This article was featured in an edition of CISO MAG.
Contributed by Souti Dutta, Lead Threat Analyst – SOC Services, Paladion
The Internet has become an “essential fixture” in people’s lives. Apart from posting captured moments on Instagram, tweeting life’s experiences on Twitter, and browsing funny cat videos on YouTube, the Internet also lets you travel beyond its surface to the deep, dark corners of the virtual world. Such corners are generally termed the Dark Web.
In recent years, there has been an upsurge in interest and curiosity for the Dark Web. Frequent headlines on the existence of hidden marketplaces that serve as hotbeds of drugs, arms trafficking, fraud, hacking, etc., or the supposed freedom (anonymity) on the Dark Web have lured the common man into these dark virtual alleys.
The Dark Web has coexisted within the Deep Web (the segment of the WWW that is deliberately excluded from indexing and therefore unavailable through regular search engines such as Google, Yahoo, etc.) for years. It is a digital space used, in particular, for carrying out malicious activities under the cloak of anonymity.
Is the Dark Web a growing concern for enterprises?
A study has estimated that only 0.03% of sites on the Internet fall under the Dark Web category, which is 30,000 or fewer sites. However, its growing popularity, ease of access and mass adoption have created serious concerns among security practitioners.
Anyone possessing a free piece of software like Tor can gain access to the Dark Web anonymously. In corporate environments, where thousands of employees access various IT resources, even a single exposure to the Dark Web can bring down defences. Below is a summarized list of the risks that accessing the Dark Web using tools like Tor can bring:
Exposes an organization to malware and botnet attacks: Individuals/groups that operate ‘Exit Nodes’ or ‘Tor relays’ on the Tor network can abuse them by turning them into malware distribution points without the knowledge of the employee using them. This leaves an organization’s network susceptible to malware attacks via responses (wrapped with malware) received from such rogue nodes. Malware delivered this way can then maintain CnC communication with the organization’s hosts over the Dark Web, which creates further risk.
Exposes an organization to DDoS attacks: If employees turn their hosts into nodes that participate in the global Dark Web network (e.g. Tor nodes), it can elevate the risk of bandwidth exhaustion or a DDoS-like situation. The corporate network relaying large volumes of Dark Web traffic is the primary reason for either high bandwidth consumption or bandwidth saturation.
Allows employees to bypass security controls: Traffic to the Dark Web is always wrapped in encryption, so the network traffic between the originator and the destination host is hard to inspect. This means employees can freely view illegal sites, purchase contraband goods using corporate resources, and so on, with ease. In addition, it allows employees to circumvent several security controls without any extra effort.
Becoming the data exfiltration point: The ‘Exit Nodes’ are susceptible to sniffing attacks, so if non-encrypted data is sent through them, it can be captured and utilised in a malicious way. Internal hosts participating in Dark Web activities can also get infected with malware that exfiltrates data, leaving the organization susceptible to data theft.
Employees turning rogue insiders: A recent study noted a new trend among cybercriminals where they spend considerable resources to recruit insiders. The primary goal behind such recruitment is to steal data, plant malware, enhance domain knowledge, etc.
Loss of reputation: Organizations can be held responsible for any illegal activities carried out on the Dark Web, especially the hosting of Dark Web network nodes that are involved in transporting illegal data or in activities such as hacking, DDoS attacks, spying, etc.
Blacklisting: An organization found hosting Dark Web nodes risks having its IP addresses added to an Internet blacklist, which can lead to unnecessary restrictions from various service providers.
Limiting Access to Dark Web from Inside the Business Network
Preventing access to the Dark Web and detecting access attempts can be a real challenge. There are currently no ready-made solutions to monitor and stop such attempts. So, the solution lies in a combination of security best practices, technology, user awareness, and a refined security policy on usage of the Dark and Deep Web and associated applications. We’ve listed a few recommendations below:
Stop internal users from downloading, installing or running Tor: Tor (and other similar applications such as I2P) is the key to gaining access to the Dark Web. Users should not have access to the Tor website from which they can acquire the installer or a portable version of the application. By deploying application whitelisting and limiting access rights, it is possible to prevent such applications from running. Controls on USB ports should also be implemented to prevent running any portable instance of such applications.
Maintaining a known Dark Web/Tor node list: The primary reason for maintaining a list of known Tor nodes is to limit any outbound traffic to the Dark Web. An explicit outbound deny rule for all such IPs (Exit Nodes) will minimize the live traffic destined for the Dark Web. It is also necessary to devise an internal list of hosts that have generated traffic to those IPs/nodes, and to keep the node IP list relevant and updated. One can utilize available feeds to capture such IPs.
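As an added illustration of the node-list recommendation above (example code written for this article, not from the author or Paladion): it parses a constructed Tor node feed, flags the feed as stale when its fetch stamp is too old, and builds the internal list of hosts that reached known nodes from constructed firewall log lines. The feed format, the key=value log format and all addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed Tor node feed (addresses from documentation ranges, not real relays).
TOR_NODE_FEED = """# fetched: 2024-03-01T08:00:00+00:00
203.0.113.10
203.0.113.11
198.51.100.7
not-an-ip
"""

# Constructed outbound firewall log in a generic key=value style (no real product's format).
FIREWALL_LOG = """ts=2024-03-01T09:12:01Z src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow
ts=2024-03-01T09:12:05Z src=10.0.0.5 dst=192.0.2.50 dport=443 action=allow
ts=2024-03-01T09:13:40Z src=10.0.0.8 dst=198.51.100.7 dport=9001 action=allow
ts=2024-03-01T09:14:02Z src=10.0.0.5 dst=203.0.113.11 dport=443 action=allow
ts=2024-03-01T09:15:00Z src=10.0.0.9 dst=203.0.113.10 dport=443 action=deny
"""

LINE_RE = re.compile(r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) action=(?P<action>\S+)")

def load_node_list(feed_text):
    """Parse the feed into a set of ip_address objects, skipping comments and bad lines."""
    nodes = set()
    for line in feed_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            try:
                nodes.add(ipaddress.ip_address(line))
            except ValueError:
                pass  # a malformed feed entry must not break the whole block list
    return nodes

def feed_is_stale(feed_text, max_age_hours=24, now=None):
    """True if the '# fetched:' stamp is missing or older than max_age_hours (refresh the list)."""
    now = now or datetime.now(timezone.utc)
    m = re.search(r"#\s*fetched:\s*(\S+)", feed_text)
    return m is None or now - datetime.fromisoformat(m.group(1)) > timedelta(hours=max_age_hours)

def find_tor_contacts(log_text, nodes):
    """Map each internal host to its *allowed* connections to known nodes (denied ones are already blocked)."""
    contacts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["action"] == "allow" and ipaddress.ip_address(m["dst"]) in nodes:
            contacts[m["src"]].append((m["ts"], m["dst"], int(m["dport"])))
    return dict(contacts)
```

The returned host list is what the follow-up investigation starts from; hosts that reached a node before the deny rule was in place are the ones worth checking for installed Tor clients.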
Outbound traffic containing self-signed certificate data: The Dark Web is a known consumer of self-signed certificates (certificates not issued by recognized certificate authorities). Such certificates allow data encryption between clients, nodes or servers. Hence, blocking such outbound SSL traffic will not only meet best-practice requirements but will actively limit exposure to the Dark Web.
Clear policy on Dark Web/Tor usage: Along with implementing security controls, it is important to ensure the corporate security policy addresses access to the Dark Web and the usage of proxy software (Tor). The updated security policy should clearly state the limitations and prohibitions imposed on accessing the Dark Web using proxy software over the corporate network and resources.
User awareness: Organizations should conduct sessions in which employees and partners who use IT services learn about the risks related to the Dark Web.
The curiosity around the Dark Web is understandable, but if that exploration happens on a corporate network, it can make an organization vulnerable to cyber attacks. Employees unwittingly use the Tor network as a proxy to circumvent blocked sites and the like. It is important for employees to be educated about the risks such proxy software can bring to the organization, so that the risks the Dark Web carries can be prevented.
Organizations should also monitor all virtual activities by employees regardless of seniority or technical expertise within the corporate environment to ensure optimal cybersecurity.
The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.