IDG: The dark web & business report: A seedy Dickensian underworld online
The dark web is getting talked about a lot at the moment. This is a shady Dickensian underworld of sexually exploited children, snuff movies and all your stolen details lifted by those virtual pickpockets.
But what do businesses need to know about it? Well, to find out we asked qualified experts to contact us and share their views. A group of 31 got back with answers to these three questions:
- What do large organisations need to understand about the dark web?
- What do many fail to grasp at the moment?
- How can understanding this space help them stay secure?
The final result was 23 pages – nearly 12,000 words – of expert responses covering the whole spectrum. It was quite a challenge to work out how best to present the information. So, we decided to break it down to an overview list of core points with some of the best comments included. The full list of contributors can also be found at the end of this short report.
The old curiosity shop: A minuscule mishmash of un-indexed sites
This space is tiny in comparison to the rest of the web. A recent article in Wired suggested there are between 7,000 and 30,000 hidden sites on the dark web. This equates to around 0.03% of the total web.
“In the minds of many, the term ‘dark web’ conjures an image of a mysterious and sinister fringe of the internet; an amalgamation of drug dealers, arms bazaars, and the illicit trading in stolen data,” says Rafe Pilling, Security Researcher at Dell SecureWorks.
“In reality, the dark web is a set of services, accessed via special gateways or software configurations that leverage encryption technology to make access or communication anonymous to a greater or lesser extent.”
Yet “the majority of cybercrime activity is actually not on the dark web,” says Robert Hansen, VP of WhiteHat Labs. Instead it is “on public or private forums on the internet that are simply not well known to the majority of the people and companies who want to protect themselves”.
However, he adds “it’s safe to say that if you are a large enough company, there is a good chance that someone in the dark web is discussing ways that you could be attacked”.
You could describe the dark web as a tiny criss-cross of Dickensian back alleys. A lot of nefarious activity takes place here. But this is certainly not the whole story.
“The dark web has an incredibly important social purpose worldwide,” says Christian Berg, CEO at NetClean. “In many countries it is the only way to obtain free information. And with states all over the world increasing their monitoring of the internet, the need is also increasing for people to be anonymous with respect to their governments. At the same time, this means the same service can also be used for criminal purposes.”
The real issue for organisations is that employees visiting the space can expose your business to risk.
A tale of two cities: Work access to this space
Anyone can visit these pages via technologies like TOR (The Onion Router) and i2p (Invisible Internet Project). In fact, it is perfectly feasible to access regular internet sites through these anonymous browsers, but it can cause issues for your organisation should individuals choose to do so.
“Many employees will probably be using it now to block ads or get around the corporate policy on accessing gambling sites while using the corporate network,” says Carl Herberger, Head of Security at Radware.
“While this may seem clever, I’m not certain many employees would realise that they have inadvertently opened up a gateway to the corporate network for those using the dark net,” he adds.
Part of the problem for IT departments is that this activity can be hard to monitor. This means that, for businesses, controlling the installation of software on machines is critical, as TOR requires a special modified browser or client software to function.
“Organisations can pretty trivially spot TOR traffic, if not the content, by using deep packet inspection (DPI) techniques for monitoring their network,” says Rapid7’s Security Research Manager, Tod Beardsley. “Yet detecting and blocking TOR traffic completely can be tricky, and no one method is foolproof.”
Bleak house: It is tough to grapple with the scale of risk
“I think only a small handful of CIOs would realise that their networks would be effectively ‘pierced’ if the dark net was used to infiltrate the infrastructure,” says Radware’s Herberger. “The consequences are extensive. It could be used to overwrite compliance, and subvert URL tools, malware tools, data leakage. And really there is no way of going back other than to refresh.”
Nick Pollard, General Manager for Guidance Software, adds: “The greatest everyday risk presented to all businesses by the dark web, is that an anonymous command and control mechanism for malware can make it very difficult to identify and disrupt the operators behind a botnet or intrusion. It is hard to tell who the intruders are.”
It is obviously imperative that businesses can secure themselves against any threat. And as the latest wave of breaches has proved, whilst most organisations spend money on traditional perimeter security, many fail to properly protect their biggest asset, their data.
“Personal Identifiable Information (PII) should be encrypted,” says Andrew Tang, Service Director of Security at MTI Technology. This would make any information unreadable to the perpetrator.
“Many of the recent attacks, which have allowed thousands of records to be stolen, have been achieved by using SQL Injection attacks,” he adds. “If information needs to be accessible to the internet, ensure OWASP standards are followed, the website is tested by a penetration testing organisation and critical data is encrypted.”
Hard times: The old-fashioned black market has moved online
One comment that emerged over and over again from our experts is that the dark web is the modern-day version of the black market. It is here you can trade illegally, enlist the services of a “hacker for hire”, or buy the leaked contents of the latest breach.
Yet, however anonymous you feel you are, you can’t guarantee you’re not going to be spotted by someone. As Pilling of Dell SecureWorks points out: “Encryption and anonymity are actually complex and subtle concepts to put into practice. Many users of dark web services seem to believe they wear an invisibility cloak that makes them impervious to harm.”
“However, the reality is that there are many predatory operators within the world of dark web services, looking for unsuspecting victims,” he adds.
The dark web has also solidified a very well-organised and fully operational global cybercrime world. While the old-fashioned black market was intensely localised, this is a complete economic ecosystem.
“For any corporation, it’s very likely that some type of malware customised to your specific organisation is already under development using off-the-shelf code templates available in online ‘malls’,” says Nick Pollard, General Manager UK for Guidance Software.
“This is being adapted by anonymous contract coders hired by anyone from a disgruntled ex-employee to an organised crime syndicate or even a nation-state threat actor… depending on how valuable your intellectual property or sensitive data is,” he continues.
Our mutual friend: Businesses can learn from this space but it’s tricky
It seems fairly obvious that businesses should be looking round the dark web to discover what is happening and to gather useful intelligence. This should help them stay proactive, with threat detection content built on real malware and exploits. Yet this is still harder to achieve than it ought to be at present.
“Only the largest of companies can afford the expertise and tools required to conduct this intelligence,” explains Stephen Coty, Chief Security Evangelist at Alert Logic.
“There are companies that can access the expertise as a service through online intelligence portals that do most of the open source intelligence work for you,” he continues. “This type of intelligence leads you to have a few analysts that can dig deeper into the dark web to find new and emerging malware and further intelligence to assist in the process. Many organisations still see this as an expensive solution that will cost on average about $500,000 a year.”
Obviously, as security continues to make up an increasingly important part of the wider business agenda this is likely to change. “I think in the next ten years we’ll start to see the use of code specialists who really understand the dark web and how it can be used as a vehicle for crime and espionage, and therefore how it needs to be managed,” says Herberger of Radware.
“I also think we’ll see policies to ensure sooner refreshes of devices, or anything connected to the network for that matter,” he adds.
For example, the use of an ad-blocker on a mobile phone makes a good argument for refreshing technology as your mobile could unwittingly be a conduit for the dark web. “Today we worry about the visible threats like viruses and malware, tomorrow we’ll be worrying about the invisible one,” he says.
The long voyage: what conclusions can we draw?
Over the last decade our entire life and work has moved online. As the space matures it is inevitable that cybercriminal activity will rise to the forefront of public consciousness, and spaces for nefarious activity will emerge in which criminals can congregate.
In some respects the dark web is a seedy online Dickensian courtyard situated off the main drag. Yet it is also a global meeting point. And while the risks to businesses are similar to a hook-nosed ne’er-do-well following a top-hatted gent back to the Strand, pinching his keys and breaking into his offices, they are also far greater.
After all, today, an organisation’s entire portfolio of global data – and other important assets – can potentially be reached, breached and distributed via a scary range of different weak spots. But it is important not to overestimate the dark web’s importance. It is just one part of the wider online security issues which are becoming more and more apparent each and every day.
This report was based on feedback from the following individuals:
- Tod Beardsley, Security Research Manager at Rapid7
- Christian Berg, CEO at NetClean
- Paul Briault, Digital Security, Identity and API Management Director at CA Technologies
- Simon Bryden, Consultant Systems Engineer at FortiGuard Labs, Fortinet
- Dr Guy Bunker, SVP Products at Clearswift
- Jamie Capildeo, Director at Identity Methods
- James Chappell, CTO and Co-Founder of Digital Shadows
- Catalin Cosoi, Chief Security Strategist at Bitdefender
- Stephen Coty, Chief Security Evangelist at Alert Logic
- Simon Crosby, CTO and Co-Founder at Bromium
- Kasey Cross, Security Evangelist at A10 Networks
- Péter Gyöngyösi, Product Manager of Blindspotter at BalaBit
- Robert Hansen, VP of WhiteHat Labs at WhiteHat Security
- Carl Herberger, Head of Security at Radware
- Fraser Kyne, Principal Systems Engineer at Bromium
- Stephen Love, Security Architect at Insight UK
- Steve Manzuik, Director of Research at Duo Security
- Paul McEvatt, Senior Cyber Threat Intelligence Manager, UK & Ireland at Fujitsu
- Ed Macnair, CEO at CensorNet
- Emily Orton, Director of Marketing at Darktrace
- Ash Patel, Director of Business Transformation at Cobweb Solutions
- Rafe Pilling, Security Researcher at Dell SecureWorks
- Chris Pogue, SVP of Cyber Threat Analysis at Nuix
- Nick Pollard, General Manager UK for Guidance Software
- Dr Tom Robinson, Co-Founder of Elliptic
- Karl Sigler, Threat Intelligence Manager at Trustwave
- Andrew Tang, Service Director of Security at MTI Technology
- Andy Thomas, Managing Director, Europe at CSID
- Ian Trump, Security Lead at LOGICnow
- Matt Walmsley, EMEA Marketing Director at Vectra Networks
- Curt Wilson, Senior Threat Intelligence Analyst at Arbor Networks