The dark web is the place where every CISO hopes their company’s data will not end up. It consists of sites that are not indexed by popular search engines such as Google, and it includes marketplaces for data usually obtained as a result of a cyberattack, such as compromised user accounts, identity information, or other confidential corporate information.
Gaining operational intelligence on what data these sites are offering is critical to defending against cybercriminals who use compromised accounts to enable attacks, commit fraud, or conduct campaigns using spear phishing or brand spoofing. The dark web is also a source of intelligence on the operations, tactics, and intent of criminal groups. Tools that monitor the dark web for compromised data are available for these purposes.
Who needs dark web monitoring tools?
Since dark web sites are frequently invite-only, gaining access typically requires infiltration by masquerading as a malicious user or someone in the market for stolen identity or corporate data. This requires individuals or services with skill sets enabling them to not only identify these sites, but to acquire data relevant to protecting corporate identities or data.
Most businesses don’t need to perform dark web research directly. Rather, they can leverage tools and services that scan the dark web. Tools like extended detection and response (XDR) or services like managed detection and response (MDR) both commonly ingest data gleaned from sources on the dark web to identify compromised accounts, calculate risk, and provide context.
Some industries, notably government, financial institutions, certain high-profile IT security businesses, and a few others, may have a need for more direct access to intelligence only directly available from sources on the dark web, Gartner analyst Mitchell Schneider tells CSO. In many cases these companies are looking for something beyond leaked credentials or corporate data. Rather, they need intel on threat actors, evolving attack vectors, or exploits.
Other business segments like retail or pharma are more susceptible to nontraditional attacks like brand spoofing in the form of fake domains or phishing attacks, according to Schneider. In his view digital footprint monitoring is a particularly valuable tool and will often include a dark web component. Further, takedown services are a natural step beyond digital footprint monitoring. In general, individual businesses won’t have the required contacts with internet service providers, cloud hosting platforms, and even law enforcement to effect takedowns on their own. Digital risk protection services (DRPS) fill this gap nicely by offering service-based solutions that cater toward protecting your brand through monitoring—the internet, surface web and the dark web—and more hands-on methods like site takedown services.
These are some of the most popular dark web monitoring tools.
Brandefense
Brandefense is an AI-driven DRPS solution that scans the surface web and the dark web to glean detail on attack methods or data breaches, correlating this data and contextualizing it, and then providing alerts when an incident has relevance to your brand. Brandefense can also facilitate takedowns against threat actors should it become necessary, keeping your security posture in a forward lean rather than waiting to respond to active attacks.
Security of high-level executives—or VIPs—is another focus area for Brandefense, as these individuals are often not only part of your corporate brand, but a frequent attack target. Their names and emails are also frequently used in spear phishing attacks against employees or customers.
CTM360 CyberBlindspot and ThreatCover
CTM360 offers two different solutions that monitor the dark web as a means to protect your organization from emerging threats. CyberBlindspot is focused on intelligence that directly references your corporate assets. CyberBlindspot expands on the indicators of compromise (IOC) concept to expose indicators of warning or indicators of attack, allowing you to identify areas of concern to your network even more proactively.
ThreatCover offers tooling for security analysts to deep dive into threat intelligence feeds, allowing optimal data quality and context from which response teams can initiate incident response. CTM360 can also facilitate takedowns internationally through its Takedown++ service.
IBM X-Force Exchange
IBM X-Force Exchange is primarily a data sharing platform and community, bringing threat and intelligence feeds into an interactive, searchable database that can also be integrated into your existing security stack through APIs and automated alerts. Many of the tools IBM offers are free without even requiring registration, though you’ll want to register in order to customize your portal by saving relevant searches and following feeds pertaining to relevant domains and brands. API access, advanced analysis, and premium threat intelligence reports do require a subscription.
IntSights Threat Intelligence Platform
IntSights Threat Intelligence Platform brings holistic external threat intelligence and monitoring for IOCs. IntSights, now part of the Rapid7 family, mines the dark web for threat intelligence such as tactics, techniques, and procedures; threat actors; and malware variants. This sort of intelligence helps security professionals stay up to date on evolving attack methods, providing the means to adjust defenses and train users on best practices. IntSights’ product also provides a window into active conversations on the dark web that reference company brands or domains, giving you the opportunity to react to threats proactively, rather than waiting for the attack to begin.
Malware Information Sharing Platform – MISP
The Malware Information Sharing Platform (MISP) is an open-source platform shaped around the idea of shared threat intelligence data. MISP includes open-source software that can be installed within your data center or on various cloud platforms, and it leverages open-source protocols and data formats that can be shared with other MISP users or integrated into all manner of information security tools. In fact, support for MISP integration is often mentioned as a feature of other solutions in this list. While MISP threat streams aren’t curated in quite the same way as commercial tools, it is a low-cost way for corporations to spin up an internal dark web monitoring solution.
Mandiant Digital Threat Monitoring
Mandiant Digital Threat Monitoring offers visibility into intelligence pertaining to threats and leaked credentials or other corporate secrets on the open internet or the dark web. This intelligence data is bolstered by context delivered through machine learning, driving relevant, prioritized alerts that facilitate the triage process. In addition to brand monitoring (including VIP protection), Mandiant Digital Threat Monitoring offers monitoring of other businesses with which you have trusted relationships. By monitoring these trusted partners you can further secure your supply chain and prevent cross-domain attacks which have the potential to circumvent existing security controls.
Mandiant also offers Digital Threat Monitoring as an add-on module to its Advantage Threat Intelligence product, bringing many of these same dark web monitoring capabilities into your threat intelligence program.
OpenCTI
OpenCTI is another open-source option for collecting, managing, and interacting with intelligence data. Developed and owned by Filigran, OpenCTI can be deployed as a Docker container, making it platform agnostic, and features a vast array of connectors to other security platforms and software tools to both integrate and enrich the OpenCTI data stream.
OpenCTI’s feature set includes role-based access control for your information security team, standards-based data models, and attribute data indicating the origin of the finding. Automation of all sorts can be enabled using the OpenCTI client for Python, which exposes OpenCTI APIs with helper functions and an easy-to-use framework which enables rapid development of custom logic based on event data.
Palo Alto Networks AutoFocus
It’s no secret that Palo Alto Networks is a major player in the network security arena, and AutoFocus is a key piece of their portfolio. AutoFocus brings deep context and insight to the forefront, enabling security analysts to triage events and prioritize response efforts. Palo Alto Networks collects information not only from data repositories on the open internet and the dark web, but correlates and contextualizes using data consumed from the vendor’s global footprint of devices and services.
Recorded Future Intelligence Cloud Platform
The Intelligence Cloud Platform offered by Recorded Future features constant monitoring of over 300 state actors, 3 million known criminal forum handles, billions of domains and hundreds of millions of IP addresses across the internet and dark web. This enormous volume of intelligence data is fed into analysis tools that categorize and apply context to the data set, finally surfacing it to modules that focus on your corporate brand, threats and vulnerabilities, identities, and several other areas. Each module surfaces actionable intelligence, letting you prioritize your response based on business need and risk, minimizing response time and facilitating efficient remediation.
SOCRadar
SOCRadar offers several services and tools for security professionals, including a variety of free tools you can use for manual, one-off checks on domain names or IP addresses, such as a dark web report. For more comprehensive, recurring monitoring you’ll want to subscribe to SOCRadar’s RiskPrime service. RiskPrime offers monitoring for PII (personally identifiable information), while also tracking compromised VIP accounts, and performing reputation monitoring and phishing detection. Takedown services are available through RiskPrime, but unless you’re on the Enterprise service level, they carry an additional cost. Dark web monitoring services are included and get more comprehensive based on service tier.