A lot of IT services providers, such as MSPs (Managed Services Provider) and MSSPs (Managed Security Services Provider) are offering “Dark Web Monitoring” nowadays. We offer it as well. It is a great tool when used correctly and can be a great source of frustration when it is not.
The Dark Web is a moniker that describes that part of the internet that is not accessible by regular browsers and uses .onion extension for its website Uniform Resource Locator (URL). The information that is on there is sourced from a great number of databases, some that was leaked intentionally, some by accident, and some through a malicious breach. What is important to bear in mind is that this information has various levels of validity.
A typical Dark Web monitoring service scans these sites for data dumps and alerts you when your email address appears on there. In the vast majority of cases, the alert will be for a breach that happened some time ago, usually months, if not years back. The information that has been gathered will typically consist of some or all of the following: your email address, full name, home or business address, phone number, date of birth, Social Security Number, and a password. Keep in mind that a lot of this information can be gathered using regular internet and social media sites.
So why use this service? It will allow you to keep a pulse on which employee passwords are compromised, which employees use either weak passwords or use clearly discernable patterns when changing their passwords. It will also show which employees use their company emails for personal items, something that is often expressly prohibited by company policies. It is an excellent tool to monitor your exposure to social engineering attacks and can be used for security awareness training exercises/tests.
Do not, however, use this as a single source of truth regarding your security posture. Just because someone’s information is not available now, does not mean it has not been compromised. If you see on the report that there is a large number of personal information that suddenly appears in a report, get ready for your systems to be attacked using vectors gleamed from this information. In the same vein, just because your company and employee information is out there it does not mean you need to panic. As long you have proper controls in place and test them regularly all you may need is to adjust your testing and focus to account for the information received.
Feel free to reach out if you have any questions or are looking for some more guidance of how to best use this type of tool/service.