Why the ‘dark web’ is becoming a cyber security nightmare for businesses
I was running a resilience exercise with a client recently when someone asked about the scenario we were using to test the client’s cyber incident management plan. “What’s the ‘dark web’? Why haven’t our spy agencies done anything about it?”
In the scenario, a malicious employee had stolen a large amount of data from their employer utilising a ‘hacker-for-hire’ service they’d found on the ‘dark web’ using Tor (the onion router) - software that enables anonymous communication over the internet. The dark web is an ungoverned and seemingly ungovernable area of the internet where you can browse and communicate with complete anonymity.
Policing the dark web
Journalists, activists and campaigners in the US, Europe, China, Iran and Syria rely on Tor to maintain the privacy of their communications and avoid reprisals from government. But people engaged in terrorism, cybercrime, child abuse and drug dealing are increasingly using it [1].
To answer my client’s question, I explained that the National Security Agency (NSA) and UK Government Communications Headquarters (GCHQ) have devoted considerable efforts and resources to infiltrating the service. But, in response, activists who want to stop governments ‘spying’ on people are developing a wide range of tools to thwart that infiltration. They’re advocating the use of strong cryptography and privacy-enhancing technologies – software that ensures complete anonymity – and believe this will enable social and political change. Inevitably, criminal groups and terrorists also use those tools to commit illegal acts undetected.
The widespread availability of dark web forums dedicated to freely sharing privacy-enabling technologies, intrusion software and exploitable code means global law enforcement agencies face an uphill struggle. There’s a growing number of technically-savvy ‘amateur hackers’ carrying out cyber-attacks, though as yet they’ve had little impact [2]. But for businesses that means even the average customer could buy a cyber-attack service anonymously – or possibly learn to conduct their own cyber-attack – without being caught.
What you can do to become ‘cyber-resilient’
- Protect against ransomware. Hackers love it. Attacks on governments (like the 2015 attack on the UK Parliamentary Digital Service), as well as hospitals, banks, and even some utility services, are on the rise. Awareness training for employees will build a strong and informed security culture. Coupled with robust technical prevention controls, that brings a high level of resilience. And creating an effective business continuity plan will help in the event of a ransomware attack.
- Update outdated technology. Organisations with legacy IT equipment and computer systems are at higher risk of security breaches because a lot of older technology wasn’t designed to thwart modern-day attacks. An effective information security strategy alongside an appropriate IT security budget is critical for ensuring all your technology can keep pace with evolving threats.
- Rehearse regularly. Businesses often have continuity plans in place to deal with things like weather events or terrorism, but not cyber-attacks. And too often, organisations only have IT-centric plans in place – it’s important to regularly exercise crisis management teams and leadership decision-making in the context of cyber security so that you’re well-drilled. It’s also essential to make sure insurance is as comprehensive as possible.
The sheer complexity of the dark web means it’s unlikely hacktivist groups will be regulated any time soon. In the meantime, it’s clear that criminal groups are arming themselves with freely-available technologies that are making their job even easier, and their victims’ job all the more difficult.
1. The Guardian, NSA and GCHQ target Tor network that protects anonymity of web users, 4 October 2013
2. Europol, The Internet Organised Crime Threat Assessment (IOCTA) 2016, 2016