
Dark Web Monitoring is a detection tool – meaning it can give you the ability to contain possible damage before a cyberattack happens.
What a password on the dark web means
The rest of the story
When Bryley has proposed its Dark Web Monitoring service to clients, one thing that shows up a lot is old passwords that haven’t been used in years.
On the surface that may feel like a relief, but that’s not the whole story.
That old password in the report comes associated with a company email address. If that address is active, criminals have the start of a dossier — and accumulating the information to build dossiers is a function well-suited to expanding AI criminal tools.
Here’s a common path for a leaked credential pair: Most people reuse passwords [1]. With a live email address and a password, bots test those credentials across thousands of sites — banks, credit card accounts, cloud email accounts, social media. Multifactor authentication (MFA) can block many of the attempts. But MFA doesn’t negate the value of the email address itself. It’s the beginnings of a dossier. And the start of the more targeted kinds of attacks that follow.
AI tools can also scrape information from an organization’s website, from social media and from general data broker sites that aggregate personal information. The AI can then stitch together what it finds with the original email address and password. The result is a profile detailed enough to support vishing (voice phishing — has the phone number related to the email address been published to the web somewhere?) or targeted email phishing that impersonates actual vendors, colleagues or family members.
One thing to keep in mind about criminal operations: many mirror legitimate structures. So while your sales team nurtures prospects, criminals target their lists of dossiers and patiently — drip drip drip — reach out, looking for a hit. But that’s the end of the analogy, because these are just organized conmen.
Fundamental defenses that are worth it
So Bryley recommends MFA on all accounts – prioritizing email and financial systems. Bryley recommends you not use email or texting as the second factor in MFA — those communications can be compromised relatively easily. By contrast a physical security key or authenticator app usually means an attacker has to physically take the device, in addition to having obtained stolen credentials – and the compromise of both of these forms of security is not likely.
Enforcing unique and strong passwords (at least 15 hard-to-guess characters) per site limits the reuse problem.
Employee security awareness training about credential exposure helps staff recognize phishing, vishing and Business Email Compromise (BEC) attempts, and helps your employees be a stronger line of defense.
Dark web monitoring searches for your organization’s email addresses in underground criminal internet activity. If one of your employees’ email addresses shows up in a database, you and/or your assigned admin are alerted so that steps can be taken to change what’s affected by the leaked credentials – for the purposes of trying to block criminal abuse.
Why watch the dark web?
The dark web is anonymous and allows the criminals’ actions to be untraceable. It is the chief online home for criminal activity. Stolen credentials are shared on forums and sold in marketplaces. In these virtual places ransomware is available as a subscription: a criminal licenses a ransomware variant and can send it in phishing campaigns or include it on websites controlled by the criminal.
You don’t want your organization’s data on the dark web. Dark web monitoring helps give early warning if it is there, so you can act.
Every employee counts
Your company president’s account carries significant account permissions — if the president’s credentials are on the dark web, that’s a problem. But Jim in shipping, if his credentials are compromised – that’s a problem, too.
Both of these people may face sustained phishing and vishing attempts. Both may be subject to BEC: it can take the form of the spoofed president emailing accounting to pay a fraudulent invoice, or a faked supplier sending Jim new banking instructions ahead of a scheduled payment.
An employee’s password has been found – now what?
Reset the password for the exposed account. Find out if that password was reused on other accounts; reset those too. Review recent account activity for signs of unauthorized access – a trained IT professional, like those at Bryley, can help you assess these. Notify the affected employee – they need to know they’re likely targets, be able to recognize the probable attack forms and have strategies to respond.
Then find out what that leaked account can access. Email credentials may give access to shared drives, financial platforms, project management tools or HR. Figure out where the employee either logs in with the email credentials or where those credentials function as a recovery option.
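The response steps above, sketched as a triage pass over a monitoring alert list. This is an added example, not Bryley's tooling: the record fields (`active`, `pw_changed`, `mfa`, `recovery_for`), the sample data and the action wording are constructed assumptions.

```python
from datetime import date

# Constructed sample data: a monitoring alert list and a directory export.
ALERTS = [
    {"email": "president@example.com", "leak_date": date(2024, 3, 1)},
    {"email": "jim@example.com", "leak_date": date(2019, 6, 10)},
    {"email": "former.employee@example.com", "leak_date": date(2018, 1, 5)},
]
DIRECTORY = {
    "president@example.com": {"active": True, "pw_changed": date(2023, 11, 2),
                              "mfa": "sms", "recovery_for": ["bank portal"]},
    "jim@example.com": {"active": True, "pw_changed": date(2022, 4, 18),
                        "mfa": "authenticator_app", "recovery_for": []},
    "former.employee@example.com": {"active": False, "pw_changed": date(2017, 9, 1),
                                    "mfa": None, "recovery_for": []},
}
WEAK_SECOND_FACTORS = {None, "sms", "email"}  # factors the article advises against


def triage(alert, directory):
    """Return the ordered follow-up actions for one exposed address."""
    account = directory.get(alert["email"])
    if account is None or not account["active"]:
        # Assumed handling for addresses that are no longer live.
        return ["confirm the address stays disabled"]
    actions = []
    # Password unchanged since the leak: the exposed secret may still work.
    if account["pw_changed"] <= alert["leak_date"]:
        actions.append("reset password and review recent sign-in activity")
    else:
        # Old password, live address: reuse elsewhere is still possible.
        actions.append("check for reuse of the old password on other accounts")
    if account["mfa"] in WEAK_SECOND_FACTORS:
        actions.append("move MFA to an authenticator app or security key")
    for system in account["recovery_for"]:
        actions.append(f"review {system}: this address is its recovery option")
    # Any active exposed address is a phishing/vishing/BEC target.
    actions.append("notify the employee about likely phishing, vishing and BEC")
    return actions


def triage_all(alerts=ALERTS, directory=DIRECTORY):
    return {a["email"]: triage(a, directory) for a in alerts}


if __name__ == "__main__":
    for email, actions in triage_all().items():
        print(email, *actions, sep="\n  - ")
```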
Why Bryley
But dark web monitoring is not just the exploratory tools. When a dark web alert happens, organizations generally need someone who can show what the alert means and guide them about what to do next.
Bryley has been securing New England businesses since 1987. In the cases where Bryley is managing IT, with dark web alerts we also bring knowledge of those organizations’ infrastructure, users and systems’ weaknesses. With that kind of background Bryley can cut right to containment of any potential damage – dark web monitoring is a powerful tool in a managed IT partnership.
So contact your Bryley representative, or if you don’t have one, contact Roy Pacitto via email or phone him at 978•562•6077 x217.
[1] www.securitymagazine.com/articles/100765-78-of-people-use-the-same-password-across-multiple-accounts






