For many of us, the “dark web” is a vague term that may conjure up images of hoodie-clad hackers looking to enrich themselves or working on behalf of sinister organisations to coordinate trades in weapons or narcotics. It is a murky realm most people never intend to visit and which we assume will not impinge on our lives. In reality, the dark web is a space populated by all manner of people and organisations with both good and bad intentions. For those in the latter category, your business, irrespective of its size or the nature of its activities, may become a target. If you are unfortunate enough to get caught in a threat actor’s sights, the ability to respond quickly to the first sign of an exploitable vulnerability goes a long way towards limiting the impact of a potential cyber-attack or data breach.
The Internet ‘Iceberg’ – the Open, Deep, and Dark Web
In simple terms, the dark web is a subsection of the broader internet. A useful way of visualising the internet is to think of it as an iceberg. The top layer of the iceberg, the part that sits above the water, represents the surface web (sometimes also called the open web). Content on the surface web can be accessed through search engines like Google or Bing and makes up around 10% of the internet. The remaining 90% is called the deep web and represents the part of the iceberg that sits below the water’s surface. Most people use the deep web when they go online, as it involves accessing content hidden behind a password or paywall, such as company intranets, online banking and most social media.
The dark web constitutes a small portion of the deep web, the bottom layer of the metaphorical iceberg. It was originally developed in the late 1990s by the US intelligence community as a means for spies to contact each other anonymously, but was later rolled out as open source software in order to make these communications harder to identify.
Accessing the dark web is relatively straightforward, with users needing only to install a dark web browser. The most popular software is called Tor, which stands for The Onion Router. It allows users to access any site, but unlike a normal web browser, whose requests immediately reveal the user’s IP address, the Tor browser bounces each request through several intermediaries, encrypting and decrypting it as it goes so that the user’s identity remains anonymous. Connecting to Tor using a virtual private network, or VPN, adds an extra layer of protection to dark web browsing.
What happens on the Dark Web?
Once on the dark web, a user needs to know where they want to go as its content is not searchable using the normal search engine tools. The options for those looking to conduct illicit activity are plentiful, with cyber-criminals able to buy and sell child pornography, drugs, weapons and counterfeit money, as well as personal information and stolen credentials.
However, the dark web is not used solely for criminal purposes; it also offers a space for legitimate identity protection. For instance, it allows journalists and political bloggers living in countries with the threat of censorship and political imprisonment to publish information and communicate freely without fear of punishment. The dark web can also be used by individuals in repressive jurisdictions where social media platforms are locked down for political reasons to access the content. Indeed, this contradictory environment of the dark web is perhaps best demonstrated by the fact that its biggest users are a mix of governments, law enforcement, terrorists and criminals.
What businesses need to know about the Dark Web
So, what does the dark web mean for businesses that have no interest in trading weapons or need to publish content away from the prying eyes of authoritarian regimes? Even without any direct interaction with the dark web, companies need to be vigilant about their exposure to it. Posts on dark web forums frequently reference plots to conduct ransomware or distributed denial-of-service (‘DDoS’) attacks, while hacker marketplaces provide a platform for cyber-criminals to sell leaked client data. Private message boards are a platform for planning business disruption or targeted attacks on sectors or individual businesses, such as environmental groups discussing how to disrupt operations by conducting demonstrations at an office location.
Forewarned is forearmed – some proactive steps for businesses
Businesses need to take proactive steps to detect these types of threat, which in turn puts them on the front foot when it comes to defending against them. At a minimum, businesses should consider:
- Regular threat monitoring to review content published on the dark web that might make them vulnerable to cyber-attacks or data breaches. Alerts highlighting the emergence of such a threat can shorten recovery-response time, which can help prevent further damage. Learn more in our recent blog post, “Threat Hunting for COVID-19: Leveraging threat intelligence to drive cyber security defenses”.
- Individual vulnerability assessments of executives, high-profile figures, and roles most commonly targeted by threat actors. It is widely recognized that publicly available personal information can be leveraged by hackers to gain entry to an individual’s or their employer’s network via targeted phishing campaigns, while leaked credit card details on the dark web can easily be exploited by fraudsters. Knowing what information may be out there provides businesses an opportunity to mitigate these threats.
Ultimately, while the dark web is not synonymous with cyber-crime, it presents a significant risk to businesses and their employees. While it is not possible to control the intent of a threat actor, proactive monitoring of dark web content enables businesses to identify potential attacks or breaches at an early stage. Vigilance in the face of all cyber-threat environments remains vital to business success.
To learn more about how to assess and mitigate cyber risks to your organization, please contact Aon.
Authors: Tom Roch and Emma Robertson