
What to do if your company was mentioned on the Dark Web?

Data breaches have become a pervasive threat to businesses of all sizes, with cybercriminals constantly finding new ways to steal sensitive information. In recent years, high-profile data breaches have made headlines and caused lasting reputational damage for the affected companies. A statistical overview of the data breach problem and of cybercriminal activity on the Dark Web is provided on Kaspersky’s Securelist.com. In this article, we provide insights into how businesses should handle Dark Web mentions and the steps they can take to mitigate the impact of such incidents.

Incident Response Guideline

This guideline provides steps for dealing with three common Dark Web threats: data breaches, sale of access to corporate infrastructure, and sale of compromised accounts.

Disclaimer:

It's essential for companies to consult with legal experts and adhere to the laws and regulations applicable in their region to ensure that their dark web monitoring activities are legal and ethical. Additionally, transparent and ethical practices should guide their approach to cybersecurity and data protection. If you encounter any difficulties with a step, don't hesitate to reach out to experts specializing in Dark Web threats and incident response. You can continue progressing through the steps, but it's important to remember that seeking their assistance can help you address the threat more effectively.

Has your company been mentioned on the Dark Web?


Identify the threat type


Can you verify that the access on offer actually belongs to your company?

How to do it:

1) Analyze all the information available in the message. Sellers rarely name the victim, so look for matches with your company's geolocation, industry, annual revenue, headcount and the types of systems mentioned; in short, try to establish whether the post is about your company.

2) Analyze the type of access on offer (for example a VPN, RDP or Citrix login) and check it against the remote-access tools your company actually exposes and the contractors who hold such access. An offer for a technology you do not use is a strong signal that the post concerns someone else.


Can you identify which account(s) were breached and put for sale on the Dark Web?

How to do it:

1) Create a list of all breached logins and categorize them as follows:

  • If the login is an email address on a corporate email domain, mark it as "Employee account".
  • If the login is an email address on a third-party email domain, mark it as "Corporate resource user". This can be a partner, client or contractor account.
  • If the login has no email domain, check whether it is a domain user, an administrator or a service account (for example a DOMAIN\user login, a machine account ending in "$", or a name such as svc_backup). If so, mark it as "Domain or service account".
  • All other logins can be considered partner/customer accounts.

2) Check that users with these usernames really exist, rather than having been guessed or generated by a brute-force tool: compare corporate logins against your directory export. If you have additional information, such as the URL or resource on which the user authenticated, ask the owner of that resource to verify that the email address or login exists.

It's a good idea to optimize the checking process by categorizing the accounts by type and priority: domain and service accounts first, then employee accounts, then third-party users of corporate resources, then partner/customer accounts.
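The triage described in the steps above, as an added example that is not part of the original article: it parses a constructed credential dump in the url:login:password layout, applies the four categories, confirms corporate logins against a directory export, flags logins captured on internal resources and orders the result by priority. The domain names, account names, dump lines and the privileged-name patterns are assumptions for the illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlparse

# Company data assumed for this example (invented values).
CORP_EMAIL_DOMAINS = {"example.com"}      # corporate mail domains
AD_NETBIOS_NAMES = {"EXAMPLE"}            # prefix seen in DOMAIN\user logins
# Directory export used to confirm that a leaked username really exists.
KNOWN_ACCOUNTS = {
    "j.doe@example.com",
    "m.lee@example.com",
    "svc_backup",
    r"EXAMPLE\administrator",
}
# Naming patterns that usually mean a service or administrative account (assumed).
PRIVILEGED_LOGIN = re.compile(r"^(svc[_-]|sa[_-]|.*admin|root$|.*\$$)", re.IGNORECASE)

CATEGORY_PRIORITY = {
    "Domain or service account": 1,
    "Employee account": 2,
    "Corporate resource user": 3,
    "Partner/customer account": 4,
}

# Constructed sample in the url:login:password layout common in credential dumps.
SAMPLE_DUMP = r"""
https://mail.example.com:j.doe@example.com:Winter2023!
https://portal.example.com/login:partner.smith@partnerco.net:Pa55word
https://10.20.30.40/admin:svc_backup:backup123
https://crm.example.com:alice@gmail.com:qwerty
https://vpn.example.com:EXAMPLE\administrator:Admin!234
https://vpn.example.com:ghost.user@example.com:hunter2
https://shop.example.com:customer4521:letmein
"""


def parse_dump(text):
    """Split url:login:password lines. The URL itself contains ':', so split from
    the right; passwords containing ':' would need a different layout."""
    records = []
    for line in text.strip().splitlines():
        try:
            url, login, password = line.rsplit(":", 2)
        except ValueError:
            continue  # malformed line, skip it
        records.append({"url": url, "login": login, "password": password})
    return records


def is_internal_resource(url):
    """True if the host is a private IP or an unqualified/internal hostname."""
    host = urlparse(url).hostname or ""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return "." not in host or host.endswith((".local", ".internal", ".lan"))


def classify_login(login):
    """Apply the guideline's four categories to one leaked login."""
    if "@" in login:
        domain = login.rsplit("@", 1)[1].lower()
        return "Employee account" if domain in CORP_EMAIL_DOMAINS else "Corporate resource user"
    # No mail domain: DOMAIN\user logins, machine accounts (name$) and admin/service names
    netbios = login.split("\\", 1)[0].upper() if "\\" in login else None
    if netbios in AD_NETBIOS_NAMES or PRIVILEGED_LOGIN.match(login):
        return "Domain or service account"
    return "Partner/customer account"


def triage(records, known_accounts=KNOWN_ACCOUNTS):
    """Categorise, verify existence, flag internal resources and sort by priority."""
    known = {a.lower() for a in known_accounts}
    rows = []
    for r in records:
        category = classify_login(r["login"])
        if category in ("Employee account", "Domain or service account"):
            verified = r["login"].lower() in known   # False => possibly guessed/bruteforced
        else:
            verified = None                          # ask the resource or partner owner instead
        rows.append({**r, "category": category, "verified": verified,
                     "internal_resource": is_internal_resource(r["url"])})
    # Highest-priority category first; unconfirmed corporate logins after confirmed ones
    rows.sort(key=lambda x: (CATEGORY_PRIORITY[x["category"]], x["verified"] is False))
    return rows


def summarize(rows):
    """Counts per category plus the number of corporate logins that could not be confirmed."""
    counts = Counter(r["category"] for r in rows)
    counts["unverified corporate logins"] = sum(1 for r in rows if r["verified"] is False)
    return counts


if __name__ == "__main__":
    triaged = triage(parse_dump(SAMPLE_DUMP))
    for row in triaged:
        print(row["category"], row["login"], "verified=%s" % row["verified"],
              "internal=%s" % row["internal_resource"])
    print(summarize(triaged))
```

The unverified employee login (ghost.user) is kept in the list but sorted after the confirmed one: it still needs a check with the resource owner, but a login that does not exist in the directory is more likely to be a guessed or recycled credential than a live leak.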


Without continuous monitoring of the Dark Web, cybercriminals’ discussions involving the company’s brand may go unnoticed. The first step in this case is to implement Dark Web monitoring on a permanent basis, with keywords chosen per threat type.

  • For a data breach: Monitor mentions of the company’s names and main domains.

Cybercriminals usually mention the official or shorter name of the company, abbreviations, or the main domain.

  • For sale of access: Monitor sales of access by the company’s geolocation and industry.

Cybercriminals prefer not to mention the company’s name in the offer, so as not to lose the access before it is sold. Instead, the message usually carries attributes such as the company’s geographic location, industry, size (number of employees) and annual revenue, together with the type of access on offer.

  • For compromised accounts: Monitor new account leakages based on mentions of corporate email domains or corporate resources.

Sensitive accounts can also be found in leaks from internal resources (such as local or internal IP addresses). Use the Active Directory domain name as an additional keyword (for example the DOMAIN\user prefix) to widen the search.
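A keyword-and-attribute matcher covering both the verification step for access offers described earlier and the monitoring rules above, as an added example that is not part of the original article. It runs a company profile against a few constructed forum listings: direct mentions of names, abbreviations, mail domains or the AD domain are actionable at once, while an unnamed access offer is escalated only when enough of the seller's attributes (location, industry, revenue, headcount, access type) line up with the profile. The company profile, the listings and the country/industry/access-type word lists are assumptions for the illustration.

```python
import re

# Company profile assumed for this example (all values invented).
PROFILE = {
    "names": ["Example Corp", "ExampleCorp", "EXC"],     # official name, short name, abbreviation
    "domains": ["example.com", "example-corp.net"],
    "ad_domain": "EXAMPLE",                              # NetBIOS name seen as EXAMPLE\user
    "country": "usa",
    "industry": "manufacturing",
    "revenue_usd": 450_000_000,
    "employees": 2500,
    "remote_access": ["vpn", "citrix"],                  # what the company actually exposes
}

# Constructed forum listings in the style sellers use (all invented).
POSTS = [
    {"id": "p1", "text": "Selling full DB of ExampleCorp customers, 1.2M rows, emails+hashes. Escrow ok."},
    {"id": "p2", "text": "VPN access, USA, manufacturing company, revenue $450M, 2500 employees. Domain user, no AV. Price 3k."},
    {"id": "p3", "text": "Citrix access, Germany, logistics, rev 60M euro, 700 employees."},
    {"id": "p4", "text": "fresh logs: 35 creds for example.com + EXAMPLE\\jsmith domain creds, vpn.example.com"},
    {"id": "p5", "text": "Selling access to retail company in USA, 50 employees, RDP."},
]

# Small vocabularies (assumed); a real deployment would use fuller lists.
COUNTRIES = r"\b(usa|united states|germany|uk|france|brazil|india)\b"
INDUSTRIES = r"\b(manufacturing|logistics|retail|healthcare|finance|energy|education)\b"
ACCESS_TYPES = r"\b(vpn|rdp|citrix|vnc|webshell|domain admin|domain user)\b"
MULT = {"k": 1_000, "m": 1_000_000, "b": 1_000_000_000}


def keyword_hits(text, profile=PROFILE):
    """Direct mentions: company names/abbreviations, mail domains, AD NetBIOS name."""
    patterns = []
    for kw in profile["names"] + profile["domains"]:
        # word-ish boundaries so "EXC" does not fire inside "excellent"; a leading
        # "." is allowed so subdomains such as vpn.example.com still count
        patterns.append((kw, r"(?<![\w-])" + re.escape(kw) + r"(?![\w-])"))
    ad = profile["ad_domain"]
    patterns.append((ad + "\\", r"(?<![\w-])" + re.escape(ad) + r"\\"))  # EXAMPLE\user
    return sorted(kw for kw, pat in patterns if re.search(pat, text, re.IGNORECASE))


def access_offer_attributes(text):
    """Attributes sellers give instead of a name. Currency is ignored and
    numbers are taken as written (sellers round and estimate)."""
    t = text.lower()
    attrs = {}
    if m := re.search(COUNTRIES, t):
        attrs["country"] = m.group(1)
    if m := re.search(INDUSTRIES, t):
        attrs["industry"] = m.group(1)
    if m := re.search(r"\b(?:revenue|rev)\D{0,12}?\$?\s*(\d+(?:\.\d+)?)\s*([kmb])\b", t):
        attrs["revenue_usd"] = int(float(m.group(1)) * MULT[m.group(2)])
    if m := re.search(r"(\d[\d,]*)\s*(?:employees|staff)\b", t):
        attrs["employees"] = int(m.group(1).replace(",", ""))
    attrs["access_types"] = re.findall(ACCESS_TYPES, t)
    return attrs


def within(value, expected, tolerance):
    return value is not None and abs(value - expected) <= tolerance * expected


def attribute_matches(attrs, profile=PROFILE, tolerance=0.25):
    """Seller attributes consistent with the profile; revenue and headcount are
    compared within a tolerance, and the access type against what we expose."""
    matched = []
    if attrs.get("country") == profile["country"]:
        matched.append("country")
    if attrs.get("industry") == profile["industry"]:
        matched.append("industry")
    if within(attrs.get("revenue_usd"), profile["revenue_usd"], tolerance):
        matched.append("revenue")
    if within(attrs.get("employees"), profile["employees"], tolerance):
        matched.append("employees")
    if set(attrs["access_types"]) & set(profile["remote_access"]):
        matched.append("access_type")
    return matched


def assess_post(post, profile=PROFILE):
    """Triage one listing: direct mention > likely access offer > weak > no match."""
    hits = keyword_hits(post["text"], profile)
    matched = attribute_matches(access_offer_attributes(post["text"]), profile)
    if hits:
        verdict = "direct mention"
    elif len(matched) >= 3:
        verdict = "likely access offer"   # next step: check tools and contractors
    elif matched:
        verdict = "weak match"            # keep watching, do not escalate yet
    else:
        verdict = "no match"
    return {"id": post["id"], "direct_hits": hits, "attribute_matches": matched, "verdict": verdict}


def monitor(posts=POSTS, profile=PROFILE):
    return [assess_post(p, profile) for p in posts]


if __name__ == "__main__":
    for result in monitor():
        print(result)
```

Note that p5 shares the country with the profile but nothing else, so it stays a weak match; raising the threshold or weighting industry and revenue higher is the usual tuning once the alert volume from a real feed is known.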

Incident Response Playbook: Dark Web Breaches

Get full procedures and playbooks adapted for the SOC. Create new playbooks, or adjust an existing playbook collection, to integrate Dark Web threat response into your SOC response portfolio. Train your team in advance to handle such cases so that they are prepared, and add these scenarios to your Tabletop Exercise (TTX) or drills program.