Beware of Myths and Misleading Claims in the Market for Threat Intelligence Offerings Pertaining to the Deep & Dark Web
The market for threat intelligence offerings remains inundated with confusing claims that can overwhelm even the most seasoned security professional. As I’ve written previously, much of this confusion stems from the loose interpretation of terms like “open web intelligence,” “automated intelligence,” and “digital risk,” as well as the inconsistent extent to which these offerings can deliver on their claims. All claim to leverage intelligence from the Deep & Dark Web, but can they really?
1. “Open web intelligence” is largely search engine and social media driven, with a myriad of other easily accessible sources.
2. “Automated intelligence” is a misnomer; while automation is critical in building the right technology to empower humans to glean actionable intelligence, it cannot deliver true contextual intelligence from the Deep & Dark Web on its own.
3. “Digital Risk” monitoring is important, but it’s more of a clean-up crew that is only useful after a strategic intelligence program is launched and executed. Unless you know what you’re looking for, digital risk monitoring really just monitors known information, leaving a large gap of what you don’t know.
The Deep & Dark Web is not the only source of information that clients need for better protection, but the activities occurring in the underground can inform risk and decision-making better than those that have already reached the surface. In order for organizations and the market at large to understand how intelligence from these areas of the Internet can actually be made effective, we need to debunk some myths and explain what the Deep & Dark Web really is.
Myth 1: The Deep Web and the Dark Web are One and the Same
As more organizations recognize the importance of gaining visibility beyond the open web, many may assume that the Deep Web and the Dark Web are the same thing. Here’s how they differ:
● The Deep Web refers to the broad swath of the Internet that traditional search engines cannot access. In addition to housing vast amounts of mundane — and often benign — data, the Deep Web is also home to password-protected forums, chat services like Internet Relay Chat (IRC), file sharing and P2P technologies such as BitTorrent, and the entirety of the Dark Web.
● The Dark Web is a subcomponent of the Deep Web that is only accessible to users who have installed specialized browsing software, such as Tor or I2P. Many forums, websites, and marketplaces on the Dark Web offer highly-anonymized environments for those seeking to conduct malicious activities and purchase illicit goods and services.
The Deep Web is to the Dark Web what a rectangle is to a square. In other words, while a Dark Web forum is also technically a Deep Web forum, the converse is not true. Semantics aside, it’s crucial to be able to distinguish between the two — especially when it comes to threat intelligence, which I will discuss next.
Myth 2: The Dark Web is “More Malicious” than the Deep Web
A common misunderstanding among the threat intelligence community and the general public alike is the perception that what occurs within the Dark Web is far more malicious than what occurs within the Deep Web. All it takes is a quick Google search to reveal a plethora of fear-inducing headlines and threatening imagery surrounding the Dark Web. And yet, the Deep Web is seldom referred to as more than the section of the Internet in which the Dark Web exists. For example:
● The Dark Web represents the furthest, most dangerous corners of the Deep Web
● The Dark Web is home to the utmost elite cybercriminal forums
The problem is that although the Dark Web does facilitate many types of malicious activity, so do many sections of the Deep Web. When organizations remain fixated on the Dark Web, they may overlook the fact that, for example, many of the most elite forums and communication channels frequented by some of the most dangerous criminals are housed within sections of the Deep Web that exist outside of the Dark Web.
Myth 3: The Dark Web is more difficult to access than the Deep Web
While organizations may assume that accessibility poses a substantial barrier for those seeking to reach the Dark Web, that is not typically the case. It’s crucial to recognize that virtually anyone with an Internet connection can download Tor or I2P to access the Dark Web. Under most circumstances — and security risks aside — simply accessing many of the sites, marketplaces, and message boards within the Dark Web is fairly straightforward.
However, although no special software is required to enter the most elite Deep Web forums that exist outside the Dark Web — these can typically be reached via a normal web browser as long as the user knows the correct URL and login credentials — the process is rarely easy. Gaining entry to many of these invite-only and/or password-protected forums can be extremely challenging and typically requires users to first establish respectable reputations and build trusting relationships with forum users and administrators. Even among those with extensive experience and subject matter expertise, gaining entry to the utmost elite Deep Web forums can take months or longer to achieve.
Myth 4: Dark Web Intelligence is more valuable than Deep Web Intelligence
In most cases, the value of true, relevant intelligence from the Deep & Dark Web is rarely overstated. Such intelligence has become essential for safeguarding critical assets, proactively addressing cyber and physical threats, and mitigating risk. But sometimes, this reality can be clouded by the circulation of statements that overemphasize the value and capabilities of intelligence derived from Dark Web sources. For example:
● The Dark Web is an untapped source for actionable threat intelligence
● Data from the Dark Web is the ultimate key to an effective threat intelligence program
● Threat intelligence from the Dark Web provides full visibility into the threat landscape
Not only do these sentiments hyperbolize the value of intelligence derived from Dark Web sources while understating the value of their Deep Web counterparts, they fail to address the fact that many cybercriminals operate within both the Deep Web and the Dark Web. This means that organizations without visibility into both regions may be unaware of crucial details and context surrounding certain actors, vulnerabilities, and threats.
As a hypothetical example, let’s say that a hospital database containing the medical records of thousands of patients is posted for sale on Alphabay, a well-known Dark Web marketplace. Shortly thereafter, the threat actor who accessed, stole, and offered the database for sale then heads over to an elite Deep Web forum to converse with other like-minded threat actors about the common vulnerability that enabled him to compromise the database.
Since the hospital’s threat intelligence team had been monitoring various Dark Web sites including Alphabay, they were aware of the database compromise and offered sale. However, since the team lacked visibility into the aforementioned Deep Web forum and thus the threat actor’s subsequent discussion, they remained unaware of the critical vulnerability that led to the compromise of thousands of patients’ medical records.
Regardless of an organization’s threat intelligence strategy, capabilities, or consumption, all can agree that “blind spots” pertaining to malicious actors, threats, or vulnerabilities can be detrimental. Unfortunately, myths and misleading claims in the market for threat intelligence offerings pertaining to the Deep & Dark Web continue to make it increasingly difficult for organizations to decipher the true extent to which many of these offerings can help reveal these blind spots. Above all else, organizations should recognize that safeguarding critical assets, proactively addressing cyber and physical threats, and assessing and mitigating risk accurately and effectively requires comprehensive visibility into both the Deep and the Dark Web.