Adam Wilson, Product Manager at Searchlight Cyber, explains how Dark Web Traffic Monitoring can be used to gain the advantage over the adversary.
Today we have announced enhancements to our Dark Web Traffic Monitoring capabilities, a vital tool for cybersecurity professionals in the increasingly hostile cyber threat landscape.
In fact, it’s so critical that – if Sun Tzu were still around to publish revisions to The Art of War – I’m almost 100 percent certain he would state “Dark Web Traffic Monitoring is of vital importance to the ongoing prosperity of your company”.
The Art of (Cyber)warfare
The modern defender has a vast array of technological weaponry at their disposal to identify and mitigate against the ever-adapting threats that are posed to their assets and infrastructure. You will find every manner and flavor of firewall, antivirus, MDR, XDR, and threat monitoring solutions out there to help you fight the good fight. But you won’t find [m]any that provide a Dark Web Traffic Monitoring Solution, like DarkIQ.
Traffic monitoring forms an important aspect of the day-to-day security workflows for many organizations and sees vigilant networking and security teams watching the activity on their network like sentries – ready to strike the moment some anomalous traffic pattern reveals the enemy.
The problem is that most conventional network monitoring tools do not give you visibility of the traffic that is hitting the outer reaches of your public facing network from the dark web or, equally importantly, traffic that is leaving your network and heading to Tor.
Know thy enemy
Monitoring traffic coming to and from the dark web is an incredibly effective tool for scouting enemy activity because there are very few “innocent” reasons for such traffic to exist. Traffic anomalies are therefore not only an effective “tripwire” for identifying that an adversary is encroaching on your territory, but also provide vital intelligence on what malicious tactics the attacker is trying to execute – a vital component of “knowing thy enemy”.
For example, traffic from Tor to non-browsable web content like VPN portals can indicate cybercriminal reconnaissance, i.e. that attackers are scanning the organization’s ports for vulnerabilities. Meanwhile, traffic from company infrastructure to Tor could indicate that a command and control beacon has been established, and is reaching out to the criminal infrastructure via the dark web.
Now, let’s be clear, not all dark web traffic that is entering or leaving your network is malicious. Some incoming connections to your web server and other low-risk public network ports are completely meaningless, expected, and benign.
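As an added illustration (not part of the original post, and not DarkIQ’s own code), here is the kind of triage logic the paragraphs above describe: match flow records against a list of known Tor relays, treat inbound Tor hits on public web ports as expected, flag inbound hits on non-browsable ports (VPN, SSH, RDP) as possible reconnaissance, and flag regular outbound connections to Tor as possible beaconing. All addresses, ports, flow records and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed data for illustration only (RFC 5737 documentation ranges, not real relays).
TOR_RELAYS = {"198.51.100.7", "198.51.100.9", "203.0.113.42"}   # exits and guards
OUR_HOSTS = {"192.0.2.10", "192.0.2.20", "192.0.2.30"}          # our public-facing IPs
BENIGN_INBOUND_PORTS = {80, 443}          # public web content: Tor visitors are expected
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 1194: "openvpn", 4443: "vpn-portal"}

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)
FLOWS = [
    (0,  "198.51.100.7", "192.0.2.10", 443),     # Tor user reading the public website
    (10, "198.51.100.7", "192.0.2.10", 4443),    # same exit node probing the VPN portal
    (11, "198.51.100.7", "192.0.2.10", 22),      # ... and SSH
    (12, "198.51.100.7", "192.0.2.10", 3389),    # ... and RDP
    (5,  "192.0.2.30",   "203.0.113.42", 443),   # one outbound hit: worth a look, not a beacon
] + [(t, "192.0.2.20", "198.51.100.9", 9001) for t in range(0, 300, 60)]  # every 60 s


def classify_flows(flows):
    """Return a list of (finding, src, dst, detail) tuples for Tor-related flows."""
    findings = []
    inbound_ports = defaultdict(set)    # (exit, host) -> sensitive ports touched
    outbound_times = defaultdict(list)  # (host, relay, port) -> timestamps
    for ts, src, dst, dport in sorted(flows):
        if src in TOR_RELAYS and dst in OUR_HOSTS:
            if dport in BENIGN_INBOUND_PORTS:
                continue                  # expected, low-risk public traffic
            inbound_ports[(src, dst)].add(dport)
        elif src in OUR_HOSTS and dst in TOR_RELAYS:
            outbound_times[(src, dst, dport)].append(ts)

    for (exit_ip, host), ports in inbound_ports.items():
        names = sorted(SENSITIVE_PORTS.get(p, str(p)) for p in ports)
        # Several non-browsable ports from one exit node reads as reconnaissance.
        kind = "port-scan" if len(ports) >= 3 else "inbound-sensitive"
        findings.append((kind, exit_ip, host, ",".join(names)))

    for (host, relay, port), times in outbound_times.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Low jitter across several connections is the classic C2 beacon signature.
        beacon = len(gaps) >= 3 and pstdev(gaps) <= 0.1 * mean(gaps)
        kind = "outbound-beacon" if beacon else "outbound-tor"
        findings.append((kind, host, relay, f"port {port}, {len(times)} connections"))
    return findings


if __name__ == "__main__":
    for finding in classify_flows(FLOWS):
        print(*finding)
```

In practice the relay list would be refreshed from a current Tor consensus and the flows would come from your own NetFlow or firewall logs; the thresholds here are starting points to tune against your baseline.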
There are also cases where employees could be inadvertently putting the company at risk. Maybe Steve – the new guy from accounting – has unwittingly bypassed existing protections and downloaded a software package from Tor that’s not on the approved software list. Or maybe Ian from HR has knowingly ignored the same list, to get a cheeky desktop version of Spotify. It definitely sounds like classic Ian….
Even in this circumstance, the security team’s ability to monitor the dark web is critical because – although Ian might not know it – the dark web is swarming with malware and he is putting the company at risk.
Having visibility of what is happening at the fingertips of your network is vitally important to spotting the enemy in action, but in order to be effective, security teams need the ability to analyze and granularly interrogate dark web traffic. That is where we come in.
Balk the enemy’s power and force him to reveal himself
Dark Web Traffic Monitoring within DarkIQ allows your defenders to build a detailed understanding of what “normal” looks like. Once you have established that baseline it is much easier to see anomalous traffic patterns and investigate accordingly.
DarkIQ alerts your team to incoming and outgoing dark web connections, and allows you to interrogate all aspects of your public facing infrastructure that have been implicated with dark web traffic in granular detail. All this, in a solution that can be deployed in minutes.
This unparalleled level of molecular detail allows the easy identification of all the telltale signs that you would associate with malicious activity, such as file or malware uploads, hands-on-keyboard web shell or similar backdoor access, port scanning, and data exfiltration.
It allows your network, threat intelligence or security team to quickly react to this as-yet unconfirmed hypothesis and cross-reference it with your own internal logs to identify, contextualize and mitigate against the worst possible outcomes for your organization and its reputation.
Quickness is the Essence of War
It’s an old adage that the cybersecurity landscape has become a battlefield – but an accurate one. All cybersecurity professionals know they are in an arms race with cybercriminals, to defend as quickly as they are being attacked.
As Sun Tzu said, “quickness is the essence of war” – the faster that cybersecurity professionals can identify malicious activity, and the quicker they can act, the more chance they have of repelling the enemy before the battle has even begun. Spotting malicious traffic right at the edges of your network is one of the most effective ways this can be done.
Identifying potentially suspicious dark web traffic activity early lets you proactively build a very clear risk profile and defend against imminent, evolving and potential future threats – and at Searchlight Cyber, that is exactly what we are all about.
“The supreme art of war is to subdue the enemy without fighting.”
“I’m really sorry, I just wanted to listen to Taylor Swift”