Most of us tend to think about the web as a single destination, available through our browsers on our laptops and phones. But over the years it has evolved into three very different places: the clear or public web, the private or deep web and the darknet or darkweb. In this post, we explain their differences, what kinds of information can be found in each, and why you need to protect yourself when you access this content. As you can tell by the fact that we list different terms, there is no solid agreement on the labels of the three pieces. Here is a good explainer published by the FBI, which is a useful starting point.
The public web is the web that most of us are very familiar with: the sites that are run by the major dot com businesses, the SaaS sites that provide our software for running common office applications and email, and so forth. This is the data that freely flows between our computers every day. These sites are searched and recognized by Google and other search engines and covered by security tools such as web application firewalls and data leak protectors.
But when we move to the private web, we come to a part of the online world that isn’t easily indexed by the search engines or covered by security tools. This includes private Intranets, instant messaging (IM) services, chat rooms, discussion forums and private databases that are behind various firewalls or that have no public Internet footprint. Until a few years ago, most hackers didn’t focus on using these areas to gain footholds into business networks but that has changed. As IM usage has taken off (with organizations using such products as Microsoft Teams, Slack and other services), hackers have created tools that can leverage the lack of much built-in security across these services. This makes IM a prime target of opportunity for phishing-like attacks in particular.
Finally, there is the darkweb. This portion of the online world is much more difficult to define. Like the private web, these sites take pains to not appear on search indexes, mainly because some of them offer questionable or even illegal content. Examples include:
A recent study by PrivacyAffairs shows how much these various data items are worth. For example, a cloned credit card with a valid PIN is available for $15-35 while details of a stolen PayPal account can bring $200 and a hacked Gmail account nets $150.
Most of the denizens of the darkweb are scammers and swindlers, looking to separate you from your money and your data. These scammers are constantly on the move, trying to stay ahead of law enforcement and vigilantes who are trying to expose their scams. The darkweb sites themselves are also on the move as they can be common targets on denial of service attacks. This means that a lot of material is outdated. And as you might expect, the currencies of this realm are cryptocurrencies such as Bitcoin that make it hard to know exactly who you are doing business with.
There are three reasons why the ordinary IT worker at a legitimate business should understand and spend time on the darkweb: First, it can serve as an early warning system of potential attacks. Often hackers try out methods and techniques first on the darkweb before they launch an attack across the public Internet. By becoming more familiar with the darkweb, an IT manager can learn what adversaries are planning and what malware is being tested before the attacks are seen anywhere else. This means that understanding the darkweb can help businesses protect their data.
Second is that it can be useful to know if your business brand has been mentioned on the darkweb, in advance of an attack or as part of a smear campaign to harm your corporate reputation or confuse your potential and current customers. Such a campaign may try to lead your customers to a site selling counterfeit products and services.
Finally, the darkweb isn’t always used for nefarious purposes. Legitimate companies experiment with darkweb sites of their own. Even Facebook has a presence on the dark web. Note that all of these sites have very convoluted domain names: their owners want to make it harder to track and find them, unlike the public web where your brand name is often synonymous with your domain name.
To access the dark web usually requires a special browser called Tor. Most estimates peg its popularity to about five percent of the total Internet content and traffic. They use the naming conventions of .onion domains instead of .com or .net. So the first step is to download Tor and understand how it differs from an ordinary browser such as Chrome or Firefox.
The Tor/Onion network has a limited series of connecting points with the public Internet, and these are called entry and exit nodes. Many vendors monitor these nodes and scan the content that is moving across the darkweb. Recently, two US government agencies issued an advisory along these lines, recommending that businesses “take appropriate mitigations to block or closely monitor inbound and outbound traffic from known Tor nodes.”
The next step is to consider buying one of the content tracking products that can provide intelligence on the darkweb. These include products such as EchoSec Beacon, Dark Owl Scanner, SixGill’s Darkfeed, Recorded Future, ZeroFox and Digital Shadows’ Searchlight. These tools can help to provide near real-time access to threat data that is being shared on the darkweb on a variety of discussion forums and other places, again as a way to learn about the early stages of an attack. With some products, you can search profiles of the more prolific threat actors and track what other malware campaigns they have created or participated in. These tools can also be connected to your existing security event management system products to provide a more complete picture of potential threats. A comparative review of some of these tools can be found here.
Finally, there is the free resource maintained by Troy Hunt called Have I Been Pwned. This contains a huge database of more than 9 trillion email addresses and passwords which have been stolen during various breaches. While these addresses are used in all sorts of situations, lists of them continually appear across the darkweb. You can enter your email address and quickly determine which breaches have included it on Hunt’s website.
Use Our Tips to Defend Against Darkweb Threats
The darkweb doesn’t have to feel like a constant threat. By following our suggestions, you can protect your organization, and bring any dangers the darkweb poses into the light.