Research reveals that organizations were exposed to 38 percent more cyberattack attempts last year than in 2021. While some industry sectors fared better than others (education and research topped the table with 43 percent more attempted attacks while hardware vendors sat at the bottom on 25 percent) none of the numbers make for happy reading, regardless of the business you are in.
However, in reality, attempts and breaches are not the same thing. While you have probably seen myriad industry experts warning that it's “not a matter of if but when” you are targeted, that's not the whole story. As the statistics show, attempted cyberattacks are inevitable, that's the world we live in; but perseverance and success are very different metrics.
Cyberattacks rarely happen “out of the great blue yonder”, especially not the orchestrated attacks like ransomware that keep security professionals up at night. Like everyone else, threat actors have to organize themselves. They do their due diligence, perform reconnaissance on the organizations they are targeting, look for and often buy vulnerabilities that they can use to infiltrate a company’s defenses. This means that there are opportunities before an organization is attacked to identify malicious activity in the planning stages. By monitoring the deep and dark web, used by threat actors when they are in the reconnaissance phase, businesses can inform their cybersecurity efforts with evidence of how they are likely to be targeted.
Know your enemy
Organizations invest a huge amount of resources into building their defenses against cybersecurity attacks but often have incredibly little insight into who their attackers are and how they operate. At best, this stretches their people and budgets thinly, as they try to prioritize all risks at once. At worst, it can lead to a misalignment of defense for the threats they are facing - the cyber equivalent of building walls while the criminals are tunneling underground.
Dark web intelligence is one way for organizations to get greater visibility and understanding of the specific threats their business is facing. For example, if a business identifies that the credentials and passwords of its employees are available for wholesale online, authentication becomes the obvious priority. Whereas a high volume dark web traffic to a network port would call for a shoring up of network security.
Sometimes the clues are not even that subtle. As cybercrime has professionalized, many elements of a data breach have become outsourced. The same criminals launching a ransomware attack might not be the same gang that originally breaches the network; they may have bought that access from the aptly named “access brokers”, who sell vulnerabilities on the dark web for others to exploit. Like anyone selling a product, they have to market it. Therefore, a company monitoring the dark web for their company name, IP addresses or credentials might be able to spot access to their network at the point that it is being sold.
Dr. Gareth Owenson is is the Co-Founder and CTO of Searchlight Cyber.
The primary indicators of cyberattack
The most prevalent early warning signs visible on the dark web include:
1. Leaked credentials - This is often the very starting point of the chain of attack. A threat actor will purchase a large set of credentials from a data breach and launch a credential stuffing attack across multiple web applications and network logins, using large-scale and fully automated systems. Any successful “hits” are often then put up for sale once again, usually for a much higher price as they are now “live” and actionable credentials for other criminals to use to access and move laterally across the compromised network.
2. Vulnerabilities - Compromised devices or software vulnerabilities on sale on the dark web can alert companies to exactly how and where an attacker could potentially strike, and allow them to patch them before it is exploited. Of course, the vulnerability could be in their own infrastructure or in those of a third party supplier, so it is prudent to monitor for both.
3. Dark Web Traffic - For the vast majority of companies there are no good reasons to have incoming or outgoing traffic to the dark web, which makes dark web traffic monitoring a very reliable early warning sign of attack. Incoming traffic could indicate that the corporate network is being actively scanned for vulnerabilities. Outgoing traffic is potentially even more serious, indicating that an employee is doing something potentially malicious (i.e. insider threat) or, worse, that command and control server has been established.
Moving left in the cyber kill chain
One of the benefits of dark web monitoring is that the intelligence is specific to the organization. If a security team identifies their CEO’s personal details in the dark web, or a vulnerability in their software for sale in a dark web marketplace, there are no ifs and buts about it - they are evidently at risk and there are clear actions that need to be taken. This ability to pre-empt the actions of threat actors and take preventative action means that organizations can move defense outside of their infrastructure and much earlier in the cyber “kill chain”.
The most proactive organizations can also go beyond their own domains and branding, and extend monitoring to include third-party, supply chain, and intelligence. A business’ attack surface extends way beyond the boundaries of its own networks and by having a clearer picture of who the threat actors are, how they operate, and what tools they use, organizations can proactively adapt their defenses in line with the changing threat landscape.
