The early warning signs of a cyberattack on the Dark Web

Representation of a cyber criminal
(Image credit: TheDigitalArtist / Pixabay)

Research reveals that organizations were exposed to 38 percent more cyberattack attempts last year than in 2021. While some industry sectors fared better than others (education and research topped the table with 43 percent more attempted attacks, while hardware vendors sat at the bottom with 25 percent more), none of the numbers make for happy reading, regardless of the business you are in.

However, in reality, attempts and breaches are not the same thing. You have probably seen countless industry experts warn that it is "not a matter of if but when" you are targeted, but that is not the whole story. As the statistics show, attempted cyberattacks are inevitable; that is the world we live in. How persistently an attacker tries and how often they succeed, however, are very different metrics.

Cyberattacks rarely come out of nowhere, least of all the orchestrated attacks, such as ransomware, that keep security professionals up at night. Like everyone else, threat actors have to organize themselves. They do their due diligence, perform reconnaissance on the organizations they are targeting, and look for, and often buy, vulnerabilities that they can use to get past a company's defenses. This means there are opportunities to identify malicious activity in the planning stages, before an organization is attacked. By monitoring the deep and dark web, which threat actors use during the reconnaissance phase, businesses can base their cybersecurity priorities on evidence of how they are likely to be targeted.

Know your enemy

Organizations invest a huge amount of resources in building their defenses against cyberattacks but often have remarkably little insight into who their attackers are and how they operate. At best, this stretches their people and budgets thin as they try to prioritize every risk at once. At worst, it leads to defenses that are misaligned with the threats they actually face: the cyber equivalent of building walls while the criminals are tunneling underground.

Dark web intelligence is one way for organizations to gain greater visibility into, and understanding of, the specific threats their business faces. For example, if a business discovers that its employees' usernames and passwords are being sold in bulk online, authentication (resetting the exposed passwords and enforcing multi-factor authentication) becomes the obvious priority, whereas a high volume of dark web traffic to a particular network port calls for shoring up network security around that service.

Sometimes the clues are not even that subtle. As cybercrime has professionalized, many elements of a data breach have been outsourced. The criminals launching a ransomware attack may not be the gang that originally breached the network; they may have bought that access from the aptly named "access brokers", who sell footholds in compromised networks on the dark web for others to exploit. Like anyone selling a product, they have to market it. A company monitoring the dark web for its name, IP addresses or credentials may therefore be able to spot access to its network at the very point it is being sold.


The primary indicators of a cyberattack

The most prevalent early warning signs visible on the dark web include:

1. Leaked credentials - This is often the very start of the attack chain. A threat actor purchases a large set of credentials from a data breach and launches a credential stuffing attack across multiple web applications and network logins, using large-scale, fully automated tooling. Any successful "hits" are then often put up for sale again, usually at a much higher price, because they are now "live", actionable credentials that other criminals can use to access and move laterally across the compromised network.

2. Vulnerabilities - Compromised devices or software vulnerabilities offered for sale on the dark web can tell companies exactly how and where an attacker could strike, and allow them to patch before the weakness is exploited. The vulnerability could be in their own infrastructure or in that of a third-party supplier, so it is prudent to monitor for both.

3. Dark web traffic - For the vast majority of companies there is no good reason for inbound traffic from the dark web (connections arriving from Tor exit nodes) or outbound traffic to it (connections from internal hosts to Tor relays), which makes dark web traffic monitoring a very reliable early warning sign of attack. Inbound traffic could indicate that the corporate network is being actively scanned for vulnerabilities. Outbound traffic is potentially even more serious: it may mean that an employee is doing something malicious (an insider threat) or, worse, that malware has established a command-and-control channel.
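As an added illustration (example code written for this article, not Searchlight Cyber's product or the author's own code), the following Python sketch turns indicators 1 and 3 into detection logic run over a few constructed log lines. The IP addresses, log formats, usernames and Tor node lists are made up for the example and use documentation address ranges; a real deployment would load the exit-node list from https://check.torproject.org/torbulkexitlist and the relay list from the Tor consensus, and would parse its own logging pipeline's format.

```python
"""Toy early-warning detector for two of the indicators discussed above:
credential stuffing against the organization's logins, and traffic between
the corporate network and Tor (the largest dark web network).

All log lines and Tor node addresses below are constructed for this example
and use RFC 5737 documentation ranges; they are not real relays."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed authentication log: "<source_ip> <username> <FAIL|OK>".
AUTH_LOG = """\
203.0.113.7 alice FAIL
203.0.113.7 bob FAIL
203.0.113.7 carol OK
203.0.113.7 dave FAIL
203.0.113.7 erin FAIL
203.0.113.7 frank FAIL
10.0.0.50 alice FAIL
10.0.0.50 alice OK
"""

# Constructed Tor node lists. In practice exit nodes come from
# https://check.torproject.org/torbulkexitlist and the full relay set from
# the Tor consensus; refresh both regularly because relays churn.
TOR_EXIT_NODES = {"198.51.100.23", "198.51.100.77"}
TOR_RELAYS = {"192.0.2.44", "192.0.2.45"} | TOR_EXIT_NODES

# Constructed firewall log: "<inbound|outbound> <src_ip> <dst_ip> <dst_port>".
FIREWALL_LOG = """\
inbound 198.51.100.23 10.0.0.5 443
inbound 203.0.113.9 10.0.0.5 443
outbound 10.0.0.17 192.0.2.44 9001
outbound 10.0.0.17 203.0.113.80 443
"""


def parse_auth_log(text):
    """Yield (source_ip, username, succeeded) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, user, result = line.split()
        yield src, user, result == "OK"


def detect_credential_stuffing(events, min_users=5, min_failure_rate=0.8):
    """Flag source IPs that tried many distinct usernames with a high failure
    rate, the signature of an automated credential stuffing run. The 'hits'
    are the accounts that succeeded: exactly the credentials that would be
    resold as 'live' and that must be reset first."""
    per_src = defaultdict(
        lambda: {"users": set(), "attempts": 0, "failures": 0, "hits": set()}
    )
    for src, user, ok in events:
        stats = per_src[src]
        stats["users"].add(user)
        stats["attempts"] += 1
        if ok:
            stats["hits"].add(user)
        else:
            stats["failures"] += 1

    flagged = {}
    for src, stats in per_src.items():
        failure_rate = stats["failures"] / stats["attempts"]
        if len(stats["users"]) >= min_users and failure_rate >= min_failure_rate:
            flagged[src] = {
                "attempted_users": len(stats["users"]),
                "failure_rate": round(failure_rate, 2),
                "hits": sorted(stats["hits"]),
            }
    return flagged


@dataclass(frozen=True)
class TorAlert:
    kind: str  # "inbound-from-tor-exit" or "outbound-to-tor-relay"
    src: str
    dst: str
    port: int


def detect_tor_traffic(text, exit_nodes=TOR_EXIT_NODES, relays=TOR_RELAYS):
    """Inbound connections from Tor can only arrive from an *exit* node;
    outbound Tor use (insider activity or C2 over Tor) starts by connecting
    to any relay, so the outbound check uses the full relay list."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        direction, src, dst, port = line.split()
        if direction == "inbound" and src in exit_nodes:
            alerts.append(TorAlert("inbound-from-tor-exit", src, dst, int(port)))
        elif direction == "outbound" and dst in relays:
            alerts.append(TorAlert("outbound-to-tor-relay", src, dst, int(port)))
    return alerts


if __name__ == "__main__":
    for src, summary in detect_credential_stuffing(parse_auth_log(AUTH_LOG)).items():
        print(f"credential stuffing from {src}: {summary}")
    for alert in detect_tor_traffic(FIREWALL_LOG):
        print(f"{alert.kind}: {alert.src} -> {alert.dst}:{alert.port}")
```

On the sample data the stuffing rule flags only 203.0.113.7 (six usernames, five failures, one live hit for "carol"), while the internal user who mistyped a password once is ignored; the firewall rule flags the inbound connection from the exit node and the outbound connection to a relay but not the ordinary web traffic. The thresholds are deliberately conservative starting points: tune `min_users` and `min_failure_rate` against your own baseline, and remember that a relay list that is not refreshed quickly goes stale.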

Moving left in the cyber kill chain

One of the benefits of dark web monitoring is that the intelligence is specific to the organization. If a security team finds its CEO's personal details on the dark web, or a vulnerability in its software for sale in a dark web marketplace, there are no ifs or buts about it: the organization is evidently at risk, and there are clear actions to take. This ability to pre-empt threat actors and act preventatively means that organizations can push their defense beyond their own infrastructure and much earlier in the cyber "kill chain".

The most proactive organizations also go beyond their own domains and brands and extend monitoring to third parties, the supply chain, and intelligence on the threat actors themselves. A business' attack surface extends far beyond the boundaries of its own networks, and with a clearer picture of who the threat actors are, how they operate, and what tools they use, organizations can proactively adapt their defenses to the changing threat landscape.


Dr. Gareth Owenson is the Co-Founder and CTO of Searchlight Cyber. Prior to co-founding Searchlight, Dr. Owenson led the cybersecurity and digital forensic programmes at the University of Portsmouth in the UK.
