Dark Web Monitoring and Data Integrity

By Tammy Harper, Senior Threat Intelligence Researcher at Flare

When people think about dark web monitoring, they often focus on the Confidentiality and Availability components of the CIA triad. Confidentiality directly maps to data protection and privacy initiatives, while Availability maps to digital and cyber resilience objectives. However, as more organizations adopt data analytics, they need to ensure data’s integrity. 

At its core, data integrity relies on the following fundamental principles of ALCOA+:

• Attributable: data traceability and accountability 
• Legible: readability and understandability
• Contemporaneous: data recording occurring at the time of an actual event
• Original: deduplication to reduce discrepancies
• Accurate: preciseness and truthfulness to prevent errors 
• Complete: full data context without gaps or missing information

At a high level, these issues may not seem related to data theft or compromised security. As organizations store their data in the cloud, they need to consider the data integrity risks arising from those activities and where dark web monitoring can help mitigate them. 

Data Integrity Challenges in a Multi-Cloud Environment

In many ways, the data integrity challenges that you face parallel your security and data exfiltration concerns. 

Unauthorized Access to Cloud Databases

A malicious actor who gains unauthorized access to your cloud databases not only has the opportunity to exfiltrate data but can also make unauthorized modifications to the data. 

For example, if hacktivists want to undermine research, making unauthorized modifications to a database containing medical trial data can impact long-term healthcare goals. In this case, the unauthorized modifications could impact several fundamental ALCOA+ principles, including:

• Attributable: Unauthorized data modifications mean you can no longer appropriately trace data to its source. 
• Legible: Ransomware attacks can encrypt stored data and make it unusable. 
• Contemporaneous: Changes made after initial recordation no longer occur at the same time as the event. 
• Accurate: Unauthorized modifications mean you are unable to prove preciseness and truthfulness. 
• Complete: Unauthorized data deletion can leave you without data’s full context. 

Software Supply Chain Compromise

According to recent research, the global cost of software supply chain attacks to businesses will reach nearly $138 billion by 2031. For organizations whose developers use cloud resources, like GitHub, the potential compromise risks are two fold:

• Unauthorized changes to source code by gaining access to a programmer’s GitHub credentials
• Hardcoded environment secrets that can include database credentials, third-party service API keys, or cloud platform credentials

If malicious actors can gain unauthorized access to your GitHub, they can make changes to the source code that undermine your application security efforts, like removing data validation mechanisms to create a backdoor vulnerability. Meanwhile, if they gain unauthorized access to an API key, they can undermine data integrity at the database level. 

If attackers use hardcoded secrets, data’s integrity is impacted similarly to potential database access and unauthorized modifications. In addition, unauthorized modifications to source code could impact several fundamental ALCOA+ principles, including:

• Attributable: You no longer know which developer updated source code. 
• Accurate: Unauthorized source code changes can lead to inaccuracies that impact your application’s security, like changing data flows to create vulnerabilities.

Compromised Data Pipeline Tools

Your data pipelines tools transmit data from relational databases and Software-as-a-Service (SaaS) applications using a push mechanism, API call, or replication engine. 

These pipelines act as the foundation for your data analytics so unauthorized modifications can have far reaching impacts. Malicious actors can be competitors or hacktivists who seek to disrupt your organization’s forecasting capabilities. Equally concerning, if you use data pipelines for security data, access to these can undermine your security analytics. 

While similar to the impacts arising from unauthorized database modifications, compromised pipeline tools can impact data integrity across the ALCOA+ principles as follows:

• Legible: Malicious actors with unauthorized access to data pipeline tools could impact data transformation, undermining your schema mapping and making it unusable. 
• Accurate: Unauthorized modifications to data streaming or batched in pipelines can create errors. 
• Complete: Unauthorized deletions of data sources or datasets can create gaps, leading to inaccurate and unreliable analytics models. 

How Dark Web Monitoring Improves Data Integrity

Dark web monitoring helps you identify the data leaks – including from GitHub repositories – that can undermine your data’s integrity. 

Identify compromised credentials

By scanning the dark, deep, and clear webs as well as illicit Telegram channels, you can proactively identify leaked or stolen account credentials. Employees often use their corporate email accounts on external websites without you realizing it. 

When you identify compromised credentials, you can take proactive steps to mitigate unauthorized data access and modification risks, like changing passwords for potentially stolen databases, GitHub, or data pipeline tool accounts. 

Identify infected devices

Stealer malware enables malicious actors to impersonate victims and engage in account takeovers or distribute ransomware. Infostealer malware sold on the dark web and through illitic Telegram channels often includes information like:

• Unique credentials
• Financial data
• Cookies to bypass multi-factor authentication (MFA)

By monitoring for infected devices, you can take a proactive approach to data integrity. First, by identifying infected devices, you can mitigate unauthorized data access and modification risks. Second, you reduce the risk that attackers will deploy a ransomware attack that makes data unusable. 

Detect targeted threats

Corporate espionage and hacktivism may target a specific company’s data, not just to steal it but to undermine its integrity. For example, over the last few years, attackers have disproportionately targeted the critical infrastructure of NATO countries. While disrupting operations may be one reason, nation-state espionage and hacktivism would be others. In these situations, identifying dark web mentions of your organization’s name or assets can protect data integrity.

Threat Intelligence Is Critical

While threat intelligence collection and monitoring may be time consuming, using automated solutions can help you integrate dark web monitoring more cost-efficiently. As your external attack surface continues to expand across the digital landscape, you need to incorporate dark web monitoring as part of your overarching data integrity and governance objectives to augment your cybersecurity program. 

---

Disclosure: This article mentions a client of an Espacio portfolio company.