According to industry research, organizations faced 38% more attempted cyberattacks last year than in 2021. Some sectors fared better than others (education and research topped the table with a 43% increase in attempted attacks, while hardware vendors ranked last at 25%), but none of the figures are encouraging, whatever business you are in.
Attempts and breaches are not the same thing, however. You have probably heard from a slew of industry experts that it is "not a matter of if, but when" you will be targeted, but that is not the whole story. As the statistics show, attempted attacks are unavoidable in today's world; whether they succeed is a very different metric, and one the defender can influence.
Cyberattacks rarely arrive out of the blue, least of all the orchestrated ones, such as ransomware, that keep security professionals awake at night. Threat actors, like everyone else, have to organize. They do their due diligence, conduct reconnaissance on the organizations they target, and look for, and frequently buy, vulnerabilities and access that can be used to breach a company's defenses. That means there are opportunities to detect malicious activity in the planning stages, before an organization is attacked. Businesses can inform their cybersecurity efforts by monitoring the deep and dark web, which threat actors use during the reconnaissance phase.
Understand your adversary
Organizations devote significant resources to bolstering their cybersecurity defenses, but they frequently have little understanding of who their attackers are and how they operate. At best, they stretch their people and budgets thin by trying to prioritize every risk at once. At worst, the result is a defense misaligned with the threats they actually face: the cyber equivalent of erecting walls while criminals tunnel underground.
Dark web intelligence is one way for organizations to understand the specific threats to their business. For example, if a company discovers that its employees' usernames and passwords are being sold wholesale online, authentication (forced password resets and multi-factor authentication) becomes the obvious priority. If instead it sees high volumes of traffic from the Tor network, the usual route to the dark web, hitting an exposed service, tightening network defenses around that service is the priority.
Sometimes the hints are not even subtle. As cybercrime has become more professional, many stages of a data breach have been outsourced. The criminals launching a ransomware attack may not be the gang that breached the network in the first place; they may have bought that foothold from the aptly named "initial access brokers," who sell access to already-compromised networks on the dark web for others to exploit. Like anyone else selling a product, brokers have to market it. As a result, a company that monitors the dark web for its company name, IP address ranges, domains, or credentials may be able to detect access to its own network while it is being offered for sale.
The primary signs of a cyberattack
The following are the most common early warning signs visible on the dark web:
1. Leaked credentials – This is frequently the first link in the attack chain. A threat actor buys a large set of credentials from a data breach and uses automated tooling to launch a credential stuffing attack across many web applications and network logins, betting on password reuse. Any successful "hits" are often resold, at a much higher price, because they are now "live," actionable credentials that other criminals can use to get in and move laterally across the compromised network.
2. Vulnerabilities – Compromised devices or software vulnerabilities offered for sale on the dark web can alert businesses to how and where an attacker may strike, giving them a chance to patch before exploitation. The vulnerability could be in their own infrastructure or in a third-party supplier's, so monitoring for both is prudent.
3. Dark web traffic – Because the vast majority of businesses have no reason to exchange traffic with the dark web, such traffic is a reliable early warning sign. Inbound traffic from Tor exit nodes may indicate that the corporate network is being scanned for vulnerabilities. Outbound traffic is potentially more serious: it suggests either that an employee is engaging in malicious behavior (an insider threat) or, worse, that malware already on the network is beaconing to a command and control server hosted there.
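Signals 1 and 3 above can both be turned into detection logic over logs the organization already has. The block below is an added example written for this article, not code from the original piece or from any product; the log formats, IP addresses and the Tor exit-node list are constructed for illustration (in production the exit list would be pulled from a feed such as the Tor Project's https://check.torproject.org/torbulkexitlist, which is not fetched here). It flags one source IP failing logins against many distinct accounts in a short window, the credential stuffing signature, and classifies firewall connections that touch a Tor exit, rating outbound ones higher than inbound.

```python
"""Early-warning detections over constructed auth and firewall logs.
Added example for this article; formats and addresses are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <result> user=<name> src=<ip>"
AUTH_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:02 FAIL user=bob src=203.0.113.7
2024-03-01T09:00:02 FAIL user=carol src=203.0.113.7
2024-03-01T09:00:03 FAIL user=dave src=203.0.113.7
2024-03-01T09:00:03 OK user=erin src=203.0.113.7
2024-03-01T09:00:04 FAIL user=frank src=203.0.113.7
2024-03-01T09:05:00 FAIL user=alice src=198.51.100.9
2024-03-01T09:05:30 FAIL user=alice src=198.51.100.9
2024-03-01T09:06:00 OK user=alice src=198.51.100.9
""".splitlines()

# Constructed sample: "<ISO timestamp> <IN|OUT> src=<ip> dst=<ip> dport=<port>"
FW_LOG = """\
2024-03-01T09:00:01 IN src=192.0.2.44 dst=10.0.0.5 dport=443
2024-03-01T09:00:01 IN src=192.0.2.44 dst=10.0.0.5 dport=22
2024-03-01T09:00:02 IN src=192.0.2.44 dst=10.0.0.5 dport=3389
2024-03-01T09:00:05 OUT src=10.0.0.23 dst=192.0.2.99 dport=9001
2024-03-01T09:00:07 OUT src=10.0.0.23 dst=93.184.216.34 dport=443
2024-03-01T09:00:09 IN src=198.51.100.3 dst=10.0.0.5 dport=443
""".splitlines()

# Constructed exit-node list (assumed); the real feed has over a thousand entries.
TOR_EXITS = {"192.0.2.44", "192.0.2.99"}


def _fields(line):
    """Split 'ts TOKEN k=v k=v ...' into (datetime, token, {k: v})."""
    ts, token, *kv = line.split()
    return datetime.fromisoformat(ts), token, dict(p.split("=", 1) for p in kv)


def find_credential_stuffing(lines, window=timedelta(seconds=60), min_users=5):
    """Return {src_ip: distinct_users} for sources whose failed logins hit at
    least `min_users` distinct accounts inside any span of length `window`.
    Many accounts from one source is the stuffing signature; repeated failures
    on a single account from one source (brute force, or a user's typo) is a
    different pattern and is deliberately not flagged here."""
    failures = defaultdict(list)  # src -> [(ts, user)]
    for line in lines:
        ts, result, kv = _fields(line)
        if result == "FAIL":
            failures[kv["src"]].append((ts, kv["user"]))
    hits = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = max(hits.get(src, 0), len(users))
    return hits


def classify_tor_traffic(lines, exit_ips):
    """Return [(severity, reason, line)] for connections touching a Tor exit.
    Inbound from an exit means the perimeter is being probed; outbound to an
    exit is rated higher because it points at an insider or a beaconing implant."""
    alerts = []
    for line in lines:
        _, direction, kv = _fields(line)
        if direction == "IN" and kv["src"] in exit_ips:
            alerts.append(("medium", "inbound from Tor exit", line))
        elif direction == "OUT" and kv["dst"] in exit_ips:
            alerts.append(("high", "outbound to Tor exit", line))
    return alerts


if __name__ == "__main__":
    for src, n in find_credential_stuffing(AUTH_LOG).items():
        print(f"credential stuffing suspected from {src}: {n} distinct accounts")
    for sev, why, line in classify_tor_traffic(FW_LOG, TOR_EXITS):
        print(f"[{sev}] {why}: {line}")
```

On the constructed data, 203.0.113.7 is flagged (five distinct accounts in three seconds) while 198.51.100.9, which only fails twice on one account before succeeding, is not; the three inbound probes from 192.0.2.44 produce medium alerts and the single outbound connection to 192.0.2.99 on port 9001 produces the one high alert. Thresholds are the knobs to tune: a consumer-facing login behind a shared NAT will need a higher `min_users` than an internal VPN gateway.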
Moving to the left of the cyber kill chain
One advantage of dark web monitoring is that the intelligence is tailored to the organization. If a security team finds its CEO's personal information on the dark web, or a vulnerability in its software for sale in a dark web marketplace, there are no ifs or buts about it: the organization is clearly at risk, and immediate action is required. By anticipating threat actors' next moves and acting preventively, organizations can move their defense outside their own infrastructure and much earlier in the cyber "kill chain."
The most proactive organizations also extend monitoring beyond their own domains and branding to cover third parties, the supply chain, and threat-actor intelligence. A business's attack surface extends far beyond its own networks, and by understanding who the threat actors are, how they operate, and what tools they use, organizations can adapt their defenses to the changing threat landscape before an attempt becomes a breach.