3 Questions to Help Evaluate the Right Dark Web Monitoring Tool for Your Business

The Dark Web is one of those hidden crevices of the Internet that many people have heard of, but few understand. The most common perception is that it’s the part of the Internet where bad people do bad things.

While that description certainly has an element of truth, it’s also incomplete.

For one, not all things that happen on the Dark Web are illegal. In fact, many people around the world have legitimate reasons to keep their activities hidden from prying eyes (e.g., oppressive governments).

Still, the truth remains ­– the Dark Web is a place where you never want your proprietary customer/ employee/company data to be ever leaked.

Unfortunately, it’s not realistic for your team to monitor the Dark Web in-house on a continuous basis to rapidly detect whether your organization’s sensitive data has been leaked. Plus, your security team may not have the experience required to identify subtle patterns that serve as early indicators of a potential cyberattack within threat actor conversations.

What is the “Dark Web”?

The Dark Web is a catch-all term for web content that exists on darknets, which themselves are overlay networks that require specific software (like TOR), configurations, or authorization to access.

Due largely to the anonymity it provides, the Dark Web is an important hub for threat actors, who use the cybercrime marketplaces, private forums, invite-only messaging groups, code repositories, and other communities to buy and sell sensitive data, plan cyberattacks, and publish attacker tools.

Dark Web content isn’t indexed by — and therefore isn’t discoverable or searchable via — regular search engines. It shares this characteristic with the Deep Web, and although the two terms are sometimes used interchangeably, they refer to different parts of the web.

What Can You Learn from Monitoring the Dark Web?

For cybersecurity practitioners who know where and how to look for it, the Dark Web offers a mother lode of information. And, for those who know how to use it, that information can be extremely valuable.

For example, monitoring leak sites helps to uncover the activities of ransomware gangs. Doing so across many sites can provide insights into overall ransomware trends and the broader cybercrime ecosystem, which can be important inputs into defensive strategies.

Experienced threat intelligence researchers can go even deeper, as eSentire’s Threat Response Unit (TRU) recently did when — over a period of 21 months — they unmasked the hackers behind the cyber weapon of choice for two of Russia’s most notorious Internet crime gangs (Part 1 | Part 2).

Paying attention to the Dark Web can also provide early warning of attack campaigns, new exploits, indicators of compromise (IoCs) — and much more that has broad applicability for those within the cybersecurity community.

Importantly, Dark Web monitoring can also help individual organizations by extending their visibility beyond their own IT infrastructure and traditional threat intelligence feeds.

For example, organizations can learn if their data has been breached or if their credentials are for sale, both of which would no doubt trigger an array of responses that could lessen the impact of an intrusion or prevent one altogether.

Unfortunately, while monitoring the Dark Web is tremendously valuable, doing so hasn’t been practical or possible for most organizations.

Why is the Dark Web So Hard to Monitor?

There are several factors that make Dark Web monitoring a complex and challenging task. It requires specialized knowledge, tools, and resources to effectively navigate and monitor this hidden part of the internet. These include:

Identity-hiding anonymity and encryption

The Dark Web is designed to provide maximum anonymity to its users, achieved using encryption technologies that mask users' identities and activities. The most common tool used for this purpose is Tor (The Onion Router), which routes a user's data through several random servers around the world, making it extremely difficult to trace back to the source. This high level of anonymity makes it challenging to monitor activities or identify malicious actors.

Distributed and decentralized infrastructure

Unlike the Surface Web, which relies on centralized servers, the Dark Web operates on a distributed and decentralized infrastructure. This means that data is not stored in one place but is spread across numerous servers worldwide. This distribution makes it hard to shut down or monitor a site completely as there is no single point of failure.

Evolving technologies and tactics

The Dark Web is a dynamic environment where technologies and tactics are constantly evolving. Cybercriminals are always finding new ways to evade detection, making it a moving target for monitoring efforts. The use of advanced malware, botnets, and other sophisticated tactics adds to the complexity of monitoring.

Volume and complexity of content/information

The sheer volume of data on the Dark Web, combined with its complexity, makes monitoring a daunting task. This includes everything from illegal marketplaces and forums to encrypted communications and files. The data is not only vast but also unstructured, making it difficult to analyze and interpret.

Restricted access and membership

Many areas of the Dark Web require specific permissions or memberships to access. This could be an invitation from an existing member or the use of specific software. These barriers to entry make it harder for outsiders to monitor activities or gather intelligence.

Content encryption and hidden services

Much of the content on the Dark Web is encrypted or hidden. This includes not only communications but also websites and other services. Encryption makes it difficult to understand the content, while hidden services can't be found through traditional search methods. This adds another layer of difficulty to monitoring efforts.

As a result, manually exploring and analyzing the Dark Web is often beyond the resources of all but the most well-funded security teams. Although there are specialized tools and technologies that may be used for automatic Dark Web monitoring, they must be built, configured, and maintained. Unfortunately, most in-house security teams are simply not equipped to undertake these tasks themselves, especially when impacted by budget and resource constraints.

Plus, because many resources (e.g., marketplaces, forums, messaging groups, etc.) are hidden and/or require invitations, Dark Web monitoring isn’t something that even a very well-funded cybersecurity researcher can suddenly start doing — unless they’ve already put in the effort, over months and years, to be accepted into the necessary cyber communities.

Are Dark Web Monitoring Services Effective?

There are many Dark Web monitoring tools in the market that claim to scan the Dark Web, but the extent to which they can scan depends on their access within the Dark Web. Threat actors are constantly changing their tactics, making it increasingly difficult for standard detection tools to identify them.

Although several companies provide Dark Web monitoring services for organizations and individuals alike, these services are often expensive, usually well beyond the reach of small and medium businesses (SMBs) and other organizations with limited security funds (e.g., public sector, not for profit, etc.). Moreover, many Dark Web monitoring tools are rather inadequate, providing noisy and stale data pulled from only a small fraction of the Dark Web.

However, a bigger pain point is that security leaders often struggle to interpret and operationalize the threat intelligence gathered from these Dark Web feeds. For example, the monitoring feed itself exists in isolation, completely without context from the organization receiving it; consequently, it typically takes a lot of time and resources to integrate the intelligence with the security stack, to establish playbooks consume the data, and to train analysts to interpret it.

3 Questions to Ask When Evaluating Dark Web Monitoring Services

As you look beyond just traditional credential monitoring tools, it can be difficult to evaluate the true effectiveness of a Dark Web Monitoring tool. Your team needs more detailed threat intelligence about cybercriminals, the latest tactics, techniques, and procedures (TTPs) they’re using, and additional context on how to adapt your cybersecurity strategies based on Dark Web activities.

So, before you invest in a Dark Web Monitoring service, here are 3 questions you should ask your Dark Web Monitoring provider:

Where do you source your data from and how often is it updated?

It goes without saying that cybercrime is constantly evolving, including adversarial TTPs. However, threat actors are also expanding beyond the Dark Web and into encrypted messaging platforms (e.g., Discord, Telegram, etc.) to further anonymize their presence.

As a result, Dark Web monitoring tools that source their data only from the Dark Web may overlook new threats or vulnerabilities that may be emerging on other platforms. In fact, according to the State of the Cybercrime Underground 2023 report by Cybersixgill, there has been a significant surge in the use of encrypted messaging platforms; in 2022, Cybersixgill collected nearly 1.97B items – a 439% increase in comparison to 2020.

How do you correlate data from your Dark Web Monitoring tool with information from other security tools?

If your Dark Web Monitoring tool is ‘disconnected’ from your other security technologies, you lose the benefit of harnessing collective threat intelligence. On the other hand, Dark Web data often contains indicators of compromise (IoCs), threat actor chatter, and discussions about using, and even developing, new attack tactics and techniques.

Correlating this information with your telemetry and alert data from other security tools can enable your team to gain valuable context regarding potential threats. This context aids in understanding the motives, methods, and specific targets of threat actors. In turn, this influences your strategic decision-making process by providing a broader understanding of the threat landscape, of which the Dark Web is a significant component.

More importantly, if your Dark Web Monitoring tool integrates seamlessly with your Managed Detection and Response (MDR) service, you also benefit from getting complete, robust response capabilities against potential cyber threats detected in your environment.

Beyond alerts, what kind of reporting or expert support does your Dark Web Monitoring tool provide?

Monitoring for IoCs and TTPs is only one facet of security. Regularly reporting on malicious activities and the ever-evolving TTPs in the Dark Web is important as well.

Your Dark Web Monitoring provider should update you on industry trends, the latest threats in the Dark Web and provide comprehensive tactical recommendations (at least quarterly) on how to mitigate those threats. Moreover, we also recommend partnering with a provider that offers expert guidance and support so you can make informed decisions about your security strategy.

Protect Your Employees and Brand Reputation with eSentire’s Dark Web Monitoring Services

Our Dark Web Monitoring service extends visibility beyond your on-premises and cloud environments to detect compromised user credentials, corporate sensitive data, and early indicators of potential cyber threats to protect your brand, executive team, and employees.

24/7 monitoring across the Dark Web identifies early indicators of potential cyber threats, IOCs, and evolving tactics, techniques, and procedures (TTPs) that threat actors rely on to conduct sophisticated cyberattacks. In addition, we provide contextual awareness into known and unknown threat actor groups, for deeper threat investigations, by observing forum discussions, recognizing communications patterns used within conversations, and using this intelligence to build a timeline to inform our threat response actions.

More specifically, you can benefit from:

• Enhanced visibility and alerting on compromised credentials, mentions by Initial Access Brokers (IABs), or discussions of a targeted cyberattack — including 24/7 monitoring for leaked credentials of your top executives and key personnel
• Identification of potential phishing campaigns, domain infringement practices, and other malicious activities
• Proactive monitoring of third-party and supply chain vendors to manage and reduce supply chain risk
• Identification of employees (or other insiders) who are acting with malicious intent to violate security policies or sell their credentials/access on the Dark Web

Plus, eSentire MDR customers can also leverage the eSentire Threat Response Unit (TRU) and the eSentire Cyber Resilience Team for regular reports on relevant Dark Web alerts, get informed on industry-specific risk areas, participate in live TRU threat intelligence briefings —and more.

Done right, Dark Web Monitoring can provide difference-making intelligence to help safeguard IT environments, detect breaches, and track down advanced threats.

To learn how eSentire Dark Web Monitoring services can protect your business from cyber threats and build a more resilient security operation, connect with an eSentire cybersecurity specialist.