The Dark Web is a term that has been getting a lot of attention in corporate boardrooms and media outlets as of late. The general preconception of the Dark Web is that it’s a seedy underground digital hiding place for drug dealers, assassins, cybercriminals and pedophiles, which isn’t far from the truth. For this reason, security researchers and law enforcement agencies have been surveying the Dark Web for years and keep close eyes on what goes on there. Quite often it is the first place that people learn of a data breach. This has also made it a place of interest for corporate IT security teams and risk managers. According to the rumor mill in cybersecurity circles, stolen data from the Target and Sony breaches potentially sat on the Dark Web for months before making headlines. However, while Dark Web intelligence may be helpful in defending your organization from cybercriminals, counsel needs to have a basic familiarity with the underground regions of the Internet and some understanding of how malicious actors use it to commit their crimes in order to avoid running afoul of unnecessary risks.
The Internet is composed of three primary layers: the World Wide Web (or Surface Web), the Deep Web and the Dark Web. The top layer, which is the area that most users are familiar with, represents only a very small fraction of the Internet. It is the roughly 4 percent of the Internet that is easily accessible via any common search engine. Underneath the Surface Web is the Deep Web, a much larger pool of information that is largely untouched by search engines. No one knows the exact size of the Deep Web, because it is hard to quantify without search engines. Typically, the Deep Web consists of corporate and academic environments that can only be accessed through direct queries. In other words, you need to know precisely what information you’re looking for and you often need to have some kind of authorization to obtain the information. Legal research databases and subscription services are common examples. The third layer is the Dark Web. It’s referred to as “dark” because it can only be accessed with special browsers, routers and encryption tools that render all traffic to its sites anonymous. The sites also use tools to hide their IP addresses, which make tracking their location and ownership especially difficult. These two aspects of anonymity are what make the Dark Web suitable as a digital underground. However, they are also what enables anonymous whistleblowing and protects users from surveillance and censorship in authoritarian regimes.
Given the wealth of intelligence that can be gleaned from the Dark Web, it is understandable that corporate security and risk teams are attracted to it. However, counsel must ensure that these teams proceed with due caution in order to avoid what can be very significant risks.
Most importantly, impromptu Dark Web reconnaissance can inadvertently expose an organization to greater security risks because of unknown malicious files that can infiltrate the corporate network. Just like other underground black markets, the Dark Web is full of unscrupulous actors who enjoy taking advantage of the unacquainted. If IT staff isn’t properly trained nor has the right resources and equipment they could easily bring that malware and its controllers back home without even knowing it. In fact, connecting to the Dark Web from any corporate network is always ill-advised. It’s important to use air-gapped assets that have no way to transfer malicious data into the corporate environment, as well as to use multiple layers of encryption.
Further, gaining access is not for the faint of heart. Not all content on the Dark Web is immediately accessible. It can take considerable time, expertise and manual effort to glean useful information. It may take a researcher years to establish trust in certain communities and sales forums. Your in-house staff likely don’t have the luxury of such time, energy and resources. Additionally, several criminal forums on the Dark Web utilize a “vouching” system, similar to a private members club, which might require an investigator to associate with criminals or stray into significantly gray ethical territory to gain access to the content. The average systems administrator probably doesn’t have the operational skills necessary to pass himself off as a hacker on the Dark Web. Without the requisite skills, reconnaissance is likely to prove fruitless and will open the company up to further danger.
Lastly, even if your team was successful in safely gaining access, their activities must be closely monitored to ensure they do not run afoul of any laws. For example, you certainly wouldn’t want your employees accidentally viewing child pornography or bringing it onto the corporate network. Also, while it can be tempting to download files pertaining to purported breaches, taking receipt of stolen goods is a felony in the United States (18 U.S.C. § 2315) that can cause legal issues for your team. Beyond that, such activities may disrupt the legitimate work of law enforcement agencies engaged in their own actions. Also, keep in mind that there is no way to confirm who the seller actually is. Purchasing data in such places can subject the company to risks of violating the Patriot Act if it turns out the data is being sold by a terrorist organization and you transfer funds to them.
A better strategy is to engage a reputable security firm to assist with these services. Many firms now offer some level of Dark Web reconnaissance, ranging from manual intelligence gathering to more automated approaches using Web scraping and analytics tools. Further, by integrating and organizing social media, Deep Web public records and peer-to-peer domains, skilled researchers are able to provide a more unified view of their external threats than internal teams can. The use of artificial intelligence and deep learning enables a more valuable exploration and indexing of large unstructured data sources, while enriching the analysis. The result is real-time finished intelligence, safe from the risks of self-gathering.
Published December 5, 2016.