Your single source for new lessons on legal technology, e-discovery, and the people innovating behind the scenes.

Why Your Security Team Should Be Monitoring the Dark Web

Mike Wrzesniak

Editor's Note: This article was first published by Legaltech News.

With more than 53,000 security incidents last year, security is top of mind for many organizations around the world. However, it’s not only corporations that are targets. The American Bar Association found that about one in four law firms have already been breached.

While organizations have beefed up their security programs and most have initiated at least some plans to respond to attacks, many are still behind the curve on proactively monitoring the threat landscape and potential threat actors.

We’ve talked before about simple measures law firms can take to proactively manage their security programs. From defending against phishing attacks to leveraging certified technology solutions purpose-built to protect their data, organizations don’t have to feel helpless in the face of an evolving threat landscape. But the dark web remains a scary place.

Let’s shine a light on what the “dark web” really means and how you can leverage that knowledge to protect your business and your clients.

Dark Web vs Deep Web

There are different parts of the web, defined based on accessibility to the public and coverage by search engines. The public web, which makes up about four percent of the internet, is indexed by search engines and can be found by anyone with access to the internet.

The deep web, making up the majority of online content, is comprised of any sites that aren’t available to the public, and are not indexed by search engines. This includes sites that are password protected, online banking content, or private networks.

While most of the deep web can be accessed through common browsers, the dark web can only be reached through the Tor network and is designed with anonymity in mind. On the Tor network, a user’s traffic is bounced around multiple servers and encrypted several times over.  Although Tor is known to have a negative reputation, it is also used for positive efforts around to world. For examples, journalists and whistleblowers may leverage Tor to get their story out without compromising their identity.

Why Monitor the Dark Web?

Though its uses aren’t exclusively nefarious, the fact is that the dark web is the place to go to buy and sell new exploits, malware, compromised credentials, social security numbers, and contraband. It’s also a venue to recruit hackers as well as share tools and tutorials about how to hack systems and exploit security vulnerabilities.

Recorded Future, a cybersecurity company, researched vulnerabilities disclosed in NIST’s National Vulnerability Database (NVD) and found that 75 percent of those vulnerabilities appeared online in the dark web before they were listed in the NVD, giving adversaries an edge to exploit any vulnerabilities. With a median gap of seven days between when the vulnerabilities first appeared online and when they were released to the NVD, 25 percent had at least a 50-day gap and ten percent had gaps of more than 170 days.

Watching out for possible vulnerabilities that may impact your business could give you a head start to prevent a data breach. In cases where you’ve already been hacked, you can also try to determine if your data is being sold.

Accessing the Dark Web

When it comes down to it, keeping tabs on the dark web is an important component of a modern cybersecurity program. Whether or not you’re monitoring and preparing to suppress emerging threats, odds are good that someone else may be watching for opportunities to capitalize on your vulnerabilities.

If you’re taking advantage of SaaS tools, ask your provider whether their protocols including dark web monitoring. If your data is hosted on-premises, consider adding this precaution to your existing security tactics.

Should you need to do this yourself, there are a few key strategies to keep in mind. Accessing any underground forum should be handled with great care not to reveal any identifying information linked to you or your company. Here are three must-know tips before you get started:

  1. A new laptop should be used that is not, and has never been, connected to the corporate network.
  2. In order to connect to the Tor network, it’s recommended to use Tails, a Linux operating system specifically designed to securely connect to the Tor network.
  3. When in doubt, call on a cybersecurity expert to help you navigate the landscape. It’s important to be cautious and make sure you’re protecting your organization—not endangering it.

Mission Update - Cloud Security in RelativityOne

Mike Wrzesniak is a threat intelligence analyst on Relativity’s Calder7 security team.