EB: How well do you think businesses understand the threat of the dark web?
JM: For many companies, the dark web isn’t fully understood and there isn’t a lot of awareness. It’s an emerging area of threat research and one of those things that needs to be shown rather than told in order for most companies to fully appreciate the value in understanding these threats.
Due to its illicit nature, it can be extremely difficult for organisations to access and understand the dark web. In addition, most IT teams are focused on responding to problems rather than scouring the abyss of the dark web for potential compromises.
EB: How prolific is the buying and selling of credentials on the dark web?
JM: The dark web is a haven for criminals looking to buy and sell credentials, exploits and all manner of illegal wares. Exchange of data is pretty prolific and shows no signs of slowing down.
The latest Verizon Data Breach Investigations Report found that a staggering 81% of recent hacking-related breaches leveraged either stolen or weak passwords, and we’d expect the majority of these to have been sold on the dark web.
EB: What are the main factors behind organisations’ lack of visibility into the dark web?
JM: The big challenge is that the data on the dark web is typically not found by scanners, scrapers, or web crawlers. It usually needs dedicated analysts spending time manually browsing the forums and building up trust in order to gain access to sensitive data.
This requires a considerable investment of time, technical skill and authorised access that simply isn’t available to IT teams in all organisations.
EB: What are Account Takeover attacks? How do they work?
JM: Account Takeover attacks are where user IDs and passwords are leaked in one breach and then subsequently used to try and gain access to other cloud services to take over the account. These are successful for a couple of reasons.
First and foremost, many breached companies might not realise that they’ve been breached for weeks or even months, giving criminals plenty of time to plan and carry out attacks.
Secondly, users are notoriously bad at re-using the same credentials across multiple services, so breached credentials have a high likelihood of working elsewhere.
EB: In your opinion, how aware are businesses today of the potential threat of this kind of attack?
JM: I think the awareness of account takeover or similar attacks is on the rise. However, the mechanisms by which the data is acquired and shared amongst criminals, and the best ways to detect and prevent these attacks, are areas that need greater focus.
Because of widespread password re-use, the risk of compromised credentials extends well beyond the immediate control of an organisation. Unfortunately, many users still don’t realise the implications of using their corporate email and password to log into a third-party environment that IT has no visibility or control over.
Because IT does not have the ability to monitor these services, many don’t realise that their systems may be vulnerable until it’s too late.
EB: How can businesses increase visibility into the dark web?
JM: Being a manually intensive task, for now, it’s probably easier for companies to increase visibility through vendors that can pull data in from the dark web and integrate it into the daily monitoring and threat detection capabilities of an organisation.
Tools like AlienVault’s AlienApp for Dark Web Monitoring can generate alarms that detect when your users’ personal or corporate credentials are trafficked in the dark web. This can allow IT teams to take proactive remediation actions and reduce the risk and exposure to systems and cloud services before serious damage is done.