Dark Web Monitoring

Understanding the Dark Web and Dark Web Monitoring

It is crucial for organizations to monitor the dark web and leaked credentials so they can proactively identify and respond to potential security threats and breaches. Understanding and analyzing how hackers use stolen credentials gives IT and security leaders the upper hand in making informed decisions about threat mitigation, prioritizing security measures, and implementing effective countermeasures.

What Is the Dark Web?

The surface web, deep web, and dark web differ in their level of accessibility and anonymity, with the dark web being the most private and secure. The terms deep web and dark web are often used interchangeably, but the dark web specifically refers to encrypted and anonymous networks like Tor and I2P. Is the dark web that dark? Well, it is a mix of both legal and illicit activities, with some users accessing it for legitimate purposes like secure and private communications, while others use it for cybercrime.

The dark web’s anonymity and encryption make it an attractive place for hackers. Monitoring marketplaces and forums on the dark web enables security teams to gather valuable intelligence, track threat actors, and stay ahead of emerging cyber threats.

The Dark Web Economy

Marketplaces and Forums

There are a number of marketplaces and forums on the dark web, some of which are open to the public while others are invitation-only platforms, where cybercriminals discuss, buy, and sell stolen data, malware, and other illicit goods and service offerings. Initial access brokers play a key role in this underground economy, providing cybercriminals with access to compromised systems, stolen credentials, as well as necessary tooling.

On the Dark Web

What Kind of Access Information Is Bought and Sold?

Common types of leaked credentials include remote access logins, such as VPN, cloud, and corporate system accounts, as well as privileged access accounts such as admin accounts. Among the most valuable items on sale for hackers is data stolen from victims by information-stealing malware, often referred to as stealer logs, because it contains rich data, such as session cookies, which allow attackers to bypass MFA on accounts.

Other types of sensitive data that can be found on the dark web include financial information, healthcare records, and customer data, which can be used for identity theft and other malicious activities.

Stolen credentials can cost anywhere from a few dollars to thousands of euros, depending on the level of access and the type of accounts.

How Stolen Data Gets Used

Through the Eyes of a Threat Actor

After buying leaked credentials, attackers proceed with testing and validating the stolen logins. The specific methods of stolen credential validation depend on several factors, such as the sophistication of the attackers and the type of accounts. For instance, stolen credentials from streaming and entertainment services will be checked in an automated way by means of brute forcing and credential stuffing, whereas stolen credentials to corporate systems will be handled more carefully, with attackers checking their validity while trying not to raise alarms.

Once they have gained a foothold in the victim's systems, attackers will try to move laterally and gain persistence in the compromised network. Often, the access gained by initial access brokers will be either sold to the highest bidder or used in ransomware and extortion attacks.

Turning Awareness Into Action

Preparing for the Threat

Monitoring and gathering intelligence from the dark web enables organizations to identify potential threats, such as leaked credentials and access sales, and allows them to take proactive steps to prevent cyber threats and minimize risk, while also ensuring compliance with international and regional regulations such as NIS2 and GDPR.

Understanding how the underground economy works and having insights into attackers’ motivations and behavior can help organizations to proactively identify and mitigate threats, therefore reducing risks from cyber threats.

Contact Us

Feel free to call us directly on our telephone number +47 67 247 365, send us an email salg@netnordic.no, or fill in the form and we will get back to you as soon as possible! Thanks!
