Is your company data on the dark web? Key webinar takeaways

Éanna Motherway

May 16, 2024


93% of CISOs are concerned about dark web threats. What cybersecurity challenges are emerging from the online underworld, and how can we proactively address them? Nord Security’s recent webinar, Is your business data on the dark web?, delved into the hidden depths of the Internet and its growing relevance to security leaders.

Cybersecurity experts Vladimir Krupnov, Threat Intelligence Lead at Revolut, Andrew Rose, Chief Security Officer at SoSafe, and Matt Lee, Senior Director of Security and Compliance at Pax8, joined Gerald Kasulis, VP Sales at NordStellar, to share their experiences and insights on dark web monitoring, and how they leverage threat intelligence to secure their organizations’ data. Enjoy the recording above for its comprehensive discussion on the topic, or keep reading for key business takeaways.

Understanding the dark web

The dark web refers to parts of the internet that are not indexed by typical search engines and require specific browsers or tools to access. According to Matt, it is “where data has been traded... where a lot of criminal business has historically been transmitted.” To Vladimir, “It's a cyberspace where criminals – or potential criminals – communicate and carry out malicious activity, which could be related to your company, government, or anything else.”

But as Andrew points out, it’s not all doom and gloom. The dark web has proven time and again to be a beneficial technology, providing a vital platform for journalists and social movements across the world for free speech and anonymous communication.

For security leaders, it’s a vast, largely untapped wellspring of information and data that isn’t attainable on the clear web. For a large business, fearing or ignoring it simply wastes a good source of intelligence and/or value.

“You have to embrace the dark web as well as fear it, because it might be serving your business, your community or your social group, not just endangering your business.”

So why do cybercriminals flock to the dark web? According to Matt, it offers threat actors a way to “control the discoverability” of illegal activities, leveraging end-to-end encrypted technologies for anonymity. Vladimir points out the ease with which individuals can now become cybercriminals, thanks to platforms like Telegram that host thousands of illicit groups: “This is a massive problem because it lowers the barrier for the typical person to become a cybercriminal. It just takes 2 clicks nowadays.”

What are they after? 

“The information that [threat actors] steal from your network will likely be passwords,” says Matt. “It might be intellectual property, it might be files. Whatever it is, it’s being traded on the dark web.”

Vladimir states that the point is not to be fully invisible, but to have an easy escape and lower traceability (compared to the “clear” web): “You can always find anyone... It all comes down to time and effort. If someone sells credentials belonging to your company and the existing damage is less than a few million, it's unlikely to be picked up by law enforcement unless it's a part of a broader campaign.”

Disposable fake profiles are a key tool in a threat actor’s arsenal. “They just burn the profile,” says Matt. “He would just say, they’re getting too close to me, time to burn my PGP key. Next I'll just build a new profile. They're living in plain sight. That said, they hate burning a persona. It sucks. But yes, they do it when they need to.”

Hacker gangs operate better than most think, he continues. “Their tradecraft and OPSEC (operations security) is better than most people give credit for, and I would also say is probably better than most companies’... it is the risk/reward of what they're doing – since the risk is extremely high, they respond with better offset and better methodologies.”

Assessing and addressing business exposure

Matt Lee advises businesses to adopt a mindset of “live compromised,” focusing on limiting damage and improving incident response: “How do I limit the blast radius? How do I find it faster?”

This proactive stance can be supported by using threat intelligence services, as Andrew’s experience shows: “A threat intel firm brought me information about one of our staff members' identities being sold online... We reached out immediately to that staff member and helped them close down all of those loops. We knew that although it was a personal issue for them, that could very easily turn into an insider threat, blackmail, or risk for us.”

Andrew explains that his team effectively scans for anything to do with their brand or company. In this case, it was a lucky find: “It just so happened that part of the details that were being sold said that this person is working for this organization in this role. So that was our trigger, that was our hook.” 

He points out ethical concerns for business leaders when dealing with dark web resources. “You look at things like the Ashley Madison data dump… and we’re wondering what we do with this? Do we download this data and look at it to see whether any of our staff have been compromised and therefore potentially being blackmailed? Because that's us downloading illegally stolen data. Or do we step away from it?” 

Proactive measures and best practices for security leaders

Each expert supports ramping up education efforts and budget quotas for cybersecurity. 

“I describe users as your primary attack surface,” says Andrew. “So education and awareness becomes absolutely paramount. You see all the data saying that 95% of breaches are human related, and yet what do we spend on the human side of it? 5% of our budget, 10% at the maximum.”

Business leaders, particularly newly hired executives, are singled out by threat actors with targeted phishing and vishing attempts, according to Vladimir, underscoring the need for comprehensive security protocols from day one.

What about “selling” to stakeholders and business leadership? As always, it comes down to communication. Andrew stated: “You have to take stories to your exec. Take my previous examples of finding at-risk employees online and being able to protect them, thus protecting the company. Or receiving a phone call from a threat intel provider, letting me know that there were discussions about attacking my sector. 

“It's all about business protection. So show them how the dark web is impacting your control selection to protect your organization and enable business services.”

Should smaller companies be concerned about dark web threats? There’s a common misconception that small companies are not a target for cybercriminals, because media exposure focuses on large-scale data breaches of well-known brands. Matt Lee thinks they should be: “If I land on your credentials, your data, it doesn't have to be valuable to me, it doesn't have to be valuable to the world. It only has to matter to you to get you to pay.” Vladimir reminds us to watch out for fourth-party risk – any risk posed to your organization from a business relationship a third party has with its vendor.

Insights and recommendations for threat exposure management

Matt recommends using canaries (attractive decoy targets for threat actors) as warning beacons on your security perimeter. “It enables you to take action, and makes that credential no longer valuable. Remove the credential, remove the persistence, whatever it may be.”

A common question crops up: How can security leaders measure the effectiveness of dark web monitoring solutions? The panelists agree on measuring intelligence quality by how much of it their security teams can act upon.

“The most logical measurement you can have is intelligence actionability,” says Vladimir. “So if the intelligence being provided to you by the vendor is just interesting, but not actionable internally, you might have to consider alternatives… The most actionable pieces of intelligence are bad IPs, bad domains, stolen credentials.”

Andrew looks at how current the data provided by his solution is, acknowledging that there are barren periods, but “it was never a service you could do without. Because you always knew that next month might be when suddenly they'd find something which could make the whole contract worthwhile.”

“I believe nowadays that [dark web monitoring] is just part of basic cyber hygiene, because everyone does it.”

Matt agreed, saying it’s simply good strategy, relevant to sports, life, and cybersecurity: “You go scout the other team!”

Any final words? Incident response plan. If you don’t have one, Matt says, sort it out. “Too many companies lack this.” This plan should be reviewed annually and adapted to evolving threat and business environments. Ultimately, this is all about setting a strategic baseline for cybersecurity best practices. “Everything we're talking about here is part of basic data hygiene and governance. Live as close to the CIS framework as you can.”

With actionable data, timely insights, and increased visibility into the online underworld, staying one step ahead of threat actors becomes possible. For CISOs protecting their organization's data and security, this means having the ability to not just react to threats, but to anticipate them.