
The risks of dark web exposure

Ben Jones at Searchlight Cyber explores the correlation between dark web exposure and cyber-security

 

It stands to reason that if data relating to a company can be seen circulating in the dark corners of the online criminal underworld, it’s likely a cause for concern. But to what extent? How much risk could that company be facing, and indeed, what can they do about it?

 

Recent research from Searchlight Cyber and Marsh McLennan sought to investigate just that. The research represents the first time that a statistical correlation has been made between the presence of data relating to an organisation on the dark web and that organisation’s increased risk of a cyber-attack. The findings were stark: the presence of any data relating to your organisation on the dark web demonstrably increases your risk of a cyber-attack.

 

With cyber-criminals planning their attacks on the dark web, the study of over 9,400 organisations found that a mention of a company on a dark web market increased the average likelihood of a cyber-attack by 2.41 times. A concerning proportion of organisations still do not have enough visibility of their exposure to these statistically significant risks, highlighting the vital need for actionable intelligence and defensive strategies informed by dark web risk.

 

Cyber-security risk and the dark web

The dark web is an obfuscated part of the internet that is prolifically used by cyber-criminals to communicate with one another, plan their attacks, and buy, sell, and build the tools they need to execute them. This activity is known as the “pre-attack” phase of a cyber-security incident: the actions that cyber-criminals undertake before they launch their campaign against an organisation and breach its network.

 

It stands to reason that the presence of this pre-attack activity against a specific organisation would mean that it has an increased likelihood of being the victim of a cyber-security incident. However, exactly how much risk is inherent in different types of dark web exposure had never been mathematically calculated. This is what Marsh McLennan’s study set out to do.

 

Dark web intelligence and cyber-insurance loss

In order to determine if dark web exposure was correlated with the frequency of cyber-insurance claims, Marsh McLennan analysed Searchlight Cyber’s dark web dataset against a sample of 9,410 organisations. Of that sample, 3.7 percent of the organisations had suffered one or more cyber-insurance losses in the last four years. Marsh McLennan examined whether those breaches had a higher likelihood of occurring if dark web exposure could be found for those organisations in the year leading up to the incident.

 

In a single variable analysis, the study found that all of the types of dark web exposure we identified are individually correlated with an increased likelihood of suffering a cyber-security incident. Put simply: the presence of any dark web findings related to an organisation - without exception - was associated with a higher likelihood of a breach.

 

For this study, Searchlight provided Marsh McLennan with nine separate dark web intelligence sources:

  • Dark web market listings: The mention of the organisation or data related to the organisation on a dark web market.
  • Forum posts: The mention of the organisation or data related to the organisation on a dark web forum.
  • Compromised users: Compromised accounts (passwords, usernames, etc.) on the dark web related to an organisation.
  • Telegram chats: The mention of the organisation or data related to the organisation on Telegram, a communication platform that is commonly used by cyber-criminals to conduct pre-attack activity.
  • Incoming dark web traffic: Traffic originating from the dark web and connecting to an organisation’s infrastructure.
  • Outgoing dark web traffic: Traffic originating from the organisation’s network and connecting to the dark web.
  • Dark web pages: The mention of an organisation or data related to an organisation on a dark web site.
  • Paste results: The mention of an organisation or data related to an organisation on plain-text repositories that are designed to facilitate the sharing of large blocks of computer data in online forums.
  • OSINT results: All of the assets related to an organisation - such as IP addresses and web domains - that have been identified on the dark web.

 

In the single variable analysis, four factors make the organisation more than twice as likely to experience a breach than if they weren’t present. These are compromised users (2.56x), dark web market listings (2.41x), outgoing dark web traffic (2.11x), and OSINT results (2.05x).

 

Multiple areas of dark web exposure

While every single source shows an increased risk of a cyber-attack, organisations need visibility of all the sources to truly understand their cyber-security risk. Solely gathering intelligence on compromised user accounts, for example, does not provide the whole picture if you can’t see whether the organisation is listed on a dark web marketplace.

 

Marsh McLennan’s study also showed through a multi-variable analysis how multiple dark web intelligence sources can lead to a more reliable estimate of combined cyber-security risk. Multi-variable analysis uses a classification model to measure the combined effect of multiple fields and to account for hidden factors like revenue and industry. This model accounts for the correlation between factors and is therefore a more reliable indicator of risk if more than one factor is present.
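An added illustration, not code or data from the study: it computes a single-variable relative likelihood on constructed counts, then adjusts for one hidden factor (revenue band) using Mantel-Haenszel stratification as a simpler stand-in for the classification model described above. All counts, band names and function names are assumptions made for this example.

```python
import math

# Constructed counts, not figures from the study. Each revenue band maps to
# (exposed_breached, exposed_total, unexposed_breached, unexposed_total),
# where "exposed" means a dark web finding exists for the organisation.
STRATA = {
    "large_revenue": (40, 400, 5, 100),
    "small_revenue": (2, 100, 4, 400),
}


def relative_likelihood(a, n1, c, n0):
    """Breach rate among exposed organisations divided by the rate among unexposed."""
    return (a / n1) / (c / n0)


def confidence_interval(a, n1, c, n0, z=1.96):
    """95% interval for the ratio, computed on the log scale."""
    rr = relative_likelihood(a, n1, c, n0)
    se = math.sqrt(1 / a - 1 / n1 + 1 / c - 1 / n0)
    return rr * math.exp(-z * se), rr * math.exp(z * se)


def crude(strata):
    """Single-variable view: pool every band and ignore revenue."""
    a, n1, c, n0 = (sum(col) for col in zip(*strata.values()))
    return a, n1, c, n0


def adjusted(strata):
    """Mantel-Haenszel ratio: compare like with like inside each band."""
    num = den = 0.0
    for a, n1, c, n0 in strata.values():
        total = n1 + n0
        num += a * n0 / total
        den += c * n1 / total
    return num / den


if __name__ == "__main__":
    pooled = crude(STRATA)
    print("crude ratio    %.2f" % relative_likelihood(*pooled))
    print("95%% interval   %.2f to %.2f" % confidence_interval(*pooled))
    print("adjusted ratio %.2f" % adjusted(STRATA))
```

In this constructed sample the pooled ratio is inflated because large organisations are both more exposed and more often breached; within each band the ratio is the same, and the adjusted figure recovers it.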

 

This analysis showed that five dark web intelligence sources are statistically correlated with risk in combination with other factors: Paste Results, OSINT Results, Dark Web Market Listings, Outgoing Dark Web Traffic, and Compromised Users.

 

This does not suggest that the other intelligence sources aren’t predictive - as the previous section establishes, they are all independently correlated with cyber-security risk - but ascertains which sources are most useful when multiple correlated sources are present.

 

It is interesting that the last three were also found to be particularly significant in the single-variable analysis:

 

Dark web market listings - It is unsurprising that Dark Web Market Listings have a particularly strong correlation with cyber-security incidents because it could be an indicator that something (most likely data) has already been stolen from the organisation and is now on sale. If an organisation can identify the sale of this data, they can remediate the incident and stop the stolen data from being used for further nefarious purposes.

 

Outgoing dark web traffic - Network traffic to and from the corporate network and the dark web is a tell-tale sign of malicious activity. Once again, outgoing traffic may suggest that a cyber-criminal’s attack is already underway, as it might be the result of a command-and-control beacon or data being exfiltrated. The sooner an organisation identifies this traffic, the quicker it can plug the leak and investigate the incident.

 

Compromised users - The use of stolen passwords and usernames remains one of the key ways that cyber-criminals breach organisations. We regularly observe stolen credentials for sale on dark web forums and sites.

 

Acting on cyber-security risk

The analysis confirms that dark web intelligence is highly correlated with forthcoming cyber-incidents. What matters now is how organisations act on this information.

 

The first step has to be to gain visibility into your exposure on the dark web. Understanding where the organisation is vulnerable is critical for informing defence, and the value of pre-attack intelligence is that it creates an invaluable window of time for the security team to act before the network is breached. If the exposure is identified early enough, the company can take action to prevent the cyber-security incident.

 

Once visibility into threats emerging from the dark web is established, it is then critical that this exposure is continuously monitored. The dark web is anything but static: new sites emerge every day, thousands of posts are written on hacking forums, and new products are bought and sold on illicit markets.

 

An organisation’s dark web exposure will fluctuate over time and identifying new threats quickly is the key to mitigating risk and reducing the chances of a cyber-security incident.

 


 

Ben Jones is Co-Founder and CEO of Searchlight Cyber

 



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543