Most enterprises think about the Dark Web as a giant market for cybercrime — exploits, hacking services, stolen data marketplaces, and so on. While this is true, there are other elements that might not be so apparent but are equally problematic for enterprises: malicious insiders looking for an easy way to monetize their knowledge and access.
Two simultaneous trends are opening new areas of profound risk to enterprises via the Dark Web: It is becoming both decentralized and democratized. Together, these two movements are converging to create a real problem, particularly as they pertain to insider threats.
Trend 1: Exit scams and market takedowns have caused a decentralization of Dark Web commercial activities. Instead of giant marketplaces, which law enforcement can take down with meaningful impact, you now see the equivalent of fair booths where threat actors sell their wares as independent vendors. Some are even moving to alternate channels, such as Discord, Telegram, and OpenBazaar, to further evade law enforcement. All of this activity makes it more difficult than ever for enterprises to uncover breaches and other indicators of compromise in the criminal economy, including those perpetrated by malicious insiders.
Trend 2: The democratization of cybercrime is making the Dark Web much easier to use. Today, people with limited technical skills can simply subscribe to services that will carry out their malfeasance for them. From an insider-threat perspective, this trend has also made it easy for insiders to monetize their knowledge and access, simply by participating in the many "as-a-service" offerings on the Dark Web or by directly promoting access to enterprise networks and systems. Just in the last couple of weeks, our researchers have seen several insider-related offerings that should resonate with many companies. These include:
In each of these cases, security technology is of limited use in catching the threat actors because there is no technology that can stop someone from walking out the door with insider information in their head or system credentials scribbled on a piece of paper. However, technology-enabled human intelligence operatives can find this activity on the Dark Web using counterintelligence and cyber reconnaissance techniques. And after the employer knows about it, there is a clear process to narrow down the potential culprits and put a stop to the problem. Using the intelligence data as evidence, the enterprise security and fraud teams pinpoint the systems that were accessed, correlate access with access management logs, and narrow down the potential suspects.
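The correlation step described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor: the log format, user and system names, and the 30-day lookback window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed finding: when the offer was first seen and which systems it maps to.
LISTING = {"first_seen": datetime(2020, 5, 18, 9, 0),
           "systems": {"crm-prod", "billing-db"}}

# Constructed access-management log: timestamp, user, system, action.
ACCESS_LOG = """\
2020-03-01T10:00:00 cwu billing-db read
2020-05-02T08:14:00 asmith crm-prod read
2020-05-05T11:30:00 asmith hr-portal read
2020-05-10T17:42:00 asmith billing-db export
2020-05-12T09:05:00 bjones crm-prod read
2020-05-19T13:00:00 dlee crm-prod read
2020-05-20T08:00:00 bjones billing-db read
""".splitlines()

def parse(line):
    """Split one log line into (timestamp, user, system, action)."""
    ts, user, system, action = line.split()
    return datetime.fromisoformat(ts), user, system, action

def rank_suspects(listing, log_lines, lookback_days=30):
    """Rank users by how many listed systems they touched in the window
    that ends when the offer first appeared (lookback is an assumption)."""
    end = listing["first_seen"]
    start = end - timedelta(days=lookback_days)
    touched = defaultdict(set)   # user -> listed systems accessed in window
    events = defaultdict(int)    # user -> number of matching log entries
    for line in log_lines:
        if not line.strip():
            continue
        ts, user, system, _ = parse(line)
        # Access after the offer appeared, or to unlisted systems, is ignored.
        if start <= ts <= end and system in listing["systems"]:
            touched[user].add(system)
            events[user] += 1
    # Most listed systems covered first, then most events, then name.
    ranked = sorted(touched, key=lambda u: (-len(touched[u]), -events[u], u))
    return [(u, sorted(touched[u]), events[u]) for u in ranked]

if __name__ == "__main__":
    for user, systems, n in rank_suspects(LISTING, ACCESS_LOG):
        print(f"{user}: {n} event(s) on {', '.join(systems)}")
```

The ranking is a shortlist for the security and fraud teams to review against other evidence, since routine job duties account for most access to any system.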
All of this leads us to the ultimate irony of today's Dark Web — as the new trends of decentralization and democratization make it significantly more dangerous to enterprises, the best countermeasure isn't fancy new technology; it's human intelligence accelerated by technology.