Dark Web Monitoring

What is The Dark Web?

The Dark Web is the deliberately hidden part of the Internet, and the natural habitat of hackers and cyber criminals. This ‘dark side’ can only be accessed with specialist knowledge and specific software tools such as Tor (The Onion Router), Riffle, Freenet, and I2P (Invisible Internet Project).

Whenever there is a data breach, the stolen personal data usually ends up on the Dark Web. There are currently over 6.5 billion sets of hacked credentials already posted on the Dark Web, and the number is growing fast.


Only 4% of the Internet is publicly accessible using normal search engines such as Google, Yahoo, or Bing. This is known as the Surface Web.

The other 96% of the Internet is made up of the Deep Web.

Within the Deep Web is a subset made up of Dark Nets.

It is the collection of these Dark Nets that makes up the Dark Web.



Service Overview

To subscribe to the Dark Web Monitoring service, you will be required to register your domain(s) and/or individual email address(es).

These will be added to the Cloud Reputation database, and Network Box will perform a Dark Web analysis to check if your details have been posted.

When the analysis is complete, Network Box will send you a detailed report on any compromised credentials.

After the initial report has been sent, further reports will be delivered as and when additional credentials for the domains being monitored appear on the Dark Web.

Network Box scans only for user credentials; confidential data is not analysed.

For the IT manager

If breaches are discovered, the IT manager will receive an alert detailing the following:

■ Total number of breaches found
■ Number of plaintext/cracked passwords breached
■ Number of hashed passwords breached
■ Number of breaches the domain is affected by
■ List of email addresses breached
■ Breach details of compromised email addresses
■ List of breaches the domain is affected by

Additional notes:

The presence of specific email addresses and passwords in these breaches implies that this information is generally available on the Dark Web.

It is possible that some of these accounts on public websites were not set up by the particular user, but by others. This may be considered a false positive.

The primary concern is that the same passwords used on external systems may also be used on internal systems.

■ If plaintext passwords are breached, that means either the plaintext password was originally released, or hackers have subsequently reversed the hash to find the plaintext password. In either case, the plaintext password is generally available on the Dark Web.

■ If hashed passwords are breached, that means the hashes have not yet been reversed, but may be at some time in the future.

As a matter of policy, and to protect the sensitivity and security of this data, Network Box will not provide plaintext or hashed passwords to anyone except the authenticated and confirmed end-users at the breached email address, as well as authorised Network Box staff. IT managers will not have access to these passwords.

It would be prudent to force a password reset on internal systems for these accounts. In general, PCI-style password policies should also be applied to enforce 90-day (or so) password changes and other good password practices.

Users should be encouraged NOT to use their work email address for non-work-related websites. (It is estimated that about thirty percent of people reuse passwords on multiple sites.)

A secondary concern is that these email addresses and passwords may be used in targeted phishing attacks.

You should consider using this as an opportunity for end-user education concerning such phishing activity (and general Internet trust) – not just for these users, but also for other high-level and high-risk staff.