
Leveraging Dark Web Intel to Light Up Your Cyber Defenses

Anonymity and low visibility make the dark web a critical source of early-warning intelligence.


Most security programs are built around the perimeter: patch vulnerable systems, secure endpoints, and train the workforce. That work is necessary, but it is not sufficient.

Organizations that do not also watch the places where criminals trade stolen data and brag about their intrusions, namely the dark web, miss key early warning signals.

The dark web is the part of the internet that is not indexed by search engines and is commonly reached through anonymizing tools such as Tor. The technology itself is legal and is used by everyone from journalists to political dissidents to protect their privacy, but it also shelters criminal marketplaces, leak sites and forums where ransomware gangs operate.

For security teams, that same anonymity and low visibility make the dark web a critical source of early-warning intelligence about stolen data, upcoming ransomware campaigns and the brokering of illegal network access.

Monitor Data Everywhere

In practice, dark web intelligence means using threat intelligence tools and services to continuously scan illicit marketplaces, forums and leak sites for company names, email domains or other unique identifiers. Early detection gives security teams time to roll out password resets, notify affected parties and contain the source of the leak before attackers can weaponize the information.

Credential dumps posted on dark web forums, such as the RockYou2021 compilation, are routinely fed into large-scale credential stuffing attacks against enterprise portals and third-party integrations.

Executive leadership is a target in its own right. If, for example, the last four digits of a CEO’s SSN start circulating on hacker forums, that is a major red flag. Cybercriminals trade and share “fullz” (full identity packages) that bundle SSNs, addresses and birth dates of high-profile individuals.

Organizations should therefore use dark web intelligence to monitor for leaked PII belonging to leadership. Following any discovery, security teams should alert the executive at risk, step up identity protection measures and investigate internally how the information leaked.

This is not a typical IT security task like patching a server; it is a dark web intelligence step that preempts targeted attacks such as executive impersonation or blackmail. Monitoring of this kind goes beyond standard perimeter security: it hunts for signs that key data is already in criminals’ hands.
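As an added illustration of the watchlist matching this section describes (example code written for this edit, not a SOCRadar tool or the author’s own), the Python below scans constructed sample records for an organization’s email domain and for executive PII. The domain `example-corp.com`, the executive name and the SSN digits are all made up. The executive check carries the caveat a practitioner would insist on: four digits on their own appear everywhere, so a record only alerts when the name and the expected digits occur together.

```python
import re
from dataclasses import dataclass

# Constructed records in the shapes seen in credential combo lists and
# "fullz" posts. None of these are real accounts or real people.
SAMPLE_RECORDS = [
    "j.doe@example-corp.com:Winter2023!",
    "JANE.ROE@Example-Corp.com:Passw0rd",
    "someone@unrelated.net:hunter2",
    "partner-login@vendor.example:letmein",
    "FULLZ | Name: Alex Chen | DOB: 1971-04-02 | SSN: ***-**-4821 | Addr: 10 Main St",
    "SSN ending 4821 found on invoice",   # digits alone: must NOT alert
]

# Hypothetical watchlist: the organization's own email domains and, for
# each executive, the last four SSN digits the team is prepared to match on.
WATCHED_DOMAINS = {"example-corp.com"}
WATCHED_EXECUTIVES = {"Alex Chen": "4821"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
LAST4_RE = re.compile(r"(?<!\d)\d{4}(?!\d)")   # exactly four digits, not part of a longer run


@dataclass(frozen=True)
class Finding:
    kind: str      # "credential" or "executive_pii"
    subject: str   # account or person concerned
    evidence: str  # the matching record (redact before circulating)
    action: str    # the response step the article recommends


def owned_domain(email: str, domains: set) -> bool:
    """True if the address belongs to one of our domains or a subdomain of one.
    Dumps mix upper and lower case freely, so compare case-insensitively."""
    domain = email.rsplit("@", 1)[1].lower()
    return any(domain == d or domain.endswith("." + d) for d in domains)


def credential_findings(record: str, domains: set) -> list:
    """Every email on one of our domains found in the record."""
    return [
        Finding("credential", email.lower(), record,
                "force password reset; check the same password on VPN and SSO")
        for email in EMAIL_RE.findall(record)
        if owned_domain(email, domains)
    ]


def executive_findings(record: str, executives: dict) -> list:
    """Alert only when an executive's name AND the expected last four digits
    occur in the same record. Four digits by themselves are too common to
    act on; requiring the name keeps false positives manageable."""
    text = " ".join(record.split()).lower()
    digits = set(LAST4_RE.findall(record))
    return [
        Finding("executive_pii", name, record,
                "notify the executive; raise identity-protection measures; investigate the leak path")
        for name, last4 in executives.items()
        if name.lower() in text and last4 in digits
    ]


def scan(records, domains, executives) -> list:
    """Run both checks over every record, preserving record order."""
    findings = []
    for record in records:
        findings.extend(credential_findings(record, domains))
        findings.extend(executive_findings(record, executives))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS, WATCHED_DOMAINS, WATCHED_EXECUTIVES):
        print(f"[{f.kind}] {f.subject}: {f.action}")
```

Run against the sample, the two `example-corp.com` accounts are flagged for reset (the mixed-case address is normalized), the fullz record alerts on the executive, and the bare “4821” line is ignored. Real feeds are far noisier; the same structure applies, with the watchlist loaded from an asset inventory rather than hard-coded.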

Track Initial Access Brokers

Security teams should also keep tabs on the marketplaces where Initial Access Brokers (IABs) operate. IABs are criminals who specialize in breaking into corporate networks and then selling that access to others on underground forums. IAB marketplaces feed the Ransomware-as-a-Service (RaaS) ecosystem; major ransomware gangs such as Conti, LockBit and BlackCat are known to purchase access from IABs.

By routinely scanning dark web marketplaces for access offers that could describe their own organization (sector, country, revenue band, type of access), teams know when to move to high alert and open an investigation. That typically means auditing every remote access point (VPN, RDP and the like) for signs of compromise and checking whether any credentials were recently stolen. Even when no direct sale of the company’s network turns up, monitoring IAB forums reveals the tactics criminals use to break in.

Essentially, knowing what is being sold on the dark web helps teams shore up entry points before the same technique is tried on them. The key is to look proactively at how attackers are targeting similar companies and adjust accordingly.

Watch Ransomware Leak Sites

Ransomware groups have become notorious for using the dark web to publicize their crimes. Many gangs run “leak sites” where they list victims and publish stolen data if the victim does not pay. Security teams should make a habit of monitoring these sites, for three reasons:

  1. Several successive hits against organizations in one sector signal active targeting; companies in that sector should go on high alert.
  2. If a partner, supplier or competitor appears, the organization has immediate cause to check any shared data flows and integrations.
  3. Criminals sometimes discuss upcoming targets or share insider tips about companies. Keeping an ear to the ground in those spaces can give early indication of who a gang will attack next.

The goal is to not be the last to know. Any signal that an organization is at risk should be used to reinforce defenses ahead of a direct attack: anticipate the hit by studying the adversary’s playbook in real time.
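The first two reasons above lend themselves to automation. The following Python, added here as an example and not part of the original article or any vendor’s product, clusters leak-site postings by sector within a sliding time window and matches victim names against a partner and supplier list. The postings, gang names, victim names and sector labels are constructed for the example; the 14-day window and three-victim threshold are arbitrary tuning values.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed leak-site postings: (date posted, gang, victim as named on the
# site, sector as tagged by the analyst). All names are made up.
POSTINGS = [
    ("2024-03-01", "GangA", "Northfield Valve Co.", "industrial manufacturing"),
    ("2024-03-04", "GangB", "Acme Bearings Inc", "industrial manufacturing"),
    ("2024-03-06", "GangA", "Lakeside Hospital", "healthcare"),
    ("2024-03-09", "GangC", "Pinecrest Gears LLC", "industrial manufacturing"),
    ("2024-04-20", "GangB", "Riverton Pumps", "industrial manufacturing"),
]

# Hypothetical list of partners and suppliers whose appearance should trigger
# a review of shared data flows.
THIRD_PARTIES = {"Acme Bearings", "Summit Logistics"}

# Corporate suffixes that leak sites include or omit inconsistently.
SUFFIXES = {"inc", "co", "corp", "llc", "ltd", "plc", "gmbh", "ag", "sa"}


def sector_alerts(postings, window_days=14, threshold=3) -> dict:
    """Sectors with at least `threshold` victims inside any `window_days`
    span, mapped to the largest such count. Uses a two-pointer sliding
    window over each sector's sorted posting dates."""
    by_sector = defaultdict(list)
    for posted, _gang, _victim, sector in postings:
        by_sector[sector].append(date.fromisoformat(posted))
    window = timedelta(days=window_days)
    alerts = {}
    for sector, dates in by_sector.items():
        dates.sort()
        start, best = 0, 0
        for end, d in enumerate(dates):
            while d - dates[start] > window:   # drop postings older than the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[sector] = best
    return alerts


def normalize_org(name: str) -> str:
    """Lower-case, strip punctuation and drop trailing corporate suffixes so
    that 'Acme Bearings Inc' and 'ACME Bearings, Inc.' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    while tokens and tokens[-1] in SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def third_party_alerts(postings, third_parties) -> list:
    """(watched name, gang, date) for each posting whose victim normalizes to
    a watched partner or supplier. This is an exact match on normalized
    names; leak sites often abbreviate or misspell, so unmatched postings
    still deserve a human skim."""
    watched = {normalize_org(n): n for n in third_parties}
    hits = []
    for posted, gang, victim, _sector in postings:
        key = normalize_org(victim)
        if key in watched:
            hits.append((watched[key], gang, posted))
    return hits


if __name__ == "__main__":
    print("sector alerts:", sector_alerts(POSTINGS))
    print("third-party hits:", third_party_alerts(POSTINGS, THIRD_PARTIES))
```

On the sample, three manufacturing victims fall within 14 days (the April posting is outside the window and does not count), so that sector is flagged while healthcare, with a single victim, is not; “Acme Bearings Inc” resolves to the watched supplier despite the differing suffix.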

Make Dark Web Intelligence Part of Daily Operations

All of these measures, from leaked-data scans to lurking on criminal forums, go beyond the usual cybersecurity checklist. Perimeter security is a must-have, but it may not reveal a breach until after it has happened.

Dark web intelligence, on the other hand, lets security teams see threats forming in the shadows. It is not only a reactive measure but a key pillar of threat-informed defense and threat modeling. By tapping into it, teams can act at the “pre-attack” stage, protect critical assets and stay a step ahead of threat actors.

Ensar Şeker is CISO at threat intelligence company SOCRadar.
