If you know your enemy and you know yourself, you won't be defeated in a hundred battles. -- Sun Tzu, The Art of War
In many respects, this simple truism has become a pillar of how security controls are built. Knowing our adversaries' behaviors informs everything from threat intelligence and penetration testing to monitoring strategies and threat modeling. In other words, understanding our foes underpins much of what we do and how we do it, and that translates into better readiness and operational preparedness.
The Mitre ATT&CK framework is a good example. Understanding the tools, techniques and procedures deployed by attackers helps defenders pinpoint evidence of attacker activity. Or consider how the Lockheed Martin Cyber Kill Chain enables us to understand attacker campaigns -- in the process, providing tools we can use to disrupt those activities before they can be put into motion.
The truth is that time spent understanding the adversary is never wasted. One way to do that is enterprise dark web monitoring. Let's examine what enterprise dark web monitoring is, how it can help your organization and some factors to consider before bringing such a capability into your own program.
What is dark web monitoring?
At its core, dark web monitoring isn't a difficult concept to grasp. It's about gathering key information about your company by probing activity on the dark web -- that portion of the web accessible via Tor. Because the dark web is a conduit and vehicle for the exchange of information in the attacker community, monitoring serves the following key purposes:
- An early warning about upcoming attacks.
- A detective control for data exfiltration.
- A data source about attacker activity.
Consider these use cases. First, the dark web can be used as a canary to alert if your organization has been breached. The dark web is a common vehicle to share, trade and sell compromised information. If you notice your data there -- critical business intelligence, plans, user data, customer data or any other data meaningful to you -- you've likely been exposed.
A dark web monitoring program also lets you search for the presence of information about your users. Keep in mind that users -- no matter how many times you tell them not to -- often reuse the same passwords across multiple sites and services, on both work and home accounts. Probing the dark web to determine whether your users' credentials have been compromised can help you secure those accounts. At a minimum, alert users when their data becomes accessible, but build further logic into the process -- for example, trigger a password reset when compromised credentials appear online.
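To make the "trigger a password reset" step concrete, here is an added example (not code from the article or from any monitoring vendor) that matches a constructed leaked-credential feed against a constructed user directory and decides between a plain user alert and a forced reset, depending on whether the leaked password still matches the account's current one. The feed format, the sample users, the hashing helper and the function names are all assumptions for illustration.

```python
import hashlib
import hmac
import re

# Constructed user directory (not real data): email -> salt and salted SHA-256 of the
# current password. A production directory would use a slow KDF such as argon2 or
# bcrypt; plain SHA-256 is used here only to keep the example short.
def hash_pw(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

USERS = {
    "alice@example.com": {"salt": "s1", "pw_hash": hash_pw("Winter2024!", "s1")},
    "bob@example.com": {"salt": "s2", "pw_hash": hash_pw("correct-horse", "s2")},
}

# Constructed sample of leaked records in a hypothetical "email:password" feed format.
LEAK_FEED = [
    "Alice@Example.com:Winter2024!",        # matches Alice's current password
    "bob@example.com:OldPassword1",         # Bob appears, but the secret is stale
    "carol@other.org:hunter2",              # not one of our users
    "malformed line without delimiter",     # feed noise, must be skipped
]

RECORD_RE = re.compile(r"^([^:\s]+@[^:\s]+):(.*)$")

def parse_record(line: str):
    """Return (normalized email, leaked password) or None for an unparseable line."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return m.group(1).lower(), m.group(2)

def triage(feed, users):
    """Map each affected user to an action: 'reset' when the leaked password still
    opens the account, 'alert' when the user appears but the leaked secret is stale.
    A 'reset' verdict is never downgraded by a later stale record for the same user."""
    actions = {}
    for line in feed:
        rec = parse_record(line)
        if rec is None:
            continue
        email, leaked_pw = rec
        user = users.get(email)
        if user is None or actions.get(email) == "reset":
            continue
        # Constant-time comparison of the leaked secret against the stored hash.
        if hmac.compare_digest(hash_pw(leaked_pw, user["salt"]), user["pw_hash"]):
            actions[email] = "reset"
        else:
            actions[email] = "alert"
    return actions
```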
Enterprise dark web monitoring additionally enables organizations to gather data about attacker activities, their methodologies and their tradecraft. If that sounds as if it overlaps with traditional threat intelligence capabilities, you're absolutely right. In this case, dark web monitoring supplements other tools employed to collect data about attackers and their actions. The data can be gathered to track these activities more generally as a means to inform defenses and control selection. Or you can tailor specific searches to find upcoming campaigns from attacker groups that might affect you.
How to integrate dark web monitoring into your program
If dark web monitoring appeals to your organization, the next question is how to integrate that capability into your existing security program. Large companies can consider building their own monitoring capabilities internally. Smaller firms can consider outsourcing monitoring to one of the many providers that offer this as a service.
Each option has pros and cons. Outsourcing can be attractive; much like several other specialized security subdisciplines -- among them forensics, red team and pen testing, and threat intelligence more broadly -- dark web monitoring can be expensive and time-consuming. Depending on your specific needs and intended outcomes, it can require specialized skills, such as fluency in non-English languages used by global threat actors, and time to access forums, marketplaces and other areas used by attackers to share data.
Building an internal team can be an expensive undertaking. Specialized training is critical, and finding the right staff can be difficult. That said, a dark web monitoring capability designed in-house provides much broader flexibility and enables your organization to customize it exactly as it wants.
The decision is ideally approached systematically and in consideration of organization-specific factors. For example, if you're a large organization that has already invested heavily in an in-house threat intelligence capability, colocating enterprise dark web monitoring within the existing structure yields obvious synergies. If, however, you're a smaller organization and supporting a specialized dark web monitoring staff doesn't make economic sense, outsourcing might be a better alternative.