The Dark Web Is Not An Attack Vector

Published in The Azimuth (Area 1 Security), May 2, 2017


Shalabh Mohan | Area 1 Security | @area1security

But what about the dark web? If you’re in the business of keeping your organization secure, you probably hear that question pretty often. And whether you’re a CISO being asked by your CEO, or a CIO getting grilled by the board, not only do you have to protect your company from the vastness of the internet, now you have to guard it against the endless ether of the dark web.

What is important to understand is that the “dark web” is self-contained, and consequently, it is not an attack vector.

Most people could be excused for thinking our cybersecurity challenges come from this “dark web,” since it is brought up in every reference to hacking in popular culture. But the “dark web” as most people talk about it doesn’t exist. Yes, there are anonymized sites that require specific software to reach, such as Tor (The Onion Router). An estimated 96% of the internet is not indexed by search engines such as Google or Bing, but for almost entirely benign reasons: pages sit behind paywalls, or they are private company intranets or databases.

And while there are parts of the internet that are “hidden” or “dark,” let’s explore why it is virtually impossible to launch attacks from this “dark web.” Tor exit nodes, the relays that connect a Tor user to the wider internet after their origin has been masked, are poor attack launch points: the Tor Project publishes the list of exit nodes, so traffic arriving from them is easy to identify and block. The sites that actually live inside Tor (onion services) are mostly forums, and it is true that they are used to buy, sell, and swap stolen data. A whole suite of companies spends its time infiltrating these forums, and some of that intelligence is useful. Our security team monitors them as one of many inputs into understanding actor behavior, but as a place from which to launch attacks against you, the “dark web” is sealed off.

For someone to talk to you, visit you, or hack you, they need an IP address, a domain, a URL, or an email address. Nothing happens without those primitives being in place. And once any of them exists, the word “dark” no longer applies: your attacker is on the open web, the surface web, and all of our phishing detections apply.

For something to be truly “dark,” it would need to come from a non-routable or bogon IP address: address space that is reserved, unallocated, or otherwise not supposed to appear in the public routing table. (Spoofed bogon source addresses do show up in one-way volumetric floods, but a phishing site or mail server that has to complete a connection cannot hide behind one.) Such attacks are not impossible to imagine, but they would have to originate with the very people who run internet addressing, like IANA, the Regional Internet Registries (RIRs), or the U.S. Government. If those entities start attacking us, we have much bigger problems…
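The two checks described above, that a Tor exit is enumerable from a published list and that a bogon address cannot be a legitimate sender, are easy to turn into a first-pass triage of connection sources. The following is an added example, not Area 1’s code: it classifies each source address as a known Tor exit, a bogon (using Python’s `ipaddress` knowledge of reserved and non-global space), or an ordinary routable “surface web” host, and runs that over a few constructed SMTP-style log lines. The exit list embedded here is a constructed sample in documentation address space standing in for the Tor Project’s bulk exit list; in practice you would load the real list.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed sample standing in for the Tor Project's published exit list
# (https://check.torproject.org/torbulkexitlist). These are documentation
# addresses (RFC 5737 / RFC 3849), not real exits.
SAMPLE_TOR_EXITS = {
    "203.0.113.17",
    "198.51.100.4",
    "2001:db8:1::a",
}


def _normalize(addrs: Iterable[str]) -> set:
    """Canonicalize addresses so '2001:DB8:1:0::a' and '2001:db8:1::a' match."""
    out = set()
    for a in addrs:
        try:
            out.add(str(ipaddress.ip_address(a)))
        except ValueError:
            continue  # skip malformed entries in the feed
    return out


def classify(addr: str, tor_exits: Iterable[str] = SAMPLE_TOR_EXITS) -> str:
    """Return 'invalid', 'tor-exit', 'bogon', or 'surface-web' for one address."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "invalid"

    # A published exit-list entry wins: its operator has already told you
    # what it is. (Checked first only so the constructed sample list above,
    # which lives in documentation space, still demonstrates the branch.)
    if str(ip) in _normalize(tor_exits):
        return "tor-exit"

    # Bogon: anything not globally routable (RFC 1918, loopback, link-local,
    # TEST-NET, CGNAT 100.64.0.0/10, documentation prefixes), plus reserved
    # (240.0.0.0/4) and multicast space, which are never unicast senders.
    if not ip.is_global or ip.is_reserved or ip.is_multicast:
        return "bogon"

    return "surface-web"


# Constructed log lines for the demo; the 'from=' field carries the peer IP.
SAMPLE_LOG = [
    "2017-05-02T10:14:03Z smtp accept from=198.51.100.4 helo=mail.example",
    "2017-05-02T10:14:09Z smtp accept from=8.8.8.8 helo=relay.example",
    "2017-05-02T10:14:12Z smtp accept from=10.0.0.7 helo=internal",
    "2017-05-02T10:14:15Z smtp reject from=garbage helo=x",
]

LOG_FROM = re.compile(r"\bfrom=(\S+)")


def triage(log_lines: Iterable[str],
           tor_exits: Iterable[str] = SAMPLE_TOR_EXITS) -> List[Tuple[str, str]]:
    """Extract the peer address from each line and classify it."""
    results = []
    for line in log_lines:
        m = LOG_FROM.search(line)
        if not m:
            continue  # no source address on this line, nothing to judge
        src = m.group(1)
        results.append((src, classify(src, tor_exits)))
    return results


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG):
        print(f"{src:20} {verdict}")
```

Everything that comes back as `surface-web` is exactly the traffic the post is talking about: an attacker who can reach you is, by construction, on a routable address you can see and act on. The `tor-exit` and `bogon` buckets are the cheap ones to drop or flag at the edge; the real work, and the point of the rest of the post, is in the routable remainder.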

Dark vs. Long

Area 1 Security identifies and stops phishing across the entire web, including the “long web,” the statistical long tail of the surface web, where more than 95% of all cyberattacks live. These accessible but unindexed pages include newly observed domains (NODs), newly registered domains (NRDs), and proximity domains, all of which have little to no traffic. They are not pages you could easily find with Google, which leads people to mistake them for “dark.” But they are not dark; they are simply new or unknown, and therefore the perfect staging ground for actors to launch their phishing campaigns.

Image caption: Phishing sites that flawlessly duplicate legitimate sites like these live on the long web.

The long web is where attacks begin. And lucky for you, it’s a place we crawl. Attacks coming from the long web are discoverable, and better yet, stoppable. Area 1 has a unique and powerful combination of web crawling infrastructure, early attack discovery algorithms, and enough computing horsepower to process it all and take action before phishing campaigns even launch.

Every week, every day, even every hour, we discover new and emerging campaigns in their earliest stages. With this visibility, we can protect our customers from the #1 cybersecurity threat to organizations large and small: phishing. The web is big, but it’s also finite. It doesn’t matter where a campaign is hidden, whether it’s right on the surface web you are familiar with or far out in the long web; it still exists, and as a result, it’s still findable.

“If it bleeds, we can kill it,” Arnold Schwarzenegger observed. For us, it’s more like: “If it has an IP, URL, domain, or email address we can find it.”

And we do.

Image caption: The World Wide Web. Phishing attacks can only come from the surface / long web, which makes up less than 5% of the web. If you can’t get to it, it can’t get to you.

Learn more about how our high-speed crawlers discover pre-attack phishing activity on the long web — before attacks are launched and in time to change outcomes for organizations.
