dfi.kaspersky.com
93.159.228.40
Public Scan
Submitted URL: https://ml.kaspersky.com/ODAyLUlKTi0yNDAAAAGTFTKTCaz_ZLdwqtM1nNNGxEhk_7kkjZ9TevcLYA3-eaOrAKhwGpGEeJbGfe3jlY25i3C9_hg=
Effective URL: https://dfi.kaspersky.com/blog/dark-web-threats-response-guideline?mkt_tok=ODAyLUlKTi0yNDAAAAGTFTKTCYAews4DcMZ_qUFfQy3gAAQ...
Submission: On May 14 via api from BE — Scanned from DE
Form analysis
2 forms found in the DOM

<form class="black mktoForm mktoHasWidth mktoLayoutLeft" id="mktoForm_26516" novalidate="novalidate" data-captcha="true">
<style type="text/css">
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton {
color: #fff;
border: 1px solid #75ae4c;
padding: 0.4em 1em;
font-size: 1em;
background-color: #99c47c;
background-image: -webkit-gradient(linear, left top, left bottom, from(#99c47c), to(#75ae4c));
background-image: -webkit-linear-gradient(top, #99c47c, #75ae4c);
background-image: -moz-linear-gradient(top, #99c47c, #75ae4c);
background-image: linear-gradient(to bottom, #99c47c, #75ae4c);
}
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton:hover {
border: 1px solid #447f19;
}
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton:focus {
outline: none;
border: 1px solid #447f19;
}
.mktoForm .mktoButtonWrap.mktoSimple .mktoButton:active {
background-color: #75ae4c;
background-image: -webkit-gradient(linear, left top, left bottom, from(#75ae4c), to(#99c47c));
background-image: -webkit-linear-gradient(top, #75ae4c, #99c47c);
background-image: -moz-linear-gradient(top, #75ae4c, #99c47c);
background-image: linear-gradient(to bottom, #75ae4c, #99c47c);
}
</style>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol">
<div class="mktoFieldWrap mktoRequiredField"><label for="FirstName" id="LblFirstName" class="mktoLabel mktoHasWidth">
<div class="mktoAsterix">*</div>
</label><input id="FirstName" name="FirstName" placeholder="First Name" maxlength="255" aria-labelledby="LblFirstName InstructFirstName" type="text" class="mktoField mktoTextField mktoHasWidth mktoRequired" aria-required="true"><span
id="InstructFirstName" tabindex="-1" class="mktoInstruction"></span></div>
</div>
</div>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol">
<div class="mktoFieldWrap mktoRequiredField"><label for="LastName" id="LblLastName" class="mktoLabel mktoHasWidth">
<div class="mktoAsterix">*</div>
</label><input id="LastName" name="LastName" placeholder="Last Name" maxlength="255" aria-labelledby="LblLastName InstructLastName" type="text" class="mktoField mktoTextField mktoHasWidth mktoRequired" aria-required="true"><span
id="InstructLastName" tabindex="-1" class="mktoInstruction"></span></div>
</div>
</div>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol">
<div class="mktoFieldWrap mktoRequiredField"><label for="Title" id="LblTitle" class="mktoLabel mktoHasWidth">
<div class="mktoAsterix">*</div>
</label><input id="Title" name="Title" placeholder="Job Title" maxlength="255" aria-labelledby="LblTitle InstructTitle" type="text" class="mktoField mktoTextField mktoHasWidth mktoRequired" aria-required="true"><span id="InstructTitle"
tabindex="-1" class="mktoInstruction"></span></div>
</div>
</div>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol">
<div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth">
<div class="mktoAsterix">*</div>
</label><input id="Email" name="Email" placeholder="Business Email" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email" class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true"><span id="InstructEmail"
tabindex="-1" class="mktoInstruction"></span></div>
</div>
</div>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol">
<div class="mktoFieldWrap mktoRequiredField"><label for="Company" id="LblCompany" class="mktoLabel mktoHasWidth">
<div class="mktoAsterix">*</div>
</label><input id="Company" name="Company" placeholder="Company" maxlength="255" aria-labelledby="LblCompany InstructCompany" type="text" class="mktoField mktoTextField mktoHasWidth mktoRequired" aria-required="true"><span
id="InstructCompany" tabindex="-1" class="mktoInstruction"></span></div>
</div>
</div>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol">
<div class="mktoFieldWrap mktoRequiredField"><label for="Country" id="LblCountry" class="mktoLabel mktoHasWidth">
<div class="mktoAsterix">*</div>
</label><select id="Country" name="Country" aria-labelledby="LblCountry InstructCountry" class="mktoField mktoHasWidth mktoRequired mktoSelectPlaceholder" aria-required="true">
<option value="">Country</option>
<option value="Abkhazia">Abkhazia</option>
<option value="Afghanistan">Afghanistan</option>
<option value="Aland Islands">Aland Islands</option>
<option value="Albania">Albania</option>
<option value="Algeria">Algeria</option>
<option value="American Samoa">American Samoa</option>
<option value="Andorra">Andorra</option>
<option value="Angola">Angola</option>
<option value="Anguilla">Anguilla</option>
<option value="Antarctica">Antarctica</option>
<option value="Antigua and Barbuda">Antigua and Barbuda</option>
<option value="Argentina">Argentina</option>
<option value="Armenia">Armenia</option>
<option value="Aruba">Aruba</option>
<option value="Australia">Australia</option>
<option value="Austria">Austria</option>
<option value="Azerbaijan">Azerbaijan</option>
<option value="Bahamas">Bahamas</option>
<option value="Bahrain">Bahrain</option>
<option value="Bangladesh">Bangladesh</option>
<option value="Barbados">Barbados</option>
<option value="Belarus">Belarus</option>
<option value="Belgium">Belgium</option>
<option value="Belize">Belize</option>
<option value="Benin">Benin</option>
<option value="Bermuda">Bermuda</option>
<option value="Bhutan">Bhutan</option>
<option value="Bolivia">Bolivia</option>
<option value="Bonaire, Sint Eustatius and Saba">Bonaire, Sint Eustatius and Saba</option>
<option value="Bosnia and Herzegovina">Bosnia and Herzegovina</option>
<option value="Botswana">Botswana</option>
<option value="Bouvet Island">Bouvet Island</option>
<option value="Brazil">Brazil</option>
<option value="British Indian Ocean Territories">British Indian Ocean Territories</option>
<option value="British Virgin Islands">British Virgin Islands</option>
<option value="Brunei Darussalam">Brunei Darussalam</option>
<option value="Bulgaria">Bulgaria</option>
<option value="Burkina Faso">Burkina Faso</option>
<option value="Burundi">Burundi</option>
<option value="Cambodia">Cambodia</option>
<option value="Cameroon">Cameroon</option>
<option value="Canada">Canada</option>
<option value="Cape Verde">Cape Verde</option>
<option value="Cayman Islands">Cayman Islands</option>
<option value="Central African Republic">Central African Republic</option>
<option value="Chad">Chad</option>
<option value="Chile">Chile</option>
<option value="China">China</option>
<option value="Christmas Island">Christmas Island</option>
<option value="Cocos (Keeling) Islands">Cocos (Keeling) Islands</option>
<option value="Colombia">Colombia</option>
<option value="Comoros">Comoros</option>
<option value="Congo (DRC)">Congo (DRC)</option>
<option value="Congo (Republic of)">Congo (Republic of)</option>
<option value="Cook Islands">Cook Islands</option>
<option value="Costa Rica">Costa Rica</option>
<option value="Cote D'Ivoire">Cote D'Ivoire</option>
<option value="Croatia">Croatia</option>
<option value="Cuba">Cuba</option>
<option value="Curacao">Curacao</option>
<option value="Cyprus">Cyprus</option>
<option value="Czech Republic">Czech Republic</option>
<option value="Denmark">Denmark</option>
<option value="Djibouti">Djibouti</option>
<option value="Dominica">Dominica</option>
<option value="Dominican Republic">Dominican Republic</option>
<option value="Ecuador">Ecuador</option>
<option value="Egypt">Egypt</option>
<option value="El Salvador">El Salvador</option>
<option value="Equatorial Guinea">Equatorial Guinea</option>
<option value="Eritrea">Eritrea</option>
<option value="Estonia">Estonia</option>
<option value="Eswatini">Eswatini</option>
<option value="Ethiopia">Ethiopia</option>
<option value="Falkland Islands">Falkland Islands</option>
<option value="Faroe Islands">Faroe Islands</option>
<option value="Fiji">Fiji</option>
<option value="Finland">Finland</option>
<option value="France">France</option>
<option value="France, Metropolitan">France, Metropolitan</option>
<option value="French Guiana">French Guiana</option>
<option value="French Polynesia">French Polynesia</option>
<option value="French Southern Territories">French Southern Territories</option>
<option value="Gabon">Gabon</option>
<option value="Gambia">Gambia</option>
<option value="Georgia">Georgia</option>
<option value="Germany">Germany</option>
<option value="Ghana">Ghana</option>
<option value="Gibraltar">Gibraltar</option>
<option value="Greece">Greece</option>
<option value="Greenland">Greenland</option>
<option value="Grenada">Grenada</option>
<option value="Guadeloupe">Guadeloupe</option>
<option value="Guam">Guam</option>
<option value="Guatemala">Guatemala</option>
<option value="Guernsey">Guernsey</option>
<option value="Guinea">Guinea</option>
<option value="Guinea-Bissau">Guinea-Bissau</option>
<option value="Guyana">Guyana</option>
<option value="Haiti">Haiti</option>
<option value="Heard Island And Mcdonald Islands">Heard Island And Mcdonald Islands</option>
<option value="Honduras">Honduras</option>
<option value="Hong Kong">Hong Kong</option>
<option value="Hungary">Hungary</option>
<option value="Iceland">Iceland</option>
<option value="India">India</option>
<option value="Indonesia">Indonesia</option>
<option value="Iran">Iran</option>
<option value="Iraq">Iraq</option>
<option value="Ireland">Ireland</option>
<option value="Isle of Man">Isle of Man</option>
<option value="Israel">Israel</option>
<option value="Italy">Italy</option>
<option value="Jamaica">Jamaica</option>
<option value="Japan">Japan</option>
<option value="Jersey">Jersey</option>
<option value="Jordan">Jordan</option>
<option value="Kazakhstan">Kazakhstan</option>
<option value="KDPR">KDPR</option>
<option value="Kenya">Kenya</option>
<option value="Kiribati">Kiribati</option>
<option value="Korea">Korea</option>
<option value="Kosovo">Kosovo</option>
<option value="Kuwait">Kuwait</option>
<option value="Kyrgyzstan">Kyrgyzstan</option>
<option value="Lao Peoples Democratic Republic">Lao Peoples Democratic Republic</option>
<option value="Latvia">Latvia</option>
<option value="Lebanon">Lebanon</option>
<option value="Lesotho">Lesotho</option>
<option value="Liberia">Liberia</option>
<option value="Libya">Libya</option>
<option value="Liechtenstein">Liechtenstein</option>
<option value="Lithuania">Lithuania</option>
<option value="Luxembourg">Luxembourg</option>
<option value="Macau">Macau</option>
<option value="Madagascar">Madagascar</option>
<option value="Malawi">Malawi</option>
<option value="Malaysia">Malaysia</option>
<option value="Maldives">Maldives</option>
<option value="Mali">Mali</option>
<option value="Malta">Malta</option>
<option value="Marshall Islands">Marshall Islands</option>
<option value="Martinique">Martinique</option>
<option value="Mauritania">Mauritania</option>
<option value="Mauritius">Mauritius</option>
<option value="Mayotte">Mayotte</option>
<option value="Mexico">Mexico</option>
<option value="Micronesia">Micronesia</option>
<option value="Moldova">Moldova</option>
<option value="Monaco">Monaco</option>
<option value="Mongolia">Mongolia</option>
<option value="Montenegro">Montenegro</option>
<option value="Montserrat">Montserrat</option>
<option value="Morocco">Morocco</option>
<option value="Mozambique">Mozambique</option>
<option value="Myanmar">Myanmar</option>
<option value="Namibia">Namibia</option>
<option value="Nauru">Nauru</option>
<option value="Nepal">Nepal</option>
<option value="Netherlands">Netherlands</option>
<option value="Netherlands Antilles">Netherlands Antilles</option>
<option value="New Caledonia">New Caledonia</option>
<option value="New Zealand">New Zealand</option>
<option value="Nicaragua">Nicaragua</option>
<option value="Niger">Niger</option>
<option value="Nigeria">Nigeria</option>
<option value="Niue">Niue</option>
<option value="Norfolk Island">Norfolk Island</option>
<option value="North Macedonia">North Macedonia</option>
<option value="Northern Mariana Islands">Northern Mariana Islands</option>
<option value="Norway">Norway</option>
<option value="Oman">Oman</option>
<option value="Pakistan">Pakistan</option>
<option value="Palau">Palau</option>
<option value="Palestinian Authority">Palestinian Authority</option>
<option value="Panama">Panama</option>
<option value="Papua New Guinea">Papua New Guinea</option>
<option value="Paraguay">Paraguay</option>
<option value="Peru">Peru</option>
<option value="Philippines">Philippines</option>
<option value="Pitcairn">Pitcairn</option>
<option value="Poland">Poland</option>
<option value="Portugal">Portugal</option>
<option value="Puerto Rico">Puerto Rico</option>
<option value="Qatar">Qatar</option>
<option value="Reunion">Reunion</option>
<option value="Romania">Romania</option>
<option value="Russian Federation">Russian Federation</option>
<option value="Rwanda">Rwanda</option>
<option value="Saint Barthelemy">Saint Barthelemy</option>
<option value="Saint Helena">Saint Helena</option>
<option value="Saint Kitts and Nevis">Saint Kitts and Nevis</option>
<option value="Saint Lucia">Saint Lucia</option>
<option value="Saint Martin (French part)">Saint Martin (French part)</option>
<option value="Saint Pierre and Miquelon">Saint Pierre and Miquelon</option>
<option value="Saint Vincent and The Grenadines">Saint Vincent and The Grenadines</option>
<option value="Samoa">Samoa</option>
<option value="San Marino">San Marino</option>
<option value="Sao Tome and Principe">Sao Tome and Principe</option>
<option value="Saudi Arabia">Saudi Arabia</option>
<option value="Senegal">Senegal</option>
<option value="Serbia">Serbia</option>
<option value="Seychelles">Seychelles</option>
<option value="Sierra Leone">Sierra Leone</option>
<option value="Singapore">Singapore</option>
<option value="Sint Maarten (Dutch part)">Sint Maarten (Dutch part)</option>
<option value="Slovakia">Slovakia</option>
<option value="Slovenia">Slovenia</option>
<option value="Solomon Islands">Solomon Islands</option>
<option value="Somalia">Somalia</option>
<option value="South Africa">South Africa</option>
<option value="South Georgia and Sandwich Islands">South Georgia and Sandwich Islands</option>
<option value="South Ossetia">South Ossetia</option>
<option value="South Sudan">South Sudan</option>
<option value="Spain">Spain</option>
<option value="Sri Lanka">Sri Lanka</option>
<option value="Sudan">Sudan</option>
<option value="Suriname">Suriname</option>
<option value="Svalbard and Jan Mayen">Svalbard and Jan Mayen</option>
<option value="Sweden">Sweden</option>
<option value="Switzerland">Switzerland</option>
<option value="Syria">Syria</option>
<option value="Taiwan">Taiwan</option>
<option value="Tajikistan">Tajikistan</option>
<option value="Tanzania">Tanzania</option>
<option value="Thailand">Thailand</option>
<option value="Timor-Leste">Timor-Leste</option>
<option value="Togo">Togo</option>
<option value="Tokelau">Tokelau</option>
<option value="Tonga">Tonga</option>
<option value="Trinidad and Tobago">Trinidad and Tobago</option>
<option value="Tunisia">Tunisia</option>
<option value="Turkey">Turkey</option>
<option value="Turkmenistan">Turkmenistan</option>
<option value="Turks and Caicos Islands">Turks and Caicos Islands</option>
<option value="Tuvalu">Tuvalu</option>
<option value="Uganda">Uganda</option>
<option value="Ukraine">Ukraine</option>
<option value="United Arab Emirates">United Arab Emirates</option>
<option value="United Kingdom">United Kingdom</option>
<option value="United States Minor Outlying Islands">United States Minor Outlying Islands</option>
<option value="United States of America">United States of America</option>
<option value="United States Virgin Islands">United States Virgin Islands</option>
<option value="Uruguay">Uruguay</option>
<option value="Uzbekistan">Uzbekistan</option>
<option value="Vanuatu">Vanuatu</option>
<option value="Vatican City State">Vatican City State</option>
<option value="Venezuela">Venezuela</option>
<option value="Viet Nam">Viet Nam</option>
<option value="Wallis And Futuna Islands">Wallis And Futuna Islands</option>
<option value="Western Sahara">Western Sahara</option>
<option value="Yemen">Yemen</option>
<option value="Zambia">Zambia</option>
<option value="Zimbabwe">Zimbabwe</option>
</select><span id="InstructCountry" tabindex="-1" class="mktoInstruction"></span></div>
</div>
</div>
<div class="mktoFormRow">
<div class="mktoPlaceholder mktoPlaceholderState"></div>
</div>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol">
<div class="mktoFieldWrap mktoRequiredField"><label for="Phone" id="LblPhone" class="mktoLabel mktoHasWidth">
<div class="mktoAsterix">*</div>
</label><input id="Phone" name="Phone" placeholder="Phone Number" maxlength="255" aria-labelledby="LblPhone InstructPhone" type="tel" class="mktoField mktoTelField mktoHasWidth mktoRequired" aria-required="true"><span id="InstructPhone"
tabindex="-1" class="mktoInstruction"></span></div>
</div>
</div>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol">
<div class="mktoFieldWrap mktoRequiredField"><label for="Nodes__c" id="LblNodes__c" class="mktoLabel mktoHasWidth">
<div class="mktoAsterix">*</div>
</label><input id="Nodes__c" name="Nodes__c" placeholder="Number of workstation" maxlength="2000" aria-labelledby="LblNodes__c InstructNodes__c" type="number" class="mktoField mktoNumberField mktoHasWidth mktoRequired" min="" max="" step=""
aria-required="true"><span id="InstructNodes__c" tabindex="-1" class="mktoInstruction"></span></div>
</div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Campaign_Source" class="mktoField mktoFieldDescriptor mktoFormCol" value=""></div>
<div class="mktoFormRow"><input type="hidden" name="Campaign_Medium" class="mktoField mktoFieldDescriptor mktoFormCol" value=""></div>
<div class="mktoFormRow mktoFlexRow">
<div class="mktoFieldDescriptor mktoFormCol">
<div class="mktoFieldWrap mktoRequiredField"><label for="subscriptionSingleOptIn" id="LblsubscriptionSingleOptIn" class="mktoLabel mktoHasWidth">
<div class="mktoAsterix">*</div>
</label>
<div class="mktoLogicalField mktoCheckboxList mktoHasWidth mktoRequired"><input name="subscriptionSingleOptIn" id="subscriptionSingleOptIn" type="checkbox" value="yes" aria-required="true"
aria-labelledby="LblsubscriptionSingleOptIn InstructsubscriptionSingleOptIn" class="mktoField"><label for="subscriptionSingleOptIn" id="LblsubscriptionSingleOptIn"></label></div><span id="InstructsubscriptionSingleOptIn" tabindex="-1"
class="mktoInstruction"></span>
</div>
</div>
<div class="mktoFormCol">
<div class="mktoFieldWrap">
<div class="mktoHtmlText mktoHasWidth">
<p><em>I agree to provide my contact information to Kaspersky (first name, last name, email address, phone, country postal code) to be contacted by Kaspersky sales representatives by phone for a personalized offer that could be based, in
particular, on geography and company size information provided; to receive information via email about Kaspersky products and services including promotional offers, product updates and premium assets like white papers, webcasts, videos,
events; to participate in surveys to vocalize opinion on various aspects of Kaspersky business, in particular, about products, and technical support. I understand that I can withdraw this consent at any time via unsubscribe link from
email or via </em><a href="https://www.kaspersky.com/web-privacy-policy"><em>Privacy Policy</em></a></p>
</div>
</div>
</div>
</div>
<div class="mktoFormRow"><input type="hidden" name="subscriptionTextVersion" class="mktoField mktoFieldDescriptor mktoFormCol" value="3"></div>
<div class="mktoFormRow"><input type="hidden" name="utm_campaign" class="mktoField mktoFieldDescriptor mktoFormCol" value=""></div>
<div class="mktoFormRow"><input type="hidden" name="utm_content" class="mktoField mktoFieldDescriptor mktoFormCol" value=""></div>
<div class="mktoFormRow"><input type="hidden" name="utm_medium" class="mktoField mktoFieldDescriptor mktoFormCol" value=""></div>
<div class="mktoFormRow"><input type="hidden" name="utm_source" class="mktoField mktoFieldDescriptor mktoFormCol" value=""></div>
<div class="mktoFormRow"><input type="hidden" name="utm_term" class="mktoField mktoFieldDescriptor mktoFormCol" value=""></div>
<div class="mktoFormRow"><input type="hidden" name="klig__c" class="mktoField mktoFieldDescriptor mktoFormCol" value=""></div>
<div class="mktoFormRow"><input type="hidden" name="clientid__c" class="mktoField mktoFieldDescriptor mktoFormCol" value=""></div>
<div class="mktoFormRow"><input type="hidden" name="gclid__c" class="mktoField mktoFieldDescriptor mktoFormCol" value=""></div>
<div class="mktoFormRow" id="g-recaptcha-26516">
<div style="width: 304px; height: 78px;">
<div><iframe title="reCAPTCHA" width="304" height="78" role="presentation" name="a-mshplrbetkgj" frameborder="0" scrolling="no"
sandbox="allow-forms allow-popups allow-same-origin allow-scripts allow-top-navigation allow-modals allow-popups-to-escape-sandbox allow-storage-access-by-user-activation"
src="https://www.google.com/recaptcha/api2/anchor?ar=1&k=6Lf2eUQUAAAAAC-GQSZ6R2pjePmmD6oA6F_3AV7j&co=aHR0cHM6Ly9kZmkua2FzcGVyc2t5LmNvbTo0NDM.&hl=de&v=vjbW55W42X033PfTdVf6Ft4q&size=normal&cb=p8uncfu967lm"></iframe>
</div><textarea id="g-recaptcha-response" name="g-recaptcha-response" class="g-recaptcha-response"
style="width: 250px; height: 40px; border: 1px solid rgb(193, 193, 193); margin: 10px 25px; padding: 0px; resize: none; display: none;"></textarea>
</div><iframe style="display: none;"></iframe>
</div>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoSimple"><button type="submit" class="mktoButton" data-om-cta="send">DOWNLOAD THE REPORT</button></span></div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor"
value="26516"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="802-IJN-240">
</form>
<form class="black mktoForm mktoHasWidth mktoLayoutLeft" novalidate="novalidate"
style="font-family: Helvetica, Arial, sans-serif; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form>
Text Content
WHAT TO DO IF YOUR COMPANY WAS MENTIONED ON THE DARK WEB?

Data breaches have become a pervasive threat to businesses of all sizes, with cybercriminals constantly finding new ways to steal sensitive information. In recent years, high-profile data breaches have made headlines, causing reputational damage for the affected companies. A statistical overview of the data breach problem and cybercriminal activity on the Dark Web is provided on Kaspersky's Securelist.com. In this article, we will provide insights into how businesses should handle data breaches and the steps they can take to mitigate the impact of such incidents.

INCIDENT RESPONSE: APPROACH, STEPS AND ROLES

Before we dive into the incident response process, it's essential to discuss how Dark Web incidents fit into the classic approach to incident response. Effective incident management is carried out in several steps. Incidents related to breaches announced on the Dark Web are handled the same way as other incidents, but there are some differences in the first steps: preparation, detection and analysis. Verifying Dark Web threats and evaluating their severity requires special methods. If the incident is verified and confirmed, the incident response (IR) team can use the relevant standard IR playbooks to respond.
* PREPARATION: Prepare the people, processes, and technologies in the organization required to manage Dark Web incidents efficiently
* DETECTION: Define detection scenarios for Dark Web mentions and the required tools/services
* ANALYSIS: Investigate the mention and assess its threat level
* VERIFICATION: Verify the incident and start the incident response process
* CONTAINMENT: Isolate compromised systems and take initial actions to prevent further damage
* ERADICATION: Eliminate components involved in the incident and address the root cause
* COMMUNICATION: Organize communication with media and customers

THERE ARE THREE TYPICAL ROLES INVOLVED IN THE INCIDENT RESPONSE PROCESS:

* CYBER THREAT INTELLIGENCE (CTI) ANALYST, who handles and initially processes the CTI alert and creates an incident.
* SECURITY OPERATIONS CENTER (SOC) ANALYST, who investigates the identified incident.
* INCIDENT RESPONDER, who performs the necessary actions to respond to the threat.

It's not important how you name the roles, and they can be combined or split; the overall workflow will stay the same.

PREPARATION

For Dark Web-related threats, monitoring is set up in a special way. There are two possible approaches: create your own system for monitoring Dark Web resources, or use a solution specially designed for this purpose, such as Kaspersky Digital Footprint Intelligence. If you choose the first option, you must take at least the following actions:

1. Compile a list of Dark Web resources to monitor, relevant to your threat model.
2. Deploy infrastructure (VPN, Tor; external virtual hosts for acquiring the data).
3. Register dedicated accounts on forums for intelligence purposes. Some forums require an account, which makes it more difficult for law enforcement or researchers to access the resource and acts as an entry barrier to casual visitors.
4. Assign responsible persons for maintaining the infrastructure and an up-to-date list of Dark Web resources.
Choosing the second option, a ready-made solution, will save you resources and time.

An equally important aspect of Dark Web monitoring is the scope. It's not enough to just define the dataset to be monitored; the scope of what is monitored should always be kept up to date. The table below contains recommendations for how frequently the scope should be updated for different data items.

| Monitoring scope | Recommended frequency of update | Comment |
|---|---|---|
| The full/official name of the company and its subsidiaries | Check every month, or in case of any M&A deals if new names appear | Write the names in different languages (including English and the languages of the company's country of origin and its countries of operation) |
| Shortened names of the company and its subsidiaries, including abbreviations | Check every month, or in case of any M&A deals if new names appear | Write the names in different languages (including English and the languages of the company's country of origin and its countries of operation) |
| The list of key partners/suppliers with their names and main domains | Check every month, or in case of any M&A deals if new names appear | Write the names in different languages (including English and the languages of the company's country of origin and its countries of operation) |
| The list of domains and subdomains of the company and its subsidiaries | Check every week, or when new domains are registered or old ones expire without renewal | Sometimes cybercriminals write domain names with square brackets in order to avoid detection. Expand the search to cover the square-bracket form. Example: kaspersky[.]com |
| The list of IP ranges of the company and its subsidiaries | Check every week, or when new IP ranges are registered or old ones are given up | - |
| The names of executives and public persons | Check every month, or in case of an organizational structure change | - |
| The keywords, including the main geolocation features (country, region) and industry | Check every six months, or in case of a large number of false positives | Keep in mind that there will be many false positives. Restrict the keywords based on your capacity to monitor alerts |
| The list of company brands and products | Check every three months, or in case of new products or rebranding | Example: Kaspersky Digital Footprint Intelligence (DFI) |

DETECTION

Ideally, the detection stage should involve automatic alerts when specific information is found on Dark Web resources or in data dumps being analyzed on your threat intelligence platform. A CTI analyst (or another responsible person) may perform the search manually, but in this case the response will not be immediate.

HERE'S A LIST OF BASIC ALERT TYPES:

* Company name mentioned on the Dark Web
* Company domain mentioned on the Dark Web
* Company IP address/range mentioned on the Dark Web
* Company brand or product mentioned on the Dark Web
* Company domain mentioned in databases of leaked credentials
* Employee name or email address mentioned on the Dark Web
* Company partner/supplier mentioned on the Dark Web
* Company with a similar profile (location, industry) mentioned on the Dark Web

ANALYSIS

After receiving an alert that your company was mentioned on the Dark Web, the first thing to do is to verify it: is the message a real threat or just a fake? The Dark Web is home to cybercriminals, so it's no surprise that they sometimes try to sell fake data to each other. At the analysis stage, CTI analysts investigate and assess the risk.
It's necessary to try and answer the following questions: which information is for sale, who is selling it, and where. The more information you can collect, the faster and more effectively you can respond to the threat. ANALYZE THE SOURCE Dark Web content comes from many sources: forums, private blogs, and messengers. Each platform has its own rules, audience, and specialty. Some forums are easy to register on, some require an invite from an already-registered member, and some are only for a selected group of "trusted" people. And of course, the likely validity of the content differs for each sourсe. Some forums have a strict moderation policy where all messages and posts are reviewed by the administrators. Ransomware blogs are another example of a source. Ransomware blogs are usually Tor websites where ransomware actors disclose information about victims, provide details on breaches, and set deadlines for the ransom. In some cases, ransomware groups publish the compromised data for free, but usually they are offering to sell the data or trying to pressure the victim company by attracting public attention. If a company appears in the blog of a ransomware actor, there is a high probability that this company has been hit by ransomware. But of course, there are cases of bluffs or mistakes – for example, when LockBit claimed they had compromised Darktrace's internal systems, but the company confirmed that there was no evidence of compromise. ANALYZE THE PROFILE OF THE OFFER'S AUTHOR Many forums have a rating system: you can see how many posts the user has published and get an idea of how experienced they are. It's also a good idea to investigate the user's past activity, if the Dark Web resource offers this ability: how active has the user been, have they already had successful sales? ANALYZE THE AUTHOR'S ACTIVITY How the community responds to a message is not an indicator of its validity, but it can sometimes give more context. 
For example, on forums or chats, participants may write comments thanking the author or, in contrast, saying that the data is fake. It should be noted that some forums carefully monitor the quality of content, and in the event of a fake publication, the author is blocked. But even when it looks like the community is not interested in the publication, the deal can take place "behind closed doors". Some cybercriminals prefer to discuss details in private messages, specifically requesting this in the post and leaving their contact information. Moreover, escrow services are highly popular in the community. Some forums even have this service built in. You can read more in our article about dark web deals and regulatory mechanisms.

Based on the source and the author's background you can create an attacker profile and understand their interests. Are they an APT (Advanced Persistent Threat) group, a hacktivist with basic tools and TTPs (tactics, techniques and procedures) or a cybercriminal group? Perform a quick risk assessment, because not all alerts are equal in terms of risk and damage. Other factors you can analyze are how recently the publication was made, the price, and the type of data for sale.

THE FRESHNESS

If we take all the messages on the Dark Web as a whole, only a small number are truly fresh publications. Some databases have been continuously republished for a decade.

THE PRICE

Money has always been the main motivation for cybercriminal activity. The price is usually a good indicator of the value, volume, and criticality of the data.

THE SALES MODEL

The sales model varies from message to message, often depending on the type of data for sale. Generally, there are three sales models: free distribution, sale to anyone, and sale to one buyer only.

THE DATA TYPE

A huge amount of data is sold on the Dark Web, for various purposes. In this article we're focusing on the most popular and harmful types of data leaks.
VERIFICATION

The next step is to verify the find. The main purpose of verification is to make sure that data has really been leaked, and then initiate the incident response procedure accordingly.

DATA BREACHES

Usually, the seller publishes a sample of the data to help potential buyers assess the value of the database on offer. There are cases when the leakage is actually just publicly available data (a fake leak) or an old leak mixed with other data. For the affected organization the sample helps not only to verify the leak, but also to determine its source.

ACCESSES

It's straightforward to verify whether an access for sale is a real threat. If someone is selling access, that means they must have gained access. Logical, no? So, in this case, the verification step is essentially incident investigation.

COMPROMISED ACCOUNTS

Accounts for sale are email addresses and passwords or hashes. Compiling a list of affected users based on email addresses will facilitate the process of account verification. Since email addresses are mostly quite predictable (for example, in companies the domain is usually the company's name, while the first part is the name and/or surname of the employee), cybercriminals can generate them or obtain them using public intelligence sources. So, you may encounter invalid email addresses, as well as email addresses belonging to former employees. No matter what type of account was leaked, or the current status of the employee, it's important to check all the accounts carefully to identify any leaked ones.

A lot of credentials are stolen using credential stealers and then leaked to the Dark Web. Many malware stealer logs available on the Dark Web contain not only the account credentials, but also the source of the leak: the URL string of the resource where the user was authenticated, as well as the date of compromise and metadata from the user's device. Check if corporate resources are present in the logs.
If you find an account that was leaked from a corporate or internal system, it could indicate that the corresponding corporate machine was compromised. So, the list of users is not exhaustive; it's necessary to identify and check all relevant and potentially affected hosts.

Before the next stage of incident investigation, it's essential to communicate with all stakeholders. The main four groups are top management, regulatory authorities (in case of law violation), media and customers.

TOP MANAGEMENT

Promptly alerting top management is a must. The communication should cover all aspects of the incident along with the steps proposed and taken to address it.

MEDIA

Once an incident has been confirmed, the subsequent step, following the notification of affected parties such as clients and the completion of the measures needed to mitigate the risks linked to the data leak, is preparing a public statement in cooperation with the legal and PR departments.

REGULATORY AUTHORITIES

In many cases, according to the legislation, it's necessary to inform the regulatory authorities when an incident is detected.

CUSTOMERS

In certain situations, it may be necessary to inform clients of compromised accounts. This notification prompts them to take immediate action, such as changing their password and enabling multi-factor authentication.

CONTAINMENT

When investigating an incident, it's necessary to conduct an analysis of the affected IT systems and users. The first crucial question is: how did the data leak happen? The second is: do the cybercriminals still have access to the affected system?

DATA BREACHES

If there's any uncertainty about the source of the leak, it makes the work of the technical experts much more difficult. So, it's very important to conduct a primary analysis early on in the investigation. Starting out by identifying the systems that handled the data makes swift identification of the attack vector that much easier.
Regarding incident investigation, let's look at two typical scenarios, differing in the type of compromise, that are highly likely to occur in practice.

In the first scenario, an attacker compromises a database-driven web application or website. The most common reasons for the leak are outdated software, unpatched CVEs, and weak passwords for the admin panel. For the most part, to prevent recurrence of the incident, it's enough to analyze the affected web server logs and take immediate action to close the vulnerability.

In the second case, sensitive data becomes available because the infrastructure has been compromised in some way. Data exfiltration can be both the main purpose and also collateral damage, when the leaked database is just the tip of the iceberg.

ACCESSES

The possibilities of an investigation vary significantly according to the information available. If you are 99% sure that your access is for sale and the post contains some details (for example, your company is explicitly mentioned in the post, your SOC detected the relevant malicious activity, and so on), analyzing the logs is a sensible move. For example, if you have an RDP Gateway, analyze the event logs, find the suspicious account, and close the access. In some cases, a company may consider such a reaction unnecessary. Of course, there's a possibility that you'll be spending time and resources on investigating a nonexistent threat. But if it does exist, responding rapidly means preventing an attack.

COMPROMISED ACCOUNTS

From the perspective of incident investigation, let's divide the compromised accounts into two categories:

1. Compromised accounts found in public leaks and/or leaked from personal devices.
2. Compromised accounts leaked from corporate devices.

In both cases it's important to check the validity of the accounts. If the account is confirmed as valid, conduct an analysis of the affected IT systems and users' behavior in order to find suspicious events.
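The ACCESSES paragraph above recommends reading the remote-access gateway event logs to find the account behind an "access for sale" post. As an added example, not code from the original article, the following Python runs three checks a SOC analyst would do by hand over such logs: a run of failed logins followed by a success (password guessing), successful logins from outside the networks remote users are expected to use, and one account arriving from several different client addresses. The records are a constructed CSV export with the fields a gateway log provides (time, user, client IP, target resource, result); real RD Gateway events carry these fields in a different layout, so the parser, the expected client networks, the baseline date and the thresholds are all assumptions to adapt to your environment, and every host, account and address in the sample is made up (documentation IP ranges only).

```python
"""Hunting the account behind an 'access for sale' post in gateway logs
(added example; constructed export, assumed field names and thresholds)."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Where legitimate remote users connect from (constructed): the VPN pool and the office egress range
EXPECTED_CLIENT_NETS = tuple(ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/26"))
BASELINE_BEFORE = datetime(2024, 3, 1)  # successful logins before this date define the "known" accounts
FAILURES_BEFORE_SUCCESS = 5             # this many failures followed by a success = password guessing
MANY_CLIENT_IPS = 3                     # one account from this many addresses = shared or sold access

# Constructed export; the field names are an assumption about your gateway's log format
SAMPLE_EXPORT = r"""time,user,client_ip,resource,result
2024-02-20T08:02:11,EXAMPLE\j.doe,203.0.113.17,FS01.example.local,success
2024-02-27T09:15:40,EXAMPLE\j.doe,203.0.113.21,FS01.example.local,success
2024-03-04T02:41:03,EXAMPLE\svc_backup,192.0.2.45,DC01.example.local,failure
2024-03-04T02:41:09,EXAMPLE\svc_backup,192.0.2.45,DC01.example.local,failure
2024-03-04T02:41:15,EXAMPLE\svc_backup,192.0.2.45,DC01.example.local,failure
2024-03-04T02:41:22,EXAMPLE\svc_backup,192.0.2.45,DC01.example.local,failure
2024-03-04T02:41:30,EXAMPLE\svc_backup,192.0.2.45,DC01.example.local,failure
2024-03-04T02:45:30,EXAMPLE\svc_backup,192.0.2.45,DC01.example.local,success
2024-03-05T03:10:00,EXAMPLE\contractor7,192.0.2.9,SQL02.example.local,success
2024-03-05T04:12:00,EXAMPLE\contractor7,198.51.100.200,SQL02.example.local,success
2024-03-06T05:00:00,EXAMPLE\contractor7,192.0.2.77,SQL02.example.local,success
2024-03-06T10:05:00,EXAMPLE\j.doe,203.0.113.17,FS01.example.local,success
"""


def parse_export(text: str) -> list:
    """Rows in time order, with typed timestamps and addresses."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"time": datetime.fromisoformat(r["time"]), "user": r["user"],
                     "client_ip": ipaddress.ip_address(r["client_ip"]),
                     "resource": r["resource"], "result": r["result"]})
    return sorted(rows, key=lambda r: r["time"])


def suspicious_accounts(rows: list) -> dict:
    """Return {account: [reasons]} for the accounts to lock and investigate."""
    reasons = defaultdict(set)
    # Accounts that used the gateway successfully before the suspected sale
    baseline = {r["user"] for r in rows if r["result"] == "success" and r["time"] < BASELINE_BEFORE}
    client_ips = defaultdict(set)
    fail_streak = defaultdict(int)
    for r in rows:
        user = r["user"]
        if r["result"] != "success":
            fail_streak[user] += 1
            continue
        if fail_streak[user] >= FAILURES_BEFORE_SUCCESS:
            reasons[user].add(f"{fail_streak[user]} failures before success (password guessing)")
        fail_streak[user] = 0
        if not any(r["client_ip"] in net for net in EXPECTED_CLIENT_NETS):
            reasons[user].add(f"login from unexpected client {r['client_ip']} to {r['resource']}")
        if user not in baseline:
            reasons[user].add("account never used the gateway before the baseline date")
        client_ips[user].add(r["client_ip"])
        if len(client_ips[user]) == MANY_CLIENT_IPS:
            reasons[user].add(f"used from {MANY_CLIENT_IPS} or more distinct client IPs")
    return {user: sorted(rs) for user, rs in reasons.items()}


if __name__ == "__main__":
    for account, why in suspicious_accounts(parse_export(SAMPLE_EXPORT)).items():
        print(account)
        for reason in why:
            print("  -", reason)
```

The flagged accounts are the ones to lock at the gateway first; the reasons list is the starting point for the later question of what the account actually reached and whether anything was copied or deleted. A regular employee connecting from the expected VPN range is not flagged, which is the point of keeping a baseline rather than alerting on every remote login.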
If someone used a corporate email address for personal use and it leaked from a third-party resource, this is a question of adherence to security policies. If a user account was compromised internally, for example via an infostealer, the corporate device might be infected and the incident could become a serious complication. This is because the credentials could be for a domain user account, making highly sensitive information available to potential attackers.

When it comes to accounts, "age" doesn't matter; overlooking old accounts is a mistake. Old accounts can pose a threat because the password may not have been changed, or may have been reused. Besides, if an account was compromised via an infostealer, the user's device could still be infected, so attackers can obtain up-to-date passwords even if the user changes them. It is crucial to have robust endpoint protection in place: it is the control that blocks infostealers and similar malware before credentials can be harvested.

Sometimes, conducting a full incident investigation is impossible for an internal team: it's a time-consuming process, requiring not only resources but also the relevant competence and experience. In this case, it's recommended to engage qualified industry experts.

ERADICATION & RECOVERY

The exact actions in the eradication and recovery steps depend on the type of threat. You need to find the root cause of the incident and return the affected systems to business operation. The following are possible steps to restore the system to a functional state.
ACCESSES

* Limit remote access to the compromised systems
* Lock the compromised accounts
* Eliminate the presence of the attacker in the infrastructure

DATA BREACHES

* Eliminate the vulnerabilities
* Change passwords for the affected accounts and systems
* Eliminate the presence of the attacker in the infrastructure

COMPROMISED ACCOUNTS

* Change passwords for the compromised accounts
* Notify any potentially compromised employees and ask them to change their leaked passwords on third-party resources
* Ensure that no suspicious activities connected to these accounts took place
* Enforce a strict password policy
* Perform a full antivirus check of the affected corporate devices and machines using an endpoint protection product

SHOULD I PAY FOR THE DATA?

Demands for ransom raise another sensitive question. Should you pay the cybercriminals to try and keep the data safe? We always recommend not paying the cybercriminals. Studies indicate that giving in to ransomware demands does not guarantee that your files will be returned. In fact, 20% of individuals who paid the ransom did not get their files back. For businesses, too, paying the ransom does not ensure the secure and reliable return of files. Criminals who have already infected your computer with malware and stolen your files are unlikely to act with integrity after receiving their payment. Furthermore, paying ransoms only motivates cybercriminals to continue their activities, resulting in the production of more malware and greater difficulties for everyone.

COMMUNICATION

At the end of incident investigation and response, the question remains: how to communicate with the media and customers? If notified promptly, potentially affected clients of the victim company can safeguard their accounts and prevent further compromise by changing their password and enabling multi-factor authentication.
It's worth noting that in some cases, having an antivirus installed on the device is still necessary, as certain types of malware can steal newly changed passwords.

Fines from regulators and unpleasant headlines might make you want to stay quiet. The increased attention of regulators and tougher penalties mean that financial damage as the result of a breach is becoming a more tangible threat year on year. In 2022, the company Didi Global received one of the biggest data privacy fines ever, a scorching $1.2 billion. Smaller fines could still be significant for smaller companies. At the same time, the media is watching cyber-incidents closely and presenting them to the public. These financial, regulatory and reputational risks may hurt, but it's better to be the first to declare. Proper communication shows how serious you are about the breach and about protecting stakeholders.

SHOULD I INFORM CUSTOMERS ABOUT THE LEAK?

We believe that communication is very important in case of a data leak. It's about informing all concerned parties, including customers, partners, and legislative bodies.

MY COMPANY WAS NOT MENTIONED ON THE DARK WEB, AM I SAFE?

The simple answer is no: sooner or later, your company's name will appear on the Dark Web, as the merciless statistics show. Even if you can't find any direct mentions of your company, there's still the possibility of finding a related threat in some corner of the dark web. For example, access data may be sold without mentioning the brand, or there may be the threat of leaked data of counterparties or compromised employee credentials. It's challenging to monitor cyberthreats on a daily basis, but there's a big chance that your sensitive business data is out there somewhere. From this perspective, threat intelligence has become a must in today's world, in order to keep track of leaks in real time. In the end, Dark Web monitoring will become a valuable source of threat detection for your team.
Consider Dark Web monitoring as a part of your cybersecurity defense before you have to face such incidents. Set up a monitoring procedure and assign it to your SOC or joint teams to carry out on a continuous basis. Full procedures and playbooks adapted for the SOC are available in our Incident Response Playbook.

INCIDENT RESPONSE GUIDELINE

This guideline provides steps for successfully dealing with three common Dark Web threats: breaches, sale of access and sale of compromised accounts.

DISCLAIMER: It's essential for companies to consult with legal experts and adhere to the laws and regulations applicable in their region to ensure that their dark web monitoring activities are legal and ethical. Additionally, transparent and ethical practices should guide their approach to cybersecurity and data protection.

If you encounter any difficulties with a step, don't hesitate to reach out to experts specializing in Dark Web threats and incident response. You can continue progressing through the steps, but it's important to remember that seeking their assistance can help you address the threat more effectively.

HAS YOUR COMPANY BEEN MENTIONED ON THE DARK WEB?

If yes, work through the steps below: steps 1 to 3 are common to all threat types, then follow the branch for the threat type you identify. If no, see the closing section of the guideline.

STEP 1: CAN YOU IDENTIFY THE ORIGIN OF THE MENTION?

How to do it:

1) Try different approaches for accessing various Dark Web sources:
* Deploy infrastructure for accessing Dark Web resources and hiding your origin (for example, a VPN).
* If the source requires registration, you might consider creating an account specialized for intelligence purposes. Some sources may require special software to access, like the Tor browser or a particular messenger.

2) Search for all the mentions:
* If there are many posts with the same content, the initial mention should be your top priority to analyze.
* Cybercriminals have many resources at their disposal to advertise the leak. Other members of the community can also re-share it. Consider creating a full list of mentions for additional analysis.
STEP 2: IS IT POSSIBLE TO CREATE AN ATTACKER PROFILE?

How to do it:

1) Evaluate the perpetrator's (the author of the post on the Dark Web) level of experience:
* Rating. Look for the date they registered or their forum rating (are they a new or an experienced user?).
* Former activity. Search for previous messages/posts by the author.
* Participation on other forums. Search for users with the same username on other forums and Dark Web resources.
* Community gratitude. Observe how other members have expressed thanks or complaints to this perpetrator.

2) Analyze the threads the user normally participates in. Does the message/post relate to their main area of interest?

3) Search for the perpetrator's "successful" activity:
* Is it possible to find out what happened with previous offers? Try to find any evidence that the user has made successful deals.
* Have the offers received any kind of attention from the community? View reactions and comments from other forum members.

STEP 3: CAN YOU ESTIMATE THE RISK POSED BY THE ANNOUNCEMENT?

How to do it:

1) Check the date of the offer. How long has it been available on the underground resource? Is it a new offer or an old one?
2) Check the newness. Sometimes cybercriminals republish old breaches, presenting them as a fresh new breach. Search for topic matches in old posts and messages.
3) Check the content of the breached data. Analyze the price, value, and volume of compromised data, the format offered, and so on.
4) Check the deal conditions. Is the offer free or for sale? Is it for sale to anyone or to one buyer only?

IDENTIFY THE THREAT TYPE

Is the post related to a data breach? Is the post related to the sale of remote access? Is the post related to the sale of compromised account(s)? Continue with the branch that matches.

DATA BREACH

STEP 4: CAN YOU VERIFY THE DATA BREACH?

How to do it:

1) Check the data samples that the attacker has provided as proof that they really have data worth paying for.
The samples could be part of the advertisement or published separately on request (for example, in the comments section). Before opening any files downloaded from the dark web, it's crucial to exercise caution and scan them with an antivirus program. It's also recommended to open them in an isolated environment for added security.
2) Analyze all the information available in the message: the exact source of the breach, the date of compromise, the data format, and other proofs of data authenticity.
3) Compare the information collected from the advertisement with the real data you have. Does your company work with such data? Does your company have a system/service that operates with this information?

STEP 5: CAN YOU SCOPE THE BREACH?

How to do it:

1) Identify the initial access point that was used to compromise the system. Did the attacker leverage a database connected with the website, or an internal database management system with a comprehensive set of data on corporate employees and operations?
2) Perform a detailed inspection of the system that you suspect has been compromised. Analyze available log files to reconstruct the attack chain and ensure that other systems are not compromised.
3) If necessary, extend the scope of the analysis.
4) Identify the amount of data which may have been compromised. The author may be selling only a small portion of the data obtained.

STEP 6: HAVE YOU ALREADY MITIGATED THE EFFECTS OF THE BREACH?

How to do it:

1) Notify company management and all concerned stakeholders, including customers, partners and regulators. Notify law enforcement bodies in accordance with the local legal requirements for reporting incidents, especially if the breach exposed customer data.
2) Depending on the initial vector, eliminate the cause of the breach to prevent similar attacks in the future:
* Fix any vulnerabilities found
* Disable accounts if the attacker gained access using actual credentials
* Ensure that all the latest patches are installed
3) If forensic analysis is required, isolate the system containing the breached data.

STEP 7: HAVE YOU CARRIED OUT THE REMEDIATION AND LESSONS LEARNED STAGES?

How to do it:

1) Conduct root-cause analysis. Ensure that you apply all possible methods to prevent the incident from happening again.
2) Analyze whether your current threat model is still relevant. Review your current procedures and policies and compliance with security controls.
3) Analyze your current prevention measures, such as intrusion detection systems and antimalware solutions.
4) Review accesses and rights.
5) Eliminate vulnerabilities.
6) Change passwords for affected accounts and systems and enforce a strict password policy.
7) Monitor network traffic to detect if an attacker attempts to initiate a connection again.
8) Continue monitoring the Dark Web to find re-publications of the same breaches on different forums.
9) Implement a program to improve staff awareness in information security, and conduct periodic training to monitor the awareness of each employee.

SALE OF ACCESS

STEP 4: CAN YOU VERIFY THAT THE ACCESS ACTUALLY BELONGS TO YOUR COMPANY?

How to do it:

1) Analyze all the information available in the message. Look for matches in geolocation, annual revenue, and types of systems mentioned; basically, try to verify if the post is about your company.
2) Analyze the type of access on offer, and look for matches in tools and contractors.

STEP 5: CAN YOU IDENTIFY A COMPROMISED SYSTEM?

How to do it:

1) Analyze available log files and try to find signs of unauthorized access to the system.
2) Ensure that there are no other systems affected by an attacker. If necessary, expand the scope of the analysis.
3) If you can't find any evidence of unauthorized access to company resources, but you're sure that the access is related to your company, consider the possibility that it may be insider activity and conduct an investigation.

STEP 6: HAVE YOU DISABLED REMOTE ACCESS?

How to do it:

1) Notify the employees responsible for the system that you suspect has been compromised.
2) Eliminate the possibility of unauthorized access to the infrastructure happening again. Depending on the initial access vector discovered, do the following:
* Fix any vulnerabilities found
* Disable accounts if the intruder gained access using known credentials
* Ensure that all the latest patches are installed

STEP 7: HAVE YOU INVESTIGATED ANY ACTIONS PERFORMED THROUGH REMOTE ACCESS?

How to do it:

Analyze available log files and check the activity of the account. Did the user successfully reach corporate resources? Did the user have the possibility to copy/delete/download information?

STEP 8: HAVE YOU CARRIED OUT THE REMEDIATION AND LESSONS LEARNED STAGES?

How to do it:

The same nine steps as in the data breach branch: root-cause analysis, review of the threat model, procedures and policies, review of prevention measures, review of accesses and rights, elimination of vulnerabilities, password changes and a strict password policy, network traffic monitoring for renewed connection attempts, continued Dark Web monitoring for re-publications, and a staff awareness program with periodic training.

COMPROMISED ACCOUNTS

STEP 4: CAN YOU IDENTIFY WHICH ACCOUNT(S) WERE BREACHED AND PUT UP FOR SALE ON THE DARK WEB?
How to do it:

1) Create a list of all breached email addresses and categorize them as follows:
* If the account has an email address on the corporate email domain, mark it as "Employee account".
* If the account has an email address on a third-party email domain, mark it as "Corporate resource user". This can be a partner/client or contractor account.
* If the account has a login without an email domain, check whether it is a domain user account or an administrator or service account. If you find such an account, mark it as "Domain or service account".
* Other accounts can be considered partner/customer accounts.
2) Check that users with such usernames really exist and have not simply been guessed. If you have additional information, such as the URL or resource where the user was authenticated, you can ask the owner of the resource to verify the existence of the email address or login. It's a good idea to optimize the checking process by categorizing the accounts by type and priority.

STEP 5: CAN YOU CONFIRM THE ACCOUNT BREACH?

How to do it:

1) Check the validity of passwords for corporate/domain/service accounts. Since the breach could have happened at any time in the past, it's important to review not only new passwords, but old ones too.
2) As it's usually not possible to check the validity of user accounts, you should assume that they are valid.
3) Prioritize accounts for further investigation. If you find a valid account, take immediate action to disable it.

STEP 6: IS THE ACCOUNT STILL VALID?

How to do it:

1) Change the passwords of the compromised accounts and notify the account owners. If the compromised account belongs to an employee, ask them to change the password or use the identity and access management system to force the password change.
2) Consider disabling compromised accounts until the password is changed.
3) Advise account owners to change their passwords on other/third-party resources, if they use the same passwords for different resources.
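The stealer-log paragraph in the article's COMPROMISED ACCOUNTS section (check whether corporate resources appear in the logs, and treat a hit as a possibly compromised corporate machine) and the categorization in step 4 above describe one triage, so here is both in one place. This is an added example, not code from the original article: it parses a stealer log, puts each login into one of the four categories from step 4, decides whether the URL the credential was captured on is a corporate resource (a corporate domain or an internal address), ranks the entries so the ones that point at an infected corporate host come first, and lists those hosts. The log layout is a constructed simplification of the URL/Username/Password blocks found in real stealer logs, and `CORPORATE_DOMAINS`, `AD_DOMAIN`, `INTERNAL_NETS`, `SERVICE_ACCOUNT_HINTS` and every host, account and password in the sample are made-up assumptions.

```python
"""Triage of infostealer logs: account category, corporate-resource hits and
hosts to investigate (added example; constructed log layout and data)."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

EMPLOYEE = "Employee account"
RESOURCE_USER = "Corporate resource user"
DOMAIN_OR_SERVICE = "Domain or service account"
OTHER = "Other (partner/customer account)"

# Watch list (constructed): corporate mail/web domains, the AD domain, internal
# address space, and name fragments that mark admin/service accounts.
CORPORATE_DOMAINS = ("example.com", "example.local")
AD_DOMAIN = "EXAMPLE"
INTERNAL_NETS = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
SERVICE_ACCOUNT_HINTS = ("svc_", "svc-", "admin")

# Assumed layout: one header per infected machine, then URL/Username/Password blocks
_HEADER = re.compile(r"^=== machine: (?P<machine>\S+) \| date: (?P<date>\d{4}-\d{2}-\d{2}) \|.*===$")

SAMPLE_LOG = r"""=== machine: DESKTOP-7F3KQ2 | date: 2024-03-11 | os: Windows 10 Pro ===
URL: https://mail.example.com/owa/
Username: j.doe@example.com
Password: Spring2024!
URL: https://10.20.5.14/admin/
Username: EXAMPLE\svc_backup
Password: B4ckup!2019
URL: https://www.social-example.net/login
Username: j.doe@example.com
Password: Spring2024!
=== machine: LAPTOP-HOME-01 | date: 2021-06-02 | os: Windows 7 ===
URL: https://shop.example.com/account
Username: maria@mail-provider.test
Password: qwerty123
URL: https://games.example.net/login
Username: gamer42
Password: hunter2
"""


@dataclass
class Credential:
    machine: str
    seen: date
    url: str
    login: str
    password: str


def parse_log(text: str) -> list:
    """Split the log into credentials, each carrying its machine name and log date."""
    records, machine, seen, block = [], "", date.min, {}
    for line in text.splitlines():
        header = _HEADER.match(line)
        if header:
            machine, seen, block = header["machine"], date.fromisoformat(header["date"]), {}
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            continue
        block[key] = value.strip()
        if key == "Password":  # the password line closes a block
            records.append(Credential(machine, seen, block.get("URL", ""), block.get("Username", ""), value.strip()))
            block = {}
    return records


def classify_login(login: str) -> str:
    """Account category from the checklist in step 4."""
    if "@" in login:
        mail_domain = login.rsplit("@", 1)[1].lower()
        return EMPLOYEE if mail_domain in CORPORATE_DOMAINS else RESOURCE_USER
    name = login.lower()
    if name.startswith(AD_DOMAIN.lower() + "\\") or any(h in name for h in SERVICE_ACCOUNT_HINTS):
        return DOMAIN_OR_SERVICE
    return OTHER


def is_corporate_resource(url: str) -> bool:
    """True if the URL's host is a corporate domain or an internal IP address."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return False
    try:
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:  # a hostname, not an address
        return any(host == d or host.endswith("." + d) for d in CORPORATE_DOMAINS)


def priority(cred: Credential) -> int:
    """1 = corporate machine likely infected, investigate the host now;
    2 = corporate mail used on a third-party site (policy, password reuse);
    3 = partner/customer account on a corporate resource; 4 = record and notify."""
    category, corporate = classify_login(cred.login), is_corporate_resource(cred.url)
    if corporate and category in (EMPLOYEE, DOMAIN_OR_SERVICE):
        return 1
    if category == EMPLOYEE:
        return 2
    return 3 if corporate else 4


def triage(text: str) -> list:
    """One row per credential, highest priority first. Old entries are kept:
    the password may never have been changed, or may have been reused."""
    rows = [{"priority": priority(c), "category": classify_login(c.login),
             "corporate_resource": is_corporate_resource(c.url), "machine": c.machine,
             "seen": c.seen, "login": c.login, "url": c.url} for c in parse_log(text)]
    return sorted(rows, key=lambda r: (r["priority"], -r["seen"].toordinal()))


def hosts_to_investigate(text: str) -> set:
    """Machines whose logs hold employee or domain credentials for corporate resources."""
    return {c.machine for c in parse_log(text) if priority(c) == 1}


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row["priority"], row["category"], row["machine"], row["login"], row["url"])
    print("hosts to investigate:", sorted(hosts_to_investigate(SAMPLE_LOG)))
```

A domain or service account captured on an internal address is the case the article singles out: the log did not come from a leaked website database but from a corporate machine that was running the stealer, so the host goes to incident investigation before the password is even rotated. The customer account from 2021 stays in the list at low priority; age lowers the urgency, not the need to notify.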
STEP 7: HAVE YOU INVESTIGATED THE ACCOUNT BREACH?

How to do it:

Using the information available, try to identify the source of the breach.

If it is a leaked database:
* Check these accounts for associated suspicious activity. If such activity is detected, investigate further.

If the source of the leak is credential stealers/malware infection:
* Perform a full antivirus scan of the affected personal/corporate devices and machines using an endpoint protection product.
* Check these accounts for associated suspicious activity. If such activity is detected, investigate further.

STEP 8: HAVE YOU CARRIED OUT THE REMEDIATION AND LESSONS LEARNED STAGES?

How to do it:

The same nine steps as in the data breach branch: root-cause analysis, review of the threat model, procedures and policies, review of prevention measures, review of accesses and rights, elimination of vulnerabilities, password changes and a strict password policy, network traffic monitoring for renewed connection attempts, continued Dark Web monitoring for re-publications, and a staff awareness program with periodic training.

IF NO MENTION HAS BEEN FOUND

Without continuous monitoring of the Dark Web, cybercriminals' discussions involving the company's brand may go unnoticed. The first step in this case would be to implement Dark Web monitoring on a constant basis.

* For a data breach: Monitor mentions of the company's names and main domains. Cybercriminals usually mention the official or shorter name of the company, abbreviations, or the main domain.
* For sale of access: Monitor sales of access by the company's geolocation and industry. Cybercriminals prefer not to mention the company's name in the offer, so as not to lose the access. There are attributes which cybercriminals usually put in the message, such as the company's geographic location, industry, size and annual revenue.
* For compromised accounts: Monitor new account leakages based on mentions of corporate email domains or corporate resources. Sensitive accounts can be found on internal resources (such as local or internal IP addresses). Use the AD domain as a keyword to widen the search.
Get full procedures and playbooks adapted for the SOC. Create new playbooks or adjust an existing playbook collection to smoothly integrate Dark Web threat response into your SOC response portfolio. Train your team in advance to handle such cases and be prepared. Add these exercises to your Tabletop Exercise (TTX) or drills program.

© 2024 AO Kaspersky. All Rights Reserved