Many companies underestimate the risk of information about them circulating in the hidden part of the internet. The darknet is not a mystical place, but rather a sealed-off area that can only be accessed using special software and often serves as a trading hub for stolen data and illegal services. When companies appear there, they often only find out once damage has already been done. However, there are clear ways to keep track of things and identify early on whether your own company is affected.
To find out whether their own company is mentioned, companies tend to use specialized dark web monitoring services. These services automatically scan parts of the darknet for company names, email addresses, or other unique identifiers. Since the darknet is not indexed like the regular internet, such monitoring cannot guarantee complete coverage. Nevertheless, it provides valuable information about potential risks. If a hit is detected, a notification is sent before the published information can be used for attacks.
Although your company can also conduct manual searches on the darknet, these searches are often not as comprehensive as those performed by commercial providers.
Barriers to research
To conduct research on the darknet, you need sources. In this case, the places where cybercriminals like to hang out. With a little online research, you can quickly find various forums, marketplaces, leak blogs from ransomware groups, chat groups, and other websites on the darknet.
However, the next hurdle is access to these platforms. Understandably, criminals do not want everyone to be able to browse their sites. These sites therefore often have restricted access. In concrete terms, this means that in order to access a forum, you may first have to prove that you have had an account on another forum for several years. As an alternative, you are often offered the option of paying a one-time “admission fee” in cryptocurrency. However, whether access is actually granted after that certainly varies from case to case. In any case, there is no guarantee – you should always bear in mind that you are dealing with criminals.
Once you have overcome the hurdle of access restrictions, the next step is to know what you are looking for. Depending on the type of website, criminals use different names, spellings, or descriptions. For example, access data for a specific domain (e.g., “vpn.example.org”) may be offered for sale. Sometimes, leak blogs that publish stolen company data from ransomware attacks also contain the full company name or parts of it, or even abbreviations of the company. In darknet forums, the company in question is sometimes only described in general terms. For example, access to a manufacturing company from Germany with an annual turnover of €85 million may be offered. This makes it difficult to find your own company.
Clear processes for handling darknet findings
In order for the findings from darknet research to deliver real added value, the company must also have clear processes in place for emergencies. As soon as a clue emerges, it should be determined who will be informed, what measures will be taken, and how extensive the internal analyses need to be. Everything must be carefully planned, from changing compromised passwords to checking affected systems and preparing public communications. A quick and coordinated response is crucial to limiting damage.