Why monitoring dark web traffic is crucial for cybersecurity teams
Uncover threats early
You would struggle to find organizations that aren’t actively involved in network monitoring - a core aspect of daily security workflows. Security teams are always watching over their network’s activity for unusual traffic patterns that might indicate a threat.
However, if you were to ask the average security team whether they monitor dark web traffic to and from their network, you may get a very different picture. The vast majority of organizations are not actively monitoring traffic originating from the dark web that reaches their public-facing network, or the traffic leaving their network and heading to the dark web. For security teams, this could be a vital missed opportunity to catch a threat or evolving attack in progress.
There are very few “innocent” reasons for this traffic, making it a very effective indicator that an adversary is making a move on an organization. As well as potentially sounding the alarm on an imminent incident, dark web traffic can also provide vital intelligence about exactly what malicious activity is taking place, and the tactics the attacker is using.
The sooner cybersecurity professionals can pinpoint malicious activity, the greater the likelihood of stopping an attack before it can even take shape - making the early warning provided by dark web monitoring a hugely valuable asset for security teams that know the signs they should be looking for.
Dark web reconnaissance
The anonymity offered by the dark web provides cyber criminals with ideal cover for conducting reconnaissance against the organizations they are looking to attack. Cyber criminals will often probe networks for vulnerabilities and weak spots, identifying their point of entry for more significant cyberattacks. Identifying traffic from the dark web to your network can therefore serve as an effective tripwire for identifying malicious intent, allowing organizations to take pre-emptive security measures.
In some circumstances, traffic from the dark web to your organization is harmless, especially if it is to public-facing infrastructure like the website (this could be someone looking at your website via the dark web for privacy reasons). However, when a sudden surge of traffic emanates from the dark web toward your network, especially parts not publicly accessible, it can indicate that cybercriminals are actively gathering intel on your defenses. By identifying this traffic early, analysts can gather vital insights into an adversary’s tactics and objectives – based on the parts of the network they are targeting – and take action to mitigate the chances of an attack, for example by applying any patches to the components that are receiving incoming dark web traffic.
Traffic to the dark web: an indication of insider threats
In pretty much all organizations, there is no legitimate reason why an employee should be accessing the dark web from the corporate network. If this happens, consider it a major red flag. Employees browsing the dark web are putting the company at risk by exposing their organization to threats such as malware.
In more severe cases, this traffic could signify insider threats, where employees are intentionally compromising the security of the organization by engaging in illicit activities, using the dark web to communicate with cybercriminals. It is critical that companies identify this outbound traffic as quickly as possible so they can launch investigations and shut down the threat.
Malware on the move
Large data flows from the dark web to the corporate network can be a sign of an adversary installing malware.
In a recent real-world example, we helped a European government agency successfully identify and neutralize a cyber-threat, based in part on detecting suspicious dark web traffic in the early stages of the attack. Traffic monitoring showed data going to the organization's IT infrastructure from the dark web that was much larger than would be expected in comparison to the size of the response.
Further investigation uncovered a webshell implemented by a hostile actor within the agency’s network – and this early detection allowed for prompt response, preventing a potential cyber-attack.
Signs of data theft
Unusual data flow patterns from a corporate network to the dark web are also a potential signal that an attack is in progress. Large-scale movement of data in this direction can indicate data exfiltration: the illicit transfer of sensitive information out of the organization's perimeter. Awareness of such activity is imperative for identifying data breaches and maintaining the confidentiality and integrity of an organization's valuable data.
Data breaches can have devastating outcomes, including significant financial loss, reputational damage, and legal consequences. By monitoring dark web traffic for signs of data leakage, an organization can gain valuable time in coordinating incident response and mitigating the potential impact of a breach on its company, staff, and customers.
Shutting down dark web threats
Early detection and rapid response are paramount to mitigating the impact of a cyberattack. Dark web traffic, whether directed toward or emanating from a corporate network, can serve as an indicator of an imminent threat. As it stands, this is an untapped opportunity for many organizations to take a more proactive approach to their cybersecurity.
Cybercriminals use the dark web because it obscures their identity, but a security team can learn much more important things about their adversary by monitoring dark web traffic. It can give them early warning that their adversary is targeting their organization for an attack and – critically – provide them with intelligence on the tactics the cybercriminal is using, giving them a unique opportunity to take mitigative action and stop the attack in its tracks.
This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Robert Fitzsimons is a Senior Threat Intelligence Engineer at the dark web intelligence company Searchlight Cyber.