercriminal peddling his or her wares on the virtual black market. Because of the anonymity it provides, the Dark Web is used by many legitimate groups including political dissidents, journalists, whistleblowers and even normal Internet consumers simply desiring to avoid the constant gathering of metadata traditional web browsing affords. Yet, the Dark Web also brings together evil doers trading in child pornography, illegal drugs, violence and identity theft information. Because of this illegal trafficking, Dark Web monitoring is an important component of any modern cybersecurity program.
What is Dark Web Monitoring?
Given the secretive and anonymous nature of the Dark Web, the logical question arises – what exactly is being monitored on the Dark Web? This is a very important question to pose because many of the TV, web and print ads touting Dark Web monitoring would lead you to believe that these companies can definitively protect your identity and purge every bit and byte of your personal information from all these criminal forums. That is not exactly the truth.
Dark Web monitoring was born from federal government contracts with private firms designed to understand what information was being posted and traded on the Dark Web for national security and law enforcement purposes. These private firms quickly realized the commercial value of the tools and techniques they had developed, so business and personal Dark Web monitoring offerings were quickly designed and marketed to general public.
Dark Web monitoring services basically scour Dark Web news boards, commerce sites, and other forums looking for PII (personally identifiable information) that has been posted for sale or trade. This research is performed using custom bots, software artificial intelligence and human assets to ensure the information is as timely and actionable as possible. These services then correlate the PII detected with the corporate domains and user accounts being monitored and report on the findings that match.
The information reported by a Dark Web monitoring service varies from vendor to vendor but generally includes the following:
Username / Email address associated with the compromised account – This ID is typically associated with the domain name for the business or organization being monitored by the service.
Date the compromise was found – This is the date the service’s algorithms and human resources discovered the compromised information in the Dark Web.
Date reported / posted / added – This is the date the discovered information is validated and provided to the monitoring customer, usually via a traditional web portal or secure email.
Password / Password Hint / Password Hash – This is typically the entire cleartext password of the account in question, or a portion of that password as a verification tool for the end user. A password hash is a masked version of a user password usually compromised from an online website or backend website resource. These hashes are easily decrypted by cybercriminals and are, therefore, very damaging when discovered in the wild of the Dark Web.
PII information – Many monitoring services will also report whether additional personal information was present associated with the compromised credentials including full name, address, phone number, and social security number.
Source or origin of the compromise – This information is often speculative, but most Dark Web monitoring services will provide insight into the source or nature of the breach that led to the presence of these credentials and other PII on the Dark Web.
All of this information is value and warrants a response, but it is also very important to consider the information that the Dark Web monitoring service CANNOT provide and the actions the service CANNOT take on behalf of the compromised entity:
Date / Time of the original compromise – Monitoring services most often cannot pinpoint the exact date or time of a data compromise. Even if the compromise is attributed to a known breach of a business, service, or website, specifics about the timing surrounding those breaches are not typically public knowledge. If the compromise was the result of an attack against an end user such as phishing or a malware attack, knowledge of the timing of those types of attacks is nearly impossible. It is also important to note that most of the information posted on the Dark Web was stolen weeks if not months earlier.
Date the compromised information was first posted to the Dark Web – Monitoring services have become extremely efficient at finding and correlating data from the Dark Web, but they are still far from the ability to monitor the whole of the Dark Web in real-time. There can be a significant delay of days or weeks between the time information is posted to a site or forum on the Dark Web and its discovery by a monitoring service.
Removal of compromised information from the Dark Web – It is one thing to discover information associated with an individual on the Dark Web. It is a wholly different problem to try to purge information from these forums and sites. Generally speaking, once this proverbial genie is out of the bottle, there is no putting it back. Remember, these are Dark Web MONITORING services. They can let you know something bad has happened, but they cannot necessarily reverse the damage already done.
What should you do when you receive a Dark Web alert?
Many people will read the previous paragraph and decide that there is no real value in Dark Web monitoring if you cannot remove personal information once it is posted. I would disagree on the following grounds – 1) It is better to know than to not know what personal information is in the wild, and 2) With knowledge comes power and the ability to better mitigate the situation quickly. So, what should you do if you or your organization receives an alert that PII is on the Dark Web?
- Rotate the passwords associated with the affected user account – The biggest fear for most business IT administrators is that when a website is compromised, the user’s password associated with that website may be the same password that person uses on the business network. Internet users have become creatures of habit when it comes to passwords and tend to reuse passwords across multiple sites and systems. This behavior makes the job of the cybercriminal that much easier when he or she decides to see what all can be stolen using those compromised credentials. Also, consider three other options when you are changing those passwords:
- Switch from short, complex passwords to longer, easier to remember passphrases consisting of several words or a memorable sentence. Passphrases are significantly harder to crack for cybercriminals and require changing less often.
- Consider using a good Password Manager (1Password / KeePass / LastPass). It is a good practice to use unique passwords or passphrases for every website and system you access. A password manager is a safe way to keep up with all those different credentials.
- Implement multi-factor authentication for websites and systems whenever possible. Multi-factor authentication in the form of authenticator apps or SMS texts adds a strong barrier to protect against identity compromise. Even if a cybercriminal gets his or her hands on your username and password, that person still cannot authenticate as you without your phone or token. Most major websites and services support multi-factor authentication now including Facebook, Twitter, Amazon and Google.
- Request new credit cards and other account numbers when necessary – In some situations, Dark Web monitoring services can alert you to card or account fraud before the affected bank or store knows something has gone wrong. React quickly by alerting the bank or store and requesting new account info.
- Consider freezing your credit – The best way to prevent identity theft and stop the bad guys from opening lines of credit in your name is to take away that option. Freezing your credit line by contacting each credit bureau (Equifax, Experian, and TransUnion) is an easy, low cost process that can provide peace of mind despite the scary nature of the Dark Web.
- Educate! Educate! Educate! – The best thing anyone can do to fight cybercrime is to learn about the enemies at the gate, learn how to keep out and fight back against those enemies, and then share that information with others. Train yourself. Get training for those around you. Share what you have learned.
Hopefully this article has helped to demystify the Dark Web and add some clarity to the process surrounding Dark Web monitoring. The tools that protect us from cybercrime keep getting stronger and more effective. We too need to continue to get stronger in our knowledge of the threats we face and the actions we need to take to protect ourselves. Keep fighting!
* Susan Grant of the Consumer Federation of America