used with permission from Tektonika (HP)
The dark web is a nefarious place, where criminals lurk and communicate, buy, sell, plot, and plunder. The clue, of course, is in the name. Speaking to NBC, FBI Supervisory Special Agent Mark Knoll referred to it as “like your new drug dealer on the corner in the virtual world.”
UK Home Secretary Amber Rudd went even further, saying it’s a place where “anonymity emboldens people to break the law in the most horrifying of ways with platforms that enable dangerous crimes and appalling abuse.”
Highlighting the broader impact of the dark web is important, because much of the publicity surrounding it in recent years has been related to drug trafficking. The Silk Road marketplace was one of the best known sites for this illegal activity, at least until it was closed down in 2013 after the capture and imprisonment of its founder, Ross Ulbricht.
Its role in fueling other crimes cannot be overstated, but the dark web truly thrives on cybercrime. Consider that the building blocks for identity theft are sold there: personal information is traded to fraudsters in bulk, and the overall level of cybercrime is rising in parallel.
What is the dark web?
The dark web is the part of the internet that is reachable only through anonymity overlay networks, which route traffic through layers of encryption so that neither the visitor's identity nor the location of a site is exposed. These overlay networks are the darknets; on them sit the forums and marketplaces where products and services are bought and sold. Individuals can enlist the services of a “hacker for hire,” buy the leaked contents of the latest data breach, or purchase stolen credit card data from any country, along with drugs, weapons, counterfeit goods, and so on.
Anyone can visit these sites with the right software, such as Tor (The Onion Router) or the Invisible Internet Project (I2P). Information, products, or services can be requested and paid for in bitcoin or other cryptocurrencies.
How does it heighten the cybersecurity threat landscape?
In the United Kingdom alone, there were 4.7 million incidents of fraud and computer misuse in the 12 months prior to September 2017. Corporate data breaches are a regular occurrence now. Thomas Cook, Equifax, Facebook, Costa Coffee, Starbucks, Adidas, and the United Kingdom’s National Health Service are just some of the many organizations that have suffered data breaches during 2017 and 2018—and this comes at a cost.
A 2018 study by the Ponemon Institute, the thirteenth annual Cost of a Data Breach study, found that the global average cost of a data breach rose 6.4 percent over the previous year, to $3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8 percent year over year, to $148. Given that large breaches run into millions of records, it is easy to see how costs escalate.
While the financial cost to businesses is clear, there are other costs to consider, such as reputational damage, lost customer confidence, and staff morale. The effects of a breach can be felt across an entire operation, and for publicly listed businesses this can also mean a hit to the share price.
Clearly, this is a growing problem, and it is no longer confined to hidden-service forums. A 2017 study by IntSights found a 30-fold increase in dark web activity on mobile messaging platforms since 2016, with the likes of Discord, Telegram, and WhatsApp being used to “trade stolen credit cards, account credentials, malware, drugs and to share hacking methods and ideas.”
“It’s not an understatement to suggest dark clouds are looming over businesses,” said Vali Ali, HP Fellow and Chief Technologist of Security and Privacy for Business. “Information is the new currency, and as long as the trading of personal information on the dark web remains relatively painless for criminals, we should expect to see increased attacks and the resulting theft of corporate data. Sadly, it’s supply and demand.”
Gleaning information from the dark web can be difficult, and it is only going to get harder. In an interview with Wired, Tor Project cofounder Nick Mathewson explained that the next generation of onion services tightens privacy around the .onion addresses that identify dark web sites: each address is derived from the service's own public key, and that key is blinded before it reaches Tor's directory servers, so the directory can no longer be used to enumerate sites. In essence, it becomes practically impossible to stumble across or guess a specific darknet site address, and harder still to determine who actually runs the site.
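To make the address derivation concrete, here is an added example (not code from the article or from the Tor Project) that builds and validates a version 3 .onion name from an Ed25519 public key, following the published Tor v3 rendezvous specification: the address is base32(PUBKEY | CHECKSUM | VERSION) plus ".onion", where CHECKSUM is the first two bytes of SHA3-256(".onion checksum" | PUBKEY | VERSION) and VERSION is 0x03. The 32-byte key below is a constructed byte pattern, not a real service key, and the function names are this example's own.

```python
import base64
import hashlib
from typing import Optional

ONION_VERSION = b"\x03"               # version byte that ends every v3 address
CHECKSUM_PREFIX = b".onion checksum"  # fixed prefix from the Tor spec
B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" | PUBKEY | VERSION)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def derive_onion_address(pubkey: bytes) -> str:
    """Map a 32-byte Ed25519 public key to its 56-character v3 .onion name."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be exactly 32 bytes")
    # 35 bytes = 280 bits = exactly 56 base32 characters, no padding
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> Optional[bytes]:
    """Return the embedded public key if `address` is a well-formed v3 name
    whose checksum and version byte verify; otherwise None."""
    name = address.strip().lower()
    if not name.endswith(".onion"):
        return None
    label = name[: -len(".onion")]
    if len(label) != 56 or any(c not in B32_ALPHABET for c in label):
        return None
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION or checksum != onion_checksum(pubkey):
        return None
    return pubkey


def onion_version(address: str) -> Optional[int]:
    """Classify an address: 2 for a legacy 16-character RSA-derived name
    (shape only, since v2 names carry no checksum), 3 for a checksum-valid
    v3 name, None for anything else."""
    name = address.strip().lower()
    if not name.endswith(".onion"):
        return None
    label = name[: -len(".onion")]
    if len(label) == 16 and all(c in B32_ALPHABET for c in label):
        return 2
    return 3 if parse_onion_address(name) is not None else None


# Constructed sample key: a fixed byte pattern standing in for a real service key.
SAMPLE_PUBKEY = bytes(range(32))

if __name__ == "__main__":
    addr = derive_onion_address(SAMPLE_PUBKEY)
    print(addr)                                         # 56 chars, always ends in "d"
    print(parse_onion_address(addr) == SAMPLE_PUBKEY)   # True
    print(parse_onion_address(addr[:-7] + "a.onion"))   # None: version byte corrupted
```

Two properties fall out of the construction and are worth knowing when you triage addresses in a feed: a v3 name is always 56 characters and always ends in "d", because the final base32 character encodes the low bits of the 0x03 version byte, and the two-byte checksum catches most copy errors and lookalike substitutions. Nothing about the name, however, reveals anything about the operator; the address is a key, not a location.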
For law enforcement, this represents an ongoing challenge. Success stories are not unheard of, such as US agents arresting 35 dark web weapons and drug dealers in June 2018, but the goal posts are constantly shifting. For businesses, it is a constant headache: keeping pace with change and identifying often stealthy breaches is hard. According to FireEye's M-Trends figures, the median time for an organization to discover a breach on its own systems is now 57.5 days, yet as soon as criminals have exfiltrated data, they are likely to try to sell it online.
Typically, hackers will package personal data for resale. They search the stolen files for anything that can be monetized, such as names, addresses, phone numbers, login credentials, and even credit card details, and offer it in bulk to scammers and other hackers. It is all done very quickly, which means that, from a criminal's point of view, the data is sold before the company even knows it is missing.
Interestingly, a study by Recorded Future found that 75 percent of all disclosed vulnerabilities appear somewhere online, on average, a week before they are listed in the National Vulnerability Database (NVD), giving criminals a head start. The same study found that 5 percent of vulnerabilities are discussed on the dark web before the NVD entry appears, and that these carry higher severity levels than expected, while 30 percent are first found in foreign-language sources. The vendors most affected are Google, Apple, Microsoft, and Oracle, which between them cover most of the platforms businesses use.
How can you mitigate risk?
Understanding what needs to be protected is a crucial first step. Only then can your organization put in place effective security tools and policies. All companies should build a threat model and keep that model up to date as assets and threats change.
Here are some quick tips on creating a threat model:
- Identify assets: This includes hardware, business processes, intellectual property, mobile devices, ERP systems, databases, and even end-of-life systems.
- Create a security profile for each asset, identifying what actually protects it from attack: Look at the layers of security around endpoints, software, and networks, so that gaps and potential vulnerabilities become visible.
- Identify potential threats and prioritize them: Where is the threat coming from? This can include opportunistic hackers, hacktivists, cybercriminal gangs, disgruntled employees, internal errors, untrained or unauthorized freelance workers, physical loss of devices, and so on.
- Match risks with actions: Apply appropriate controls and procedures to each asset based on the likelihood and potential severity of compromise.
With a threat model in place, the best way to mitigate the threat from the dark web is to understand and monitor it. You can start with simple tactics, such as seeding decoy (canary) accounts into legitimate data sets. Give each copy of a data set its own decoy: if that record later turns up in a dump, you know not only that you were breached but which copy leaked.
There is a new wave of companies, including Webhose, RepKnight, Terbium Labs, Massive, Recorded Future, Sixgill, Hold Security, and AlienVault, which index dark web sources so that they can be searched much like the normal internet. This should enable organizations to at least try to monitor breach activity.
Organizations such as the FBI also release regular communications about threats. Understanding active threats and historical patterns can help you determine the likely threats to your systems from criminal activity.
What should you stay vigilant for on the dark web?
Even with access to the dark web, it’s still not easy to find what you’re looking for, as you have to try specific forums to see what’s being bought and sold. It’s a bit like looking for a stolen radio in a flea market: difficult but not impossible.
Nonetheless, here are a few ways you can focus your search:
- Look for any data related to your organization or partners and suppliers, such as bank information.
- Search for internal data, such as usernames, emails, company-related documents, or personally identifiable information of employees or customers.
- Keep an eye out for exploit kits, malware, and other potential threats that aren’t specifically targeting your organization but could pose a threat in the future.
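The decoy-account tactic above and the search targets in this list come together once you have a dump in hand. The following is an added example, not code from the article or from any of the vendors it names, that scans a constructed credential paste for three things a defender cares about: addresses on the organization's own domain, which seeded decoy accounts (and therefore which copy of a data set) have been tripped, and digit runs that pass the Luhn check and so are plausibly card numbers. The dump, the domain example.com, the decoy names and the data-set labels are all made up for the example.

```python
import re
from typing import Dict, List

# Constructed sample of a credential paste in the "email:password" form such
# dumps commonly take. None of these accounts, passwords or numbers are real.
SAMPLE_DUMP = """\
alice@example.com:Winter2018!
bob@example.com:hunter2
jane.harrow@example.com:Autumn-Leaves-42
someone@gmail.com:password123
card: 4111 1111 1111 1111 exp 09/21
card: 4111-1111-1111-1112 exp 01/22
helpdesk phone: 555-0100
"""

# Decoy (canary) accounts, each seeded into exactly one copy of a data set,
# so a hit identifies which copy leaked. Names and labels are fictitious.
CANARY_ACCOUNTS: Dict[str, str] = {
    "jane.harrow@example.com": "crm-export-shared-with-partner-A",
    "t.okafor@example.com": "hr-system-backup",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check: weeds out phone numbers, ticket IDs and typos that
    merely look like card numbers. Passing does not mean the card is live."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Digit runs that pass Luhn, returned with separators stripped."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_dump(text: str, org_domain: str, canaries: Dict[str, str]) -> Dict[str, List[str]]:
    """Pull out addresses on the organization's domain, the decoy data sets
    that were tripped, and Luhn-valid card numbers."""
    emails = sorted({m.group(0).lower() for m in EMAIL_RE.finditer(text)})
    org_emails = [e for e in emails if e.endswith("@" + org_domain.lower())]
    tripped = sorted({canaries[e] for e in org_emails if e in canaries})
    return {
        "org_emails": org_emails,
        "leaked_datasets": tripped,
        "card_numbers": find_card_numbers(text),
    }


if __name__ == "__main__":
    for key, value in scan_dump(SAMPLE_DUMP, "example.com", CANARY_ACCOUNTS).items():
        print(f"{key}: {value}")
```

On the sample, the scan flags three example.com accounts, reports that the data set shared with partner A is the one that leaked (the HR backup decoy is absent), and keeps only the first card number, since the second fails Luhn and the phone number is too short to match. Decoys only work if they look like ordinary records, so do not name them "canary" or "test", and keep the mapping from decoy to data set somewhere the scanner, not the data set, can read it.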
Just remember, this is a movable feast of information. Nothing remains static, and for this reason alone, countering threats demands an intelligent mix of machine-learning analytics and human vigilance. That is one reason cybersecurity skills are in such short supply: demand outstrips the available talent, so businesses need to be clever, partnering with expert groups and ensuring suppliers adhere to their security policies.
Building security into systems is also a must. You’ll want to make sure you have sophisticated technologies baked into the very fabric of your hardware and applications to rebuff any potential threats. You’ll also want to keep your devices up to date, which is where a centrally managed Device as a Service (DaaS) model can help.
HP, for instance, provides a one-stop solution with its DaaS offering, which combines hardware and lifecycle services to make your company more efficient, improve the employee experience, and free up IT resources. The transformative nature of this service model brings with it increased and centralized security on the latest hardware; in fact, the security stack built into HP hardware substantially improves manageability and security.
As regulations change or threats increase, you can switch out devices to meet requirements. By helping to manage volatility and fast-changing business needs, HP also enables analytics-based prediction of security and hardware needs. In this sense, HP DaaS can help you proactively protect your business from attacks on data by monitoring every device and how it adheres to security policies, data access, and approved apps. It also provides an analytical perspective on inventory, device location, and condition, as well as end-of-life disposal to prevent physical security breaches.
At the end of the day, the key challenge facing your organization is consistency. Criminals only need one opportunity to break through defenses, so ensuring any potential vulnerabilities are shored up is essential and demands a solid technology solution—coupled with best-in-class business processes—to mitigate risk. The stakes are too high for businesses to bury their heads in the sand. Ongoing alertness is imperative to stop critical business data appearing on the hidden underground forums of the dark web.