In honor of the launch of our newest product, DarkSonar API, our marketing team sat down with DarkOwl’s Director of Product, Sarah Prime and Product Manager, Josh Berman to learn more.
Leah: Hi! Thanks for taking the time to chat with me today. Let’s start out with the basics: what is DarkSonar and what it does it do?
Josh: DarkSonar is a relative risk rating based on exposed credentials in the darknet. So, basically, it looks at not only the volume of a company’s exposure, but also the severity of it. For example, a leaked email address that was posted with an associated plain text password would be considered a greater indicator of risk than just a standalone email address. DarkSonar takes that into account and generates a signal that is specific to that company based on its historical exposure, which means companies can monitor for their specific level of risk. Basically, you can think of DarkSonar as an indicator of current cyber risk.
Sarah: Yeah – really the most defining characteristic of DarkSonar is that it tells you something. It gives you a signal, versus just giving you a score. Is your risk elevated today compared to what it was last week? This is really valuable information for threat intelligence teams or anyone in charge of assessing cyber risk levels.
Leah: Why did you decide to focus on credentials as the basis for DarkSonar risk signals?
Josh: Exposed or compromised credentials are something that have been definitively proven to be a direct predictor of cyberattacks, which is leaked credentials. Basically, that means that DarkSonar takes into account not just the presence of the emails, but also the context in which it appears. DarkSonar asks questions like, is it just an email by itself? Or, is there a plaintext password with it? Those are two very different things that a threat actor is going to do two very different things with.
For example, if we detect a domain that has a bunch of emails and plaintext passwords that were put on the darknet yesterday, there’s a very good chance somebody out there is going to try to use those plaintext passwords. I say that because, from the perspective of the threat actor, there’s almost no work they have to do on their end to exploit that information. It’s like it’s an invitation to use this for an attack. Whereas, if there’s no passwords – or even if there’s a hashed password – there’s an extra step there that a threat actor would have to take to compromise that account. And so that’s why that’s weighted heavier in our new calculation. Because of the weighting we have, which accounts for the recency and the severity, we’re able to make an assessment about the relative likelihood of an attack.
Sarah: As we were thinking about the DarkSonar model, we thought about how we incorporate the actual risk of an exposed entity more meaningfully. You know, instead of just looking at the overall hackishness of the page where an entity is mentioned, how could we assess the hackishness of the mention? We set out to develop a tool that evaluates exposure in a qualitative way, rather than just quantitative.
Leah: What does “relative risk” mean in the context of DarkSonar?
Josh: I think it’s important to point out that by incorporating standardization into the algorithm, DarkSonar signals are relative to the company itself. It has nothing to do with other companies, which means it’s a lot more indicative of actual risk.
Sarah: Yeah, another way to think about is that DarkSonar gives you a personalized risk indicator.
Leah: Do you envision companies using DarkSonar for monitoring?
Sarah: Absolutely. We believe that darknet data is a really important source of insight into criminal activity and potential threats to your attack surface. We know that breaches and ransomware are a huge problem for businesses of all sizes. At a conference I attended recently, one of the presenters cited a survey where 80% of CISOs felt that they were going to be hit by a ransomware attack in the next year. So, with things like that being very top of mind, we’ve continued to innovate new ways to help companies monitor for and potentially even predict cyberattacks.
Josh: That’s a good point, Sarah. Essentially, we want to help companies use darknet data in a way that means something to them.
Leah: So lets say I’m a company monitoring my DarkSonar signal and it suddenly is elevated. Does that mean a cyberattack is imminent?
Josh: It does not mean an attack is imminent, but it does mean that there is a greater likelihood of such an attack occurring. We know this based off of our internal research, combined with validation by external companies that we’ve partnered with. The results of that analysis showed that there’s a pretty strong indicator that an elevated DarkSonar signal correlates with cyber risk.
Sarah: In developing DarkSonar, we looked at 250 companies with known cyberattacks, and found that their signal was elevated nearly 75% of the time in the months leading up to the attack. For those companies, the DarkSonar signal would have been an early indicator of a future cyberattack. And, to our knowledge, there is no other cyber risk monitoring tool out there that could do that.
Leah: Are DarkSonar signals something that would benefit small businesses? Or are they more geared towards enterprise companies?
Josh: DarkSonar is absolutely valuable for small companies as well. That’s because, as we’ve been saying, signals are relative to the company. It’s relative to how they’ve been doing the last two years. So it was not built for just big businesses or just small businesses… it adds the same value to any company with a domain that has email addresses. That’s who it applies to.
Leah: Are there any other use cases for DarkSonar other than monitoring your own company’s signal?
Sarah: Oh my gosh, yes. Many. DarkSonar can be used to assess risk for anything that is a part of your attack surface, including third party vendors for example.
Josh: Monitoring for your own company is definitely important, but, it definitely shouldn’t end there. Your full attack surface includes your supply chain, your clients, your clients’ clients, and so on. This is a tool for monitoring risk across your entire portfolio.
Leah: Any other closing thoughts?
Josh: Yeah, I think just generally, we’re proud of the evolution of our darknet exposure monitoring tools. We think it’s super important that we listen to our customers, conduct regular product evaluations based on feedback, etc – and that is what we do every day.
Sarah: For me, particularly given the environment that we’re in with ransomware attacks that you can see in the headlines on a daily basis, we’ll be thrilled if we can help even one company be aware of a potential risk by using DarkSonar.