Attributing attacks to threat actors: When organizations suffer data breaches and cyber incidents, the dark web becomes a crucial tool for defenders, including the impacted businesses, their legal teams, and negotiators.

Threat actors such as ransomware groups often attack organizations to encrypt and steal their data so they can extort payment in exchange for a decryption key. To gain leverage during negotiations, or should the organization outright refuse to pay a ransom, threat actors often start leaking stolen data on their .onion leak sites in small batches, gradually exposing sensitive customer and employee information, including copies of passports, identification documents, protected healthcare data, and financial records, to the public. Other threat actors may put larger multi-gigabyte data dumps up for sale on hacker forums, from which identity thieves and phishing actors can benefit.

For the impacted organization, the dark web becomes a vital means of monitoring the extent of the damage: what information has been publicly exposed, on which forums or online groups, who (or which threat actor group), if anyone, has claimed responsibility for the attack, and how the stolen assets are being disseminated (i.e., sold for profit or leaked outright for free). Often, .onion sites and Telegram groups may be the sole links between an impacted organization's defenders and the threat actor(s), serving as the primary communication channel, as evidenced by the leaked negotiation chats between Royal Mail and the LockBit ransomware group during the 2023 cyber attack.

Attribution becomes especially important when an obvious motive, like monetary gain or ransom, is missing. Hacktivist groups, for example, may target a website or government systems with large-scale Distributed Denial of Service (DDoS) attacks, knocking them offline, or vigilante software authors may intentionally sabotage their own work to damage systems located in certain parts of the world, all to draw attention to a wider message rather than for financial gain.
Monitoring for data leaks and breaches: Data breach monitoring services like HaveIBeenPwned (HIBP) keep track of leaked data dumps surfacing on the dark web and in hacker forums. Users can check whether their information was compromised in a data breach simply by entering their email address on HIBP, at no cost.

Search engines such as Intelligence X specialise in enabling researchers and defenders to look up crucial bits of information, such as a cryptocurrency wallet address, IPs, domains, or email addresses, found in public data leaks and on the darknet.

In a consumer context, dark web monitoring has recently gained prominence in the form of fraud and identity theft monitoring plans offered by leading credit reporting bureaus like TransUnion, Equifax, and Experian. Users first create a profile with a credit bureau after verifying their identity by answering questions online, the answers to which the bureau already knows from the historical lending data it holds about consumers. After enrolling in a paid subscription, users can opt to record their sensitive information, such as credit card numbers, driving license details, passport and travel document data, and taxpayer identification numbers like a National Insurance Number (NINo), Social Security Number (SSN), or Social Insurance Number (SIN), on the bureau's website. This information, stored securely, is periodically checked against leaked data emerging on the dark web, such as breached company databases surfacing in the wild. The idea is that any time a piece of the recorded data matches an illicit data dump circulating on the dark web, the enrolled user is notified and can become aware of the identity theft they may be subject to.
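The article describes breach-monitoring services as matching a user's recorded secrets against leaked dumps. The following is an added example, not code from the article or from HIBP, showing how such a check can be done without the monitoring service ever receiving the full secret: it models the k-anonymity range lookup that HIBP's Pwned Passwords API uses (SHA-1 the secret, send only the first five hex characters, receive every matching suffix with its breach count, and compare the rest locally). The range response here is a constructed, offline stand-in for that API, the breach counts are made up, and the function names are this example's own.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for a range-API response for the prefix "5BAA6".
# Real responses have the same "SUFFIX:COUNT" line shape; the counts here
# are invented for the example, and the ":0" line mimics padding entries
# that some APIs add so that response size does not reveal the result.
_CONSTRUCTED_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"   # SHA-1("password") minus prefix
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:0\n"       # padding-style entry
    ),
}


def offline_range_lookup(prefix: str) -> str:
    """Return the constructed range response for a 5-hex-char prefix, or ''."""
    return _CONSTRUCTED_RANGE_RESPONSES.get(prefix.upper(), "")


def sha1_prefix_suffix(secret: str) -> Tuple[str, str]:
    """Hash the secret with SHA-1 and split the uppercase hex digest 5/35.

    Only the 5-character prefix leaves the client; the 35-character suffix
    is kept locally for comparison against the returned range.
    """
    digest = hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blank lines."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(secret: str, range_lookup: Callable[[str], str]) -> int:
    """Return how many times the secret appears in the leaked set (0 = no hit).

    A padded ":0" entry or a missing suffix both mean "not seen", which is
    why the default and the zero-count case collapse to the same answer.
    """
    prefix, suffix = sha1_prefix_suffix(secret)
    table = parse_range_response(range_lookup(prefix))
    return table.get(suffix, 0)


def check_and_report(secret: str, range_lookup: Callable[[str], str]) -> str:
    """Produce the kind of notification a monitoring service would send."""
    hits = breach_count(secret, range_lookup)
    if hits:
        return f"ALERT: secret seen {hits} time(s) in leaked data; rotate it."
    return "OK: secret not found in the monitored leaked data."


if __name__ == "__main__":
    print(check_and_report("password", offline_range_lookup))
    print(check_and_report("correct horse battery staple", offline_range_lookup))
```

The design point is that the monitoring provider learns only a 20-bit hash prefix, which maps to hundreds of candidate hashes, so a log of queries cannot be turned into a list of the subscriber's secrets. Swapping `offline_range_lookup` for an HTTP call to a real range endpoint changes nothing else in the logic.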
Bypassing censorship and whistleblowing: The dark web and technologies like Tor, Telegram, or VPNs may also be relied on by whistleblowers in jurisdictions where internet use is restricted or heavily scrutinized. Political dissidents and defenders of civil liberties who want to raise their voice without compromising their identity or location may use the dark web to disseminate their message or to disclose evidence of corporate or governmental wrongdoing, for example. While these actions may be of questionable legality and ethics, they demonstrate the complex nuances of these technologies and of the wider "dark web," which isn't inherently "bad."

Technologies like VPNs can allow users to access restricted apps and websites, such as LGBTQ+ social networks, in countries where they are censored. News websites, like The Guardian, often have a .onion version with identical content. Should the main outlet website be banned by an authoritarian regime, citizens can still rely on Tor to access the outlet with a greater degree of anonymity.
Enforcing the law: If criminals can lurk on the dark web, so can, and do, the police. Government law enforcement agencies like the FBI, Interpol, and the Australian Federal Police are frequently credited with taking down widespread cybercrime operations. Recently, these have involved the FBI and several other law enforcement agencies from different countries cracking down on a counter-antivirus operation, "AVCheck," and crushing the Lumma Stealer malware-as-a-service (MaaS) that stole millions of passwords.

Beyond seizing illicit domains and nuking ransomware operations, federal agencies have employed the dark web to target drug traffickers and criminals behind CSAM. A recent example is Operation RapTor, in which law enforcement agencies across the US, Europe, South America, and Asia collaborated to arrest 270 dark web vendors, buyers, and admins associated with the illegal fentanyl and opioid trade.
Research and journalism: A less obvious but paramount use case of the dark web is the value it provides to investigative journalists. To reporters, the dark web provides an avenue for corroboration between parties and for observing developments "behind the scenes," particularly during high-profile cyber attacks. The anonymized communication channels and leak sites may serve as a conduit between reporters and the threat actors who claim to be behind data breaches. While it would be naive to take the word of a threat actor at face value, the information about an attack or the potential evidence a threat actor shares may help a journalist vet how credible the claims made by both the threat actor and the impacted organization are. This exercise can be particularly crucial for independent reporting in cases involving corporate wrongdoing, such as when an organization wilfully tries to cover up or downplay a security breach from stockholders and customers despite ample evidence, on a balance of probabilities, indicating the opposite. Other times, a company may not disclose a cyber incident at all. Still, the chatter on the dark web and on ransomware leak sites might enable researchers, the public, and journalists to ask important questions.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4017766/how-defenders-use-the-dark-web.html