Cyber skills for sale: what leaders can learn from the dark web


The dark web is not only home to illegal drug and weapons marketplaces, although those are certainly out there. It is also becoming a crucial recruitment platform for cybercriminal gangs.

As the infrastructure behind ransomware-as-a-service becomes more professional and sophisticated, the dark web – unregistered websites accessible only through encrypted technologies like the Tor network – is a key space to understand how cyberattackers operate. For businesses, it can provide valuable insights into how criminal gangs target white-collar IT professionals and why they succeed.

What is the Dark Web and Who Uses It?

There is a lot of mystification surrounding the so-called dark web. The name conjures up images of 90s hacker aesthetics and Mr. Robot-style cyberpunk worlds. But in reality, the dark web simply refers to a private, usually encrypted network that is not visible on the public internet that most of us use every day. It usually requires some knowledge, such as how to connect to and navigate the Tor network, to access it.

Despite the ominous name and murky reputation, not all dark web deals are shady. “There are a huge number of people who are active there for perfectly legitimate reasons,” says Mark Frankel, who teaches a course on the dark web for The London Interdisciplinary School. Users might be political dissidents in countries facing repression, for example, or they might have a need to circumvent online censorship.

Others’ needs may be more prosaic. Some users may have recently been evicted from their homes without a permanent address, so they can’t get their drugs through the usual legal channels. Others may need to protect their anonymity for a variety of reasons, Frankel adds: “Dark web users may be people who have had previous run-ins with the authorities. They’re perfectly legitimate, but they still prefer to operate in a more secretive environment.” Many simply don’t want to be tracked on the open web, as the rest of us are every day.

How Cybercriminals Use the Dark Web

But there are those who use the dark web for criminal purposes. Perhaps the most notorious are the dark web marketplaces, such as the now-closed Silk Road and Hydra Market, where users were able to freely trade in illegal goods.

An increasingly lucrative revenue stream beneath the drugs, weapons and counterfeit goods is cybercrime. Dark web markets, even after international law enforcement crackdowns, were set to be worth $1.7bn (£1.3bn) in 2023. Given that most individual ransomware payments totalled over $1m (£760,000), it’s fair to assume that cybercrime represents a fairly large portion of the dark web’s market value.

These marketplaces allow users to pay for attacks “as-a-service” – where the technical expertise to carry out the attack is outsourced. Buyers can pay for criminals to launch ransomware or Distributed Denial-of-Service (DDoS) attacks, or to target individuals for their passwords or for other fraudulent purposes.


Services offered to buyers on a dark web marketplace

The dark web is not only a place to recruit new customers in the underworld, it is also a place to learn, as cybercriminals use dark web forums to discuss new tactics and developments in malware.

Criminals have been caught debating which large language models are best for executing phishing attempts and which are better suited for coding malware. Etay Maor, chief security strategist at security platform Cato Networks, says attackers can be found on Russian-language forums discussing WormGPT, which they claim is the first generative AI-powered malware, despite the fact that it turned out to be functionally useless.

On these forums, the dark web has become a new recruiting platform for people with machine learning skills, introducing a new competitor in the search for people with these highly sought-after capabilities. This has left companies, looking for people with the skills needed to master emerging technologies like GenAI, competing with cybercriminals for the same talent.

The Cybercrime Skills Shortage

For many legitimate security professionals, their jobs are increasingly thankless. A recent report from defense think tank RUSI found that cybersecurity workers are often blamed when things go wrong, and that in the event of an attack, they have reported long hours, fatigue and even PTSD-like symptoms afterwards. With legitimate infosec professionals reporting burnout and poor job prospects, some are turning to dark web forums to find work, according to cyber industry group CIISec.

“We’ve seen several groups, including the notorious ransomware gang Lockbit, looking for people,” Maor adds. “They’re listing the technical capabilities they’re looking for on dark web forums and Telegram channels.” What’s even more worrying is that these potential recruits aren’t necessarily trading legitimate jobs for illicit ones—they’re doing both at the same time. “We’ve seen insiders advertising the access they have, including at major telecoms,” Maor continues.

“Ultimately, people have to feed themselves,” he says. “When there are conflicts in the world like Russia-Ukraine, people lose their jobs. You see people come up and say, ‘I can do X or I was an employee of company Y,’ and they get recruited.”

How Business Leaders Can Use the Dark Web

There are many ways that corporate executives can use the dark web to improve their operations. Marketers can use it to gain valuable information about what counterfeits of their products look like, while CISOs can gain insights from discussions about emerging threat models.

For businesses curious about the methods criminals use to subvert existing software or exploit vulnerabilities to attack companies, discussions on the dark web can provide a clue. Maor cites the example of the LockBit cybercriminal group, which repurposed a free tool from cybersecurity firm Kaspersky to disable Windows Defender antivirus software on its victims’ machines.

Frankel argues that HR managers at legitimate organizations can find highly educated, innovative and technical talent on the dark web, just as the FBI and CIA regularly scour black-hat hacker events for cyber talent.

Insider Threats and Beyond: Lessons on People and Process

The key lesson for IT leaders is to look at their own people and processes.

Cyber threats like ransomware are not going away. While organizations can scour the dark web for signs of a potential attack, it is nearly impossible to monitor every potential source.

Understanding the prevalence of dark web access brokers, many of which automate the discovery of vulnerabilities in corporate networks, should encourage cyber leaders to not only secure their own perimeter, but also to monitor business partners and secure their entire supply chain.

Given the increase in security professionals who also perform criminal work, organizations would be wise to implement zero-trust access management policies so that individuals only have access to what they need to do their jobs. “The weakest link is usually people, from insider threats to an employee clicking on a malicious link to someone gaining a foothold in your company’s internal networks,” said Mantas Sasnauskas, head of security research at Comparitech.

That means ensuring that security is embraced at every level of the organization, while also ensuring that data handling policies comply with security frameworks like NIST and ISO 27001. “As a great meme points out, hackers don’t care about your policies,” says Sasnauskas. “So you need to consider whether your policies and procedures are actually working.”

Companies also need to learn to treat their employees well. The fact that employees in cyber increasingly feel undervalued, overworked, underpaid and burned out should be cause for concern. Companies that treat their employees better are also more resilient, according to recent research.

While the dark web may seem inaccessible to those running a legitimate business, we can learn important lessons from these digital dark spaces.
