The dark web is the part of the internet that search engines do not index. Its forums and marketplaces are reachable only through anonymizing overlay networks such as Tor, which makes them a safe haven for attackers and identity thieves. Confident in their anonymity, identity thieves buy and sell victims' personal information on these largely invisible sites, forums, and chat rooms.
The data traded there includes names, phone numbers, email addresses, passwords, credit card numbers, fake domains, phishing pages, and more.
Dark web monitoring services let organizations learn of such leaks and respond (change a password, expire a credit card, notify a user, and so on) as soon as they are notified that their information has been seen on the dark web.
As with any other breach or alert, the key is to identify and respond early, before any major damage is done. This is where DarkOwl comes into play. DarkOwl is a Darknet Intelligence provider offering access to the world's largest dataset of darknet and deep web content. DarkOwl enables organizations to effectively search, monitor, and receive alerts when leaked data appears on the darknet.
Now DarkOwl customers can use SIRP’s security orchestration and automation capabilities to search, investigate and respond to data leaks occurring on the Dark Web.
Organizational and customer information is usually an organization's top privacy concern. With the ever-expanding footprint of digital services, protecting this information and monitoring for possible breaches poses a number of challenges, and the core one is time to respond. For example, if an employee's password has been found on the dark web, what matters is how soon you act: reset that password, or lock the account down and notify the people who need to know.
Security teams can automate dark web monitoring and response by creating playbooks in SIRP. These playbooks alert analysts to possible leaks reported by DarkOwl and then carry out the remedial actions defined for them.
Consider an example where SIRP receives an alert for a BIN (Bank Identification Number) that you are monitoring on DarkOwl. Based on predefined rules, a playbook is executed to check whether the matching data has actually been leaked.
After verifying the data (that the BINs, and the card numbers carrying them, belong to the organization), the playbook is set to:
The entire execution and decision flow of the playbook looks something like this:
Consider an example where SIRP receives an alert for an email address that you are monitoring on DarkOwl.
Based on predefined rules, a playbook is executed to check whether the matching data has actually been leaked. After verifying the data (i.e. that the received data references one of the monitored email addresses), the playbook is set to:
The entire execution and decision flow of the playbook looks something like this:
New domains and subdomains are created as part of the normal operation of the Internet's Domain Name System (DNS). Unfortunately, bad actors commonly use newly created domains for criminal activities such as spam, malware distribution, or botnet command and control (C&C). Attackers often put a new domain to use within minutes of registering it, which makes it difficult to build effective domain-based blocking policies.
Analysts can use a SIRP playbook that pulls domain reputation from DarkOwl to obtain a risk score for a domain, and then uses a cloud-based security policy enforcement tool to block access to it.
Primary functions of the playbook are:
After verifying the data (i.e. checking the “domain score”), the playbook is set to:
If domain score is 3 or lower (i.e. ≤30%):
If domain score is greater than 3 but no more than 6 (i.e. >30% and ≤60%):
If domain score is greater than 6 (i.e. >60%):
Note: DarkOwl calculates the score from multiple factors; a higher score means greater “hackishness” of the domain.
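The two verification steps above (confirming that leaked card numbers really carry a monitored BIN, and that leaked text really references a monitored mailbox) and the score banding are easy to get subtly wrong: a digit run that merely starts with your BIN is not a card, an address that differs only in case is still your address, and the bands must leave no gap at 3 and 6. The following is an added, standalone example of that decision logic; it is not SIRP or DarkOwl code and does not call either product's API. The alert payload, monitored BINs and addresses, the 0 to 10 score scale, and the per-band actions (`allow`, `review`, `block`) are all assumptions for illustration; the page gives the bands but only states that high-scoring domains are blocked.

```python
"""Added illustration of the playbook checks; not SIRP or DarkOwl code.

Assumed: a 0-10 DarkOwl score (3 == 30%), monitored BINs/addresses below,
and the per-band action names. The alert text is constructed sample data.
"""
import re

MONITORED_BINS = {"411111", "453201"}          # assumed: the organisation's card BINs
MONITORED_EMAILS = {"jane.doe@example.com"}    # assumed: a monitored employee mailbox

# Constructed sample of leaked text, as it might arrive in an alert payload.
# Contains: two real cards on monitored BINs, one digit run that shares a BIN
# but fails Luhn, one valid card on a foreign BIN, and two credential pairs.
SAMPLE_LEAK = (
    "fresh dump: 4111111111111111|12/27|123 4532015112830366|05/26|456 "
    "4111111111111112|01/28|999 5555555555554444|09/26|321 "
    "logins: Jane.Doe@Example.com:Winter2024! bob@other.example:hunter2"
)

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects digit runs that merely share a BIN prefix."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def cards_for_monitored_bins(text: str, bins: set[str]) -> list[str]:
    """Luhn-valid PANs whose first six digits are a monitored BIN, in order seen."""
    return [pan for pan in PAN_RE.findall(text) if pan[:6] in bins and luhn_valid(pan)]


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only, so tickets and notifications never carry a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def leaked_monitored_emails(text: str, monitored: set[str]) -> set[str]:
    """Case-insensitive match of addresses in the leak against the monitored list."""
    found = {m.lower() for m in EMAIL_RE.findall(text)}
    return found & {e.lower() for e in monitored}


def domain_score_action(score: float) -> str:
    """Band a 0-10 score as the text describes; the three action names are assumed."""
    if not 0 <= score <= 10:
        raise ValueError(f"score out of range: {score}")
    if score <= 3:        # <=30%: low risk
        return "allow"
    if score <= 6:        # >30% and <=60%: hand to an analyst
        return "review"
    return "block"        # >60%: push to the policy enforcement tool


def triage_alert(alert: dict, bins=MONITORED_BINS, emails=MONITORED_EMAILS) -> list[tuple[str, str]]:
    """Turn one alert into (action, target) pairs; card targets are masked."""
    actions = []
    for pan in cards_for_monitored_bins(alert["content"], bins):
        actions.append(("expire_card", mask_pan(pan)))
    for email in sorted(leaked_monitored_emails(alert["content"], emails)):
        actions.append(("reset_password_and_notify", email))
    for domain, score in alert.get("domains", {}).items():
        actions.append((domain_score_action(score), domain))
    return actions


if __name__ == "__main__":
    sample_alert = {"content": SAMPLE_LEAK,
                    "domains": {"login-update.example": 8, "example.org": 2}}
    for action, target in triage_alert(sample_alert):
        print(f"{action:26} {target}")
```

Note what the sample is built to show: `4111111111111112` starts with a monitored BIN but is dropped by the Luhn check, `5555555555554444` is a real card but on a BIN you do not own, and `Jane.Doe@Example.com` still matches the monitored address after case folding. Only masked PANs ever leave the function, which is what you want in a ticket or a notification email.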
Consider an example where SIRP receives an alert for a domain name that you are monitoring on DarkOwl, or an analyst searches for a domain name manually using SIRP's automation playground. Based on predefined rules, a playbook is executed to take the appropriate response actions.
After verifying the data (i.e. checking the “Information Tag”), the playbook is set to:
If Information Tag contains “Confidential” or “Restricted”:
If Information Tag contains “Internal”:
If Information Tag contains “Public”:
With this type of integration, the time from a dark web alert to its response shrinks dramatically. Analysts can actively monitor the dark web for possible leaks using DarkOwl's monitor and search actions, and enrich their findings with the hundreds of other integrations available in SIRP. Beyond orchestrating and automating dark web monitoring and response, analysts can also correlate this data with what is ingested from other security technologies, as well as with organizational risks, asset importance, threat intelligence, and vulnerabilities.