Diving into the dark web is inevitable when you start talking about cybersecurity. We’ll get real with you: There’s a lot of intense stuff out there.
Of course, beyond a certain vague fearmongering, the majority of people can’t offer any actual facts about the dark web. The term “dark web” doesn’t mean dark as in evil—it means dark as in unindexed. In other words, it’s made up of websites and internet services that search engines like Google don’t index. For example, Google and other mainstream search engines can’t track VPNs. They’re encrypted so unauthorized personnel can’t see what’s being transferred across them. When you work from home, or you transfer files from one of your organization’s locations to another, all of that traffic isn’t indexed and made searchable on the wider internet. There’s a whole lot going on that we’re totally in the dark about—because it’s invisible to Google.
First stop: The internet’s black market
TOR, free software for anonymous communication, is a pseudo-anonymous encrypted network that can be used as part of masking yourself online—so nobody can see what you’re browsing. It’s basically the black market of the internet, the Knockturn Alley for all you Harry Potter fans out there.
It’s also possible to host websites and other internet services on TOR, as well as consume them. In short, TOR is sort of an “internet within the internet,” where entering and exiting offers some limited degree of anonymization, but not enough to keep the spooks at bay. The Invisible Internet Project (I2P) is a separate, very similar, and reasonably well-known project. I2P will protect your identity in situations where your privacy would be compromised on the public internet.
Beyond TOR and I2P are an unlimited and ever-changing number of darknets. They’re easy enough to set up—you and some friends can roll your own with WASTE, an encrypted collaboration tool that’s secure enough to share whatever you like with whoever you like. If you want to get creative, you can set up WASTE nets within TOR and really make whatever you’re doing slow and inefficient. It’s up to you.
This ability—setting up darknets and even hiding them within other darknets—means that nobody will ever know exactly what’s on the internet. If someone wants to hide what they’re doing, they can. Of course, it only takes one slip to reveal you’re up to something. Once the all-seeing eye of the world’s spy agencies is upon you, no article stating “facts about the dark web” will hide you.
The black market online is reflective of the black market offline. The only difference is that offline, you need to spend a lot more time and take a reasonable number of physical security risks in order to find the really outrageous underground markets.
The darker side of the dark web
I want to impress exactly how diverse the dark web really is.
On the dark web, credit cards will be traded. Criminals and the curious will learn how to hack into IT systems, including ones that you run. Tools and software will be traded that will assist in attacking your network. When someone breaches your network—and they will—anything they steal will be sold on the dark web. ITDMs can’t defend themselves by hiring hackers to “hack the hackers back,” which is both illegal and completely futile. Salvation’s also pretty hard to find in hiring researchers to troll dark web forums looking for the next big attack; there are security companies that do that for you. Invest in them.
The IT risks that an organization will encounter from the dark web are the same as those that will be encountered from anywhere else. The existence and proliferation of the dark web doesn’t change how people can access networks. All that it does is provide them a means of communication wherein it is possible to minimize the risks of law enforcement listening in.
Those looking for facts about the dark web in order to defend themselves are looking for a magic rock that keeps away tigers. Instead, what we need is a better approach to IT security—one that focuses not on better walls to keep the bad guys at bay, but on better detection of when the defences are breached, and better incident response.
The current industry movement towards isolation-based security is creating the sort of defences we need to answer today’s IT threats. Technologies such as containerization can allow for automated characterization and profiling of individual workloads and their communications traffic. This can feed into next-generation compromise detection that relies heavily on big data analytics, machine learning and artificial intelligence. In turn, this information can help feed both classic filter and list technologies as well as modern automated incident response solutions.
These are the security technologies of the future. Some of them are available today, in relatively early form, but the fact that none of these are magical solutions must be reiterated. No security software, no product will ever take the place of business practice alterations and regular external audits by qualified consultants.
Fears about the dark web are ultimately fears that the bad guys—both state sanctioned and not—know more than we do. Additionally, attackers only need to find one flaw to compromise a network, while defenders need to defend against literally everything in order to stay compromise-free.
Attackers know more than we do. They always will. All of our networks will be compromised. Accept this and move on. If you can’t keep the bad guys out, focus on knowing when they’ve gotten in and on having a (hopefully automated) plan for what to do when they compromise you.
That’s the real lesson of the dark web. Nothing learned there will help keep our networks safe, nor are there magic solutions to the IT security risks they pose. The solution to dark web IT nightmares is to invest in technologies and services that know what normal looks like, detect the unexpected, and then do something about it.
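The "know what normal looks like, detect the unexpected, then act" loop described above (and the per-workload profiling mentioned earlier) boiled down to a minimal detector, as an added example that is not from the original article: it learns each workload's normal destinations from a constructed set of baseline flow records, scores new flows against that profile, and attaches an automated response step. The workload names, addresses and the internal address range are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed baseline flow records: (workload, dst_ip, dst_port, proto).
# In practice these would come from container network telemetry.
BASELINE_FLOWS = [
    ("web-frontend", "10.0.1.20", 5432, "tcp"),
    ("web-frontend", "10.0.1.21", 5432, "tcp"),
    ("web-frontend", "10.0.2.5", 6379, "tcp"),
    ("batch-worker", "10.0.1.20", 5432, "tcp"),
    ("batch-worker", "10.0.9.9", 443, "tcp"),
]

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space

# Assumed response playbook keyed by severity (illustrative, not a real product).
RESPONSE = {
    "medium": "open ticket, keep watching",
    "high": "isolate workload, snapshot for forensics",
}

def build_profile(flows):
    """Learn, per workload, the (destination /24, port, proto) triples it normally uses."""
    profile = defaultdict(set)
    for workload, dst_ip, port, proto in flows:
        net = str(ip_network(f"{dst_ip}/24", strict=False))
        profile[workload].add((net, port, proto))
    return dict(profile)

def score_flow(profile, workload, dst_ip, port, proto):
    """Return (severity, reason): 'ok' if the flow matches the learned profile,
    'medium' for a new internal destination, 'high' for a new external one."""
    known = profile.get(workload, set())
    net = str(ip_network(f"{dst_ip}/24", strict=False))
    if (net, port, proto) in known:
        return "ok", "matches learned profile"
    if ip_address(dst_ip) not in INTERNAL:
        return "high", f"{workload}: new external destination {dst_ip}:{port}/{proto}"
    return "medium", f"{workload}: new internal destination {dst_ip}:{port}/{proto}"

def detect(profile, flows):
    """Score new flows and return alerts, each paired with its automated response step."""
    alerts = []
    for workload, dst_ip, port, proto in flows:
        severity, reason = score_flow(profile, workload, dst_ip, port, proto)
        if severity != "ok":
            alerts.append({"severity": severity, "reason": reason, "response": RESPONSE[severity]})
    return alerts
```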