
12 dark web monitoring tools


What is dark web monitoring?

Dark web monitoring is a service often offered by cybersecurity vendors that scans the dark web for information pertaining to an organization. These tools search dark web sites and forums, checking your organization’s information against compromised datasets being traded or sold.

The dark web is the place where every CISO hopes their company’s data will not end up. Not typically a direct threat to corporate networks, the dark web consists of sites that are not indexed by popular search engines such as Google and includes marketplaces for data usually obtained through a cyberattack, such as compromised user accounts, identity information, or other confidential corporate information.

Gaining operational intelligence on what data these sites are offering is critical to defending against cybercriminals using compromised accounts to enable attacks, commit fraud, or conduct campaigns using spear phishing or brand spoofing. The dark web is also a source of intelligence on the operations, tactics, and intent of criminal groups. There are tools and services that monitor the dark web for compromised data and provide critical intelligence and visibility into areas of the dark web that are potentially outside your view.

How do dark web monitoring tools work?

Dark web monitoring typically involves a combination of software tools tailor-built for monitoring and security researchers versed in the intricacies of potential threats and the social culture of the internet underworld. Software tools can be loosed on known hangouts for malicious users to exchange techniques or compromised data, compiling this data into streams that can be analysed and catalogued. Security researchers help identify threat viability and assist with the expansion of monitored dark web sites. Finally, the monitoring tools can act on catalogued data, applying rule sets to alert administrators or automatically perform remediation actions to prevent further compromise.
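
The final step described above, applying rule sets to catalogued data, shown as an added example (not code from the article or from any vendor listed here). The watchlist values, rule names, sample records, and the 0.85 similarity threshold are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumed watchlist for a fictional organization (constructed values).
MONITORED_DOMAINS = {"example.com"}
VIP_NAMES = {"jane doe"}

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")

def lookalike(domain, brand, threshold=0.85):
    """True when domain is similar to, but not the same as, a brand domain."""
    if domain == brand or domain.endswith("." + brand):
        return False  # the brand itself or one of its subdomains
    return SequenceMatcher(None, domain, brand).ratio() >= threshold

def apply_rules(record):
    """Return a sorted list of (rule, evidence) alerts for one catalogued record."""
    text = record["text"].lower()
    alerts = set()
    for m in EMAIL_RE.finditer(text):
        if m.group(1) in MONITORED_DOMAINS:
            alerts.add(("credential_exposure", m.group(0)))
    for name in VIP_NAMES:
        if name in text:
            alerts.add(("vip_mention", name))
    for d in DOMAIN_RE.findall(text):
        if any(lookalike(d, b) for b in MONITORED_DOMAINS):
            alerts.add(("brand_spoofing", d))
    return sorted(alerts)

# Constructed sample records standing in for a collected data stream.
RECORDS = [
    {"source": "forum-a", "text": "combo list: alice@example.com:<redacted>"},
    {"source": "market-b", "text": "phish kit hosted at examp1e.com, targets Jane Doe"},
    {"source": "forum-c", "text": "unrelated chatter about other.org"},
]

def triage(records):
    """Map source -> alerts, keeping only records that triggered a rule."""
    return {r["source"]: a for r in records if (a := apply_rules(r))}

if __name__ == "__main__":
    for source, alerts in triage(RECORDS).items():
        print(source, alerts)
```

In a real deployment the alert list would feed a ticketing or SOAR workflow, and the similarity threshold would be tuned against the organization's own domain portfolio to limit false positives.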

Who needs dark web monitoring tools?

Since dark web sites are frequently invite-only, gaining access typically requires infiltration by masquerading as a malicious user or someone in the market for stolen identity or corporate data. This requires individuals or services with skill sets enabling them to not only identify these sites, but to acquire data relevant to protecting corporate identities or data.

Most businesses don’t need to perform dark web research directly. Rather they can leverage tools and services that scan the dark web. Tools like extended detection and response (XDR) or services like managed detection and response (MDR) both commonly ingest data gleaned from sources on the dark web to identify compromised accounts, calculate risk, and provide context.

Some industries, notably government, financial institutions, certain high-profile IT security businesses, and a few others, may have a need for more direct access to intelligence only directly available from sources on the dark web, Gartner analyst Mitchell Schneider tells CSO. In many cases these companies are looking for something beyond leaked credentials or corporate data. Rather, they need intel on threat actors, evolving attack vectors, or exploits.

Other business segments like retail or pharma are more susceptible to nontraditional attacks like brand spoofing in the form of fake domains or phishing attacks, according to Schneider. In his view digital footprint monitoring is a particularly valuable tool and will often include a dark web component. Further, takedown services are a natural step beyond digital footprint monitoring. In general, individual businesses won’t have the required contacts with internet service providers, cloud hosting platforms, and even law enforcement to effect takedowns on their own. Digital risk protection services (DRPS) fill this gap nicely by offering service-based solutions that cater toward protecting your brand through monitoring of the internet, surface web and the dark web, and through more hands-on methods like site takedown services.

These are some of the most popular dark web monitoring tools.

Brandefense

Brandefense is an AI-driven DRPS solution that scans the surface web and the dark web to glean detail on attack methods or data breaches, correlating this data and contextualizing it, and then providing alerts when an incident has relevance to your brand. Brandefense can also facilitate takedowns against threat actors should it become necessary, keeping your security posture in a forward lean rather than waiting to respond to active attacks.

Security of high-level executives—or VIPs—is another focus area for Brandefense, as these individuals are often not only part of your corporate brand, but a frequent attack target. Their names and emails are also frequently used in spear phishing attacks against employees or customers.

CrowdStrike Falcon Adversary OverWatch

CrowdStrike maintains their industry standing despite a rough patch in July 2024. CrowdStrike’s Falcon Adversary OverWatch platform is a 24/7 threat hunting service that combines industry security experts and AI to proactively identify and disrupt malicious actors in real-time. CrowdStrike Falcon Adversary OverWatch provides insights and visibility into dark web references to your corporate data, identities, and brands, even proactively blocking threats before they become incidents.

CTM360 CyberBlindspot and ThreatCover

CTM360 offers two different solutions that monitor the dark web to protect your organization from emerging threats. CyberBlindspot is focused on intelligence that directly references your corporate assets. CyberBlindspot expands on the indicators of compromise (IOC) concept to expose indicators of warning or indicators of attack, allowing you to identify areas of concern to your network even more proactively. CyberBlindspot also leverages CTM360’s global partnerships to offer managed takedown and global threat disruption (GTD), enabling your business to disable or disrupt malicious actors masquerading as your brand.

ThreatCover offers tooling for security analysts to deep dive into threat intelligence feeds, allowing optimal data quality and context from which response teams can initiate incident response.

DarkOwl Vision UI

DarkOwl Vision UI provides simplified visibility into dark web data that’s relevant to your business. Vision UI supports searching collated dark web data feeds using standard text search, Boolean logic to quickly focus in on key categories, and even regular expressions, with support for up to 47 languages. DarkOwl Vision UI’s capabilities extend beyond interactive search, offering features for notifications and alerts, and exposure metrics, which attempt to quantify exposure based on multiple factors and sources.

IBM X-Force Exchange

IBM X-Force Exchange is primarily a data sharing platform and community, bringing threat and intelligence feeds into an interactive, searchable database that can also be integrated into your existing security stack through APIs and automated alerts. Many of the tools IBM offers are free without even requiring registration, though you’ll want to register to customize your portal by saving relevant searches and following feeds pertaining to relevant domains and brands. API access, advanced analysis, and premium threat intelligence reports do require a subscription.

Malware Information Sharing Platform – MISP

The Malware Information Sharing Platform (MISP) is an open-source platform shaped around the idea of shared threat intelligence data. MISP includes open-source software which can be installed within your data center or on various cloud platforms and leverages open-source protocols and data formats that can be shared with other MISP users or integrated in all manner of information security tools. In fact, support for MISP integration is often mentioned as a feature of other solutions in this list. While MISP threat streams aren’t curated in quite the same way as commercial tools, it is a low-cost way for corporations to spin up an internal dark web monitoring solution.

Mandiant Digital Threat Monitoring

Mandiant Digital Threat Monitoring offers visibility into intelligence pertaining to threats and leaked credentials or other corporate secrets on the open internet or the dark web. This intelligence data is bolstered by context delivered through machine learning, driving relevant, prioritized alerts that facilitate the triage process. In addition to brand monitoring (including VIP protection), Mandiant Digital Threat Monitoring offers monitoring of other businesses with which you have trusted relationships. By monitoring these trusted partners you can further secure your supply chain and prevent cross-domain attacks which have the potential to circumvent existing security controls.

Mandiant also offers Digital Threat Monitoring as an add-on module to their Advantage Threat Intelligence, bringing many of these same dark web monitoring capabilities into your threat intelligence capability.

OpenCTI

OpenCTI is another open-source option for collecting, managing, and interacting with intelligence data. Developed and owned by Filigran, OpenCTI can be deployed as a Docker container, making it platform agnostic, and features a vast array of connectors to other security platforms and software tools to both integrate and enrich the OpenCTI data stream.

OpenCTI’s feature set includes role-based access control for your information security team, standards-based data models, and attribute data indicating the origin of the finding. Automation of all sorts can be enabled using the OpenCTI client for Python, which exposes OpenCTI APIs with helper functions and an easy-to-use framework which enables rapid development of custom logic based on event data.

Rapid7 Threat Command

Rapid7’s Threat Command replaces point solutions with combined external threat intelligence, digital risk protection, indicators of compromise (IOCs) management, and remediation. Part of Threat Command is the Digital Risk Protection feature, which mines the dark web for potential dangers before they affect an organization. The feature offers alerts on threats affecting your business and proactively researches malware, tactics, techniques, and procedures (TTPs), phishing scams, and other threat actors. This sort of intelligence helps security professionals stay up to date on evolving attack methods, providing the means to adjust defenses and train users on best practices.

Recorded Future Intelligence Cloud Platform

The Intelligence Cloud Platform offered by Recorded Future features constant monitoring of over 300 state actors, 3 million known criminal forum handles, billions of domains and hundreds of millions of IP addresses across the internet and dark web. This herculean intelligence data is fed into AI-driven analysis tools that categorize and apply context to the data set, finally surfacing it to modules that focus on your corporate brand, threats and vulnerabilities, identities, and several other areas. Each module surfaces actionable intelligence, letting you prioritize your response based on business need and risk, minimizing response time and facilitating efficient remediation.

SOCRadar Advanced Dark Web Monitoring

SOCRadar offers several services and tools for security professionals, including a free license of their Cyber Threat Intelligence tool you can use for limited but valuable insights into compromised credentials, brand impersonation, or vulnerabilities in your public footprint. For more comprehensive, automated monitoring you’ll want to subscribe to SOCRadar’s Advanced Dark Web Monitoring service. Advanced Dark Web Monitoring offers monitoring for employee PII (personally identifiable information), while also tracking compromised VIP accounts, and performing reputation monitoring and phishing detection. SOCRadar even offers monitoring of Telegram and Discord channels and a dark web search engine.

ZeroFox Dark Web Monitoring

ZeroFox Dark Web Monitoring is another tool that aims to simplify the process of surfacing risks from the dark web. Continuous monitoring of compromised credentials, employee personal information, or sensitive corporate intellectual property is just the start for ZeroFox. Context built by analysing attack methods informs defensive measures you can take to protect your business, and alerts notify you of risk to your brands to keep you informed of emerging threats.

