Corporate data dark web

From a cybersecurity point of view, the dark web is like a huge marketplace where sensitive data (personal data, bank details, email addresses, credentials, etc.) are found alongside kits for carrying out cyber-attacks. Indeed, 15 billion credentials are currently in circulation [1], and it is reportedly possible to buy malware for between $50 and $5000 [2].

Why does business data end up on the dark web? And how to identify possible data leaks? Before we get to the heart of the matter, let’s clarify a few things about the concepts of deep web, dark web and dark net.

Deep web, Dark Net, Dark Web: What Differences?

The image of the iceberg remains the most appropriate illustration for understanding the differences between the clear web, the deep web and the dark web.

The emerged part represents the clear web, accessible via search engines. It consists of all the indexed pages and content. On the other hand, websites and content that are not indexed by search engines (approximately 90% of the web) are found in the hidden part of the iceberg, also known as the deep web.

The dark web is the most submerged part of the iceberg. To get there, you must first use a private encrypted network, also known as a dark net (such as Tor – The Onion Router -, the best known and most widely used, I2P – Invisible Internet Project – or Freenet). Providing anonymity to users, the dark web is used by activists and whistleblowers to escape surveillance and by Internet users in countries where the web is censored.

Unfortunately, the dark web is also a fertile breeding ground for criminal activity of all kinds, and a favourite playground for hackers. There are forums where the sharing of resources (tutorials, hacked accounts, etc.) is very present; and numerous marketplaces specialising in the sale of corporate data or tools for targeted cyber-attacks: malware, zero-day exploits, botnet infrastructure for DDoS attacks, etc.

The Dark Web, a Marketplace Specialising in the Sale of Corporate Data

Following a data theft or leak, the collected information can be put online on the dark web, for different reasons. Selling, trading and sharing on marketplaces or forums are the main ones.

Email addresses, banking data, health data, architectural documents, credentials, etc., all have a market value as they allow attackers to optimise their phishing and identity theft campaigns and facilitate their fraud and embezzlement actions.

Moreover, attackers are not only interested in personal data. On the contrary, corporate data is now the lifeblood of the war and the most expensive commodity on the dark web. Indeed, a Digital Shadows report on the dark web ecosystem published in July 2020, estimated the cost of administrator access to corporate domains at around $3,000 [3].

How to Identify Corporate Data Leaks on the Dark Web?

To identify possible leaks of sensitive data or documents, the solution is to search the clear web and explore the dark web.

White paper: How to prevent attacks and identify data leaks on the dark web?

On the clear web, the aim is to collect all types of information (IP addresses, DNS, information on the architecture of the information system and the technologies used, organisation chart and contact details, internal documents, various technical or business data, etc.) that are publicly accessible and could potentially be used in a cyber-attack.

This approach allows you to obtain a global and precise idea of your attack surface, with the aim of reducing it. This research can be carried out internally with the right tools and by mobilising the right skills. You can also rely on the expertise of a specialised third party to carry out this type of audit, also known as a reconnaissance audit.

However, it is more difficult to search the dark web, as the pages are not indexed. Indeed, one must use the right tools and know where and how to look for relevant information in the mass of data that can be found there. Moreover, the risks of hacking are very high. Therefore, it can be interesting to entrust the research to a third party specialised in offensive security.

For more details on the objectives, approach, methodology, deliverables, etc. of a dark web audit, you can check our white paper which presents all these elements.

Thus, the information gathered during a dark web audit can be of various kinds: list of IT infrastructure elements exposed online, list of contact details exposed online, data leaks (IDs, passwords, confidential documents concerning your company, etc.), information concerning backdoors, etc.

In short, this type of audit makes it possible to precisely determine your level of exposure and then to correct the technical or human flaws at the origin of data leaks. The aim is to implement measures adapted to the dangerousness of this exposure to make it useless for attackers, as it will be particularly difficult, if not impossible, to remove them.

Actions that can be taken following a reconnaissance audit or a dark web audit may include changing permissions, modifying network access or application credentials, for example, adding complexity to the authentication system, or notifying your customers if their data has been leaked (and, depending on your legislation, also notifying an official monitoring body).

Including Security Upstream to Prevent Data Leaks

To prevent data leaks, it is important to consider the security of your infrastructure and applications. Web or mobile applications are gateways that are highly exposed to attacks. Any information exposed on the web should be limited as much as possible. By reducing your attack surface, you will limit the possibility of your data and systems being compromised.

Performing a penetration test is also a good way to identify potential vulnerabilities in order to secure the exchange and storage of your data to prevent leaks on the web and the dark web.

Finally, raising internal awareness of cyber-risks is an essential element in strengthening security. Poor practices and misunderstanding of the current dangers can lead to major incidents. During a training session or a social engineering penetration test, your teams are exposed to threats adapted to your company’s context. Raising awareness through real-life situations helps to remember good practices and to respect procedures.

[1], [3] From Exposure to Takeover: The 15 billion stolen credentials allowing account takeover. Digital Shadow

[2] Dark Web Price Index 2021. Privacy Affairs