What does it mean for my organization to have a dark web footprint?
Let’s begin by stating that it is highly likely that sensitive information representing threats to your organization is already available on the dark web. This information could have been stolen directly by compromising systems on your network, from employees who use company devices on insecure networks or for activities that are not strictly work-related, or from employees who use personal devices to access your network and data. Sensitive information taken from your organization’s systems or from your employees is perennially for sale on the dark web for a variety of nefarious purposes. The most common items are broad lists of partial or full credentials and access to active botnets, which may include nodes on your network or devices belonging to your employees.
There is, however, a wide range of other leaked and sensitive information that could be circulating or for sale, including your intellectual property, banking information, and PII. This information is sold and traded among threat actors and other adversaries in order to target your organization directly or, more broadly, to leverage stolen data to increase their profits and reach. You could end up as a target simply because your information was swept up in a wide-scale, largely indiscriminate harvesting campaign, but the ultimate threat is always that someone with access to your data will take a specific, targeted interest in your organization.
Once an adversary has your credentials (or enough information to fuel further harvesting or phishing campaigns), you will have to hope that your controls and resources are enough to withstand a targeted campaign. Given the resources and persistence of attackers, it is often a matter of when, not if, a breach will occur.
What can we do to prevent bad outcomes from stolen sensitive data?
Of course, we must all implement best-practice policies, training, and technological controls to prevent leaking sensitive data and credentials in the first place; but considering all of the moving parts, human decision-making, and opportunities afforded to cybercriminals by today’s complex attack surface, a 100% success rate is highly unlikely. Those of us whose organizations have the budget and commitment to follow best practices and implement strong security controls are reasonably good at preventing (or at least detecting and containing) the high volume of common, less sophisticated attacks coming from the web.
Repelling targeted, persistent attack campaigns, however, requires an extreme level of vigilance. We strongly recommend all of the best practices you are accustomed to hearing, including hardening, enforced cyber hygiene policies, advanced AI/ML-driven detection and response technologies, and a talented SOC (or managed service partner). To this list of best practices and recommended controls, we have also become strong proponents of adding Digital Risk Monitoring as a critical early warning of the specific threats your organization faces.
What is Digital Risk Monitoring?
When data is stolen and systems are compromised, it happens for a reason. Sometimes compromises are perpetrated by threat actors for the specific purpose of targeting an individual or an organization directly, but far more often, information is stolen by larger-scale harvesting campaigns that sell it, in one form or another, further up the chain of threat actors. Even when a specific organization is being targeted, it is common for the early stages of a campaign to involve acquiring credentials or other stolen information that is already available on the dark web. As such, dedicated and specialized cybersecurity organizations have focused on accessing and indexing as much of the available stolen data as possible.
Beyond that, organizations like our partners have undertaken to infiltrate APT groups and other threat actor communities in order to expand the reach of what information can be indexed, improve how fresh that information is, and assess how likely it is to be associated with targeted and advanced campaigns. Using these tactics, a huge number of digital risk indicators are indexed every day and made available to a range of security services and products designed to identify and measure the risk associated with harvested indicators.
Introducing our latest Vigilance service, TrueIntel
Heighten has partnered with an industry-leading digital risk monitoring and dark web intelligence service to offer a managed Dark Web Monitoring service. Our team works alongside yours to establish and maintain the most valuable queries and indicators (such as your domains and brand names) to monitor via our intelligence channels. From there, we continually refine the results and triage the data for legitimate, actionable threats. Our experienced team adds context to the results, proactively advising your team on what leaks and indicators we are seeing, how the information was likely stolen, its potential impact, and what actions should be taken to prevent or mitigate the associated threats.
In our experience, there is a short and crucial window between when information surfaces on the dark web and when it is leveraged for attacks or subsequent campaigns. Our aim with this service is to ensure that our clients have the opportunity to be warned of what data is in the wild and to respond accordingly before it is too late.
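To make the indexing-and-triage idea above concrete, here is a small added example (not code from Heighten or its intelligence partner) that matches a constructed sample of indexed dark web records against an organization's watchlist and ranks the hits. The record layout, the watchlist domain "example.com" and brand "example corp", the 30-day freshness threshold, and the severity rules are all illustrative assumptions; a real feed and a real triage policy would differ. The risk vector labels reuse the names from this page.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample of indexed dark web records (not real leak data).
# Each record is one item a monitoring feed might index: a credential
# from a combo list, a botnet (infostealer) log entry, or a forum mention.
SAMPLE_RECORDS = [
    {"kind": "credential", "value": "J.Smith@Example.com", "source": "combo-list-2019",
     "first_seen": "2019-05-10", "password_plaintext": False},
    {"kind": "credential", "value": "alice@example.com", "source": "stealer-log-dump",
     "first_seen": "2024-03-02", "password_plaintext": True},
    {"kind": "credential", "value": "bob@notexample.com", "source": "combo-list-2023",
     "first_seen": "2023-11-01", "password_plaintext": True},
    {"kind": "botnet", "value": "LAPTOP-7731.corp.example.com", "source": "stealer-log-dump",
     "first_seen": "2024-03-02", "password_plaintext": False},
    {"kind": "mention", "value": "selling access to example corp vpn", "source": "forum-post",
     "first_seen": "2024-02-28", "password_plaintext": False},
]

# Assumed watchlist for the monitored organization: e-mail/host domains and brand names.
WATCHLIST = {
    "domains": {"example.com"},
    "brands": {"example corp"},
}

FRESH_DAYS = 30  # assumed threshold: hits newer than this are treated as more urgent


@dataclass
class Finding:
    severity: str
    vector: str
    indicator: str
    source: str
    first_seen: str
    note: str


def _host_of(value):
    """Lowercased domain part of an e-mail address, or the whole hostname."""
    return value.rsplit("@", 1)[-1].lower()


def _matches_domain(host, domains):
    # Exact or subdomain match only: 'notexample.com' must NOT match 'example.com'.
    return any(host == d or host.endswith("." + d) for d in domains)


def _age_days(first_seen, today):
    return (today - date.fromisoformat(first_seen)).days


def triage(records, watchlist, today=None):
    """Return Findings for records that hit the watchlist, most urgent first."""
    today = today or date.today()
    findings = []
    for r in records:
        if r["kind"] in ("credential", "botnet"):
            if not _matches_domain(_host_of(r["value"]), watchlist["domains"]):
                continue
            fresh = _age_days(r["first_seen"], today) <= FRESH_DAYS
            if r["kind"] == "botnet":
                sev = "high" if fresh else "medium"
                vector, note = "Botnet Infections", "host seen in stealer log; isolate and reimage"
            elif r["password_plaintext"] and fresh:
                sev, vector = "high", "Account Takeover"
                note = "plaintext password, recently surfaced; force reset, revoke sessions"
            elif r["password_plaintext"]:
                sev, vector = "medium", "Account Takeover"
                note = "plaintext password but old; confirm a reset already happened"
            else:
                sev, vector = "low", "Data Breaches"
                note = "hashed/partial credential in old combo list; verify MFA is enforced"
            findings.append(Finding(sev, vector, r["value"].lower(),
                                    r["source"], r["first_seen"], note))
        elif r["kind"] == "mention":
            if any(b in r["value"].lower() for b in watchlist["brands"]):
                findings.append(Finding("medium", "Dark Web Activity", r["value"],
                                        r["source"], r["first_seen"],
                                        "brand named in an access-sale post; review"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (rank[f.severity], f.first_seen))


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, WATCHLIST, date(2024, 3, 10)):
        print(f"[{f.severity.upper():6}] {f.vector:18} {f.indicator} ({f.source}, {f.first_seen}): {f.note}")
```

Two details matter in practice. Domain matching is exact-or-subdomain rather than a substring test, so a look-alike or unrelated domain such as "notexample.com" does not generate a false hit, and the raw feed value is lowercased before matching because leak dumps mix cases freely. The sort key puts fresh plaintext credentials and botnet-infected hosts first, which reflects the short window between data surfacing and its use described above.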
Risk Vectors include but are not limited to:
Account Takeover
Botnet Infections
Business E-mail Compromise
Cyberespionage
Brand Reputation Abuse
Dark Web Activity
Domain Squatting
Data Breaches
Digital Certificates
Exposed Network Services
Cloud Service Leaks
If you're looking to improve your organization's security posture, or simply want a true analysis of your brand's dark web footprint, get started with a TrueIntel Assessment today.