The deep and dark webs live up to their nefarious reputation — offensive and often illegal material can sometimes be just a click away. So how do you safely find out if threats are lurking in their depths? There are five key principles you must follow, says Protective Intelligence head Michael Lubieszko.
Picture this: you’re crawling the deep and dark web in search of leaked or stolen corporate information. You think you’ve taken the right precautions to stay invisible, but threat actors are skilled digital adversaries. Somehow your identity is traced and your network is flooded with malware. On top of that, a long list of grievance actors now has you on their radar, potentially starting a cascade of threat activity that may not have existed before.
What went wrong? And a better question: what can you do to minimise your exposure risks while monitoring the deep and dark web?
What lies beneath?
For corporate security teams, the open web is the literal tip of the internet iceberg. Lurking beneath the surface of the websites you visit every day is the deep web, a vast region containing unstructured (but mostly safe) data from devices, databases, intranets and pages hidden behind a log-in or paywall. The deep web makes up around 96-99% of the content of the internet—with no visible links to search engines, it’s impossible to know its exact size.
If the deep web is private, then the dark web is secret. It constitutes less than 0.1% of the deep web, and its pages are difficult to navigate without knowing exactly where you’re going. Some activity that goes on there is legitimate, in the sense that it’s conducted by whistleblowers, journalists and others who need to share sensitive information through mechanisms that are not traceable. But it’s also where you find black markets loaded with stolen data, and all sorts of illicit services from arms dealing and drug smuggling to hitmen-for-hire.
Is your confidential information on these dark marketplaces? Probably. SpyCloud’s 2021 Breach Exposure of the Fortune 1000 report found almost 544 million dark-web exposures related to Fortune 1000 employees, as well as 26 million email/password pairs. This works out to an average of 25,927 exposed credentials per company.
If you’re not actively monitoring the internet’s underbelly, you miss an invaluable source of threat intelligence that you cannot get elsewhere. This article speaks to the many reasons why corporate security teams cannot ignore the deep and dark web.
Policing the shadows
With the right tools, anyone can access the deep and dark web. But if it’s not your professional specialism, you will need a healthy risk appetite and a stomach of steel. First is the challenge of knowing where to look. Not only is navigating difficult, but you cannot underestimate the psychological fallout of stumbling across something you don’t want to see.
Then there’s the possibility of a misstep bringing more attention than you want. Having eyes in the dark is one thing; accidentally embroiling your business in nefarious activities is another. What if you chance upon a competitor’s stolen trade secrets? Could poking around be taken as you condoning illegal or unconscionable groups, messages and activities? Is inexperience a reliable defence if one mistaken keystroke lands you in legal trouble? The financial, legal and reputational consequences could be immense, which is why so many are reluctant to go dark-web diving in the first place.
But before you consign deep-web surveillance to the too-hard box, know that there are ways to do it legally, ethically and with airtight anonymity. At Dragonfly, we believe that an effective approach must follow five key principles. These shape our Protective Intelligence service, a custom solution that includes rigorous investigation of indexed, deep and dark web sources to monitor and assess client-specific threats.
Five pillars of safe and ethical dark web monitoring
#1: Sniper, not scattergun.
The deep and dark web has many nooks and crannies: web pages, marketplaces, closed forums, messaging apps and so on, and they connect in complex ways. And because they are not indexed, you cannot simply Google them as you would on the open web.
A controlled approach is essential for identifying the sites that are of interest. You need to know where you’re going; otherwise, you may get stuck in rabbit holes that deliver no value for your business.
The first principle, simply, is to not go charging blindly into the abyss. Especially today, with security budgets stretched thinly and teams working harder than ever, you need to be smart and focused. It’s much easier to identify potential threats when you know the lie of the land.
How Protective Intelligence helps: The team does this day in, day out and knows how to search with focus and direction. We begin by understanding the threats that matter most to your organisation. When we start working together, we develop an Initial Threat Assessment that maps out your full threat landscape and determines your priorities. This allows us to threat-hunt in a strategic and focused way.
We also have extensive experience navigating the deep and dark web and know where the distractions are, where the dangers lie, how to access certain locations and which language to use. This is all critical to casting a narrow net, saving your business time and money.
#2: Watch, don’t engage.
Monitoring the deep and dark web is exactly that — monitoring. It is not tracking, spying, engagement or entrapment. In addition to legal considerations, ethical considerations are as broad as they are long. Ultimately, you have a duty of care to your business, stakeholders, customers and employees to protect your reputation and remain within the bounds of acceptable behaviour. This requires a skilled, passive approach to optimise collection activity while remaining compliant.
How Protective Intelligence helps: As ethical actors, we operate within a robust framework of non-interference and our activity is limited to non-intrusive, passive watching. We stay within the lines per a strict code of conduct and know when to cut loose if there’s any risk of legal or ethical transgression.
#3: Leave no traces.
Anonymity is a prerequisite for anyone who is attempting to access the deep and dark web. No matter how many precautions you take, hostile parties will always be looking for ways to reverse-engineer your visit and trace it back to your company. How confident are you that your team has closed all their apps, stopped unnecessary services from running, and is at no risk of exposing their identity?
How Protective Intelligence helps: Engaging a third party like Dragonfly creates the first essential layer of anonymity, providing a buffer between your organisation and the dark web. We then add further air gaps to keep us invisible. We do everything possible to minimise the risk that our activities can be traced back to us and, by extension, the clients we work for.
#4: Protect the people around you.
Being exposed to graphic images and volatile, hostile language can be highly distressing to staff. Advanced intelligence hygiene, including continuous training and access to therapeutic counselling services on demand, is an important part of helping them cope with the consequences of performing such a role.
How Protective Intelligence helps: We take on the risk of being exposed to inappropriate material so our clients don’t have to. Our team operates within firm psychological guardrails and we have effective triage in place to manage the impact on our people.
#5: Align tech tools and human intelligence.
While automated scraping tools seemingly offer an easy way to trawl the deep and dark web, they’re not a silver bullet. No tool can penetrate sources that just don’t want to be scraped and, even if it could, data is just data. A scraper may turn out libraries of information, but it cannot filter the noise for relevancy or determine the credibility of each threat.
Turning the raw data into actionable intelligence requires a human touch—someone who knows what threats are trending and can separate benign echo chambers from escalatory fever swamps. Absolutely, you should invest in good tools. But to gain value, you’ll also need a skilled and experienced human team that can assess risks and deliver genuine insight into the dynamics of a rapidly evolving threatscape.
How Protective Intelligence helps: Today’s ideology is tomorrow’s fixation. We place best-in-class automation in experienced human hands to curate relevant information and assess the credibility of each threat as it emerges. Our human-led service ensures the timely separation of signal from noise, delivering useful, actionable and complete intelligence that may otherwise get lost in the dark.
Case study: Timely intelligence of novel threat actors
Here’s how this works in practice. Activists of interest to our client were active on an anonymous doxxing website. As part of their routine monitoring, our Protective Intelligence team detected a post containing the CEO’s personal phone number, residential addresses and details of family members, all of which were listed in connection with an issue surrounding the Ukraine conflict.
Not only was the information now in the public domain, it was being shared at quick-fire speed with other dark web platforms, including violence-inciting sites.
Our Protective Intelligence service was able to swiftly assess the risk posed by a large pool of potential harm actors, and alert the client immediately so they could take steps to protect the CEO and their family. Our intelligence was a real asset to the company’s security stack. And we can make a difference to yours, too.
To find out more about how Protective Intelligence can help your company monitor, identify and assess threats on the deep and dark webs, get in touch with our specialists today.