
Threat monitoring: Why watching the dark web is crucial

Enterprises should broaden their threat monitoring to include dark web sites. Expert Matt Pascucci explains why it's important, and what enterprises can learn from the dark web.

In today's threat landscape, an organization can use all the help it can get with detecting threats against its assets. A company's own network has been, and will continue to be, the first place to look for threats, but many people are exploring additional locations outside of their direct control to monitor. With these additional options available, many organizations are turning to services that monitor the dark web to expand their threat monitoring capabilities. This allows organizations to keep an eye out for attacks being planned on the dark web, or even to be notified if stolen corporate data is being posted to malicious forums. Sometimes you need to be in the lion's den to detect an attack.

The dark web has been a place filled with mystery and can offer anything from drugs, books, weapons, music and stolen data to refuge for political dissidents. It's the internet within the internet and allows people the freedom, for good or bad, to access data that they're looking to research, view or even sell under the guise of anonymity. The sale of stolen data, malware and hacking campaigns on the dark web makes it a natural place for cybercriminals to congregate. There are plenty of legitimate uses for the dark web, but many people focus on the criminal uses, since those are what the media mostly reports on. It's for this reason that cybersecurity threat intelligence companies like OWL Cybersecurity and SurfWatch Labs undertake threat monitoring of the dark web and other commonly used hacker sites to bring this correlated intelligence to your fingertips.

Having insight into what's occurring within the dark web is extremely useful when an organization is looking to monitor for potential risks before they occur. These solutions are taking advantage of the openness of the dark web and using it for your benefit. The dark web is unlike the internet we all know, mainly because it's not indexed by a common search engine and it's hard to determine where certain activity is occurring. This makes it much harder for people to find information on the dark web unless they know where to look.


Certain threat intelligence companies are piggybacking off the data on the dark web and using it to their advantage by creating alerts when something of interest to your organization has been found. There have been many examples of attacks or malware that, if detected and alerted on earlier, would have given the victims a better chance to prepare for the attack before it occurred. It is alerts like these that allow threat intelligence companies to shine a light on the dark web and become an earlier warning system for organizations looking to monitor for threats outside their direct control.

There have also been instances where compromised data from an organization has been posted to the dark web, either for sale or to dox another entity. Being able to use the data these companies provide, or to run custom queries against the data threat intelligence companies own, allows you to be notified proactively if there's been a breach. This has been seen many times with insider threats that take data or ideas and post them on the dark web for sale or to harm a reputation. Without knowing where to look on the dark web, this data would go past any internal threat intelligence organization that a business might have deployed. If an organization knows data was posted to the dark web by an insider threat, it can limit the scope of its investigation or at least understand the motives behind the attackers' actions sooner.

Threat monitoring on the dark web adds an additional level of intelligence that many companies are grasping for in order to get a leg up on attackers. Just like anything else, these technologies aren't to be used solely by themselves. They're meant to supplement your threat monitoring architecture by performing searches outside of your normal domain and within areas where attackers conduct business. It's becoming extremely difficult to monitor all the areas where an attacker might post information, but having services review the dark web and other sharing platforms on which attackers normally communicate is critical in today's threat monitoring and reputation protection. Being able to monitor communications on the dark web in which attackers discuss campaigns with other actors could yield vital information a company would want to know urgently.

Monitoring potential attackers as closely as possible, in the places where many groups carry out their operations and communication, allows you to take a step closer to disrupting their efforts to organize an attack. It also assists with monitoring for data that might be used to harm your business, and it can serve as an early warning sign that something isn't right. Using technologies like this might not find threats every day, but when they do, you'll be happy to know about it beforehand.


This was last published in September 2016
