More than 6,000 marketplaces on the Dark Web sell ransomware toolkits at inexpensive prices. No wonder, then, that ransomware has exploded over the past 12 months, both in the number of incidents and in the dollars paid in ransoms. It’s easy to find, if you know where to look, and cheap to execute.
That’s just one example of the nefarious underbelly of the internet. Even its name sounds sinister. Media reports talk about the types of information sold on the Dark Web in the aftermath of serious cybersecurity incidents – beyond ransomware, this is where bad actors can buy credit card and financial records or get access to passwords and user logins or Social Security numbers.
However, the Dark Web has many uses, both legal and illegal. It is a key enabler of the cybercrime economy.
“It’s important for security professionals to familiarize themselves with what hackers have access to on the Dark Web to better understand what they need to defend themselves against,” said Isabelle Dumont, vice president at Lacework. “From toolkits that enable novice hackers to mount an attack to stolen credentials, everything can be acquired on the Dark Web.”
Here are some basics of what you should know about the Dark Web.
The Different Levels of the Web – Surface Web
There are different levels to the web, and understanding them is necessary to understanding the underpinnings of the cyberworld’s black market. First there is the surface level, which is simply the internet that is indexed and easily found using common search engines: the part of the web that most of us use every day. “This is where most surfing is tracked and indexed by firms such as Google and Microsoft. Yet only around 17 percent of the entire internet is indexed and accessed by the general public,” explained John Kronick, director of cybersecurity solutions at PCM, Inc.
The Deep Web is the part of the internet that is not indexed; therefore, you need to know the address of the web page to access it. You can’t simply use a search engine to find a website. The vast majority of the web is Deep Web.
The Dark Web is interconnected within the Deep Web; however, it requires special browsers or configurations to access, and its main purpose is to protect privacy and keep users anonymous, explained Joseph Carson, chief security scientist at Thycotic. “The main purpose of the Dark Web is to protect privacy using a combination of routing and encryption, and of course this can be used for both legal and illegal purposes.”
A darknet is any overlay network that can be accessed only with specific software, configurations, or authorization, often using non-standard communications protocols and ports, explained Kronick. “Two typical darknet types are friend-to-friend networks and privacy networks such as Tor and Onion. The reciprocal term for an encrypted darknet is clearnet or surface web when referring to search engine indexable content.”
Connection to Silk Road
The Dark Web has been heavily associated with Silk Road, according to Carson, which was a market platform used for selling illegal drugs. This connection resulted in the widespread negative assumption that the Dark Web is only used for illegal or criminal activities. While it is true that cybercriminals turn to the Dark Web for illegal behaviors, it is also used for secure and private communications for journalism, for testing new internet services, or simply to avoid monitoring of your internet activity.
Other Terms to Know
According to Anthony Aragues, VP of Security Research at Anomali, other important Dark Web terms to know include:
- Crypters: tools that encrypt malware in order to bypass detection by Antivirus engines
- Binders: tools used to trojanize a legitimate program with a malware sample
- Rippers: actors on forums identified as ripping off and scamming other users without delivering useful services or contraband
- Hard Candy: another term for child porn
- Doxing: revealing someone’s name, address, phone number and other personal information
- Full Cards: credit card info with names, number, expiration and CCV
The Insider Threat
There is a Dark Web insider threat that organizations must be aware of, said Aragues. “Any connection to or from the Dark Web within your company’s network can put you at risk, including employee use of the Dark Web on work devices or use of employee work credentials to access Dark Web services. Any data dumps that include direct mentions of your company or specific employees within underground hacker forums is a major red flag that you are at risk, and particularly if it includes a call to arms directed at you.”
What Criminals Are Doing
Some of the commodities you’ll find for sale and behaviors to monitor on the Dark Web, according to Anurag Kahol, CTO with Bitglass, include:
- Tor traffic – organizations should be watching for traffic routed through Tor nodes, indicative of sensitive data being exfiltrated.
- Malware and C&C hosts – same as above. Traffic hitting these destinations suggests a breach – either insiders or outsiders with access to the corporate network.
- Credentials for sale – the Dark Web is in part a marketplace for illicit goods and activities. Credentials that provide complete access to an organization's cloud apps are often sold on the Dark Web.
- PII – as with credentials, information on employees, customers, and clients may be sold on the Dark Web.
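The first two items on that list are things a network team can actually alert on. The following is an added example, not code from the article or from Bitglass: it scans outbound connection records from a corporate network for destinations that appear on a list of known Tor relay addresses or on a list of known command-and-control hosts, and rates a Tor hit higher when a large volume of data left with it. The log format, the IP ranges and the threat lists are all constructed for the example; in practice the relay list would come from the Tor project's published relay data and the C&C list from your threat-intelligence feed.

```python
"""Flag outbound connections to Tor relays and known C&C hosts.

Added example with constructed data. Real deployments would feed in
firewall/proxy exports and refresh the threat lists automatically.
"""
import ipaddress
from collections import Counter

# Constructed threat lists (documentation ranges, not real infrastructure).
TOR_RELAY_IPS = {"203.0.113.10", "203.0.113.11", "198.51.100.77"}
C2_HOSTS = {"192.0.2.200"}
# Constructed corporate address space; only sessions originating here matter.
CORP_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed outbound firewall log.
# Fields: timestamp src_ip:port dst_ip:port proto action bytes_out
LOG_LINES = """\
2023-01-01T09:00:01Z 10.1.2.3:51000 93.184.216.34:443 tcp allow 1200
2023-01-01T09:00:05Z 10.1.2.3:51001 203.0.113.10:9001 tcp allow 8500000
2023-01-01T09:00:07Z 10.1.2.50:51002 192.0.2.200:8080 tcp allow 4096
2023-01-01T09:00:09Z 10.1.2.3:51003 203.0.113.11:443 tcp allow 120
2023-01-01T09:00:12Z 10.1.9.9:51004 8.8.8.8:53 udp allow 64
malformed line that should be skipped
"""


def parse_line(line):
    """Return a dict for a well-formed record, or None for junk lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, action, nbytes = parts
    try:
        src_ip, _ = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        ipaddress.ip_address(src_ip)
        ipaddress.ip_address(dst_ip)
        return {"ts": ts, "src": src_ip, "dst": dst_ip,
                "dport": int(dst_port), "proto": proto,
                "action": action, "bytes": int(nbytes)}
    except ValueError:
        return None


def classify(rec):
    """Match the destination against the threat lists; C&C wins over Tor."""
    if rec["dst"] in C2_HOSTS:
        return "c2_host"
    if rec["dst"] in TOR_RELAY_IPS:
        return "tor_relay"
    return None


def scan_log(text, exfil_threshold=1_000_000):
    """Return one alert per matching outbound session from the corporate net."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or ipaddress.ip_address(rec["src"]) not in CORP_NET:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        # Any C&C contact is high; a Tor session is high only when enough
        # data left with it to look like exfiltration rather than browsing.
        high = kind == "c2_host" or rec["bytes"] >= exfil_threshold
        alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                       "kind": kind, "bytes": rec["bytes"],
                       "severity": "high" if high else "medium"})
    return alerts


def hosts_by_alert_count(alerts):
    """Which internal hosts generated the most hits (triage order)."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    for a in scan_log(LOG_LINES):
        print(f"{a['severity']:6} {a['kind']:9} {a['src']} -> {a['dst']} ({a['bytes']} bytes)")
    print(hosts_by_alert_count(scan_log(LOG_LINES)))
```

Two design points worth noting: the byte threshold separates an employee idly opening a Tor client from a session that moved megabytes, which is what the "sensitive data being exfiltrated" concern is really about, and any contact with a C&C host is rated high regardless of volume, since a beacon is typically small.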
Best Practices to Keep Sensitive Information from the Dark Web
Christian Lees, chief information security officer with InfoArmor, shared the following best practices to keep your sensitive information from being compromised on the Dark Web:
- Company email addresses should never be a secondary qualifying address for Gmail.
- A cloud service used for work - like Box, Azure or Dropbox - can be the employee's company email but should always have a different password than their company login.
- Understand that threat actors are superb at “connecting the dots” on social media and other sources, for whale phishing and generalized targeted phishing purposes.
- CISOs and HR should work together on the issue of employees' use of digital assets and company URL.
- HR needs to get more security savvy.
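Two of the concerns above, Aragues's warning about data dumps that name your company or its employees and Lees's rule that a cloud-service password must differ from the company login, can be checked together when a credential dump surfaces. The following is an added example, not code from the article or from any vendor quoted in it. It parses a constructed dump in the common `email:password` form, picks out addresses on the company's domain, and tests each leaked password against the employee's current corporate password hash so that only genuinely reused passwords trigger a forced reset. The domain, the directory contents and the PBKDF2 parameters are assumptions made for the example.

```python
"""Triage a leaked credential dump against a corporate directory.

Added example with constructed data. The directory mimics what a login
system stores (salt + PBKDF2 hash); the dump is a made-up paste.
"""
import hashlib
import hmac
import os

COMPANY_DOMAIN = "example.com"  # assumed company domain


def hash_password(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256, the way the assumed login system stores passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def _make_record(password):
    """Build a directory entry the way account creation would."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed corporate directory: current corporate login passwords.
DIRECTORY = {
    "alice@example.com": _make_record("Winter2023!"),
    "bob@example.com": _make_record("correct horse battery staple"),
}

# Constructed dump: alice reused her corporate password on the breached
# service; bob used a different one; the rest are not our domain or junk.
LEAKED_DUMP = """\
alice@example.com:Winter2023!
bob@example.com:bobs-dropbox-pw-2022
carol@gmail.com:hunter2
ALICE@EXAMPLE.COM:oldpass
not a credential line
dave@example.org:pw
"""


def parse_dump(text):
    """Yield (email, password) pairs; email normalised to lower case."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, pw = line.split(":", 1)
        email = email.strip().lower()
        if "@" in email:
            yield email, pw


def company_mentions(text, domain=COMPANY_DOMAIN):
    """Every distinct company-domain address that appears in the dump."""
    return sorted({e for e, _ in parse_dump(text) if e.endswith("@" + domain)})


def password_reused(email, leaked_pw, directory=DIRECTORY):
    """True if the leaked password equals the user's current corporate password."""
    rec = directory.get(email)
    if rec is None:
        return False
    candidate = hash_password(leaked_pw, rec["salt"])
    return hmac.compare_digest(candidate, rec["hash"])


def triage(text, directory=DIRECTORY, domain=COMPANY_DOMAIN):
    """Map each company address in the dump to 'mentioned' or 'reuse_force_reset'.

    A later non-matching entry for the same address never downgrades an
    earlier reuse finding.
    """
    results = {}
    for email, pw in parse_dump(text):
        if not email.endswith("@" + domain):
            continue
        status = results.get(email, "mentioned")
        if password_reused(email, pw, directory):
            status = "reuse_force_reset"
        results[email] = status
    return results


if __name__ == "__main__":
    for email, status in triage(LEAKED_DUMP).items():
        print(f"{email}: {status}")
```

The comparison runs through the existing salted hash rather than keeping any plaintext on the defender's side, and a "mentioned" result still matters: an employee address in a dump is the red flag Aragues describes even when the password was not reused, because it marks that person as a likely phishing target.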
Why Security Pros Need to Understand the Dark Web
“Once you understand the scope of what’s available to criminals, it’s a lot easier to rationalize how to defend an organization from cyberattacks,” said Carson. “It’s no longer about detecting malware or a suspicious file. Security teams need to stay on top of every single anomaly in their environment, from unintended misconfigurations that hackers will take advantage of (the easiest path) to inappropriate use of privileged accounts, to appropriation of resources in the cloud.”
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba