Use Cases: Dark Web
The Dark Web module extends the Bolster Web module by detecting potential threats from anonymous sites. These sites include marketplaces, forums, and paste sites used for selling sensitive information.
The following diagram illustrates a typical approach for using the Dark Web module to mitigate most use cases.
Basic use cases for the Dark Web module include:
- Compromised accounts
- Stolen credit cards
- Executive monitoring (doxing)
- Phishing kits
- Leaked source code
Compromised Accounts on the Dark Web
When threat actors steal account credentials, they often advertise them on the Dark Web. At first they typically post only a sample of the data to prove its value and offer the rest for sale. After several months, the entire data set is likely to be circulating freely.
You can use the Bolster Dark Web module to detect compromised accounts that surface on the Dark Web sites monitored by Bolster.
Step 1: Add Search Terms
To catch mentions of compromised accounts, search Breach Data For Sale postings for your email domain.
Click Submit to start your new search.
Step 2: Confirm Search Results
Your search launches immediately after you submit it. Once it is done, you can review the Active Findings list to confirm that you are identifying the intended information.
You can use a filter to quickly show only the findings related to the search you created in step 1.
Click Apply to confirm that your search is netting the results you intended.
Click an entry to review the sensitive information detected.
Step 3: Create a Playbook
Once you confirm that the information is of interest, you can create a playbook under Automation to automatically route information from this search on a regular basis.
A well-formed playbook will filter out the noise and irrelevant findings, leaving the primary findings to focus on.
In this case, the playbook might:
- include results from the last 2 days
- show emails that include your email domain
- collect the results of the search you created
- send a CSV to the configured Slack channel every Monday
Match the window to the delivery cadence for any playbook on this page: a 2-day window delivered once a week reports only what was posted over the weekend, so either widen the window to 7 days for a weekly send or deliver the CSV daily.
Stolen Credit Cards on the Dark Web
Credit card issuers can get ahead of card fraud by monitoring the Dark Web for card numbers offered for sale, so that affected cards can be blocked and reissued before they are used.
Step 1: Add Search Terms
A financial institution wanting to detect stolen credit cards being sold on the Dark Web would focus search terms on the bank identification number (BIN). These leading digits of a card number (the first six, or the first eight under the current ISO/IEC 7812 numbering) identify the issuing institution. A bare digit prefix also matches order numbers, phone numbers, and other unrelated digit strings, so expect to confirm the results in step 2.
Click Submit to start your new search.
Step 2: Confirm Search Results
Your search launches immediately after you submit it. Once it is done, you can review the Active Findings list to confirm that you are identifying the intended information.
You can use a filter to quickly show only the findings related to the search you created in step 1.
Click Apply to confirm that your search is netting the results you intended.
Click an entry to view the sensitive information detected.
Step 3: Create a Playbook
Once you confirm that the information is of interest, you can create a playbook to automatically route information from this search on a regular basis.
A well-formed playbook will filter out the noise and irrelevant findings, leaving the primary findings to focus on.
In this case, the playbook might:
- include results from the last 2 days
- show credit card numbers that start with your BIN
- collect the results of the search you created
- send a CSV to the configured Slack channel every Monday
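The filters the two playbooks above apply (a date window, an email-domain match, a BIN match, and a CSV for Slack), as an added offline example; this is not Bolster code, and the finding records, their field names (id, source, posted_at, body) and the fixed reference time are constructed for illustration. It also adds three checks a practitioner would want that the page does not state: the domain comparison is anchored on the whole domain rather than a substring, card candidates must pass the Luhn checksum, and card numbers are masked to the first six and last four digits before they go into the CSV.

```python
"""Offline model of the playbook filters from the Compromised Accounts and
Stolen Credit Cards use cases. Added example, not Bolster code: Bolster's
playbook applies filters like these in its UI. The findings below are
constructed sample data in a hypothetical shape, not Bolster's schema."""
import csv
import io
import re
from datetime import datetime, timedelta, timezone

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digit runs, optionally separated by spaces or dashes, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Fixed reference time so the constructed data evaluates reproducibly.
NOW = datetime(2024, 5, 7, 12, 0, tzinfo=timezone.utc)

# Constructed findings; card numbers are the public Visa/Mastercard test numbers.
SAMPLE_FINDINGS = [
    {"id": "f1", "source": "forum", "posted_at": "2024-05-06T10:00:00Z",
     "body": "combo list: alice@example.com:Passw0rd bob@example.com.au:hunter2"},
    {"id": "f2", "source": "market", "posted_at": "2024-05-01T09:30:00Z",
     "body": "old dump carol@example.com:letmein"},  # outside the 2-day window
    {"id": "f3", "source": "paste", "posted_at": "2024-05-07T08:15:00Z",
     "body": "fullz 4111 1111 1111 1111 exp 12/26 cvv 123, 4111111111111112"},
    {"id": "f4", "source": "paste", "posted_at": "2024-05-07T08:20:00Z",
     "body": "unrelated: dave@notexample.com and card 5555555555554444"},
]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real PAN passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def in_window(posted_at: str, now: datetime, days: int) -> bool:
    """'Include results from the last N days', measured back from now."""
    ts = datetime.fromisoformat(posted_at.replace("Z", "+00:00"))
    return now - timedelta(days=days) <= ts <= now

def emails_for_domain(text: str, domain: str) -> list[str]:
    """Addresses whose domain part equals domain exactly. A substring test
    would also accept bob@example.com.au and dave@notexample.com."""
    domain = domain.lower()
    return sorted({e for e in EMAIL_RE.findall(text)
                   if e.lower().rsplit("@", 1)[1] == domain})

def cards_for_bin(text: str, bin_prefix: str) -> list[str]:
    """Digit runs that start with the BIN and pass the Luhn check."""
    found = set()
    for m in PAN_RE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group(0))
        if pan.startswith(bin_prefix) and luhn_ok(pan):
            found.add(pan)
    return sorted(found)

def mask_pan(pan: str) -> str:
    """First six and last four only; a CSV posted to Slack must not carry full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def run_playbook(findings, *, now, days, email_domain=None, card_bin=None):
    """Apply the window and content filters; one row per matched item."""
    rows = []
    for f in findings:
        if not in_window(f["posted_at"], now, days):
            continue
        hits = []
        if email_domain:
            hits += [("email", e) for e in emails_for_domain(f["body"], email_domain)]
        if card_bin:
            hits += [("card", mask_pan(p)) for p in cards_for_bin(f["body"], card_bin)]
        for kind, value in hits:
            rows.append({"finding_id": f["id"], "source": f["source"],
                         "posted_at": f["posted_at"], "type": kind, "value": value})
    return rows

def to_csv(rows) -> str:
    """The CSV body a playbook would hand to the Slack integration."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["finding_id", "source", "posted_at", "type", "value"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    report = run_playbook(SAMPLE_FINDINGS, now=NOW, days=2,
                          email_domain="example.com", card_bin="411111")
    print(to_csv(report))
```

Run directly to print the CSV: of the four constructed findings, f2 falls outside the window, the .com.au and notexample.com addresses fail the exact domain match, the second card number in f3 fails Luhn, and the Mastercard number in f4 does not start with the searched BIN, leaving one email row and one masked card row. The same three considerations (exact domain match, checksum, masking) apply when you tune the filters of the playbook in Bolster.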
Executive Monitoring on the Dark Web (Doxing)
C-suite executives are frequent targets of threat actors who collect personal information (home addresses, phone numbers, family details, travel plans) to use against a company, whether for social engineering, extortion, or harassment. Dossiers of this kind are posted on the Dark Web.
You can use the Bolster Dark Web module to detect this information when it surfaces.
Step 1: Add Search Terms
To detect the spread of potentially damaging information about an executive, search terms would target anything on the Dark Web that includes the executive's full name. If the name is common, pair it with the company name to cut down on unrelated matches.
Click Submit to start your new search.
Step 2: Confirm Search Results
Your search launches immediately after you submit it. Once it is done, you can review the Active Findings list to confirm that you are identifying the intended information.
You can use a filter to quickly show only the findings related to the search you created in step 1.
Click Apply to confirm that your search is netting the results you intended.
Click an entry to view the sensitive information detected.
Step 3: Create a Playbook
Once you confirm that the information is of interest, you can create a playbook to automatically route information from this search on a regular basis.
A well-formed playbook will filter out the noise and irrelevant findings, leaving the primary findings to focus on.
In this case, the playbook might:
- include results from the last 7 days
- collect the results of the search you created
- send a CSV to the configured Slack channel every Monday
Phishing Kits on the Dark Web
Phishing kits are offered for sale on the Dark Web to anyone who can reach the posting site. A kit that impersonates your brand shows the pages, lures, and credential-collection flow the next campaign will use, so acquiring and analyzing one lets you anticipate where the next attack will come from; involve legal counsel before purchasing anything from a criminal marketplace.
Step 1: Add Search Terms
Typical search terms to detect phishing kits would focus on postings that include the company name and the term "phish"; sellers also commonly describe kits as a "scam page" or "scampage", so include those terms as well.
Click Submit to start your new search.
Step 2: Confirm Search Results
Your search launches immediately after you submit it. Once it is done, you can review the Active Findings list to confirm that you are identifying the intended information.
You can use a filter to quickly show only the findings related to the search you created in step 1.
Click Apply to confirm that your search is netting the results you intended.
Click an entry to view the sensitive information detected.
Step 3: Create a Playbook
Once you confirm that the information is of interest, you can create a playbook to automatically route information from this search on a regular basis.
A well-formed playbook will filter out the noise and irrelevant findings, leaving the primary findings to focus on.
In this case, the playbook might:
- include results from the last 2 days
- collect the results of the search you created
- send a CSV to the configured Slack channel every Monday
Leaked Source Code on the Dark Web
Source code leaks are a form of intellectual property (IP) leak, and leaked code usually carries more than IP: hard-coded credentials, API keys, internal hostnames, and unpatched vulnerabilities that attackers can mine directly.
Step 1: Add Search Terms
Search terms for leaked source code might start with the company and/or product name. Internal repository or module names, and distinctive strings from your copyright headers or build scripts, make good additional terms because they rarely appear outside your own code.
Click Submit to start your new search.
Step 2: Confirm Search Results
Your search launches immediately after you submit it. Once it is done, you can review the Active Findings list to confirm that you are identifying the intended information.
You can use a filter to quickly show only the findings related to the search you created in step 1.
Click Apply to confirm that your search is netting the results you intended.
Click an entry to view the sensitive information detected.
Step 3: Create a Playbook
Once you confirm that the information is of interest, you can create a playbook to automatically route information from this search on a regular basis.
A well-formed playbook will filter out the noise and irrelevant findings, leaving the primary findings to focus on.
In this case, the playbook might:
- include results from the last 2 days
- collect the results of the search you created
- send a CSV to the configured Slack channel every Monday