You have probably heard of the term ‘Dark Web’ before. It was likely discussed in the context of illegal underground trading, narcotics, human trafficking, political extremism or criminal cyber-activity. It is known as the proverbial seedy underbelly of the Internet and conjures images of a covert network of nefarious activity.
While the Dark Web has certainly been pathologised, it has also become increasingly corporatised, with the sale of exploits and corporate data at its core. Yes, it poses a risk for enterprise security, but is also a useful resource for cybersecurity professionals…
In order to discuss the Dark Web (also referred to as the dark net), it is important to first outline where it sits within the Internet as a whole:
The Surface or Clear Web
Most of us use the surface web in our day to day tasks, with a host of online retailers and businesses held on this part of the Internet. These sites are easily accessible via a multitude of popular search engines and browsers, and there is no need to enter a password or be vetted prior to accessing these sites.
The Deep Web
While the deep web is sometimes likened to or mistaken for the dark web, that is certainly not the case. The two are often confused for one another because they are not indexed and, in most cases, some sort of authentication is required. But unlike the dark web, deep websites are part of a majority of people’s daily tasks; things like school library databases are intentionally blocked by web crawlers because they cannot be accessed by just anyone. Other examples include:
- Internal company or educational institution’s intranet systems.
- Password protected personal accounts, such as social media, banking, or email accounts.
- Timed test sites – for online certifications or schooling.
The Dark Web
This is typically considered the innermost subset of the deep web, however, it is inaccessible via common browsers. In order to access the dark web, you need a special browser, such as Tor – ‘The Onion Router.’ Tor essentially reroutes page requests and makes the user’s IP address untraceable and unidentifiable.
Due to its widespread use and popularity for accessing this part of the Internet, Tor has become fairly synonymous with the dark web – but there are other browsers from which one is able to gain access, such as I2P – the ‘Invisible Internet Project.’
The Dark Web is often spun as a catch-all phrase for a massive, wholly criminal part of the Internet, but is this really the case?
Yes… and no. It is important to note that Tor and I2P are not illegal software and the Dark Web is not blatantly illegal to browse. While a majority of the activity on the dark net is – for lack of a better word, dark – it is also home to a lot of non-criminal activity. People find a sense of community there, and connect over fairly benign things, such as recipe sharing, while others use it because they are living under an oppressive regime that censors the open Internet or are hostile towards specific ways of life.
Some speculate that the dark web is a massive part of the internet, but ideas about its size are fairly skewed due to a vast amount of sensationalised misinformation spread on the surface web. According to one website, the dark web makes up about 5% of the total internet and the domain estimates are around 7000 to 30,000. Another puts estimates at around 8400 live sites out of over 55000 domains. 
Part of the reason it is so difficult to quantify and analyse is because of its fleeting and ever-changing nature, however, this is also due to difficulty with access. Within cybercriminal networks, one must prove that they are a) not law enforcement or researchers and b) veritable hackers who can hold their own.
Interestingly, in the wake of a some of the biggest dark net take downs, remaining live sites have increased their security and offer increasingly corporatised, ‘reliable’ services – hoping not to lose customers or their reputation. 
Dark Web Concerns for Information Security
On that note, there is a plethora of illicit material to be found, and moreover, a myriad of tools and services that present a great risk to enterprise security. Drugs, fraudulent documents such as fake passports or birth certificates, social security numbers, weapons and weapon grade chemicals, hacked government data, fake luxury items and murder-for-hire can all be found on the dark net. In recent years skimmer devices that grab bank or credit card data have been fairly sought after.
What is more concerning for information security is the prolific amount of readily available malicious code, Ransomware-as-a-Service (RaaS), DDos-as-a-Service, (DDoSaaS) or hacking ‘for hire.’ There is a multitude of technically savvy people selling their intellect as part of larger exploits and the Dark Web is the perfect place to connect these skilled individuals with others that have the motivation to put these skills towards ill-intended purposes.
Monitoring the Dark Web
When an organisation is targeted with ransomware or another security breach, stolen information – whether that be usernames, passwords, contact information, geographical location, government documents and so on – typically ends up on dark web marketplaces. From January to June 2020, ransomware attacks rose by over 150% compared to the previous 6 months, and with this massive increase in stolen data, it is essential that both individuals and enterprises find ways to monitor their data on this seemingly ungovernable part of the web. 
The website ‘Have I Been Pwned?’ is a useful tool that individuals can use to keep track of if their data has been breached and moreover if it has ended up on a dark web marketplace. Users enter their email and are given a list of breaches their data was involved in and what kinds of information was exposed. There is also a comprehensive list of ‘who’s been Pwned’:
While RaaS, DDoSaaS and other vulnerability exploits posted on the dark web pose a significant risk for infosec, this part of the Internet can also be a great tool in combating threat. While accessing the dark web and passing vetting processes might be difficult for the average lay person, cybersecurity experts have the knowledge and skills to navigate this rather chaotic environment and show that they have the skills needed to access certain groups.
From there they are able to gain situational awareness, monitor threat and get insight on what criminals are targeting. In this way, the dark net acts as a valuable source of contextualised threat intel, and allows for a proactive and well-informed approach to combating emerging threat.