Darknet and Deepnet: What (not only) CISOs and CIOs should know
by Tina Siering
As the current Darknet Study 2023 by the security researchers of Botiguard shows, a great deal of data from German companies is available for download or purchase on the Darknet as a result of data leaks. Almost 60 percent of all companies and public institutions examined are affected, and it can be assumed that some of those affected are unaware of this. A disturbing result, which gives reason to take a closer look at the three layers of the internet (clearnet, deepnet and darknet) and to give important security tips, especially for researching on the darknet.
One of the best-known metaphors to illustrate the internet is an iceberg:
The visible part above the water symbolises the Clearnet (also: Clear Web), i.e. the indexed part that is accessible with standard browsers.
By far the most extensive area (about 90% of the entire internet), however, is the Deepnet (also: Deep Web) below the surface of the water. Here you will find company databases, streaming servers and online storage that are not indexed by search engines. In principle, the Deep Web is open to everyone, but much of the content is secured, for example to protect company secrets. No special tools are required for access, but you need to know where the content is located in order to find it.
The Darknet (or Dark Web) is a relatively small part of the Deep Web. The pages of the Darknet cannot be found by the usual search engines or browsers. Access requires special anonymisation software such as the Tor network ("The Onion Router"), which provides anonymity when surfing. Only with the help of these anonymisation networks can pages in the darknet be accessed, either directly ("peer-to-peer") or with knowledge of the exact URL.
However, the anonymity offered is not only of interest to criminals, but also to legitimate users who need targeted protection for their communication, such as journalists, the politically oppressed, dissidents or opposition members from dictatorially ruled countries. The encrypted structure allows, among other things, access to regionally blocked content and circumvention of censorship. Anonymity allows journalistic sources to remain unidentified in some cases and whistleblowers to share their findings with the public.
In particular, government agencies or financial institutions may need direct access to information that is only available through sources on the darknet. In many cases, these organisations are not only looking for leaked access data or company information. They also need information about potential threat actors, evolving (new) attack vectors or active exploits.
How criminals use the Darknet for their machinations
Due to the encrypted communication and the associated anonymity, criminals take advantage of the Darknet: it contains forums, web shops and trading platforms for services and goods that are otherwise either illegal or subject to strict legal regulations. In short, it is a marketplace for crimes and illegal goods of all kinds, where the offers are usually paid for in cryptocurrencies.
To make matters worse, companies and employees also leave many data traces on the internet. Hackers collect this data from a wide variety of sources and offer it on the darknet and on illegal sites. Especially after a security incident, masses of data end up on the darknet. Information such as names, email addresses, credit card data and passwords is in demand there, among other things for carrying out malware or ransomware attacks via phishing emails.
Cybercriminals use the darknet for their own purposes, for example to acquire leaked company data or to commission ransomware-as-a-service (RaaS) offerings. The Darknet Study 2023 by Botiguard, covering 26,000 analysed companies from 80 industries and categories, shows how dangerous the illegal offer in the Darknet is for companies: up to 60 % of all company data examined was found available for paid download on Darknet marketplaces - including data from many German companies.
Why CIOs and CISOs should know about the Darknet
Although the Clearnet is presumed to be the greater source of successfully executed cyber attacks, CISOs and CIOs should also be familiar with the structures of the Darknet and act true to the motto "know your enemy" - because cyber criminals are active there.
Gathering useful information about possible threat scenarios on the darknet is crucial for protecting companies from future threats. IT security teams can gain valuable insights through the following targeted actions, which help them protect their organisations from attacks:
- Monitoring the current malware market
- Tracking down illegal databases and checking for data leaks
- Locating stolen credentials
- Detecting access to corporate networks offered for sale
- Tracking how cyber criminals accumulate and exchange knowledge among themselves (e.g. current types of malware, strategies, collusion on exploits).
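One way to act on the second and third points (checking leaked data and locating stolen credentials) once a leaked combo-list has been obtained, as an added example that is not part of the article or of Botiguard's study: the script below parses a constructed email:password dump, keeps only accounts under the domains the security team monitors (the domain names are assumptions), and records a truncated hash fingerprint of each secret instead of the plaintext, so the team can trigger forced password resets without building its own copy of the password list.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample of the kind of combo-list sold on darknet marketplaces
# (one email:password per line). Every value here is made up for this example.
LEAK_DUMP = """\
alice@example-corp.de:Summer2023!
bob@example-corp.de:hunter2
carol@other-company.com:letmein
# garbage line without a separator
dave@EXAMPLE-corp.de:$2b$12$abcdefghijklmnopqrstuv
eve@partner-firm.de:Passw0rd
"""

# Domains the security team monitors: its own and a key supplier (assumed names).
MONITORED_DOMAINS = {"example-corp.de", "partner-firm.de"}

# email:secret, where neither part may contain whitespace and the email has no colon
LINE_RE = re.compile(r"^([^:\s]+@[^:\s]+):(.*)$")


def parse_dump(text):
    """Yield (email, secret) pairs; lines that do not fit the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1).lower(), m.group(2)


def find_exposed_accounts(dump_text, domains):
    """Return {domain: [(email, secret_fingerprint), ...]} for monitored domains.

    Only the first 12 hex digits of SHA-256(secret) are kept: enough to tell a
    repeat of the same leaked credential from a new one, without storing it.
    """
    hits = defaultdict(list)
    for email, secret in parse_dump(dump_text):
        domain = email.rsplit("@", 1)[1]
        if domain in domains:
            fingerprint = hashlib.sha256(secret.encode()).hexdigest()[:12]
            hits[domain].append((email, fingerprint))
    return dict(hits)


if __name__ == "__main__":
    for domain, accounts in find_exposed_accounts(LEAK_DUMP, MONITORED_DOMAINS).items():
        print(f"{domain}: {len(accounts)} account(s) need a forced password reset")
        for email, fp in accounts:
            print(f"  {email}  (secret fingerprint {fp})")
```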
In order to effectively protect a company from cyber criminals, knowledge about the data offered on the Darknet is also of great importance, because cyber criminals use compromised accounts, e.g. to launch spear phishing or brand spoofing attacks.
And cybercriminals find the basis for these attacks and campaigns on the Darknet.
It is crucial for CISOs and CIOs to be aware of the potential threats on the darknet while ensuring maximum IT security. Although the Clearnet may be considered the greater source of successful cyberattacks, Darknet research provides valuable information about potential threat scenarios that can help organisations protect themselves against cybercriminals.
However, any user researching on the darknet must be aware of the possible sources of danger and should therefore ensure maximum IT security.
To stay safe on the Darknet, we recommend the following security measures:
1. Use the Tor browser together with a VPN service for additional security: The Tor browser disguises the IP address, while a VPN service encrypts all traffic and provides additional anonymity.
2. Deploy an Endpoint Security solution: Endpoint Security protects network endpoints, such as computers and mobile devices, from security risks and cyber attacks.
3. Create a separate "online persona" for the darknet: Using a separate identity can protect one's privacy and minimise the risk of tracing or identification.
4. Use an identity protection tool: This helps to disguise personal information and prevent sensitive data from falling into the wrong hands.
5. Do not download files from the darknet: Downloading files from the darknet carries the risk of transferring malware or viruses to your own device.
6. Disable ActiveX and Java in all available network settings: Disabling ActiveX and Java reduces vulnerability to certain types of cyber-attacks that could exploit these technologies.
7. Set up access restrictions to the Tor-enabled device: Setting up access restrictions can prevent unauthorised access to the device and increase security.