Threat Tracking: Tracking Threats Across the Dark and Clear Web

The Internet is a gold mine of threat information that can bolster your cyber defenses if you actively track this data. From news updates to forum discussions on hacker forums, and data dumps to service offerings on marketplaces, there’s a lot to find out that could otherwise slip under the radar. 

Tracking cyber threats across both the publicly accessible Internet (clear web) and the portion of the Internet requiring special software to access (the dark web) helps you stay one step ahead of threat actors. Read on to get the lowdown on the types of threats worth tracking on both the dark and clear web.

Key Dark Web Threats Worth Tracking

The dark web is a hive of underground cybercrime activity with threat actors ranging from script kiddies looking for scripts or programs developed by others to use for malicious purposes to Advanced Persistent Threat groups (APTs) offering zero-day exploits for millions of dollars. The key dark web threats to consider tracking include:

Hacked accounts or credentials for sale

By one recent estimate, there are over 24 billion stolen credentials being given away and for sale on the dark web. User accounts often provide an easy way into a company’s environment, which is why the dark web is so awash with this data. And since bad practices like easily guessable passwords, reusing credentials on multiple accounts, and a lack of multi-factor authentication are still rife, the marketplace in stolen credentials continues to flourish.

The threats here extend from just stolen credentials to entire working hacked user accounts for sale, or digital browser fingerprints covertly stolen from victims and repackaged as bots that buyers can use to log in and impersonate those victims. Tracking dark web marketplaces for stolen credentials for sale helps you reset affected accounts and prevent data breaches before malicious actors exploit them.

Targeted attacks

Targeted attacks are another key dark web threat to keep an eye on. Your company or assets might get mentioned in dark web forums by adversaries looking for assistance or services to breach your defenses. Or, your company’s name might feature in the service offerings on marketplaces, with groups offering to conduct DDoS or other attacks against you for a fee. 

Tracking information about targeted attacks helps you identify unknown and upcoming threats to your security. This tracking facilitates further investigation and proactive measures to prevent such attacks.

Discussions about vulnerabilities

These more generic sources of information can prove useful in gauging the general patterns and trends of current and upcoming cyber attack campaigns. Dark web cybercrime forums often include discussions about software vulnerabilities for which patches aren’t widely deployed. Viewing these conversations as a threat and appropriately tracking them gives you valuable time to protect vulnerable software or discover previously unknown weaknesses. 

Service offerings

The cybercrime-as-a-service business model continues to grow in popularity on the dark web. Adversaries offer tools, malware, or bespoke attacks like ransomware to other threat actors for a monthly subscription fee or some kind of commission. Tracking current service offerings on dark web marketplaces gives you valuable insight into potential upcoming threats.

What Cyber Threats Should You Track On The Clear Web?

The dark web might contain the bulk of the Internet-based threat information worth tracking, but when you know what to look for, the clear web is also a very useful source. 

GitHub leaks

Microsoft CEO Satya Nadella says that every company is now a software company. Whether you release customer-facing apps or not, it’s likely you have a team running development projects for internal apps and services. The code for these projects often gets stored in Internet hosting services like Github. 

As Twitter found out to its expense recently, proprietary source code can and does get leaked in GitHub repositories, either accidentally or intentionally. Secret keys can also end up in public GitHub repositories, where hackers easily grab them and use those keys to access other services. 

The risk of source code and secret leaks on Github makes this threat worth tracking. In particular, each public commit to GitHub should be scanned for secrets and sensitive data; this includes the personal GitHub repos your developers use. 

Data dumps

The dark web ransomware and data extortion industry is worth billions of dollars, but in many cases, stolen data ends up freely available on the public Internet. Hackers regularly post password dumps, sensitive technical data, and even personally identifiable information regularly on Pastebin and other anonymous sharing sites (bin sites) accessible using standard web browsers. 

With leaked information easily available to any threat actor that loads up Pastebin or a similar website, this cyber threat can lurk outside your perimeter waiting to be used for malicious purposes. It’s definitely worth tracking the clear web for mentions of your company or email domains.

With stolen data commanding such a high fee in today’s underground cybercrime world, you might wonder why someone would make this information available for free. In some cases, threat groups or individual actors want to demonstrate their hacking prowess and provide evidence of what they can do. Some adversaries steal data not for profit, but for political, ideological, or even hobby purposes, and they have no hesitation in posting stolen information on anonymous sharing websites for free. 

Domain spoofing

Sometimes referred to as a brand impersonation attack, domain spoofing involves scammers creating lookalike websites to impersonate your business. A spike in recent years in impersonation fraud led to a reported $2 billion in losses in recent years, as reported by the US’s FTC. 

These spoofed domains can use your exact business website address and simply modify the top-level domain (TLD), for example, from .com to .co. More commonly, though, the spoofed domain sounds or looks similar to your original domain name, but there is a slight misspelling or additional character in the domain name. 

The threat actors who create these fake websites often copy the exact branding from the target company’s website to make the fake site appear more convincing. The intent behind domain spoofing is often to harvest sensitive information from unsuspecting customers or employees who think they’re interacting with your authentic brand. 

Reputational damage is a key consequence of domain spoofing—affected customers are inclined to blame the brand for not knowing about a copycat website. Since these lookalike domains are almost always accessible via the public Internet, they are certainly worth tracking for, ideally using some kind of automated service or tool.

Why Automated Threat Tracking Is Essential

Security skills gaps continue to constrain the available resources for most companies and impact how they prevent, detect, and respond to cyber threats. It’s possible to track many of these threats manually, but that doesn’t mean it’s an efficient or sensible use of resources. In fact, tracking all of this information alone would take up most of your security team’s working week. 

The best places your security analysts can add value are by monitoring vulnerability discussions on forums and regularly checking out the latest service offerings on marketplaces to gauge trends. Apart from these threats, automation is the way to go for dark and clear web threat tracking.

Flare and Threat Tracking

Flare’s digital footprint monitoring solution works effortlessly to scan both the clear and dark web for all kinds of threat information. You get real-time alerts if your company or assets are mentioned anywhere on the dark, deep, or clear web. Flare also identifies leaked credentials, credentials for sale, data dumps on anonymous sharing websites, GitHub leaks, and more. 

Get your demo here.

Share This Article

Flare

Related Content