Dark Web Monitoring is the process of regularly searching the dark web for relevant information that is being traded and sold. When data associated with your company is found, you receive a notification with the details.
You can think of dark web monitoring tools as Google for the dark web. A dark web monitoring service helps you find leaked or stolen information such as compromised passwords, breached credentials, stolen session tokens, intellectual property and other sensitive data that is being shared and sold on the criminal underground.
How Does Dark Web Monitoring Work?
Protecting your organization from the criminal underground requires ongoing effort. Regularly monitoring your company’s assets on the dark web can help catch issues before they cause real damage. Dark web monitoring services scan thousands of sources every day looking for sensitive data: essentially, any information that criminals can use to gain access to your organization or commit fraud against it. This often includes:
- Employees' and customers' usernames and passwords that have been leaked
- Login credentials belonging to your C-level executives' personal accounts
- Credentials for remote access servers such as Remote Desktop, SSH, and FTP
- Internal company emails and documents
- Employees' corporate and government-issued IDs
How Does Your Data get on the Dark Web?
Let’s define the dark web loosely as any part of the internet that is not indexed by search engines. Strictly speaking, that unindexed space is the deep web and the dark web is the subset that needs special software (Tor, I2P, Freenet) to reach, but for monitoring purposes the distinction matters little: “regular” internet forums that are only reachable after a user authenticates are included as well.
Cybercriminals sell millions of credentials, as well as initial access to networks, on the dark web every day. One of the following is usually the root cause:
- Malware. Infostealers on infected machines harvest saved browser credentials, session cookies, screenshots and other confidential information (some also capture traffic) and upload it to the attacker
- Vulnerabilities. Exploits targeting specific software versions are traded on multiple forums
- Phishing. Legitimate-looking emails impersonating someone with authority trick recipients into handing over confidential information
Once an attacker has valid credentials, they can simply authenticate and walk in through the front door of your network. Because of password reuse, credentials leaked in third-party breaches frequently work against your systems as well. Furthermore, infostealer malware uploads its victims' session cookies. MFA is evaluated at login time, so an attacker who replays a still-valid session token in their own requests skips the login flow entirely and never has to pass the second factor.
How You Can Protect Your Information From the Dark Web
Breachsense uses a combination of automated scanning and human analysis to provide continuous monitoring of the dark web for signs of malicious activity. Millions of records are imported daily. Users create a list of domain names, email addresses, IP addresses, session tokens, or hardware IDs that they wish to monitor. When a monitored asset, such as a company email address, appears in a breach or leak, an alert is sent with the exact details of what was disclosed. This often includes the plaintext passwords, which enables security teams to verify the validity of the issue and figure out where else those credentials were used.
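To make the matching step above concrete, here is an added example written for this page (it is not Breachsense's own tooling or API). A watchlist of domains and individual addresses is compared against two constructed inputs: a stealer-log excerpt in a simplified URL/USER/PASS layout and a third-party combo list exported as CSV. The domain example.com, every address and password, and the log layout are constructed for the example; real stealer families use several similar but not identical layouts. Note that a stealer log records where the credential was used, so a login to vpn.example.com under a bare username still matches the monitored domain.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Optional

# Assets the team chooses to watch (constructed example; the watchlist shape is
# this example's own, not Breachsense's API).
WATCHLIST = {
    "domains": {"example.com"},
    "emails": {"ceo-personal@mailbox.test"},
}

# Constructed stealer-log excerpt in a simplified URL/USER/PASS layout.
SAMPLE_STEALER_LOG = """\
URL: https://vpn.example.com/remote/login
USER: jdoe
PASS: Summer2024!

URL: https://mail.google.com/
USER: CEO-Personal@mailbox.test
PASS: ilovegolf

URL: https://shop.othercorp.test/account
USER: randomuser
PASS: hunter2
"""

# Constructed third-party breach dump (combo list exported as CSV).
SAMPLE_BREACH_CSV = """\
email,password,breach
alice@example.com,Password1,otherforum.test
bob@mail.test,qwerty,otherforum.test
"""


@dataclass(frozen=True)
class Alert:
    asset: str      # the monitored asset that matched
    kind: str       # "domain" or "email"
    source: str     # "stealer_log" or "third_party_breach"
    username: str
    password: str   # plaintext is what lets the team verify and hunt for reuse
    target: str     # host the credential was captured for (empty for combo lists)


def parse_stealer_log(text: str) -> list:
    """Split the constructed URL/USER/PASS layout into credential records."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(URL|USER|PASS):\s*(.*)$", block, re.M))
        if {"URL", "USER", "PASS"}.issubset(fields):
            # reduce the URL to its bare host so it can be matched against domains
            host = re.sub(r"^[a-z]+://", "", fields["URL"].lower()).split("/")[0].split(":")[0]
            records.append({"source": "stealer_log", "username": fields["USER"],
                            "password": fields["PASS"], "target": host})
    return records


def parse_breach_csv(text: str) -> list:
    """Combo lists carry no target host, only the account and its password."""
    return [{"source": "third_party_breach", "username": row["email"],
             "password": row["password"], "target": ""}
            for row in csv.DictReader(io.StringIO(text))]


def matching_domain(host: str, monitored: set) -> Optional[str]:
    """Return the monitored domain that host equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    return next((d for d in monitored if host == d or host.endswith("." + d)), None)


def match_record(rec: dict, watch: dict) -> list:
    user = rec["username"].strip()
    hits = set()
    # 1. explicitly monitored address, e.g. an executive's personal account
    if user.lower() in watch["emails"]:
        hits.add((user.lower(), "email"))
    # 2. corporate login: the e-mail domain of the username is monitored
    if "@" in user and (d := matching_domain(user.rsplit("@", 1)[1], watch["domains"])):
        hits.add((d, "domain"))
    # 3. stealer logs also record WHERE the credential was used, so a login to
    #    vpn.example.com is caught even when the username is a bare account name
    if rec["target"] and (d := matching_domain(rec["target"], watch["domains"])):
        hits.add((d, "domain"))
    return [Alert(a, k, rec["source"], user, rec["password"], rec["target"])
            for a, k in sorted(hits)]


def scan(records: list, watch: dict = WATCHLIST) -> list:
    return [alert for rec in records for alert in match_record(rec, watch)]


def scan_samples() -> list:
    return scan(parse_stealer_log(SAMPLE_STEALER_LOG) + parse_breach_csv(SAMPLE_BREACH_CSV))


if __name__ == "__main__":
    for a in scan_samples():
        print(f"[{a.source}] {a.kind}={a.asset}: {a.username} / {a.password} @ {a.target or '-'}")
```

Running it yields three alerts (jdoe's VPN login and the executive's personal account from the stealer log, alice@example.com from the combo list) and nothing for the two records that belong to other organizations. The subdomain check deliberately requires a dot boundary so that notexample.com does not match example.com.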
Benefits of Dark Web Monitoring Tools:
- Threat intelligence. Captured data can be fed into threat intelligence platforms to enrich existing indicators
- Threat hunting. Threat hunters can use the data to build a more complete picture of the attackers targeting them and the methods they use
- Incident response. Alerts can trigger investigation and response workflows (forced password resets, session revocation) to contain threats quickly
- Integration into security platforms. Collected data can be integrated into other systems to produce more accurate insights from the entire security stack
In addition, offensive security teams, pen testers, red teams, and even M&A consultants can leverage the service to find historic leaked data associated with their clients.
While credentials exposed in third-party breaches are often mitigated quickly thanks to vendor notifications, credentials leaked via stealer logs typically remain valid for extended periods of time: the victim is usually unaware the machine was infected, so no notification or reset is triggered. This increases the likelihood that attackers can use these credentials to gain unauthorized access to your organization or commit fraud by impersonating your customers.
Proactive Monitoring Can Help Reduce Your Risk
Setting up ongoing monitoring is a crucial first step to make sure you have visibility when data associated with your organization is breached or leaked. There are a number of other steps that should be taken to help you ensure that your data doesn’t end up in the wrong hands.
Password reuse is extremely common. Surveys consistently find that more than half of users reuse passwords across multiple sites. Consider using a password manager like KeePassXC or Bitwarden. Ideally, the only password you know is the one to your password manager; the manager generates all the others.
In addition, forcing users to periodically change their passwords is no longer recommended (see NIST SP 800-63B and the OWASP ASVS). Forced password updates tend to produce very minor changes to the original base password (e.g. Password1 becomes Password2). Attackers model exactly these patterns with the rule engine in tools like hashcat (append a digit, increment the trailing number, add a symbol), so the “new” password falls almost as fast as the old one.
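Here is an added example (written for this page, not taken from it and not hashcat itself) showing both sides of that point. A toy imitation of rule-based mangling recovers a rotated password from the hash of a previously leaked one, and a defensive check a security team can run when a monitoring alert arrives rejects a new password that is only a rotation of a leaked one. The leaked passwords, the rule subset and the use of unsalted SHA-256 are assumptions made for the example.

```python
import hashlib
import re
from typing import Optional

# Constructed: passwords previously seen for this account in breach data or
# stealer logs (what a monitoring alert would hand the security team).
LEAKED_FOR_ACCOUNT = ["Password1", "Summer2023!"]


def sha256_hex(s: str) -> str:
    # Unsalted SHA-256 only to keep the demo short; see the note below.
    return hashlib.sha256(s.encode()).hexdigest()


def base_of(password: str) -> str:
    """Reduce a password to the stem a forced rotation leaves untouched:
    case-fold it and drop any trailing run of digits and symbols."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def is_rotation_of_leaked(candidate: str, leaked: list) -> bool:
    """Policy check for a new password: reject it if it is a leaked password
    or differs from one only by the usual rotation tweaks."""
    cand = base_of(candidate)
    if len(cand) < 4:       # all digits/symbols, or nearly so: nothing left to protect
        return True
    return any(cand == base_of(old) for old in leaked)


def mangle(base: str) -> set:
    """A tiny imitation of hashcat rule output (append or bump digits, add a
    symbol, toggle case). Assumed simplification; hashcat's rule language is richer."""
    stem = base_of(base)
    out = set()
    for s in {stem, stem.capitalize(), stem.upper()}:
        out.add(s)
        for n in range(100):
            out.add(f"{s}{n}")
            out.add(f"{s}{n:02d}")
            for sym in "!@#$":
                out.add(f"{s}{n}{sym}")
        for year in range(2015, 2030):
            out.add(f"{s}{year}")
            out.add(f"{s}{year}!")
    return out


def crack_with_rules(target_sha256: str, leaked: list) -> Optional[str]:
    """Recover the rotated password from its hash using variants of leaked ones."""
    for old in leaked:
        for guess in mangle(old):
            if sha256_hex(guess) == target_sha256:
                return guess
    return None


if __name__ == "__main__":
    for new in ["Password2", "Summer2024!", "correct horse battery staple"]:
        print(new, "rejected" if is_rotation_of_leaked(new, LEAKED_FOR_ACCOUNT) else "accepted",
              "cracked as", crack_with_rules(sha256_hex(new), LEAKED_FOR_ACCOUNT))
```

Password2 and Summer2024! are both rejected by the policy check and both recovered from their hashes in a few thousand guesses, while a passphrase unrelated to the leaked passwords passes and is not found. A proper slow, salted hash raises the per-guess cost, but a few thousand rule-derived guesses per leaked password remains trivial, which is why the fix is to stop forced rotation and reset on evidence of compromise instead.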
Dark Web Threat Protection with Breachsense
Cybercriminals aren’t likely to stop any time soon, so it’s very important to proactively protect your information. Attackers exploit breached credentials to gain initial access to their victims’ networks. By combining leaked credentials with legitimate tools already present in the environment, they can avoid detection for long periods of time. Monitoring your organization’s assets for breached data helps security teams mitigate one of the primary initial access vectors attackers use to gain unauthorized access. We index millions of breached records daily. We enable security teams to protect their staff as well as their customers from data breaches.
Interested in your company’s breach exposure? Check out our free search tool here