What Data Could an MSSP Monitor on the Darknet on Behalf of their Client and Why

November 13, 2024

In the age of cybercrime, it is imperative that organizations monitor the dark web and dark web adjacent sites in order to identify threats and risks posed to them. These risks can be reputational, financial, security related or have real world physical implications. In order to identify and combat these threats, organizations will often turn to a Managed Service Provider to assist them. In this blog we will investigate what MSPs and MSSPs should be monitoring for on behalf of their customers.

A Managed Service Provider (MSP) is a company that manages a customer’s IT infrastructure and end user systems. They are usually responsible for monitoring sources and attributes which pose a threat to networks, infrastructure, security, communications and data storage. While some of these tasks will require monitoring network traffic and performance and ensuring compliance, they are also often responsible for cyber security services such as monitoring threats on the dark web.  

A Managed Security Service Provider (MSSP) is a type of MSP that focuses on security, particularly cyber security. They will monitor devices, systems and remote security operations centers (SOCs). Their main focus is to protect their clients’ IT infrastructure from cyber threats. But increasingly they also need to protect their clients’ data and how it is accessed and potentially shared.

For all MSPs and MSSPs it is imperative that they monitor the dark web in order to mitigate any threats that may be posed to their clients. We will explore some of the available information that they should be monitoring for.

Ransomware attacks continue to increase in 2024, with most groups now releasing the data of their victims on dark web shame sites when their requested ransom is not paid. The information leaked can contain huge amounts of data from all areas of an organization.  

The leak of this data can not only cause reputational damage but can also leave the organization, their employees and organizations in their supply chain open to further attacks, depending on what information is contained in the leak.  

It is important that MSSPs monitor the leak pages of all ransomware groups to identify if any of their clients have fallen victim to a ransomware attack. However, they should also be reviewing the leaked data for any organizations that are linked to their client to ensure that none of their client’s data has been exposed. DarkOwl Vision can be used to alert MSSPs when any information relating to their client appears on a ransomware site.

Data leaks are being released at an alarming rate and can include vast amounts of data relating to individuals and organizations. Leaks will predominantly contain credentials, usually email addresses and passwords, but can also include information such as Social Security Numbers, IP addresses, physical addresses and other identifying details.

It is important that MSSPs monitor all domains linked to a client organization to identify if any of their employees’ credentials have been leaked. Leaked credentials can be used to obtain further access to a network, so steps should be taken to ensure that the leaked password is no longer in use.

Information in leaks can also be used to conduct social engineering attacks, so MSSPs should arrange for cyber security training so employees know what to be on the lookout for. In some cases, if individuals are high profile enough, leaked information could also lead to real world implications.

Stealer logs, while not the same as leaks, also provide details of individuals’ credentials. Stealer logs tend to have fresher information in them due to the way that they are collected by malware, so immediate steps need to be taken.

An Initial Access Broker (IAB) is someone who specializes in gaining unauthorized access to systems or networks and then sells this access to other malicious actors. IABs will often sell their access on the dark web through forums or marketplaces. The price for access typically varies based on the organization’s size, industry, or the level of access achieved.

IABs will often name the sector that their victim is in but will not always advertise the true identity for fear of tipping off the victim to the vulnerability. However, they will often provide images of panels or other proof that they have access.  

It is important that MSSPs monitor all known IABs on marketplaces and forums on the dark web, as well as any other chatter around access to organizations, particularly those in the industry of the client. DarkOwl Vision allows you to create alerts which can monitor these types of threat actors and this chatter.

The dark web and dark web adjacent sites, particularly Telegram, are increasingly being used to spread mis- and disinformation. In some cases, this rhetoric can lead to direct threats against organizations and/or individuals. Although in the majority of cases those making threats are “trolls” who don’t intend to follow through on them, some individuals share this information as part of leakage, revealing their true intentions about real threats they intend to carry out. It is therefore important that MSSPs are vigilant for these types of discussions and ensure they are able to make an assessment about the threat in conjunction with other available sources. However, this can be difficult due to the anonymous nature of the dark web.

Threat actors can also share information about individuals on the dark web, including their location and other sensitive information about the individual. This is generally known as a Dox, although information can be shared in other ways. A Dox of an individual can include their home address, their telephone numbers, other PII and details of social media accounts. This is something that MSSPs should be extra vigilant for, as it can have a real-world impact.

MSSPs should ensure that they are monitoring for as many of their client’s assets on the dark web as possible. This includes but is not limited to:

  • Email addresses 
  • Domains 
  • IP addresses 
  • Physical addresses 
  • Financial information 
  • Social Security Numbers 
  • Full names 
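
The Python below checks leak records against a client watchlist of domains and IP ranges, matching subdomains but not lookalike domains, and masks any Social Security Number it reports. It is an added example, not DarkOwl's code or part of the original post; the watchlist values, sample records and function names are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed watchlist for a hypothetical client; all values are placeholders.
WATCH_DOMAINS = {"example.com"}
WATCH_NETS = [ipaddress.ip_network("203.0.113.0/24")]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def domain_watched(host):
    """True for a watched domain or any subdomain, not for lookalikes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS)


def scan_record(line):
    """Return sorted (asset_type, value) hits for one leak record."""
    hits = set()
    for m in EMAIL_RE.finditer(line):
        if domain_watched(m.group(1)):
            hits.add(("email", m.group(0).lower()))
    for raw in IPV4_RE.findall(line):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:  # e.g. 999.1.1.1 is not a valid address
            continue
        if any(ip in net for net in WATCH_NETS):
            hits.add(("ip", str(ip)))
    # Report an SSN only alongside a client asset, masked so the alert
    # itself does not re-expose the number.
    if hits:
        for ssn in SSN_RE.findall(line):
            hits.add(("ssn", "***-**-" + ssn[-4:]))
    return sorted(hits)


# Constructed sample records in a credential-dump / stealer-log style.
SAMPLE = [
    "alice@example.com:Summer2024!",
    "bob@mail.example.com;203.0.113.7;078-05-1120",
    "carol@notexample.com:hunter2",
    "host=198.51.100.9 user=dave@example.org",
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(scan_record(rec))
```

The suffix check on a leading dot is what keeps `notexample.com` from alerting on `example.com`; a plain substring search would raise a false positive there.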

As well as assets, MSSPs should monitor for attacks or chatter against the industry their clients are from, as well as their geographical locations.

As part of an MSSP’s or MSP’s role in securing the IT and cyber security of a company, it is important that they monitor for threats and risks that are being shared and talked about on the dark web. This is the only way that they can ensure that they have insights into what activities criminals are engaging in and who they are potentially targeting.



Copyright © 2024 DarkOwl, LLC All rights reserved.