The dark web is where every CISO hopes their company’s data never ends up. Consisting of websites that are not indexed by popular search engines such as Google, the dark web includes marketplaces for information often obtained through cyberattacks, such as compromised user accounts, identification information, or other confidential corporate information.
Gaining actionable intelligence on the data these sites offer is critical to preventing cybercriminals from using compromised accounts to launch attacks, commit fraud, or run phishing and brand-fraud campaigns. The dark web is also a source of information on the operations, tactics and intentions of criminal groups. Tools that monitor the dark web for compromised information are available for these purposes.
Because dark web sites are frequently invite-only, gaining access typically requires infiltration by impersonating a malicious user or someone in the market for stolen identity or corporate data. This requires individuals or services with the skills not only to identify these sites, but also to obtain the information needed to protect corporate identities or data.
Most businesses do not need to perform dark web research directly. Instead, you can use tools and services that scan the dark web. Services such as Extended Detection and Response (XDR) or Managed Detection and Response (MDR) ingest data gathered from sources on the dark web to identify compromised accounts, calculate risk, and provide context.
Some industries, particularly government, financial institutions, some high-profile IT security businesses, and a few others, may need direct access to data from dark web sources, Gartner analyst Mitchell Schneider told CSO. In most cases, these companies want more than just leaked credentials or corporate data. Instead, they need intel on threat actors, emerging attack vectors, or exploits.
Other business segments, such as retail or pharmacy, are more vulnerable to non-traditional attacks such as brand impersonation using fake domains, or phishing attacks, Schneider explained. In his view, digital footprint tracking is a particularly useful tool that often involves a dark web element. In addition, takedown services are a natural step beyond digital footprint tracking. Generally, individual businesses don’t have the necessary contacts with Internet service providers, cloud hosting platforms, and law enforcement to perform takedowns on their own. Digital Risk Protection Services (DRPS) fill this gap nicely by providing service-based solutions that help protect your brand by monitoring the Internet, the surface web and the dark web, and through additional methods such as site takedown services.
These are the most popular dark web tracking tools.
Brandefense
Brandefense is an AI-driven DRPS solution that scans the surface web and dark web for details of attack methods or data breaches, correlates and contextualizes this data, and then issues alerts when an event is relevant to your brand. Brandefense can also facilitate takedowns against threat actors if deemed necessary.
The security of high-level executives or VIPs is another area of focus for Brandefense, as these individuals are often not only part of your company’s brand, but are frequent targets of attacks. Their names and emails are also frequently used in spear phishing attacks against employees or customers.
CTM360 CyberBlindspot and ThreatCover
CTM360 offers two different solutions that monitor the dark web as a way to protect your organization from threats. CyberBlindspot is focused on intelligence that directly references your organization’s assets. CyberBlindspot extends the concept of indicators of compromise (IOC) to expose indicators of warning or indicators of attack, allowing you to more proactively identify areas of concern for your network.
ThreatCover provides a tool for security analysts to dive deep into threat intelligence feeds, providing superior data quality and context from which threat response teams can act. CTM360 can facilitate takedowns worldwide with its Takedown++ service.
IBM X-Force Exchange
IBM X-Force Exchange is primarily a data sharing platform and community, bringing threat and intelligence feeds into an interactive, searchable database that can be integrated with your existing security stack via APIs and automated alerts. Most of the tools IBM offers are free with no registration required, although you may want to register to customize your portal by saving relevant searches and following relevant domains and brands. API access, advanced analytics and premium risk intelligence reports require a subscription.
IntSights Threat Intelligence Platform
IntSights Threat Intelligence Platform brings comprehensive external threat intelligence and monitoring for IOCs. IntSights, now part of the Rapid7 family, mines the dark web for threat intelligence such as tactics, techniques and procedures; threat actors; and malware variants. This type of intelligence helps security professionals stay up to date on evolving attack methods, allowing them to adjust defenses and train users on best practices. The IntSights product gives you a window into active conversations on the dark web that mention company brands or domains, giving you the opportunity to proactively respond to threats rather than waiting for an attack to begin.
Malware Information Sharing Platform – MISP
The Malware Information Sharing Platform (MISP) is an open source platform designed around the idea of shared threat intelligence. MISP includes open source software that can be installed in your data center or on various cloud platforms, as well as open source protocols and data formats that can be shared with other MISP users or integrated into all manner of information security tools. In fact, MISP integration support is mentioned as a feature of other solutions in this list. While MISP threat streams are not regulated in the same way as commercial tools, they are an inexpensive way for corporations to roll out an internal dark web monitoring solution.
Mandiant Digital Threat Monitoring
Mandiant Digital Threat Monitoring surfaces intelligence regarding threats and leaks of information or other corporate secrets on the open internet or dark web. This intelligence is enriched with context through machine learning, driving prioritized alerts that streamline the identification process. In addition to brand monitoring (including VIP protection), Mandiant Digital Threat Monitoring offers monitoring of other businesses with which you have trusted relationships. By monitoring these trusted partners, you can further protect your supply chain and prevent cross-domain attacks that have the potential to bypass existing security controls.
Mandiant also offers Digital Threat Monitoring as an add-on module to Advantage Threat Intelligence, bringing many of the same dark web monitoring capabilities to your threat intelligence.
OpenCTI
OpenCTI is another open source option for collecting, managing and communicating intelligence information. OpenCTI, developed and owned by Filigran, can be deployed as a Docker container, which makes it platform agnostic, and provides a wide range of connectors to other security platforms and software tools to integrate and enrich the OpenCTI data stream.
The OpenCTI feature set includes role-based access control for your information security team, standards-based data models, and attribution data that identifies the origin of a finding. All kinds of automation can be enabled using the OpenCTI client for Python, which exposes OpenCTI APIs through helper functions and an easy-to-use framework for rapid development of custom logic based on event data.
Palo Alto Networks AutoFocus
It’s no secret that Palo Alto Networks is a major player in the field of network security, and AutoFocus is a key part of their portfolio. AutoFocus brings deep context and awareness to the forefront, enabling security analysts to identify incidents and prioritize response efforts. Palo Alto Networks not only collects data from data repositories on the open internet and dark web, but also correlates and contextualizes that data using the provider’s global footprint of tools and services.
Recorded Future Intelligence Cloud Platform
The Intelligence Cloud Platform offered by Recorded Future features continuous monitoring of over 300 government actors, 3 million known crime forum handles, billions of domains, and hundreds of millions of IP addresses across the Internet and dark web. This Herculean volume of intelligence data feeds into analytics tools that categorize the data and apply context to it, ultimately connecting to modules that focus on your organization’s brand, threats and vulnerabilities, identities, and many other areas. Each module features actionable intelligence, allowing you to prioritize your response based on business needs and risk, reducing response time and facilitating efficient remediation.
SOCRadar RiskPrime
SOCRadar offers many services and tools for security professionals, including a variety of free tools you can use for one-time scans of domain names or IP addresses, such as a dark web report. For more comprehensive, frequent monitoring, you’ll want to subscribe to SOCRadar’s RiskPrime service. RiskPrime provides PII (Personally Identifiable Information) monitoring, as well as tracking compromised VIP accounts, and performing reputation monitoring and phishing detection. Takedown services are available through RiskPrime, but unless you are on the enterprise service level, there is an additional cost. Dark web monitoring services are included and get more comprehensive based on service level.