What to do if your company was mentioned on the Dark Web?
Data breaches have become a pervasive threat to businesses of all sizes, with cybercriminals constantly finding new ways to steal sensitive information. In recent years, high-profile data breaches have made headlines, causing reputational damage for the affected companies. A statistical overview of the data breach problem and cybercriminal activity on the Dark Web is provided on a Kaspersky’s Securelist.com. In this article, we will provide insights into how businesses should handle data breaches and the steps they can take to mitigate the impact of such incidents.
Incident response: approach, steps and roles
Before we dive into incident response process, it's essential to discuss how Dark Web incidents fit into
the classic approach to incident response. Effective incident management is carried out in several steps.
Incidents related to breaches announced on the Dark Web are the same as others in terms of response, but
there are some differences in the first steps: preparation, detection and analysis.
Verifying Dark Web threats and evaluating their severity requires special methods. If the incident is
verified and confirmed, the incident response (IR) team can use the relevant standard IR playbooks to
respond.
-
Preparation
Prepare the people, processes, and technologies in the organization required to manage Dark Web incidents efficiently
-
Detection
Define detection scenarios for Dark Web mentions and required tools/services
-
Analysis
Investigate the mention and assess its threat level
-
Verification
Verify the incident and start the incident response process
There are three typical roles involved in the incident response process:
-
Cyber Threat Intelligence (CTI) Analyst
who handles and initially processes the CTI alert and creates an incident.
-
Security Operations Center (SOC) Analyst
who investigates the identified incident.
-
Incident Responder
who performs the necessary actions to respond to the threat.
It's not important how you name the roles, and they can be combined or split – the overall workflow will stay the same.
Preparation
For Dark Web-related threats, monitoring is set up in a special way. There are two possible approaches to this: create your own system for monitoring Dark Web resources, or use a solution specially designed for this purpose, such as Kaspersky Digital Footprint Intelligence.
If you choose the first option you must take the following minimum set of actions:
- Compile a list of Dark Web resources to monitor, relevant to your threat model.
- Deploy infrastructure (VPN, Tor; external virtual hosts for acquiring the data).
- Register special accounts on forums for intelligence purposes, since some forums require an account, making it more difficult for law enforcement or researchers to access the resource and acting as an entry barrier to casual visitors.
- Assign responsible persons for maintaining the infrastructure and an up-to-date list of Dark Web resources.
Choosing the second option, a ready-made solution, will save you resources and time.
An equally important aspect of Dark Web monitoring is the scope. It's not enough to just define the dataset to be monitored. The scope of what is monitored should be always up-to-date. The table below contains recommendations for how frequently the scope should be updated for different data items.
frequency of update Comment
Example: kaspersky[.]com
Detection
Ideally, the detection stage should involve automatic alerts when specific information is found on Dark Web resources or in data dumps being analyzed on your threat intelligence platform. A CTI analyst (or another responsible person) may perform the search manually, but in this case the response will not be immediate.
Here's a list of basic alert types:
- Company name mentioned on the dark web
- Company domain mentioned on the dark web
- Company IP address/range mentioned on the dark web
- Company brand or product mentioned on the dark web
- Company domain mentioned in databases of leaked credentials
- Employee name or email address mentioned on the dark web
- Company partner/supplier mentioned on the dark web
- Company with similar profile (location, industry) mentioned on the dark web
Analysis
After receiving an alert that your company was mentioned on the Dark Web, the first thing to do is to verify it: is the message a real threat or just a fake? The dark web is home to cybercriminals, so it's no surprise that sometimes they try to sell fake data to each other. At the analysis stage, CTI analysts investigate and assess the risk.
It's necessary to try and answer the following questions: which information is for sale, who is selling it, and where. The more information you can collect, the faster and more effectively you can respond to the threat.
Analyze the source
Dark Web content comes from many sources: forums, private blogs, and messengers. Each platform has its own
rules, audience, and specialty. Some forums are easy to register on, some require an invite from an
already-registered member, and some are only for a selected group of "trusted" people. And of course, the
likely validity of the content differs for each sourсe. Some forums have a strict moderation policy where
all messages and posts are reviewed by the administrators.
Ransomware blogs are another example of a source. Ransomware blogs are usually Tor websites where
ransomware actors disclose information about victims, provide details on breaches, and set deadlines for
the ransom. In some cases, ransomware groups publish the compromised data for free, but usually they are
offering to sell the data or trying to pressure the victim company by attracting public attention. If a
company appears in the blog of a ransomware actor, there is a high probability that this company has been
hit by ransomware. But of course, there are cases of bluffs or mistakes – for example, when LockBit
claimed they had compromised Darktrace's internal systems, but the company confirmed that there was no
evidence of compromise.
Analyze the profile of the offer's author
Many forums have a rating system: you can see how many posts the user has published and get an idea of how experienced they are. It's also a good idea to investigate the user's past activity, if the Dark Web resource offers this ability: how active has the user been, have they already had successful sales?
Analyze the author's activity
How the community responds to a message is not an indicator of its validity, but it can sometimes give
more context. For example, on forums or chats, participants may write comments thanking the author or,
in contrast, saying that data is fake.
It should be noted that some forums carefully monitor the quality of content, and in the event of a fake
publication, the author is blocked.
But even when it looks like the community is not interested in the publication, the deal can take place "behind closed doors". Some cybercriminals prefer to discuss details in private messages, specifically requesting this in the post and leaving their contact information. Moreover, the escrow service is highly popular in the community. Some forums even have this service built in. You can read more in our article about dark web deals and regulatory mechanisms.
Based on the source and author's background you can create an attacker profile and understand their interests. Are they an APT (Advanced Persistent Threat) group, a hacktivist with basic tools and TTPs (tactics, techniques and procedures) or a cybercriminal group? Perform a quick risk assessment because not all alerts are equal in terms of risk and damage. Other factors you can analyze are how recently the publication was made, the price, and the type of data for sale.
The freshness
If we take all the messages on the Dark Web as a whole, only a small number are truly fresh publications. Some databases have been continuously republished for a decade.
The price
Money has always been the main motivation for cybercriminal activity. The price is usually a good indicator of the value, volume, and criticality of the data.
The sales model
The sales model varies from message to message, often depending on the type of data for sale. Generally, there are three sales models: free distribution, for sale to anyone and sale to one buyer only.
The data type
A huge amount of data is sold on the Dark Web, for various different purposes. In this article we're focusing on the most popular and harmful types of data leaks.
Verification
The next step is to verify the find. The main purpose of verification is to make sure that data has really been leaked, and then initiate the incident response procedure accordingly.
Data breaches
Usually, the seller publishes a sample of the data to help potential buyers assess the value of the database on offer. There are cases when the leakage is actually just publicly available data (a fake leak) or an old leak mixed with other data. For the affected organization this helps not only to verify the leak, but also to determine its source.
Accesses
It's straightforward to verify whether an account for sale is a real threat. If someone is selling access, that means they must have gained access. Logical, no? So, in this case, the verification step is essentially incident investigation.
Compromised accounts
Accounts for sale are email addresses and passwords or hashes. Compiling a list of affected users based on
email addresses will facilitate the process of account verification. Since the email addresses are mostly
quite predictable (for example, in companies the domain is usually the company's name, while the first
part is the name and/or surname of the employee), cybercriminals can generate them or obtain them using
public intelligence sources. So, you may encounter invalid email addresses, as well as email addresses
belonging to former employees.
No matter what type of account was leaked, or the current status of the employee, it's important to check
all the accounts careful to identify any leaked ones.
A lot of credentials are stolen using credential stealers and then leaked to the Dark Web. Many malware
stealer logs available on the Dark Web contain not only the account credentials, but also the source of
the leak – the URL string of the resource where the user was authenticated, as well as the date of
compromise and metadata from the user's device. Check if corporate resources are present in the logs. If
you find an account that was leaked from the corporate or internal system, it could indicate that the
corresponding corporate machine was compromised. So, the list of users is not exhaustive; it's necessary
to identify and check all relevant and potentially affected hosts.
Before the next stage of incident investigation, it's essential to communicate with all stakeholders. The main four groups are top management, regulatory authorities (in case of law violation), media and customers.
Top management
To promptly alert top management is a must. The communication should cover all aspects of the incident along with steps proposed and taken to address it.
Media
Once an incident has been confirmed, the subsequent step, following the notification of affected parties such as clients, and the completion of necessary measures to mitigate the risks linked to the data leak, involves preparing a public statement in cooperation with legal and PR departments.
Regulatory authorities
In many cases, according to the legislation, it's necessary to inform the regulatory authorities when an incident is detected.
Customers
In certain situations, it may be necessary to inform clients of compromised accounts. This notification prompts them to take immediate action, such as changing their password and enabling multi-factor authentication.
Containment
When investigating an incident, it's necessary to conduct analysis of the affected IT-systems and
users.
The first crucial question is: how did the data leak happen? The second is: do the cybercriminals still
have access to the affected system?
Data breaches
If there's any uncertainty about the source of the leak, it makes the work of the technical experts much more difficult. So, it's very important to conduct a primary analysis early on in the investigation. Starting out by identifying systems that handled the data makes swift identification of the attack vector that much easier.
Regarding incident investigation, let's look at two typical scenarios – differing in terms of the type of compromise – that are highly likely to occur in practice.
In the first scenario, an attacker compromises the database-driven web application or website. The most common reasons for the leak are outdated software, unpatched CVEs, and weak passwords for the admin panel. For the most part, to prevent recurrence of the incident, it's enough to analyze the affected web server logs and take immediate actions to close the vulnerability.
In the second case, sensitive data becomes available because the infrastructure has been compromised in some way. Data exfiltration can be both the main purpose and also collateral damage – when the leaked database is just the tip of the iceberg.
Accesses
The possibilities of an investigation vary significantly according to information available. If you are 99% sure that your access is for sale and the post contains some details (for example, your company is explicitly mentioned in the post, your SOC detected the relevant malicious activity, and so on), analyzing the logs is a sensible move. For example, if you have an RDP Gateway, analyze the event logs, find the suspicious account, and close the access. In some cases, a company may consider such a reaction unnecessary. Of course, there's a possibility that you'll be spending time and resources on investigating a nonexistent threat. But if it does exist, responding rapidly means preventing an attack.
Compromised accounts
From the perspective of incident investigation let's divide the compromised accounts into 2 categories:
- Compromised accounts found in public leaks and/or leaked from personal devices.
- Compromised accounts leaked from corporate devices.
In both cases it's important to check the validity of the accounts. If the account is confirmed as valid, conduct analysis of the affected IT-systems and users' behavior in order to find suspicious events.
If someone used a corporate email address for personal use and it leaked from a third-party resource, this is a question of adherence to security policies.
In case a user account was compromised internally, for example, via infostealer, the corporate device might be infected and the incident could become a serious complication. This is because the credentials could be for a domain user account, making highly sensitive information available for potential attackers.
When it comes to accounts, "age" doesn't matter – overlooking old accounts is a mistake. Old accounts can pose a threat because the password may not have been changed, or may have been repeated. Besides, if an account was compromised via infostealer, the user device could still be infected, so attackers can obtain up-to-date passwords even if the user changes them. It is crucial to have robust endpoint protection in place. This security measure plays a vital role in eliminating attacks across all possible vectors.
Sometimes, conducting a full incident investigation is impossible for an internal team – it's a time-consuming process, requiring not only resources but also the relevant competence and experience. In this case, it's recommended to engage qualified industry experts.
Eradication & recovery
The exact actions in the eradication and recovery steps depend on the type of the threat. You need to find the root cause of the incident and return affected systems back into business operation. The following are possible steps to restore the system to a functional state.
Accesses
- Limit remote access to the compromised systems
- Lock the compromised accounts
- Eliminate the presence of the attacker in the infrastructure
Data breaches
- Eliminate the vulnerabilities
- Change passwords for the affected accounts and systems
- Eliminate the presence of the attacker in the infrastructure
Compromised accounts
- Change passwords for the compromised accounts
- Notify any potentially compromised employees and ask them to change their leaked passwords on third-party resources
- Ensure that no suspicious activities connected to these accounts took place
- Enforce a strict password policy
- Perform a full antivirus check of the affected corporate devices and machines using an endpoint protection product
Should I pay for the data?
Demands for ransom raise another sensitive question. Should you pay the cybercriminals to try and keep the data safe? We always recommend not paying the cybercriminals.
Studies indicate that giving in to ransomware demands does not guarantee that your files will be returned. In fact, 20% of individuals who paid the ransom did not get their files back. For businesses, too, paying the ransom does not ensure the secure and reliable return of files. Criminals who have already infected your computer with harmful malware and stolen your files are unlikely to act with integrity after receiving their payment. Furthermore, paying ransoms only motivates cybercriminals to continue their activities, resulting in production of more malware and greater difficulties for everyone.
Communication
At the end of incident investigation and response, the question remains: how to communicate with the media and customers?
If notified promptly, potentially affected clients of the company-victim can safeguard their accounts and prevent further compromise by changing their password and enabling multi-factor authentication. It's worth noting that in some cases, having an antivirus installed on the device is still necessary, as certain types of malware can steal newly changed passwords.
Fines from regulators and unpleasant headlines might make you want to stay quiet. The increased attention of regulators and tougher penalties means financial damage as the result of a breach is becoming a more tangible threat year on year. In 2022, the company Didi Global received one of the biggest data privacy fines ever, a scorching $1.2 billion. Smaller fines could still be significant for smaller companies. At the same time, the media is watching cyber-incidents closely and presenting them to the public.
These financial, regulatory and reputational risks may hurt, but it's better to be the first to declare. Proper communication shows how serious you are about the breach and protecting stakeholders.
Should I inform customers about the leak?
We believe that communication is very important in case of a data leak. It's about informing all concerned parties, including customers, partners, and legislative bodies.
My company was not mentioned on the Dark Web, am I safe?
The simple answer is no – sooner or later, your company's name will appear on the Dark Web, as the merciless statistics show. Even if you can't find any direct mentions of your company, there's still the possibility of finding a related threat in some corner of the dark web. For example, access data may be sold without mentioning the brand, or there may be the threat of leaked data of counterparties or compromised employee credentials.
It's challenging to monitor cyberthreats on daily basis, but there's a big chance that your sensitive business data is out there somewhere. From this perspective, threat intelligence has become a must in today's world, in order to keep track of leaks in a real-time. In the end, Dark Web monitoring will become a valuable source of threat detection for your team.
Consider Dark Web monitoring as a part of your cybersecurity defense before you have to face such incidents. Set up a monitoring procedure and assign it to your SOC or joint teams to carry out on a continuous basis. Full procedures and playbooks adapted for the SOC are available in our Incident Response Playbook.
Incident Response Guideline
This guideline provides steps for successfully dealing with three common Dark Web threats: breaches, sale of access and sale of compromised accounts
Disclaimer:
It's essential for companies to consult with legal experts and adhere to the laws and regulations applicable in their region to ensure that their dark web monitoring activities are legal and ethical. Additionally, transparent and ethical practices should guide their approach to cybersecurity and data protection. If you encounter any difficulties with a step, don't hesitate to reach out to experts specializing in Dark Web threats and incident response. You can continue progressing through the steps, but it's important to remember that seeking their assistance can help you address the threat more effectively.
Has your company been mentioned on the Dark Web?
Can you identify the origin of the mention?
How to do it:
1) Try different approaches for accessing various Dark Web sources:
- Deploy infrastructure for accessing Dark Web resources and hiding your origin (for example, VPN).
- If the source requires registration, you might consider creating an account specialized for intelligence purposes. Some sources may require special software to access, like the Tor browser or a particular messenger.
2) Search for all the mentions:
- If there are many posts with the same content, the initial mention should be your top priority to analyze.
- Cybercriminals have many resources at their disposal to advertise the leak. Other members of the community can also re-share it. Consider creating a full lists of mentions for additional analysis.
Is it possible to create an attacker profile?
How to do it:
1) Evaluate the perpetrator’s (author of the post in the Dark Web) level of experience:
- Rating. Look for the date they registered or their forum rating (are they a new or experienced user?).
- Former activity. Search for previous messages/posts by the author.
- Participation on other forums. Search for users with the same username on other forums and Dark Web resources.
- Community gratitude. Observe how other members have expressed thanks or complaints to this perpetrator.
2) Analyze the threads the user normally participates in. Does the message/post relate to their main area of interest?
3) Search for the perpetrator’s “successful” activity:
- Is it possible to find out what happened with previous offers? Try to find any evidence that the user has made any successful deals.
- Have the offers received any kind of attention from the community? View reactions and comments from other forum members.
Can you estimate the risk posed by the announcement?
How to do it:
1) Check the date of the offer. How long has it been available on the underground resource? Is it a new offer or an old one?
2) Check the newness. Sometimes cybercriminals republish old breaches, presenting them as fresh new breach. Search for topic matches in old posts and messages.
3) Check the content of the breached data. Analyze the price, value, and volume of compromised data, the format offered, and so on.
4) Check the deal conditions. Is the offer free or for sale? Is it for sale to anyone or to one buyer only?
Identify the threat type
Can you verify the data breach?
How to do it:
1) Check the data samples that the attacker has provided for proof that they really have data worth paying for. The samples could be part of the advertisement or published separately on request (for example, in the comments section).
Before opening any files downloaded from the dark web, it's crucial to exercise caution and scan them with an antivirus program. It's also recommended to run them in an isolated environment for added security.
2) Analyze all the information available in the message: the exact source of the breach, the date of compromise, the data format, and other proofs of data authenticity.
3) Compare the information collected from the advertisement with the real data you have. Does your company work with such data? Does your company have a system/service that operates with this information?
Can you scope the breach?
How to do it:
1) Identify the initial access point that was used to compromise the system. Did the attacker leverage a database connected with the website, or an internal database management system with a comprehensive set of data on corporate employees and operations?
2) Perform a detailed inspection of the system that you suspect has been compromised. Analyze available log files to reconstruct the attack chain and ensure that other systems are not compromised.
3) If necessary, extend the scope of the analysis.
4) Identify the amount of data which may have been compromised. The author can only be selling a small portion of the obtained data.
Have you already mitigated the effects of the breach?
How to do it:
1) Notify company management and all concerned stakeholders, including customers, partners and regulators. Notify law enforcement bodies in accordance with the local legal requirements for reporting incidents, especially if the breach exposed customer data.
2) Depending on the initial vector, eliminate the cause of the breach to prevent similar attacks in the future:
- Fix any vulnerabilities found
- Disable accounts if the attacker gained access using actual credentials
- Ensure that all the latest patches are installed
3) If forensic analysis is required, isolate the system containing the breached data.
Have you carried out the remediation and lessons learned stages?
How to do it:
1) Conduct root-cause analysis. Ensure that you apply all possible methods to prevent the incident from happening again.
2) Analyze whether your current threat model is relevant. Review your current procedures and policies and compliance with security controls.
3) Analyze your current prevention measures, such as intrusion detection systems, antimalware solutions.
4) Review accesses and rights.
5) Eliminate vulnerabilities.
6) Change passwords for affected accounts and systems and enforce a strict password policy.
7) Monitor network traffic to detect if an attacker attempts to initiate connection again.
8) Continue monitoring the Dark Web to find re-publications of the same breaches on different forums.
9) Implement a program to improve staff awareness in information security, and conduct periodic training to monitor the awareness of each employee.
Can you verify that the access actually belongs to your company?
How to do it:
1) Analyze all the information available in the message. Look for matches in geolocation, annual revenue, and types of systems mentioned; basically, try to verify if the post is about your company.
2) Analyze the type of access on offer, look for matches in tools and contractors.
Can you identify a compromised system?
How to do it:
1) Analyze available log files and try to find signs of unauthorized access to the system.
2) Ensure that there are no other systems affected by an attacker. If necessary, expand the scope of the analysis.
3) If you can't find any evidence of unauthorized access to company resources, but you're sure that the access is related to your company, consider the possibility that it may be insider activity and conduct an investigation.
Have you disabled remote access?
How to do it:
1) Notify employees responsible for the system that you suspect has been compromised.
2) Eliminate the possibility of unauthorized access to infrastructure happening again. Depending on the initial access vector discovered, do the following:
- Fix any vulnerabilities found
- Disable accounts if the intruder gained access using known credentials
- Ensure that all the latest patches are installed
Have you investigated any actions performed through remote access?
How to do it:
Analyze available log files and check the activity of the account. Did the user successfully reach corporate resources? Did the user have the possibility to copy/delete/download information?
Have you carried out the remediation and lessons learned stages?
How to do it:
1) Conduct root-cause analysis. Ensure that you apply all possible methods to prevent the incident from happening again.
2) Analyze whether your current threat model is relevant. Review your current procedures and policies and compliance with security controls.
3) Analyze your current prevention measures, such as intrusion detection systems, antimalware solutions.
4) Review accesses and rights.
5) Eliminate vulnerabilities.
6) Change passwords for affected accounts and systems and enforce a strict password policy.
7) Monitor network traffic to detect if an attacker attempts to initiate connection again.
8) Continue monitoring the Dark Web to find re-publications of the same breaches on different forums.
9) Implement a program to improve staff awareness in information security, and conduct periodic training to monitor the awareness of each employee.
Can you identify which account(s) were breached and put for sale on the Dark Web?
How to do it:
1) Create a list of all breached email addresses and categorize them as follows:
- If the account has an email address on the corporate email domain, mark it as "Employee account".
- If the account has an email address on a third-party email domain, mark it as a "Corporate resource user". This can be a partner/client or contractor account.
- If the account has a login without an email domain, check that it is not a domain user account or an administrator or service account. If you find such an account, mark it as "Domain or service account".
- Other accounts can be considered partner/customer accounts.
2) Check that users with such usernames really exist and have not been bruteforced. If you have additional information, such as the URL or resource where the user was authenticated, you can ask the owner of the resource to verify the existence of the email address or login.
It's a good idea to optimize the checking process by categorizing the accounts by type and priority.
Can you confirm the account breach?
How to do it:
1) Check the validity of passwords for corporate/domain/service accounts. Since the breach could have happened at any time in the past, it's important to review not only new passwords, but old ones too.
2) As it's usually not possible to check the validity of user accounts, you should assume that they are valid.
3) Prioritize accounts for further investigation. If you find a valid account, take immediate actions to disable it.
Is the account still valid?
How to do it:
1) Change the passwords of the compromised accounts and notify the account owners. If the compromised account belongs to an employee, ask them to change the password or use the identity and access management system to force the password change.
2) Consider disabling compromised accounts until the password is changed.
3) Advise account owners to change their passwords on other/third-party resources, if they use the same passwords for different resources.
Have you investigated the account breach?
How to do it:
Using the information available, try to identify the source of the breach.
If it is a leaked database:
- Check these accounts for associated suspicious activity. If such activity is detected, investigate further.
If the source of the leak is credential stealers/malware infection:
- Perform a full antivirus scan of affected personal/corporate devices and machines using an endpoint protection product.
- Check these accounts for associated suspicious activity. If such activity is detected, investigate further.
Have you carried out the remediation and lessons learned stages?
How to do it:
1) Conduct root-cause analysis. Ensure that you apply all possible methods to prevent the incident from happening again.
2) Analyze whether your current threat model is relevant. Review your current procedures and policies and compliance with security controls.
3) Analyze your current prevention measures, such as intrusion detection systems, antimalware solutions.
4) Review accesses and rights.
5) Eliminate vulnerabilities.
6) Change passwords for affected accounts and systems and enforce a strict password policy.
7) Monitor network traffic to detect if an attacker attempts to initiate connection again.
8) Continue monitoring the Dark Web to find re-publications of the same breaches on different forums.
9) Implement a program to improve staff awareness in information security, and conduct periodic training to monitor the awareness of each employee.
Without continuous monitoring of the Dark Web, cybercriminals’ discussions involving the company’s brand may go unnoticed. The first step in this case would be to implement Dark Web monitoring on a constant basis.
- For a data breach: Monitor mentions of the company’s names and main domains.
Cybercriminals usually mention the official or shorter name of the company, abbreviations, or the main domain.
- For sale of access: Monitor sales of access by the company’s geolocation and industry.
Cybercriminals prefer not to mention the company’s name in the offer, so as not to lose the access. There are attributes which the cybercriminals usually put in the message such as the company’s geographic location, industry, size and annual revenue.
- For compromised accounts: Monitor new account leakages based on mentions of corporate email domains or corporate resources.
Sensitive accounts can be found on internal resources (such as local or internal IP addresses). Use AD domain as keyword to increase surface of search.
Incident Response Playbook: Dark Web Breaches
Get full procedures and playbooks adapted for the SOC. Create new playbooks or adjust an existing playbook collection to smoothly integrate Dark Web threat response into your SOC response portfolio. Train your team in advance to handle such cases and be prepared. Add these exercises to your Tabletop Exercise (TTX) or drills program.