How Much of Your Company, Employee and Customer Data Is in the Dark Web?

The dark web is a cybercriminal's playground. Learn what technology you need to ensure your sensitive data isn’t there.

What is the Dark Web?

The dark web is an intimidating term we don’t like to think about because, honestly, it’s a scary place. Not to be confused with the “deep web,” which hosts primarily intranet and private websites, the dark web is where the criminals think they can hide. The dark web makes up only a small percentage of the internet, but it’s a hotbed for cybercriminals who navigate it with greater anonymity than the web we all know and love. With their IP addresses, and therefore identities and locations, masked by specialized software, they have free rein to buy and sell stolen information, or so they think.

The online underground market for identities, credentials and personally identifiable information (PII) is growing exponentially. Anyone with a computer, a bitcoin wallet and internet access can easily buy (or sell) access to stolen credentials and PII. It’s not uncommon to see threat actors making the rounds on underground sites trying to sell data shortly after a target site or commercial web application has been breached.

Often referred to as “fullz” in threat-actor communities, this stolen information can sometimes include full “packages” of information that can be used to empty a victim’s bank account or be leveraged in credit card fraud operations. Fullz usually include physical addresses, credit information, dates of birth, social security numbers and additional sensitive information belonging to the victim. Part of the sales process involves offering “proof of access” by sharing a sample of hacked account logins (oftentimes, thousands of them) to prospective buyers. In short, credential harvesting is lucrative—and business is booming.  

We’re also seeing emerging secondary markets dedicated exclusively to selling actual user account access. Once a threat actor has successfully compromised an online account, he can usually get a decent return on his investment. Hacked accounts that have cash account balances, linked credit cards, or travel/gift points typically command correspondingly higher prices in underground markets.

The dark web isn’t always that bad, however. It can and does have legitimate purposes. Journalists, for instance, often use the dark web to engage in protected conversations with secret sources. Undercover law enforcement leverages the dark web to track criminal behavior, particularly related to child abuse, terrorism rings and the sale of illegal goods.

What companies and people want to avoid, however, is having their personal, private data sink into the dark web without their permission or knowledge. Here are three technologies to consider before your company becomes the next statistic.

Dark Web Monitoring

You don’t know what you don’t know. How sure are you that your employee, customer or corporate data isn’t already in the dark web, being sold to the highest bidders, if you aren’t actively checking it on a regular basis? You don’t want to learn the hard way, via a public breach that damages your brand’s reputation and costs your company millions of dollars in fines and legal fees.

Many companies turn to automated dark web monitoring technologies, such as web scanners, forum scrapers and web crawlers, to locate stolen credentials. While the intent is good, the execution is a little late to the game. Dark web monitoring services do let you keep a constant eye on the dark web to identify breached credentials, but by that point it is often too late. Effective account takeover prevention hinges on one critical capability: finding stolen credentials before they’ve hit the dark web. By the time most automated technologies find breached credentials on the dark web, those assets have already been sold to communities of dark agents. The key is to detect vulnerabilities early in the account takeover process, before those assets have been pushed into the more commercialized dark web.

The earlier username and password breaches are flagged, the sooner action can be taken to force a password reset. The sooner the password is changed to a stronger, uncompromised one, the less chance threat actors have to scale their breach to impact more accounts or sell their stolen goods to communities of cybercriminals on the dark web. Finding these breaches early, however, requires more than scanners, scrapers and crawlers alone.

Dark Web Credentials API

The dark web isn’t a place where you can just search and find stolen credentials. First, stolen credentials aren’t sprinkled throughout the dark web for people to discover. Cybercriminals post only a few bits of their stolen credentials to entice buyers. Only when they have sealed their deal do they release the entirety of their assets.

A dark web monitoring API enables developers, security teams and vendors, and other users to rapidly integrate with actual breach data: data that has already been collected, sorted and analyzed for consumption by an account takeover (ATO) prevention company. The dark web API helps companies take proactive measures to protect employee and customer accounts automatically while giving fraud investigators the data they need for their investigations.

It’s important to note that not all breach data is the same. Some companies populate their data set with incomplete, encrypted or inaccurate data. In order to leverage the power of the dark web API, be sure the database to which the API connects is current, comprehensive and accurate. Compromised passwords should be presented in plain text format so security and fraud teams can more easily find matches. The cleaner the data, the more quickly vulnerabilities can be found.

Dark Web Password Protection

The first step to prevent account takeover is to enforce better password selection. Weak passwords provide a highway to the dark web. People are prone to using the same passwords across multiple accounts and reusing them even when a company implements a 90-day password rotation policy. Bad actors know this. They count on it. They use technology to crack passwords and, once they do, use credential stuffing to test those passwords against multiple accounts at scale.

NIST’s new guidelines for password protection mean employees should choose passwords they can remember but that are difficult to guess. By using a dark web credentials API, companies have access to a dark web database of breached passwords against which they can compare their employee and/or customer passwords. If there is a match, the user is forced to choose a stronger, uncompromised password before they can register their account.
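
As an added example (not code from this article or from any vendor), the Python sketch below shows the comparison described above: a new password is rejected if it appears in the breach data, and an existing account is flagged for a forced reset when a password breached for that email matches the stored salted hash, which is only possible when the breach data holds plaintext. The breach records, user store, work factor and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample breach data: email -> plaintext passwords exposed for it.
BREACH_RECORDS = {
    "alice@example.com": {"Summer2019!", "alice123"},
    "bob@example.com": {"qwerty"},
}
# Every breached password regardless of owner, used to screen new registrations.
BREACHED_PASSWORDS = set().union(*BREACH_RECORDS.values())
ITERATIONS = 50_000  # assumed work factor, kept low so the example runs quickly


def hash_password(password, salt):
    """Salted PBKDF2 hash, standing in for however the site stores passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def registration_allowed(candidate):
    """Reject a new password that already appears in the breach data."""
    return candidate not in BREACHED_PASSWORDS


def accounts_needing_reset(user_store):
    """Emails whose stored hash matches a password breached for that same email."""
    flagged = []
    for email, (salt, stored) in user_store.items():
        for leaked in BREACH_RECORDS.get(email.lower(), ()):
            # Re-hash the leaked plaintext with this user's salt, compare in constant time.
            if hmac.compare_digest(hash_password(leaked, salt), stored):
                flagged.append(email)
                break
    return sorted(flagged)


def build_sample_store():
    """Constructed user store: email -> (salt, hash)."""
    users = [("alice@example.com", "alice123"),             # still uses a breached password
             ("bob@example.com", "c0rrect-horse-battery")]  # changed since the breach
    store = {}
    for email, password in users:
        salt = os.urandom(16)
        store[email] = (salt, hash_password(password, salt))
    return store


if __name__ == "__main__":
    print(accounts_needing_reset(build_sample_store()), registration_allowed("qwerty"))
```
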

Employee education should be at the top of any security team’s list. Oftentimes, employees do not appreciate the risk they bring into the company with the use of simple, easily guessable and/or reused passwords. They don’t always understand how using passwords across multiple accounts puts all of their accounts and those companies at risk. Dark web password protection begins with education and ends with technology to enforce company standards.

The ATO Arsenal

One of the misconceptions of the dark web is that cybercriminals are living in an anarchy where there are no repercussions for their illicit activity. Fortunately, they can be and are being busted by the police. Dark websites are being shut down and people are being held accountable. Unfortunately, much of the criminal behavior in the dark web comes in the form of stealing identities. By the time criminals are caught, people’s lives and company reputations have been put through the wringer.

The good news is the cybersecurity industry is making a dent. It is developing smart technologies and best practices that can discover bad behavior early in the ATO lifecycle, when actions can be taken to minimize the damage.

Human Intelligence and Applied Research

If the automated collection of stolen credentials is not sufficient, then what is? While AI and machine learning technologies may be where everything is moving, humans still hold an advantage in many ways. Humans can develop relationships with underground actors to obtain information no automated technology can match.

Only by using human intelligence (HUMINT) and applied research can ATO be discovered and mitigated early on, before the credentials have been sold to the masses. Humans have to actually get into the minds of the cybercriminals, covertly establish relationships with them, gain access to private sources, and then report their intel back. When combined with applied research that makes sense of all of the data, a much wider net is cast and a better picture of what’s happening is in view.

Dark Web Scanners and Similar Automated Tools

Open sources, pastes, Tor hidden sources, dark web markets and private forums are all discoverable by automated collection tools. Scanners, scrapers and crawlers constantly monitor the dark web for suspicious activity. Stolen credentials can be found this way, even if it’s later in the ATO cycle.

The smartest way to use these automated tools is to combine them with human intelligence. By doing so, every crevice of the dark web is brought to light. While no technology or human input can protect every account, the combination of the two gives companies a much better chance to prevent ATO from the start or at the very least, minimize the damage when a breach is discovered.

Dark Web Cleansing and Analysis

It would be nice if all of this discovered data came in a neat little box with a bow wrapped around it. In reality, the data is often “dirty,” containing duplicates, encrypted data, old data and inaccurate data that can be in multiple formats. Not all of the data is valuable or usable. The best technologies can clean it up for analysis so it can be used immediately to inform decisions or take action.

There is sophisticated cleansing technology available that does all of the hard work so security leaders can take action quickly. This includes the complicated processes of parsing, normalizing, removing duplicates, validating and enriching the data. All five of these steps are critical in making the data understandable, usable and actionable.
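
The five steps named above, as an added Python example (not code from this article or from any product): it parses raw lines in mixed formats, normalizes the identifier, removes duplicates, validates, and enriches each record with its domain and a heuristic guess at whether the secret is a digest. The sample lines, field names and regular expressions are constructed assumptions.

```python
import re

# Constructed sample of raw lines in mixed formats (not real breach data).
RAW_LINES = [
    "Alice@Example.com:Summer2019!",
    "alice@example.com:Summer2019!",   # duplicate once normalized
    "bob@example.com;qwerty",
    '"carol@example.org","hunter2"',
    "not-an-email:password1",          # fails validation
    "dave@example.net:5f4dcc3b5aa765d61d8327deb882cf99",  # looks hashed
    "",                                # unparseable
]
LINE_RE = re.compile(r'^"?([^":;,\s]+)"?\s*[:;,]\s*"?(.*?)"?$')
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$")
HEX_DIGEST_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def parse(line):
    """Split one raw line into (identifier, secret); None if no known format fits."""
    match = LINE_RE.match(line.strip())
    return (match.group(1), match.group(2)) if match else None


def enrich(email, secret):
    """Add the domain and a heuristic guess at whether the secret is a digest."""
    form = "hash-like" if HEX_DIGEST_RE.match(secret) else "plaintext"
    return {"email": email, "secret": secret, "domain": email.split("@", 1)[1], "form": form}


def cleanse(lines):
    """Run parse, normalize, de-duplicate, validate, enrich; return (records, rejected)."""
    seen, records, rejected = set(), [], 0
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            rejected += 1
            continue
        email, secret = parsed[0].lower(), parsed[1]  # normalize; secrets stay case-sensitive
        if (email, secret) in seen:                   # remove duplicates
            continue
        seen.add((email, secret))
        if not EMAIL_RE.match(email) or not secret:   # validate
            rejected += 1
            continue
        records.append(enrich(email, secret))
    return records, rejected


if __name__ == "__main__":
    print(cleanse(RAW_LINES))
```
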
