Should large enterprises add dark web monitoring to their security policies?
Security expert Nick Lewis says dark web monitoring can help enterprises gather threat intelligence, but enterprises need to understand how to validate the data they find.
Many breaches have been detected based on activity on the dark web, such as customer databases being sold. Should large enterprises consider looking for threats using dark web monitoring? If so, should they use human analysts or automated scanning?
Dark web monitoring is the new artisanal way to gather threat intelligence. Incorporating threat intelligence both proactively and reactively into an information security program has value, but understanding the data sources, how the data is validated and how it is shared is critical to getting value from it.
One aspect of this is the value gained from monitoring the dark web. The dark web is often unaccounted for in enterprise security policies because, as a smaller, private part of the deep web, it requires special software and browsers to access. As a result, it has become the source of a large amount of cybercrime.
The advice I gave on hacker chatter in 2011 still holds true in terms of monitoring activity on the dark web. Monitoring hacker chatter has some value, as does monitoring the dark web, but enterprises need to determine if what hackers are talking about poses a threat to their organizations.
To that point, one aspect of dark web monitoring is looking for the sale of customer or human resource databases. Looking for general threat intelligence may be done best by organizations with dedicated resources. Looking for canaries in a coal mine, or for watermarks, to identify whether a customer database or other sensitive data is available on the dark web, however, could alert an enterprise to a security incident in one of its own systems or at a third party entrusted with its data.
By using dark web monitoring to search for specific data that should not exist in any other data source, you can, if that data turns up outside the enterprise, investigate whether there was a security incident internally or elsewhere.
As with hacker chatter, you can periodically perform an automated search of the dark web to look for the canary or the watermark and then manually investigate any hits.
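One way to implement the canary-and-watermark approach described above, as an added example that is not part of the original column: each third party that receives a copy of the customer data is seeded with one synthetic record that is unique to it, and an automated job scans any acquired dump for those records in plaintext or common hashed forms, so a hit both confirms the incident and attributes which copy of the data leaked. The recipient names, the seed key, the example.com addresses and the sample dump are all constructed for this example.

```python
"""Canary-record seeding and matching for dark web monitoring (added example).

Hypothetical workflow: every recipient of a customer dataset gets its own
synthetic canary record; acquired dumps are scanned for those records, and a
match is handed to an analyst for manual investigation.
"""
import hashlib
import hmac
import re

# Constructed placeholder: in practice a long random secret that is never
# stored with the shared datasets, so a recipient cannot spot its canary.
SEED_KEY = b"replace-with-a-long-random-secret"

# Hash encodings that leaked datasets often carry instead of plaintext.
HASHES = ("md5", "sha1", "sha256")

# Constructed recipient names (the third parties entrusted with the data).
RECIPIENTS = ["acme-mailer", "northwind-analytics", "contoso-support"]


def canary_for(recipient: str, key: bytes = SEED_KEY) -> dict:
    """Derive a synthetic customer record unique to one data recipient.

    HMAC makes the value reproducible for the owner but unguessable for
    anyone who only sees the dataset it is planted in.
    """
    tag = hmac.new(key, recipient.encode(), "sha256").hexdigest()[:12]
    # example.com is reserved for documentation, so the address is never real.
    return {"recipient": recipient, "email": f"canary.{tag}@example.com"}


def _fingerprints(value: str) -> set:
    """Normalized plaintext plus its common hash encodings."""
    v = value.strip().lower()
    fps = {v}
    for algo in HASHES:
        fps.add(hashlib.new(algo, v.encode(), usedforsecurity=False).hexdigest())
    return fps


def build_index(recipients, key: bytes = SEED_KEY) -> dict:
    """Map every fingerprint of every canary back to the recipient it was seeded with."""
    index = {}
    for recipient in recipients:
        for fp in _fingerprints(canary_for(recipient, key)["email"]):
            index[fp] = recipient
    return index


# Tokens worth checking in a dump: email addresses, or 32-64 hex digits
# (md5, sha1, sha256). Matching is case-insensitive.
TOKEN_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}|\b[0-9a-f]{32,64}\b", re.I
)


def scan_dump(text: str, index: dict) -> dict:
    """Return {recipient: [line numbers]} for every canary found in the dump."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for token in TOKEN_RE.findall(line):
            recipient = index.get(token.lower())
            if recipient:
                hits.setdefault(recipient, []).append(lineno)
    return hits


def sample_dump(key: bytes = SEED_KEY) -> str:
    """Constructed dump as a monitoring job might acquire it: fictional rows,
    one canary in upper-case plaintext and one canary as a SHA-256 hash."""
    leaked = canary_for("northwind-analytics", key)["email"]
    hashed = hashlib.sha256(leaked.encode()).hexdigest()
    return "\n".join([
        "id,email,city",
        "1001,jane.doe@example.org,Denver",
        f"1002,{leaked.upper()},Austin",
        "1003,bob@example.org,Boise",
        f"1004,{hashed},Reno",
    ])


if __name__ == "__main__":
    index = build_index(RECIPIENTS)
    for recipient, lines in scan_dump(sample_dump(), index).items():
        print(f"canary for {recipient!r} found on lines {lines}: investigate")
```

Running the block reports the northwind-analytics canary on lines 3 and 5 of the constructed dump and nothing for the other recipients, which is the signal that gets handed to an analyst; the automated part only narrows the search, the manual investigation the column calls for still decides whether the hit reflects a real incident.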