The dark web is one of the most misunderstood areas of the internet. In popular culture it appears either as a lawless underworld where anything can be purchased or as an impenetrable mystery accessible only to sophisticated hackers. Neither portrait is accurate. The dark web is a real part of the internet with genuine criminal activity, but understanding it clearly, rather than through exaggeration, is what allows organizations and security professionals to address the threats that originate from it.
At arthemis-asso.com you will find a cybersecurity and computing magazine covering threat intelligence, dark web monitoring, information security, and practical security guidance for professionals and organizations.
What the Dark Web Actually Is
The internet is commonly described as having three layers, though the boundaries between them are not always precise. The surface web is the portion indexed by search engines and accessible to anyone with a browser. The deep web is everything that is not indexed by search engines: webmail, online banking, content behind paywalls, private databases, and most content that requires authentication to access. The dark web is a specific portion of the deep web that requires specialized software to access and is intentionally designed to provide anonymity to both users and operators of websites.
The dark web is primarily accessed through the Tor (The Onion Router) network. Tor routes traffic through a chain of volunteer-operated relays, wrapping it in layers of encryption that are peeled off one relay at a time, so that no single point in the network can easily determine both the origin and the destination of a communication. Websites hosted on Tor use .onion addresses rather than conventional domain names and are reachable only through a Tor client such as the Tor Browser.
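A defender mostly meets .onion addresses in two places: in threat reports that quote them, and in internal DNS logs, where they should never appear at all (a correctly configured Tor client resolves .onion names inside the Tor network, so a .onion query reaching the corporate resolver indicates a misconfigured or non-Tor application). The following added example, which is not code from the original article, checks that a string is a structurally valid version 3 onion address (56 base32 characters encoding a 32-byte key, a 2-byte SHA3-256 checksum and the version byte 0x03, per the Tor rend-spec-v3 format) and scans a few constructed DNS log lines for .onion lookups. The key bytes, client IPs and log format are all constructed for the example.

```python
import base64
import hashlib

ONION_VERSION = b"\x03"
ONION_LABEL_LEN = 56  # 35 bytes * 8 / 5 bits per base32 character


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum defined by the v3 onion address format."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build a v3 .onion hostname from a 32-byte public key (any 32 bytes will do for format checks)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion addresses encode a 32-byte ed25519 public key")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_valid_v3(hostname: str) -> bool:
    """True if the last label before .onion decodes to key + matching checksum + version 3."""
    name = hostname.lower().rstrip(".")
    if not name.endswith(".onion"):
        return False
    label = name[: -len(".onion")].rsplit(".", 1)[-1]  # allow prefixes such as www.<addr>.onion
    if len(label) != ONION_LABEL_LEN:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # binascii.Error is a ValueError: bad base32 alphabet
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == ONION_VERSION and checksum == onion_checksum(pubkey)


def scan_dns_log(lines):
    """Return every .onion query found in 'key=value' DNS log lines, with a format verdict."""
    hits = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        qname = fields.get("qname", "").rstrip(".")
        if qname.endswith(".onion"):
            hits.append({"client": fields.get("client"), "qname": qname, "valid_v3": is_valid_v3(qname)})
    return hits


# Constructed sample: a well-formed v3 address built from a dummy key, and a 56-character
# string that looks like one but has the wrong version byte (all-zero payload).
SAMPLE_ADDR = encode_v3(b"\x01" * 32)
SAMPLE_DNS_LOG = [
    f"2024-05-01T10:02:11Z client=10.0.4.17 qname={SAMPLE_ADDR}. type=A",
    "2024-05-01T10:02:12Z client=10.0.4.17 qname=www.example.com. type=A",
    f"2024-05-01T10:03:40Z client=10.0.9.2 qname={'a' * 56}.onion. type=A",
    "2024-05-01T10:04:01Z client=10.0.9.2 qname=mail.example.com. type=MX",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

Both hits are worth an alert: the valid one shows a host trying to reach a real onion service through the wrong channel, and the malformed one is either a typo or a lookalike string. Because the checksum covers the key, the check also rejects addresses that were altered by one character, which is useful when transcribing indicators from reports.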
The dark web is not exclusively criminal. It is used by journalists communicating with sources in authoritarian countries, by political dissidents in regimes that monitor internet communications, by whistleblowers, by privacy advocates, and by security researchers. Many legitimate news organizations maintain .onion versions of their websites to provide access in countries where they are blocked. The anonymity that makes the dark web useful for these purposes also makes it attractive for criminal activity.
Criminal Activity on the Dark Web
The dark web hosts a range of criminal marketplaces and services that are directly relevant to enterprise cybersecurity. Understanding what is available there is essential for organizations assessing their threat exposure and for security teams conducting threat intelligence.
Stolen credentials are among the most commonly traded commodities on dark web markets. Following data breaches, compromised username and password combinations are sold in bulk. These credentials are used in credential-stuffing attacks against the services where the original breach occurred and against other services where victims reused passwords. Organizations can monitor dark web markets for their own email domains to identify when employee credentials appear in breach data.
Ransomware-as-a-Service operations market their services on dark web forums, recruiting affiliates who will conduct attacks in exchange for a share of ransoms. These forums also host discussions of techniques, tools, and targets, providing threat intelligence about emerging attack methods and which industries or organization types are being targeted.
Initial access brokers sell access to compromised corporate networks on dark web markets. A broker who has established a foothold in an organization’s network through phishing or vulnerability exploitation can sell that access to ransomware affiliates or other threat actors. Monitoring dark web markets for references to an organization’s name or domain can provide early warning that access to its network is being sold.
Personally identifiable information (PII) stolen in data breaches, including identity documents, financial records, and healthcare data, is traded on dark web markets. The presence of an organization’s customer or employee data on dark web markets indicates a breach that may not yet have been detected through internal monitoring.
Dark Web Monitoring as a Security Practice
Dark web monitoring is the practice of systematically searching dark web markets, forums, and paste sites for information relevant to an organization’s security. It has become a standard component of threat intelligence programs for organizations with meaningful data breach risk.
The information types most relevant to enterprise dark web monitoring are compromised credentials associated with organizational email domains, references to the organization by name in threat actor forums, stolen data that appears to originate from the organization’s systems, and vulnerabilities in the organization’s public-facing infrastructure that are being discussed or sold.
Automated dark web monitoring services index accessible dark web content and alert organizations when relevant data is detected. These services have meaningful limitations: they can only index content that is accessible without payment or authentication, and significant criminal activity occurs in closed forums that require invitation or payment to access. Nonetheless, they provide a useful layer of threat intelligence that complements internal security monitoring.
Manual threat intelligence investigation by trained analysts provides deeper access to closed communities and can identify threats that automated monitoring misses. Security teams with the capability to conduct dark web investigations can track specific threat actor groups, monitor discussions about their organization or industry, and gather intelligence about imminent attacks.
Implications for Security Operations
Dark web intelligence should be integrated into security operations rather than treated as a separate function. Credentials discovered on dark web markets should trigger immediate password resets and investigation of whether the accounts were accessed using those credentials. References to the organization in threat actor forums should inform elevated monitoring and defensive posture. Vulnerability information circulating among attackers should be prioritized for remediation.
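To make the credential workflow above concrete, here is an added example (not code from the original article or from any monitoring vendor) that takes records in the shape a dark web monitoring feed might deliver, keeps only accounts on the organization's own mail domains and their subdomains, and correlates them with identity-provider authentication events. Every account gets a reset; an account with a successful login after the exposure date, especially from an IP not seen before, is additionally marked for investigation, and post-exposure failed logins are counted as a credential-stuffing signal. The domains, addresses, sources, IPs and log format are constructed for the example, as is the simple key=value log shape.

```python
from collections import defaultdict
from datetime import datetime

# Organization-owned mail domains (constructed); subdomains are matched automatically.
ORG_DOMAINS = {"example.com"}

# Constructed feed records: exposed account, dump or post it came from, first sighting.
BREACH_RECORDS = [
    {"email": "Alice@Example.com", "source": "combolist-2024-04", "seen": "2024-04-20T00:00:00Z"},
    {"email": "bob@corp.example.com", "source": "combolist-2024-04", "seen": "2024-04-20T00:00:00Z"},
    {"email": "bob@corp.example.com", "source": "forum-post-7781", "seen": "2024-04-25T00:00:00Z"},
    {"email": "carol@another.org", "source": "combolist-2024-04", "seen": "2024-04-20T00:00:00Z"},
]

# Constructed identity-provider authentication log lines.
AUTH_LOG = [
    "2024-04-18T09:00:00Z user=alice@example.com result=success ip=203.0.113.8",
    "2024-04-22T03:14:00Z user=alice@example.com result=success ip=198.51.100.23",
    "2024-04-23T08:00:00Z user=bob@corp.example.com result=failure ip=198.51.100.23",
    "2024-04-26T08:05:00Z user=bob@corp.example.com result=failure ip=198.51.100.23",
    "2024-04-26T08:10:00Z user=dave@example.com result=success ip=203.0.113.9",
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, TS_FMT)


def in_scope(email: str, domains) -> bool:
    """True if the address is on an org domain or any subdomain of one."""
    domain = email.rsplit("@", 1)[-1].lower()
    return any(domain == d or domain.endswith("." + d) for d in domains)


def exposed_accounts(records, domains):
    """Collapse feed records to one entry per in-scope account: earliest sighting and all sources."""
    accounts = {}
    for rec in records:
        email = rec["email"].strip().lower()
        if not in_scope(email, domains):
            continue
        seen = parse_ts(rec["seen"])
        entry = accounts.setdefault(email, {"first_seen": seen, "sources": set()})
        entry["first_seen"] = min(entry["first_seen"], seen)
        entry["sources"].add(rec["source"])
    return accounts


def parse_auth(line: str) -> dict:
    ts, *kv = line.split()
    event = dict(pair.split("=", 1) for pair in kv)
    event["ts"] = parse_ts(ts)
    event["user"] = event["user"].lower()
    return event


def triage(records, auth_lines, domains):
    """Produce one action row per exposed account, using the auth log to decide on investigation."""
    accounts = exposed_accounts(records, domains)
    events = defaultdict(list)
    for line in auth_lines:
        ev = parse_auth(line)
        events[ev["user"]].append(ev)

    report = []
    for account, info in sorted(accounts.items()):
        history = events[account]
        known_ips = {e["ip"] for e in history if e["result"] == "success" and e["ts"] < info["first_seen"]}
        after = [e for e in history if e["ts"] >= info["first_seen"]]
        # (timestamp, ip, ip never used for a successful login before the exposure)
        logins = [(e["ts"].strftime(TS_FMT), e["ip"], e["ip"] not in known_ips)
                  for e in after if e["result"] == "success"]
        failures = sum(1 for e in after if e["result"] == "failure")
        report.append({
            "account": account,
            "first_seen": info["first_seen"].strftime(TS_FMT),
            "sources": sorted(info["sources"]),
            "post_exposure_logins": logins,
            "post_exposure_failures": failures,
            "action": "reset_and_investigate" if logins else "reset",
        })
    return report


if __name__ == "__main__":
    for row in triage(BREACH_RECORDS, AUTH_LOG, ORG_DOMAINS):
        print(row)
```

In a real deployment the feed records would carry a hash or partial password rather than the address alone, and the reset step would be an API call to the identity provider rather than a report row; the correlation logic, matching on normalized address and comparing event time against first sighting, is the part that stays the same.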
The legal and ethical dimensions of dark web investigation require attention. Security teams conducting dark web investigations must do so in ways that do not involve purchasing illegal goods or services, even for research purposes. Many jurisdictions have laws that could implicate researchers who participate in illegal markets, and organizational legal counsel should be consulted on the boundaries of permissible dark web investigation.
Dark web intelligence is one input among many into a security program, not a substitute for strong preventive controls. Organizations that implement MFA, maintain good patching discipline, monitor their endpoints and network, and have rehearsed incident response plans are resilient regardless of what threat actors are discussing on dark web forums. Dark web monitoring adds intelligence to a strong security foundation; it cannot compensate for the absence of one.