Dark web scans promise big results, but in reality, they don't usually yield an ROI. CyberMaxx explains how to better protect yourself from cybercrime.
Many companies offer Dark Web scans. The proposed value is that the service provider searches Dark Web sites for account credentials and other sensitive data related to your organization to see whether criminals are offering it for sale. Bottom line: Don’t waste your money.
How the Dark Web Works
In a nutshell, the Dark Web is a collection of internet sites that “require specific software, configurations, or authorization to access.” One of the more common examples is Tor, software that uses a free, global overlay network of volunteer nodes to anonymize traffic.
There are many legitimate uses of Tor and similar networks. For instance, the Dark Web provides anonymous internet browsing capabilities for people living under repressive regimes that use internet activity logs to track down dissidents.
Criminals also use the anonymizing capabilities of the Dark Web to hide their activities. Common illicit activities on the Dark Web are illegal pornography, criminal services for hire, and the sale of illegally obtained information.
Why You Shouldn’t Pay for Dark Web Scans
1. You’re not getting results for the complete Dark Web. It’s infeasible to scan every site on the Dark Web. Remember, these are services used by criminals. Many of the sites are up for 12 hours per day for a week and then drop offline forever. There is no comprehensive list of Dark Web sites that one could search for sensitive data. Efforts at compiling such a list have resulted in over a septillion addresses, which is computationally infeasible to search.
This leaves customers with a cursory search of easily accessible sites that host data dumps, which are often of little value (or they wouldn’t be available for free download). There might be account info or sensitive data on those sites, but this is not normally the data used by the organized crime rings that pose the biggest threat to U.S. companies. The data you’re likely worried about is not indexed or identified by the Dark Web scans you pay a consultant to perform.
2. Any scan result represents a single point in time. Like the rest of the internet, the content on the Dark Web is dynamic. You might get a clean result today, but sensitive data might appear 5 minutes, 2 days, or 3 months after the scan was performed.
What You Should Do Instead
1. Leverage free resources. We acknowledge there is marginal benefit in knowing whether your account credentials or data are contained in commonly searched data dumps. However, a better way to check on this is via a site like Have I Been Pwned?. This legitimate website has received lots of positive media coverage for making it easy to search for compromised information. The site also provides a mechanism to monitor an entire domain and automatically notifies you if accounts within your domain are identified. All of this is available for free.
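The same site’s Pwned Passwords service lets you check a password against known data dumps without ever sending the password itself: the client hashes it with SHA-1, sends only the first five hex characters of the hash, and receives every hash suffix sharing that prefix, so the match is made locally. The following is an added example of that client-side logic, not code from CyberMaxx or from Have I Been Pwned; it assumes the documented "SUFFIX:COUNT" range response format and uses a constructed offline stand-in for the HTTP lookup so it runs without network access.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Live endpoint of the real service (assumption: format unchanged since publication):
#   GET https://api.pwnedpasswords.com/range/<5-hex-char prefix>
# Each response line is "<35-hex-char suffix>:<occurrence count>".

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that leaves the organization and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF, blank lines tolerated)."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        table[suffix.upper()] = int(count)
    return table

def count_breach_occurrences(password: str,
                             fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in known dumps (0 = not seen).
    Only the prefix is passed to fetch_range; the suffix never leaves this function."""
    prefix, suffix = sha1_prefix_suffix(password)
    table = parse_range_response(fetch_range(prefix))
    return table.get(suffix, 0)

def is_password_acceptable(password: str,
                           fetch_range: Callable[[str], str],
                           max_occurrences: int = 0) -> bool:
    """Policy helper: reject any password seen in a dump more than the threshold."""
    return count_breach_occurrences(password, fetch_range) <= max_occurrences

# Constructed stand-in for the range API (sample data, not real counts).
# "5BAA6" is the real SHA-1 prefix of the string "password"; the count is made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "00000000000000000000000000000000000:2\r\n",
}

def offline_fetch_range(prefix: str) -> str:
    """Offline replacement for the HTTP GET; returns '' for unknown prefixes."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")
```

To run it against the live service, replace `offline_fetch_range` with a function that performs the HTTP GET shown in the comment and returns the response body.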
2. Come to terms with the fact that your organization is going to experience credential theft at some point. This is the reality of the current cybersecurity threat environment, and we have no expectation of it changing in the near term. Therefore, you need to implement controls that mitigate the risk of stolen credentials being used to attack your organization. This is far more effective than selectively changing passwords for the few accounts that show up in a data dump somewhere on the internet, be it on the public side or the Dark Web.
The most common controls used to accomplish this are Multifactor Authentication (MFA) for remote access and employee education to reduce credential re-use. MFA is used to authenticate any user connection originating from outside your organization’s perimeter. It also protects cloud services (e.g. email, payroll and benefits websites).
Employee education is essential because many of those data dumps come from other organizations where your employees hold an account and have used their work email address as the username. For example, Jim is an accountant at ACME. Jim opens an account at Macy’s department store using his ACME email address as the username and the same password he uses at ACME, for ease of recall. If Macy’s experiences a data breach and Jim’s username and password are stolen, the criminals assume that Jim has likely given them the credentials needed to access his ACME email account and/or VPN.
In our opinion, Dark Web scans provide very little in terms of ROI. Instead of investing in them, we recommend using free resources to monitor for accounts contained in public data dumps and investing in maturing your control environment through the proper implementation of a well-designed MFA solution. You should also augment that with employee education on the risks of credential re-use.