Dark Web Threats: Data Breaches Get Headlines, But Other Threats Loom Large Online
New database breaches are reported every day, most of which reveal that insufficient security protocols were in place to prevent such an attack from occurring.
If businesses know there’s a good chance their data may be the target of attack and still are unable to prevent a breach, just imagine how difficult it would be to stop attacks they aren’t expecting.
Eric Olson, vice president of Intelligence Operations for LookingGlass Cyber Solutions, said most information security firms tasked with protecting businesses and their customers are biased toward thwarting attacks against a company’s computer network and databases — which would be fine if they were better at preventing those breaches.
The fact that there are billions of stolen credentials — usernames, passwords and other personal information associated with an account — floating around online “speaks to how ineffectual we as an industry and economy are [at] defending the network and the databases,” Olson said.
“For every breach that makes headlines,” Olson told International Business Times, “there are literally hundreds of smaller breaches that are happening, and the data from which are being sold, traded, posted or given away on the internet every day.” He said his research team comes across as many as 800 new packages of stolen data each week.
What makes matters worse is that while much of the attention and resources of cybersecurity is focused on combating breaches, the landscape of threats continues to evolve and defenses against them are not keeping up.
Olson, a one-time “bean counter jerk” turned cybersecurity expert after being bored to tears by his tasks at an accounting firm, spends much of his time looking beyond the local network and searching for threats that often hide in plain sight.
At LookingGlass, Olson spends much of his time devising ways for him and his team to scour different parts of the internet — from public comments made on social media to stolen goods posted on black market bazaars on the dark web — to identify malicious actors who are looking for something other than a weak spot in a company’s computer network.
The types of threats Olson and his team come across can vary widely and, he said, are “evolving almost by the month” if not by the day.
He explained that when his company first started providing protection to businesses, the biggest threat on the web was domain name squatting, a practice in which a person would register a web domain with the name of a business in hope of getting paid to give up the domain.
That type of behavior is still present online, but as the internet has grown ever more accessible, so too have the resources for those who present a risk to businesses, their brands and their customers.
Olson scours publicly available data to identify any number of threats to businesses. Those concerns may range from public relations and reputation risks to violations of copyrights and trademarks to warnings of real-world physical risks.
These threats present themselves in all sorts of ways but can’t be identified or stopped simply by blocking a threat actor’s IP address or keeping employees from visiting malicious websites or opening phishing emails.
As an example, Olson said one threat his firm came across appeared after a mass layoff at a company. One of the employees involved in the layoff, angry about losing his job and the fallout in his life that resulted, went online and began posting comments that he was planning on committing an act of violence against the company CEO’s 16-year-old child.
Olson said those types of threats are “far more real and common than you might imagine,” and come from everyone from disgruntled former employees to disillusioned staffers to angry customers. Instead of finding the posts after a person acts out anger, Olson and his team attempt to catch an offender before the act goes too far.
These and other types of threats exist in varying levels of openness online. Some sit on social media or publicly accessible sites while other potential threats to businesses happen under the cover of the dark web. Olson and LookingGlass sift through as much of it as they can.
Some can be found through automated processes that cast a wide net and gather as much data as possible to catch a potential threat. Other efforts require Olson and his team to go hands-on.
“There’s no way to build a bot that can join a closed community of white, gray and black hat hackers if entrance exam requires a coding test … or communicating with the moderator in Ukrainian slang,” Olson said. Once past the initial gateway in those situations, information is often readily accessible without additional protection for everyone who has gained access to the online clubhouse.
It’s not uncommon for the dark web to be associated with shady activity, and Olson has spotted plenty — from the drug trade to hitmen and hackers for hire to massive collections of stolen account credentials. But not all of the web’s worrisome activities happen anonymously below the surface.
Olson said the dark web is “of no use at all” if you’re selling a product — hacked cable boxes, for example — that requires a mass consumer market. In that case, Craigslist, eBay and Facebook marketplaces reach a far wider audience and are more likely to contain the consumers for that product.
To oversimplify, Olson said, “the stuff that will land you in a county lockup for two weeks is probably on the surface web. The stuff that will land you in a federal penitentiary for the rest of your life is more likely to be on the dark web.”
Regardless of where the criminal activity may land the person partaking in it, there is little that security efforts can do to pre-empt these types of threats.
“Most IT and information security professionals either ignore or underappreciate the risk landscape they are facing beyond defending against a data breach,” Olson said while noting that on the whole, data protection is still severely lacking as well.
There are a number of reasons the types of risks that lurk online are being ignored, the primary one being that the people who can protect against them are simply outnumbered by the people who may present a threat.
A survey of 641 information technology professionals conducted this year by the Enterprise Strategy Group found 45 percent of respondents indicated their organizations currently lack the necessary cybersecurity skills to deal with the increasing number of risks.
Nonprofit information security advocacy group ISACA found there will be a global shortage of 2 million cybersecurity professionals by the year 2019. There already are 40,000 information security roles and 200,000 cybersecurity positions that go unfilled each year in the U.S. alone, cybersecurity firm CyberSeek estimates, and job site Indeed reports 1 million are vacant worldwide.
Olson said American companies in particular “host an incredible array of valuable information” that makes them a target, and in most cases, security teams “just don’t have the talent to fight the battles.”
Adding to the lack of resources is an issue on the business side that sees security efforts primarily as a tax — it has to be paid, but there’s no reason to spend more on it than absolutely necessary.
“A board will look at security and say, ‘I have to check the box on compliance. I have to do the required steps.’ But beyond that, it’s a business decision,” Olson said. Companies are more likely to spend what is required to meet basic standards and do little more, opting for insurance protection against the rest rather than investing in the resources that could prevent the attacks in the first place.
That might work for the bottom line of the business, but Olson said doors and windows are left largely unlocked, allowing for data breaches and other attacks to be carried out successfully — an issue that doesn’t just harm businesses but also puts their customers at risk.
Both the IT talent gap and the gap between what it costs for good security and what businesses will spend on it require closing. Until then, most professionals will continue to keep their eyes focused on the local network out of necessity while other threats capable of doing significant damage loom in the distance.