
Dark Web Monitoring

6 automated security scanners


Purpose: The Insider Threat Monitoring Scanner is designed to detect potential insider threats by monitoring dark web and paste site chatter for indicators of malicious activity related to internal access, data leakage, and other suspicious behaviors. This tool helps organizations identify vulnerabilities that could be exploited by insiders for financial gain or espionage.

What It Detects:

  • Dark Web Chatter: The scanner searches for mentions of the company’s name on dark web forums and message boards where malicious actors might discuss sensitive information.
  • Paste Site Chatter: It also scans publicly accessible paste sites like Pastebin, Justpasteit, and Throwbin for any pastes containing keywords related to internal access or data leakage.
  • Accidental Exposure: The scanner looks for mentions of internal email headers in the text content, which might indicate accidental exposure of sensitive information.

Inputs Required:

  • Domain: The target organization’s domain name (e.g., example.com).
  • Company Name: The legal and commonly used name of the company being monitored.

Business Impact: This scanner is critical for organizations as it helps in identifying potential insiders who could misuse their access to steal valuable data or intellectual property. Early detection can prevent significant financial losses, damage to reputation, and compliance issues.

Risk Levels:

  • Critical: The scanner identifies active discussions of internal access and sensitive data on both dark web and paste sites, indicating a high risk of insider threat.
  • High: There are indications of potential insider threats but no confirmed malicious activity on external forums or pastes.
  • Medium: Some keywords related to internal information are found in the text content, warranting further investigation.
  • Low: No significant findings indicate an active insider threat.
  • Info: Minimal incidental findings that do not pose a direct risk but could be used for informational purposes.

Example Findings:

  1. The scanner detected a Pastebin post discussing “internal access” and “sensitive data leakage,” which triggered a critical alert due to the potential insider threat.
  2. A discussion on a dark web forum about the company’s name was flagged as high risk, indicating that sensitive information might be circulating among malicious actors.


Purpose: The purpose of this scanner is to monitor for dark web and paste site chatter indicating attack planning. It searches through various platforms such as Pastebin, GitHub, and onion sites for keywords related to exploits, vulnerabilities, and malicious activities.

What It Detects:

  • Detection of potential attack planning indicators on Pastebin, GitHub, and onion sites by searching for specific keywords like “exploit”, “vulnerability”, etc.
  • Identification of chatter snippets containing these keywords in their content.
  • Collection of sources and snippets where the keywords are found to provide further context.

Inputs Required:

  • <domain>: The target domain to be scanned.
  • <company_name>: The name of the company associated with the domain, used for search queries.

Business Impact: This scanner is crucial as it helps in identifying potential threats and malicious activities that may indicate an attack planning scenario. By detecting such chatter, organizations can take proactive measures to secure their systems and data, mitigating potential damage from cyber attacks.

Risk Levels:

  • Critical: If the scanner detects a high number of keywords related to exploits or vulnerabilities across multiple platforms in a short period, this indicates a critical severity as it suggests active planning of malicious activities.
  • High: If the scanner finds evidence of attack planning but not at a critical level, such as several instances of keyword usage on different platforms, it is considered high risk.
  • Medium: Moderate risk levels are indicated by scattered instances of keywords or less frequent occurrences across fewer platforms.
  • Low: Informational findings suggest minimal use of keywords or isolated instances that do not necessarily indicate active attack planning but can be monitored for trends.
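The four tiers above amount to a triage rule over keyword hits: how many, on how many platforms, and how tightly clustered in time. The Python below is an added illustration of that rule, not the scanner's own code; the keyword list, the 48-hour window, the hit thresholds and the chatter records are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Keywords the page names plus a couple of common variants; an assumed list, not the scanner's.
KEYWORDS = ("exploit", "vulnerability", "sqli", "zero-day", "0day")
KEYWORD_RE = re.compile(r"\b(" + "|".join(map(re.escape, KEYWORDS)) + r")\b", re.IGNORECASE)

# Constructed sample chatter for illustration: (platform, UTC timestamp, snippet text).
SAMPLE_CHATTER = [
    ("pastebin", "2024-05-01T10:00:00", "example.com login exploit poc, vulnerability in portal"),
    ("github",   "2024-05-01T11:30:00", "exploit for example.com api"),
    ("onion",    "2024-05-01T12:10:00", "anyone tried sqli on example.com?"),
    ("pastebin", "2024-05-02T09:00:00", "example.com zero-day for sale"),
    ("github",   "2024-03-15T08:00:00", "old note: example.com vulnerability report"),
]


def find_hits(chatter, company):
    """Return one record per snippet that names the company and contains at least one keyword."""
    hits = []
    for platform, ts, text in chatter:
        if company.lower() not in text.lower():
            continue  # not about the monitored company
        found = {m.group(1).lower() for m in KEYWORD_RE.finditer(text)}
        if found:
            hits.append({"platform": platform, "time": datetime.fromisoformat(ts),
                         "keywords": sorted(found), "snippet": text})
    return hits


def risk_level(hits, window=timedelta(hours=48), critical_hits=4, high_hits=2):
    """Map hit records onto the page's tiers. Window and thresholds are assumed values."""
    if not hits:
        return "Low"
    platforms = {h["platform"] for h in hits}
    # Size of the busiest window: for each hit, count hits within `window` after it.
    times = sorted(h["time"] for h in hits)
    burst = max(sum(1 for t in times if start <= t < start + window) for start in times)
    if burst >= critical_hits and len(platforms) >= 2:
        return "Critical"   # many hits, several platforms, short period
    if len(hits) >= high_hits and len(platforms) >= 2:
        return "High"       # repeated hits on different platforms, no burst
    if len(hits) >= high_hits:
        return "Medium"     # repeated hits confined to a single platform
    return "Low"            # an isolated mention


if __name__ == "__main__":
    for h in find_hits(SAMPLE_CHATTER, "example.com"):
        print(h["platform"], h["time"].isoformat(), h["keywords"])
    print(risk_level(find_hits(SAMPLE_CHATTER, "example.com")))
```

Feeding the sample chatter through gives Critical: four hits across three platforms fall inside one 48-hour window, while the March note sits outside it.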

Example Findings:

  1. The scanner flagged multiple mentions of “exploit” and “vulnerability” on Pastebin, indicating a potential ongoing attempt to gather information for exploiting known weaknesses in the system.
  2. A mention of “SQLi” on an onion site suggested that reconnaissance was under way on a platform that traditional search engines do not index but that specialized onion-site monitoring can still detect.

Purpose: The IP Monitoring Scanner is designed to identify and alert about potential threats such as source code leaks, product cracking, counterfeiting activities, vulnerabilities, and threat actors by monitoring mentions on the dark web. It leverages advanced technologies like Shodan, VirusTotal, AbuseIPDB, and a hypothetical dark web API to scan for indicators of compromise (IoCs).

What It Detects:

  • Source Code Leaks: Patterns indicating exposed or leaked source code, such as “exposed|leaked|breached”, “unauthorized access”, and “data dump”.
  • Product Cracking: Indicators of malware, ransomware, trojans, command and control (C2) infrastructure, and other activities associated with product cracking.
  • Counterfeiting Activities: Patterns suggesting unauthorized production or replica/imitation products mentioned on the dark web.
  • Vulnerability Exploits: Detection of known vulnerabilities and exploits marked by specific identifiers like CVE numbers and zero-day exploits.
  • Threat Actor Indicators: Identification of potential threat actors or attack vectors, including nation-state actors, advanced persistent threats (APTs), and well-known threat groups like Fancy Bear and Lazarus.

Inputs Required:

  • domain (string): The primary domain to analyze for monitoring purposes.
  • company_name (string): A company name used for searching related statements on the dark web.
  • keyword (string): A specific keyword relevant to the product or service being monitored, which helps in identifying potential threats more accurately.

Business Impact: This scanner is crucial for organizations as it proactively identifies and responds to potential security breaches that could lead to significant financial losses, legal repercussions, and damage to brand reputation. It enables swift action by providing real-time threat intelligence and actionable insights into the vulnerabilities and malicious activities targeting your organization’s assets.

Risk Levels:

  • Critical: Direct exposure of sensitive information or compromise of critical systems that could lead to immediate data breaches or system failures.
  • High: Situations involving unauthorized access attempts, potential product cracking activities, or significant vulnerabilities in the infrastructure that pose a high risk of exploitation.
  • Medium: Vulnerabilities and exploits that are less severe but still represent a medium risk for potential security incidents.
  • Low: Informational findings indicating minor issues such as unintentional exposure of non-sensitive information or minor system misconfigurations, which do not significantly impact the overall security posture.
  • Info: Non-critical findings providing informational insights about general online mentions that are not directly related to specific threats but could be indicative of broader market presence or public discussions.


Example Findings:

  • A source code leak detected on a compromised server mentioned on the dark web, indicating unauthorized access and potential exposure of proprietary information.
  • Malware activity associated with product cracking found in the threat intelligence feeds, suggesting active exploitation attempts to gain unauthorized access or manipulate data.

Purpose: This scanner monitors for dark web and paste site chatter targeting company executives. It searches for specific keywords related to executive positions within a company and checks for any mentions of potential data breaches or unauthorized disclosures.

What It Detects:

  • Dark web chatter mentioning specific executive roles (CEO, CFO, etc.).
  • Potential PII leaks indicated by the presence of personal information such as email addresses, phone numbers, social security numbers, etc.
  • Unauthorized disclosure of sensitive company data through mentions in chat forums or discussion boards on dark websites and paste sites.

Inputs Required:

  • domain: The target domain for which to scan executive roles and potential PII leaks.
  • company_name: The name of the company whose executives are being targeted by the scanner.

Business Impact: Monitoring the dark web and paste sites is crucial as these platforms often host discussions about sensitive information, including data breaches and unauthorized disclosures. This can directly impact a company’s reputation, lead to legal consequences, and potentially expose customers or stakeholders to significant risks.

Risk Levels:

  • Critical: The scanner identifies specific executive roles being discussed in forums where sensitive information could be disclosed.
  • High: There are indications that PII might be at risk due to mentions of potential leaks but no concrete evidence of a breach.
  • Medium: The scanner detects general chatter about the company but does not specifically mention any executive or sensitive data.
  • Low: No significant findings indicating executive role discussions or potential PII leaks are detected.
  • Info: Minimal chatter is observed, and it does not impact executive roles or sensitive information.

Example Findings:

  1. The scanner identified the company’s CEO as a topic of discussion on a dark web forum, raising concerns about possible data exposure.
  2. A mention of potential PII in the company’s database was detected, prompting further investigation into compliance and security measures.

Purpose: The purpose of this scanner is to identify potential vulnerabilities and exposure points in a company’s products by searching for exploit codes, vulnerability disclosures, leaked credentials, and other sensitive information across various dark web gateways, code repositories, and paste sites, and by running search-engine queries that may reveal exposed login pages or instances powered by the company’s products.

What It Detects:

  • Exploit Codes and Vulnerabilities: The scanner searches for evidence of exploits and vulnerabilities related to the company’s products on GitHub and GitLab repositories.
  • Leaked Credentials: Sensitive information such as passwords, admin credentials, and configuration details are sought on paste sites like Pastebin and others.
  • Product Exposure Points: Potential exposure points in the product are identified through search engine queries that target login pages or instances powered by the company’s products.

Inputs Required:

  • Domain: The main website domain of the company for targeted searches.
  • Company Name: The official name of the company to be used in search queries.
  • Product Names (Comma Separated): Specific product names or keywords related to the company’s offerings that are searched for across various online platforms.

Business Impact: This scanner is crucial as it helps in identifying potential security risks and weaknesses before they can be exploited by malicious actors. It ensures that sensitive information remains protected and enhances overall cybersecurity posture by uncovering hidden vulnerabilities and exposure points.

Risk Levels:

  • Critical: The scanner identifies critical issues such as undisclosed vulnerabilities leading to remote code execution or unauthorized data access.
  • High: High-risk findings include known exploits being actively searched for, which could lead to significant security breaches if not addressed promptly.
  • Medium: Medium severity includes the discovery of sensitive information that might be used in phishing attacks or other forms of social engineering if leaked further.
  • Low: Low and informational severity findings are typically related to minor exposure points that can be mitigated through standard security practices but do not pose immediate threats.

Example Findings:

  1. A critical vulnerability was identified in the company’s flagship product, which could lead to remote code execution if exploited by attackers.
  2. Sensitive information such as passwords and configuration details were found on a paste site, indicating potential insider threats or data leakage risks.



Purpose: The purpose of this scanner is to monitor for exposed corporate credentials, documents, and data across various online platforms such as public paste sites, GitHub repositories, and dark web gateways. It aims to identify potential vulnerabilities that could compromise sensitive information related to the company’s operations.

What It Detects:

  • Exposed Credentials: This scanner detects instances where corporate credentials are publicly exposed on platforms like Pastebin, Justpaste, and throwbin. These include passwords, API keys, and other sensitive authentication details.
  • Internal Documents: The scanner searches for internal company documents that may be leaked or accessible via public repositories on GitHub and GitLab. These documents can range from confidential reports to proprietary software code.
  • Data Leaks: By scanning the dark web, this tool identifies potential data leaks related to the company’s operations, including customer data, financial information, and other PII (Personally Identifiable Information).

Inputs Required:

  • Domain: The target domain for which the security posture is being assessed.
  • Company Name: The name of the company whose sensitive information is at risk through various online platforms.

Business Impact: This scanner’s findings are critical to maintaining the confidentiality, integrity, and availability of sensitive corporate data. Unauthorized exposure of such information can lead to significant financial losses, legal repercussions, and damage to the company’s reputation.

Risk Levels:

  • Critical: Findings that directly compromise high-value assets or intellectual property without any prior warning.
  • High: Significant vulnerabilities that could be exploited by malicious actors to gain unauthorized access to sensitive information.
  • Medium: Vulnerabilities that pose a moderate risk but require immediate attention to mitigate potential threats.
  • Low: Informational findings that do not directly impact security but are still relevant for continuous improvement and best-practice adherence.

Example Findings:

  1. A password stored in plain text on a public Pastebin post poses a significant threat as it can be easily accessed by anyone with the right tools or knowledge.
  2. An internal document repository hosted on GitHub was found to be publicly accessible, potentially exposing confidential company reports and strategic plans.