How to use dark web monitoring: a talk with Mary D’Angelo

Dark web monitoring

Today is just like any other day at the office. You are going through emails and laying out plans for your company's upcoming big project when suddenly, your screen freezes. None of the troubleshooting steps work. Quickly, your IT team becomes anxious; the company's network has stopped working. The reason is a security breach tied to stolen credentials from RIPE, an organization that assigns IP addresses across numerous countries.

This situation is similar to what Orange Spain experienced, suffering an outage due to a hacker who improperly accessed their RIPE account. Researchers at Resecurity have noticed a troubling trend: the dark web now houses millions of stolen network operator credentials, which cybercriminals are poised to misuse.

The dark web serves as a hidden space where these stolen credentials remain unseen. It is also where attackers coordinate their plans and recruit accomplices for future breaches. 

For businesses, keeping an eye on the dark web is vital. It helps uncover new threats and trends as they arise. 

Equally important are cybersecurity practices. They shield businesses from an increasing array of cyber threats. 

By combining dark web monitoring with solid cybersecurity, businesses can establish a protective strategy to remain secure.

That's why we talked with Mary D'Angelo, a leading Cyber Threat Intelligence and Dark Web Advisor. We discussed how the dark web works and explored why businesses might need dark web monitoring.

The interview's highlights

  • The deep web makes up 80% of the internet, while the dark web and clear web each make up 10%.

  • The US Navy originally created the Tor network for good reasons, but now less than 1% is for whistleblowers and journalists.

  • Dark web monitoring lets businesses see planned attacks, indicating the immediate need for protection.

  • Ransomware groups are growing, and threat actors are switching to platforms like Telegram.

  • Companies should combine dark web monitoring and cybersecurity practices for early threat detection.

Key insight #1: the clear web makes up only 10% of the internet

NordLayer: To start, what is the dark web?

Mary D'Angelo: When I discuss the dark web, I refer broadly to its distinction from the deep web and the clear web. The dark web is a segment of the internet accessible only through specialized software, typically Tor, which I'll mostly reference. It's because Tor is the most commonly used. The deep web and clear web are other internet segments. The clear web includes anything findable via Google and other search engines. The deep web, while still accessible through search engines, comprises sites that are very hard to enter. Statistics indicate that the deep web constitutes 80% of the internet, with the dark web and the clear web each accounting for only 10%.

Dark web takes up to 10% of the internet

NordLayer: The dark web ensures anonymity and is technically limitless. How does the Onion Router contribute to this anonymity?

Mary D'Angelo: The Onion Router, a type of software made to connect to the dark web, encrypts messages in multiple layers, similar to an onion. These messages, when sent, pass through various relays or nodes, mixing up communications. Upon receiving a message, each relay cannot trace its origin, making it extremely difficult to track the messages and users' activities.

Key insight #2: the original purpose of the dark web, initiated by the U.S. Navy, now makes up just 1% of its current content

NordLayer: Could you explain the legal and illegal aspects of the dark web?

Mary D'Angelo: It's a common misconception that the dark web is entirely illegal. Initially, the Tor network was developed by the US Navy research team to enable secure communications. 

The primary purpose of the dark web was to assist journalists and whistleblowers in remaining anonymous and using encrypted messaging on a privatized platform. Over time, it has evolved to host a significant amount of illegal activity. 

It's estimated that 40% of the dark web is comprised of child sexual exploitation material, with less than 1% now dedicated to whistleblower and journalism activities. The majority involves illegal marketplaces, threat actor forums, ransomware groups, and similar entities.

NordLayer: But the dark web also has positive uses for privacy and free speech. Can you discuss them?

Mary D'Angelo: The dark web is valuable for media organizations and individuals in censored countries, providing a secure communication channel. Organizations like ProPublica use the dark web for secure communications, offering a platform for whistleblowers and those reporting from repressive regimes.

NordLayer: Considering its origins, does the dark web offer more security than platforms like Amazon?

Mary D'Angelo: The comparison depends on what you mean by security. The dark web provides anonymity, encrypted messaging, and privacy, even for websites. Users on the dark web enjoy encrypted and anonymized communication unseen by others. Conversely, Amazon tracks all user information, making the dark web, in some respects, more secure. However, this anonymity also contributes to the prevalence of illegal activities.

NordLayer: Is regulation of the dark web a significant challenge?

Mary D'Angelo: Yes, law enforcement faces considerable difficulties in tracking down illegal activities due to the dark web's structure. Although recent efforts have improved, the process is complex and time-consuming.

NordLayer: Can dark web marketplaces be shut down successfully?

Mary D'Angelo: Marketplaces like Silk Road and Alpha Bay have been taken down by law enforcement, involving extensive international investigations. Often, the downfall of these sites is due to the carelessness of threat actors. However, new marketplaces frequently emerge, creating a continuous cat-and-mouse game between law enforcement and dark web users.

NordLayer: How does law enforcement investigate the dark web?

Mary D'Angelo: Investigations involve collaboration with various agencies and platforms like ours that can index and search the dark web efficiently. Law enforcement builds cases on threat actors, tracking their movements and communications, often capitalizing on their mistakes to dismantle operations.

Key insight #3: dark web monitoring helps to detect the threat on its planning stage

NordLayer: How did your interest in the dark web begin?

Mary D'Angelo: My journey into the dark web began with my background in cybersecurity and network detection. Joining Searchlight Cyber, I deepened my understanding of threat intelligence and the significance of dark web monitoring to identify potential security threats to organizations.

Dark web is a hub for threat actors to plan attacks

NordLayer: Why is it important for businesses to monitor the dark web?

Mary D'Angelo: The dark web is a hub for threat actors to plan attacks. Dark web monitoring allows businesses to detect potential threats early in the planning stage, giving them more time to prevent attacks.

"You can also try NordLayer's ThreatBlock to prevent threats. It automatically blocks access to harmful websites, making it easier to avoid entering a malicious site. You won't see harmful ads and pop-ups, and you will be prevented from accessing websites linked to illegal activities or those marked as unsafe in trusted databases. This tool makes life easier."

Martyna Gaidelė, Product Marketing Manager at NordLayer

Click to tweet

NordLayer: So how can organizations monitor the dark web effectively?

Mary D'Angelo: Companies like Searchlight Cyber provide services to monitor the dark web safely and efficiently, helping businesses to protect themselves without risking exposure to malicious content.

7 stages of cyber-attacks

NordLayer: Can you share a success story related to dark web monitoring?

Mary D'Angelo: Our human intelligence team does a lot of the undercover work. Accessing some dark web sites is tough; it requires specific permissions. Our team managed to enter these sites and found someone selling domain access control credentials for a large US airline. They didn't name the airline to avoid detection but shared details like the revenue size, location, and access type. High pricing often indicates legitimacy. Upon discovering this, I contacted the airline's security team to alert them, despite them not being our client. We then discussed the intelligence, which was new to them, and together, we devised a plan to enhance their security.

NordLayer: That's impressive. What security measures do you generally recommend to introduce? 

Mary D'Angelo: We generally suggest enforcing multi-factor authentication (MFA) across all platforms. The approach depends on the attack type, but ensuring MFA is in place is crucial so that only authorized individuals have access.

"Multi-factor authentication (MFA) is an essential part of NordLayer. However, we advocate for a broader range of multi-layered authentication solutions and encourage our customers to implement more comprehensive Zero Trust Network Access (ZTNA) strategies.

Multi-layered network access control minimizes the risks of data breaches and aids in achieving compliance certificates, contributing to business credibility as well.

My favorite NordLayer features for network access control are the Cloud Firewall and Device Posture Security. They are easy to use and powerful solutions, ensuring advanced network access control."

Martyna Gaidelė, Product Marketing Manager

Click to tweet

Key insight #4: Ransomware groups are hiring, which means even more attacks in 2024

NordLayer: Have you observed any trends in the dark web, such as an increase in ransomware groups?

Mary D'Angelo: Last year, we saw ransomware groups increase their recruitment. This means that they only plan to increase their attacks. They now have larger budgets because they were so successful last year in terms of the ransom payments. And so now they have more purchasing power, they can buy better exploits and better credentials. Bad actors also have their AI tool, called fraud GPT, which can just more easily and quickly make very sophisticated attacks.

NordLayer: How can businesses and law enforcement adapt to the evolving threat landscape on the dark web?

Mary D'Angelo: Understanding the tactics, techniques, and procedures (TTPs) of threat actors allows organizations to build more effective defenses. Monitoring threat actor movements helps in developing predictive security measures.

NordLayer: There is also a kind of "Robin Hood" mentality among some ransomware groups. Can you elaborate on this?

Mary D'Angelo: Interestingly, some ransomware groups adhere to a moral code, avoiding attacks on hospitals and focusing on other targets. This nuanced behavior among threat actors highlights the complex ethical landscape of the dark web.

Ransomware groups have been increasing their recruitment and budgets

NordLayer: Despite some groups avoiding healthcare targets, the sector remains highly vulnerable. Why is that?

Mary D'Angelo: The healthcare sector often faces the highest ransom demands, with many hospitals lacking the security infrastructure to defend against sophisticated attacks. The sale of access credentials to healthcare institutions is alarmingly common.

NordLayer: There’s also a trend where threat actors are shifting from dark web forums to encrypted messaging platforms like Telegram. Why do you think threat actors are choosing these platforms?

Mary D'Angelo: The shift to encrypted platforms like Telegram reflects threat actors' increasing paranoia and desire to evade detection. As law enforcement and security firms improve their monitoring capabilities, actors seek new ways to communicate securely.

Healthcare sector and ransomware

NordLayer: How do you conduct research on the deep web and platforms like Telegram?

Mary D'Angelo: Our team utilizes a combination of human intelligence and proprietary automated technologies to gather intelligence from various platforms. This allows us to monitor threat actor activities across the deep web and dark web comprehensively.

NordLayer: What future research directions do you see for dark web intelligence?

Mary D'Angelo: Collaborating with security practitioners and academic researchers can lead to innovative strategies for mitigating risks and combating cyber threats. Future research will likely focus on predictive analysis and the development of more sophisticated defense mechanisms.

Encrypted platforms need increase

Key insight #5: for businesses to stay safe, they need all employees to be aware of possible attacks

NordLayer: What general advice would you give businesses to enhance their security?

Mary D'Angelo: Businesses should prioritize early detection of threats by monitoring for reconnaissance activities. Leveraging threat intelligence to understand the landscape and adopting a proactive security posture can significantly reduce the risk of attacks.

NordLayer: How important is cybersecurity awareness?

Mary D'Angelo: Cultivating a culture of security throughout an organization is crucial. Integrating cyber threat intelligence across all levels can inform strategic decisions and prioritize security measures, ultimately making it more difficult for threat actors to succeed.

Proactive security costs less

NordLayer: In conclusion, investing in cybersecurity is more cost-effective than facing the consequences of a ransomware attack.

Mary D'Angelo: Absolutely. The cost of proactive security measures is significantly lower than the potential losses from a successful cyber attack.

How NordLayer can help

NordLayer offers a comprehensive security approach, protecting your team with Threat Prevention from harmful sites, securing online activities with VPN, and ensuring appropriate access with Cloud Firewall. Beyond these tools, we advocate for adopting Zero Trust Network Access (ZTNA), Security Service Edge (SSE), and other cybersecurity frameworks to strengthen your defense. Our sales team is always here if you need any help along the way. 

Beyond NordLayer's offerings, it's essential to create a culture of cybersecurity, maintain up-to-date software, and use secure communication tools. Additionally, assessing your vendors through a Third-Party Risk Management Plan and restricting their access can significantly mitigate risks.

Share article


Copy failed

Protect your business with cybersecurity news that matters

Join our expert community and get tips, news, and special offers delivered to you monthly.

Free advice. No spam. No commitment.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.