Ignorance is Not Bliss When It Comes to Defending Against the Dark Web

Ignorance is Not Bliss When It Comes to Defending Against the Dark Web
Author: Chris Dimitriadis, Chief Global Strategy Officer, ISACA
Date Published: 26 November 2019

The dark web ecosystem continues to evolve as a place where cybercriminals can sell and access stolen data, purchase black-market items such as guns, drugs and hacking software, and connect with like-minded individuals. As is the case in any supply-and-demand scenario, since there remains a strong demand for these and other items, the dark web will remain a popular hub for the foreseeable future. That, in turn, puts security professionals and their enterprises in the position of needing to gain a deeper understanding of the dark web and how to mitigate its various risks.

In many cases, organizations have a long way to go in this regard. Even the name “dark web” connotes a taboo that, unfortunately, causes many organizations to shy away from giving this space the attention that it deserves. While there are areas of the dark web that need to be dealt with cautiously, the dark web’s basic contents, pathways and major risks should be well-understood by organizations’ security teams. Pursuing knowledge about cyber threats and cyber adversaries provides a baseline foundation for any successful cybersecurity program, so dismissing the dark web as either too dangerous, too far out of the mainstream or too complicated to merit attention does a disservice to the organizations that security professionals are responsible for protecting.

While there is a diverse range of threats organizations can face through the dark web, some relatively common ones include:

  • The sale of customer data
  • The sale of personal data (including medical/prescription data)
  • Identity theft
  • Credit card fraud
  • Gift card fraud

As ISACA states in a briefing on the dark web, “All of these crimes can jeopardize an enterprise’s customers, partners and vendors; require significant investment to repair; and erode its reputation in the marketplace. Sadly, because of the anonymity and privacy of the darknet, most enterprises will not know when attacks are coming, what kinds of attacks they are likely to incur, where the attacks will likely originate nor who will be behind them.” Consider that for a moment: if enterprise security teams are unaware of these fundamental details, there is no chance that they can realistically thwart these attacks or be well-positioned to limit the resulting damage. It is difficult enough for security professionals to contend with the challenging threat landscape when they are actively monitoring and assessing threats; without that level of due diligence, security teams are inviting disaster.

It probably is not necessary for all members of security teams to be experts on the dark web, but it would be advantageous to have at least one team member be highly knowledgeable, and for other members of the team to have enough familiarity to be able to deal with specific incidents that demand attention. Pen testers, who can benefit from gaining knowledge of new attack methods, and incident responders, who stand to benefit from insights related to their investigations, might find it especially beneficial to become attuned to certain forums and activities on the dark web. If it is not realistic for smaller teams to have dark web-savvy practitioners on staff, then engaging third-party expertise can provide a viable alternative.

While the dark web accounts for a relatively small percentage of all content on the internet, it is a vast enough space that organizations are unable to actively monitor all, or even most, of material on the dark web. However, by prioritizing high-impact risks, there is much to be gained in pinpointing key areas of the dark web to regularly monitor. Exactly what those areas are will vary from organization to organization, depending on the nature of its business and customer profile, but some likely starting points are applicable dark web forums (where discussions take place highlighting vulnerabilities and attack methods) and black markets (a commerce-focused area where stolen data can be browsed and purchased). It is important to bear in mind, however, that the dark web is no place for security professionals in the private sector to engage with criminals. That is the territory of police and other law enforcement agencies, as it would be dangerous to ignore that cyber criminals are people who also act in the physical world.

The old saying that ignorance is bliss might apply in some cases, but that approach is counterproductive when it comes to dealing with nefarious activity on the dark web. The reality is there is a high volume of activity on the dark web, including many activities, transactions and schemes that could have a direct impact on enterprises and their customers. It is understandable that security teams already feel like they are spread thin with their business as usual responsibilities, and the concept of proactively taking on a new frontier such as the dark web might seem like an intimidating course of action. However, operating as if what transpires on the dark web is outside of a security team’s scope is a failure to provide the due diligence that boards of directors and organizational leaders expect from their security teams. The dark web is an important source of knowledge for security professionals in order to understand both the threats and attack practices of cyber adversaries.

Editor's note: This article originally appeared in CSO.