Fri, Mar 8, 2024
Many organizations focus on addressing the risks within their internal attack surface while overlooking the potential threats created by their external digital footprint on the surface, deep and dark web. This article outlines how companies can significantly mitigate this risk by combining digital risk protection with their detection and response approach.
An effective detection and response capability is essential for monitoring key assets and ensuring that they are comprehensively defended. Traditional detection and response strategies focus on detecting threats as early as possible during an attack, with the aim of containing and eradicating them before they can cause damage. Despite continuous investment in their internal defenses, businesses continue to fall victim to persistent cyberattacks. A common reason is that they neglect their external exposure: the risks created by data, infrastructure and brand references that live on the surface, deep and dark web, outside the reach of internal telemetry.
Organizations have a greater chance of reducing the likelihood and impact of an attack if they can extend their detection efforts into their external digital footprint across the surface, deep and dark web. Companies that use, or intend to use, managed detection and response (MDR) services can benefit by combining them with digital risk protection. Adding external sources to the threat detection and response strategy extends visibility to the earliest stages of an attack (the Reconnaissance and Resource Development tactics) as well as to the post-compromise stages, such as extortion or the sale of stolen IP, as shown in Figure 1.
Figure 1: Digital risk protection provides additional coverage of adversary tactics before and after a compromise.
Digital risk protection is a branch of threat intelligence that provides pre- and post-compromise visibility by continuously monitoring the surface, deep and dark web for potential signs of targeted attacks or existing data leakage on parts of the web that are hidden from search engines, unindexed or obfuscated in closed communities.
Pre-compromise, being armed with this type of intelligence can help security teams enhance their defenses on the basis of greater clarity on exactly who is planning to attack the organization and how they plan to do it.
Post-compromise, this insight can provide security teams with early signs of a breach and enable them to take necessary action to limit its potential impact.
Digital risk protection also helps to protect brand reputation by scanning the surface web for brand misuse, impersonation and domain spoofing that could lead to threats against employees, customers and suppliers.
With the deep and dark web estimated to make up approximately 96% of the internet, in content that is unindexed, obscured or intentionally difficult to find, it is no surprise that cybercriminals constantly take advantage of it to plan their attacks or to sell stolen information on to other threat actors for further compromise. Dark web monitoring can play an important role in addressing the risk this creates for organizations.
Dark web monitoring provides a proactive, intelligence-driven approach for gauging exposure and defending against threats both before and after compromise. It works in three ways:
Gaining this information after the merger or acquisition has been completed can also help to ensure that vulnerabilities or exposures are not inherited and that defenses are updated if an exposure or data leakage has occurred.
Figure 2: Russian Market is a marketplace where actors can buy listings that contain saved browser data (e.g., usernames, passwords, cookies). Once the actor buys the listing, they can try to access those domains/resources using the saved information.
Figure 3: Medical database stolen from a health care provider being sold by a threat actor to the underground community
Alongside the serious risks presented by the deep and dark web, organizations should also carefully monitor for those associated with the surface web. Integrating surface web monitoring into your threat detection and response strategy is especially valuable for organizations that rely heavily on brand reputation. This includes medium to large enterprises whose brand is itself a significant exposure, such as retail and e-commerce companies, banking and finance institutions, and industries holding highly sensitive data on behalf of multiple stakeholders (e.g., private equity, law firms, insurance and health care).
Attackers may target these types of businesses to create fake websites in their name or impersonate their domains to launch phishing attacks on their customers. Brand/domain monitoring can help organizations mitigate these risks by keeping track of the open web for domain impersonations, threats to company executives, spoofed websites and social media profiles.
However, as important as it is, monitoring is only one side of effective brand and domain defense. It should be followed by a swift response using threat takedowns: evidence is gathered and submitted as part of a formal request to whoever controls the offending resource, such as the hosting provider, domain registrar or social media platform, asking them to remove the harmful content. As a time-consuming and specialized process, this should be managed by takedown experts with proven expertise in formatting and submitting valid takedown requests to law enforcement, domain registrars and hosting providers.
Use Case | Attack Scenario | How Surface Web Monitoring Helps |
---|---|---|
Domain Spoofing and Phishing | Attackers register domain names that manipulate your brand in order to target your customers, suppliers or employees and compromise their data. They continuously create look-alike domains that differ from the legitimate domain name by only a character or two. These spoofed domains are used to host phishing sites, sell counterfeit products or harvest login credentials. Threat actors also use them to conduct business email compromise (BEC) scams, deliver malware and build lures for ransomware attacks. | Brand and domain monitoring services take a list of target domains and/or brand keywords, search the surface web for spoofed sites that use typosquatting or other copycat techniques, and can initiate a takedown request with the internet service provider or registrar by providing evidence of the threat. |
Brand Misuse and Impersonation (Web/Social/Mobile Apps) | Cybercriminals create fake apps and social media profiles designed to impersonate your brand. They then use these fraudulent channels to scam customers, spread misinformation that can move share prices, take over mobile devices with malware, or facilitate browser hijacking. | Surface web monitoring hunts for misinformation and brand impersonations across the web, social media and mobile app stores. Human analysts then work directly with the app stores or social media platforms to ensure that the fake content is removed. |
VIP/Executive Protection | Executives are targeted for a variety of online attacks due to their high visibility and high value. | Mitigates online abuse with content moderation on owned and paid social content to safeguard VIPs’ digital spaces. |
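The "list of target domains and/or brand keywords" step in the table above is the part of surface web monitoring that can be shown in code. The following is an added example, not Kroll's tooling or anything from the original article: it enumerates the single-edit look-alike variants of a protected domain (character omission, transposition, repetition, adjacent-key substitution, common homoglyphs, hyphenation, affix words and TLD swaps) and matches them, plus a brand-keyword check, against a feed of newly observed hostnames. The QWERTY adjacency table, the homoglyph and affix lists, the two-label registrable-domain rule and the observed-hostname feed are all assumptions constructed for the example; a production tool would use the Public Suffix List and a certificate-transparency or new-registration stream.

```python
"""Look-alike domain matching for brand/domain monitoring (constructed example)."""

# Subset of QWERTY neighbours used for fat-finger substitutions (assumption).
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "wedxza", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# Visually confusable substitutions commonly seen in phishing domains (assumption).
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
              "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"], "d": ["cl"]}
# Words attackers append to a brand label, and TLDs they swap in (assumption).
AFFIXES = ["login", "secure", "support", "account", "verify"]
TLDS = ["com", "net", "org", "co", "io", "info", "biz"]


def registrable(fqdn):
    """Reduce a hostname to its registrable domain, e.g. login.exarnple.com -> exarnple.com.
    Assumes two-label registrable domains; use the Public Suffix List in production."""
    parts = fqdn.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def label_variants(label):
    """Map each single-edit permutation of `label` to the technique that produced it.
    setdefault keeps the first technique that generates a given string."""
    out = {}
    n = len(label)
    for i in range(n):                                   # omission: exampl
        out.setdefault(label[:i] + label[i + 1:], "omission")
    for i in range(n - 1):                               # transposition: exmaple
        out.setdefault(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")
    for i in range(n):                                   # repetition: exaample
        out.setdefault(label[:i + 1] + label[i] + label[i + 1:], "repetition")
    for i, ch in enumerate(label):                       # adjacent key: exsmple
        for alt in ADJACENT.get(ch, ""):
            out.setdefault(label[:i] + alt + label[i + 1:], "adjacent-key")
    for i, ch in enumerate(label):                       # homoglyph: exarnple, examp1e
        for alt in HOMOGLYPHS.get(ch, []):
            out.setdefault(label[:i] + alt + label[i + 1:], "homoglyph")
    for i in range(1, n):                                # hyphenation: exam-ple
        out.setdefault(label[:i] + "-" + label[i:], "hyphenation")
    for word in AFFIXES:                                 # affix: example-login
        out.setdefault(f"{label}-{word}", "affix")
        out.setdefault(f"{label}{word}", "affix")
    out.pop(label, None)                                 # never flag the brand itself
    return out


def lookalikes(domain):
    """All look-alike registrable domains for one protected domain, keyed to technique."""
    label, tld = domain.lower().split(".", 1)
    variants = {f"{v}.{tld}": kind for v, kind in label_variants(label).items()}
    for alt in TLDS:
        if alt != tld:
            variants.setdefault(f"{label}.{alt}", "tld-swap")
    return variants


def match_feed(protected, observed):
    """Return (hostname, protected_domain, technique) for every suspicious hostname."""
    catalog = {}
    for domain in protected:
        for variant, kind in lookalikes(domain).items():
            catalog.setdefault(variant, (domain.lower(), kind))
    hits = []
    for fqdn in observed:
        reg = registrable(fqdn)
        if reg in catalog:
            target, kind = catalog[reg]
            hits.append((fqdn, target, kind))
            continue
        # Brand keyword inside a hostname whose registrable domain is not ours,
        # e.g. secure.example.com.evil-host.net
        for domain in protected:
            brand = domain.lower().split(".")[0]
            if reg != domain.lower() and brand in fqdn.lower():
                hits.append((fqdn, domain.lower(), "brand-keyword"))
                break
    return hits


# Constructed feed standing in for newly observed certificates/registrations.
OBSERVED = [
    "www.example.com",                   # the real site: must not be flagged
    "login.exarnple.com",                # homoglyph m -> rn
    "exampl.com",                        # omission
    "exmaple.com",                       # transposition
    "example-login.com",                 # affix
    "examp1e.com",                       # homoglyph l -> 1
    "example.co",                        # TLD swap
    "secure.example.com.evil-host.net",  # brand keyword in a subdomain
    "unrelated-site.org",                # no relation
]

if __name__ == "__main__":
    for fqdn, target, kind in match_feed(["example.com"], OBSERVED):
        print(f"{fqdn:40} impersonates {target} via {kind}")
```

Only single-edit variants are generated, so a domain that combines two techniques (a transposition and a TLD swap, say) is caught by the brand-keyword check rather than the catalog, and a brand name shorter than a few characters will produce many false positives from that check. Each hit is the evidence a takedown request starts from: the observed hostname, the protected domain it imitates and the technique used.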
The MITRE ATT&CK framework is commonly associated with the tactics, techniques and procedures (TTPs) that can be turned into network, endpoint or cloud detection controls. However, the framework is also useful for showing how dark web intelligence can shine a light on attackers at the very beginning of their campaigns, informing organizations’ defenses so that they can stop adversaries at the first stage of the “kill chain.” The pre-compromise tactics, Reconnaissance and Resource Development, take place outside the victim’s environment, where internal telemetry rarely sees them; leveraging digital risk protection services therefore gives organizations a much better chance of identifying tactics that MDR services alone are at risk of overlooking.
Examples of this include:
While digital risk protection across the surface, deep and dark web is a valuable data source for threat detection activities, organizations can face a number of challenges when integrating it into their detection and response strategy. These include:
Combining managed detection and response with digital risk protection delivers key security advantages to organizations, including:
Detect threats before anyone else in your industry while maintaining end-to-end visibility and proactive response through Kroll’s digital risk protection expertise coupled with our Responder MDR service. Threat intelligence drawn from our status as the world’s leading incident response (IR) provider and 3,000+ IR engagements a year fuels our MDR and threat intelligence services by providing tailored insight into adversary behavior and earlier detection of malicious activities.
We leverage industry-leading intelligence collection technology and human expertise to find exposed, stolen or leaked company information on the deep and dark web. Our analysts utilize proprietary information collected from investigations and closed sites used by criminals to gain early insights into activity that could indicate a targeted attack on your organization.