Increasingly businesses are monitoring the darknet for clues that their company and customer data is being exposed. But it’s no easy task.
Last week, The Guardian reported that Australians’ Medicare numbers were being offered for sale on a darknet marketplace for the equivalent of $30 in Bitcoins each.
Human Services minister Alan Tudge said the data’s availability was likely the result of “traditional criminal activity” as opposed to a hack, implying that it was being accessed using a legitimate login to a health system.

The government has now commissioned a review of the Health Professionals Online Services (HPOS) system – a suspected source – and referred the ‘Medicare Machine’ service to the Australian Federal Police for investigation.

For the government, the Guardian-revealed darknet listing was the first indication that they had a potential insider leaking citizen information online.

The insider threat is often considered the Achilles’ heel of a company’s security posture. And the rise of hidden marketplaces makes it easier than ever for those rogue employees to gain financially from their malicious activity.

Shine a light

James Nunn Price, cyber risk leader for Deloitte in the Asia Pacific region, recounts an incident involving one of the consultancy giant’s European clients, a large energy company.

“We do monitoring for them and we were able to pick up on a dark web market that one of their systems administrators was selling their remote access VPN logging details – because they disagreed with the policy of fracking,” he said.

“And they were looking to sell that on a dark web for someone to come in and, you know, destroy their systems or their organisation because they disagreed, ethically, with what they were doing. I'm not sure the ethics of what they were trying to do!”

Once the listing was detected and relayed to the organisation, the company was able to pinpoint the perpetrator.

“It does happen,” Nunn Price says.

It’s horror stories like this that are prompting more and more businesses to monitor the darknet.

“Organisations can do this themselves. Very large organisations sometimes have their own threat analysts that have the technical capability and tradecraft to be able to perform this type of work,” says Gartner research vice president Craig Lawson, who is soon publishing a market guide for threat intelligence services.

Others subscribe to portals “that allow for searching and investigations of this content without having to access it” or engage third party threat analysts “who can provide tailored information”, Lawson adds.

While some organisations take a DIY approach to scouring marketplaces, the work is resource heavy and potentially risky, says Anthony Vaccaro, senior information security analyst with AusCERT, which is engaged by a number of companies to monitor the darknet on their behalf.

“Some organisations are checking the darknet for information leaks. A lot of organisations don't have the resources – generally time, although some knowledge is required – to keep an eye on darknet activity,” Vaccaro explains. “There are varying levels of risk depending on the areas and sites you access.”

While accessing darknet sites is initially straightforward, maintaining anonymity can become quite complex. Tor-based markets are also subject to deanonymisation attacks, and connections to Internet Relay Chat servers – which are occasionally used to communicate with sellers – would also need to go through a proxy or some other means of masking the originating address.

“If you don't have the necessary skills to maintain this level of operational security it may be better to leave it to a service provider,” Vaccaro adds.

Deloitte offers darknet monitoring from its global Cyber Intelligence Centre and has done so for around five years. Interest in the service has spiked in Australia in the last 18 months, Nunn Price says.

Darker corners

Keeping track of global darknet marketplaces is intensive work. While automation is used to scour the illicit marketplaces, a lot of manual effort goes in too. Even the darknet has darker corners; Deloitte has a team of analysts working to infiltrate these hidden, hidden marketplaces.

“They will go into some of these sites and take part in chat channels and forums, around the periphery – we don't actually partake in any illegal activity. What you find is that there are circles of trust,” says Nunn Price.

“What is important is that we want our analysts to get trusted enough to get invited. Then they can kind of lurk on it – they don’t post to it – sitting there, reading what others are posting.”

It can be tough work for the analysts. It is not only data that is on sale: as well as being a ‘shopping mall of drugs’, the darknet hosts disturbing content too.

“Unfortunately our analysts come across a lot of shocking and illegal content,” says Nunn Price. “On some of these forums you can get a lot of pornography, you can get a lot of extreme content. And that’s something we have to protect our analysts from. We try to automate as much as possible, but it’s still a manual process at the end of the day.”

It’s also a 24-hour job. Things are “appearing and disappearing” on the darknet all the time, says Nunn Price.

Unmapped and intricate

Even with targeted monitoring of marketplaces, finding leaked data on the darknet is difficult.

Regarding the ‘Medicare Machine’ story, Tudge claimed last week that “investigations into activities on the dark web occur continually”.

“The darknet is a large, unmapped and intricate space, and although AusCERT and other companies do track a lot of activity, it's virtually impossible to see everything that's going on,” Vaccaro explains.

Nevertheless, darknet monitoring services are potentially hugely valuable, and a proactive way of identifying insider threats. They provide a mitigation against the huge risk of customer data, intellectual property and company funds being leaked, not to mention the reputational damage and regulatory fines that could follow.

The problem is not going away and the incentives to act as an insider are growing. Research from RedOwl and IntSights, published in February, noted a rise in appeals from hackers on the darknet, seeking to employ insiders.

“In one instance, a hacker solicited bank insiders to plant malware directly onto the bank’s network,” the report said. The researchers found that one hacker offered to pay the insider “seven figures on a weekly basis” for access to a bank’s computer.

“To any CIOs or CISOs, I would say: What is the cost of breached data to your organisation? What would be the impact if your customer data was exposed? What is the damage that can be done if staff accounts are compromised?” Vaccaro says. “If you understand the impact, then you can evaluate whether the cost of such services balances against the benefits of a monitoring service.”