Serious About Insider Threats? Start Paying Attention to the Dark Web

Insiders keen on making money from the valuable data your organization holds need only use a TOR browser to connect with buyers, hackers, and everyone else who doesn’t have your organizations best interest at heart.

Employees can pose an insider threat to the organization in a variety of ways. At the end of the day, with 76% of data breaches being financially motivated, the primary goal of malicious insiders is usually to monetize data, credentials or access.

So, where does an employee with access to, say, credit card numbers or personally identifiable information (PII) go to sell it?  It’s not like you can just search “who wants to buy 10,000 credit card numbers?”

Or can you?

The web as we know it is actually divided into a few parts. There’s the clear web. It’s the part that’s publicly indexed and searched that you use every day. Then there’s the deep web – this is the part that’s not indexed.  Even your company has a server or two that isn’t indexed by the search engines, but is connected to the Internet – those are all part of the deep web.

Lastly, there’s the dark web. This is a very small part of the web that is only accessible using a special browser called TOR (The Onion Router). This browser connects you to an underground world of websites where just about everything that is considered bad in this world is for sale.

Employees can take advantage of the Dark Web basically in four ways:

1. Sell Data – There’s plenty an employee can sell on the Dark Web: company secrets, credit card data, PII (such as social security numbers), and more.
2. Sell Credentials – Hackers are constantly seeking access to any company’s network (even yours). No matter the company, there are still ways to make money by moving laterally within a network until access to systems that interact with money (e.g., payroll, accounts payable, etc.) is attained. Even the smallest business with a network has access to thousands of dollars.
3. Be Solicited – While collusion only makes up 2% of all data breaches, there are those on the Dark Web that aren’t interested in doing the internal digging themselves, but will solicit the help of an insider, working together to steal valuable information.
4. Transfer Data – the TOR browser can be used to send files, making it a less obvious way to exfiltrate data from the organization.

Organizations serious about protecting against insider threats – as well as detecting them when they happen – should consider a layered security approach that includes the following:

• Block endpoint-based VPNs – Most Dark Web experts will tell you to use a VPN to anonymize your endpoint as the source of traffic.Employees desiring to go on the Dark Web may use a VPN to obfuscate their use of the TOR browser.
• Block the TOR Browser – Application whitelisting may be useful to keep TOR from being run.
• Monitor Employee Activity – The use of Employee Monitoring Software that watches for application use, network traffic, site names, and other indicators of Dark Web activity will help to detect when employees begin to dabble in the Dark Web.

There’s no guarantee that malicious insiders will use the Dark Web, but it’s important to educate yourself on how the Dark Web can play a role in insider threats. By putting security controls in place, you can lower the risk of the use of the Dark Web by employees when on corporate endpoints.