The Dark Web Is Not An Attack Vector

But what about the dark web? If you’re in the business of keeping your organization secure, you probably hear that question pretty often. And whether you’re a CISO being asked by your CEO, or a CIO getting grilled by the board, not only do you have to protect your company from the vastness of the internet, now you have to guard it against the endless ether of the dark web.

What is important to understand is that the “dark web” is self-contained, and consequently, it is not an attack vector.

Most people would be excused for thinking our cybersecurity challenges come from this “dark web,” since it is brought up in every reference to hacking in popular culture. But the “dark web” as most people talk about it doesn’t exist. Yes, there are systems of anonymized websites that require specific access, or browsers like The Onion Router (TOR). An estimated 96% of the internet is not indexed by search engines such as Google or Bing, but for almost entirely benign reasons, like pages having paywall or pages being private company intranets or databases.

And while there are parts of the internet that are “hidden” or “dark,” let’s explore why it is virtually impossible to launch attacks from this “dark web.” TOR exit nodes, the places that connect you to the larger web after your identity has been masked, are useless as attack launch points since that list is public and they are easily blocked. The websites that actually use TOR are mostly forums, and it is true that they can be used to buy, sell, and swap hacked information. There is a whole suite of companies that spend their time infiltrating these forums and some of that information can be useful. Our security team monitors these as one of many inputs to understand actor behavior, but in terms of actually launching attacks, the “dark web” is completely sealed off.

For someone to talk to you, visit you, or hack you, they have to have an IP address, a web domain, a URL, or an email domain. Nothing happens without those primitives being in place. If any of those exist, the word “dark” no longer applies. Your attacker is on the open web, the surface web. And all of our phishing detections apply.

For something to be truly “dark,” it needs to have a non-routable public IP or be a Bogon IP, which are reserved IP spaces that are not allocated or in use. It’s not that these attacks are impossible to imagine, but they would have to exist with the very people who run the web, like IANA, Regional Internet Authorities, or the U.S. Government. If those entities start attacking us, we have much bigger problems…

Dark vs. Long

Area 1 Security identifies and stops phishing across the entire web, including the “long web,” the statistical long-tail of the surface web, and where more than 95% of all cyberattacks live. These accessible, but unindexed pages include newly observed domains (NODs), newly registered domains (NRDs), and proximity domains — all of which have little to no traffic. They are not pages you could easily find with Google, which causes people to mistake them as “dark.” But they are not dark, they are simply new or unknown and thus the perfect staging grounds for actors to launch their phishing campaigns.

The long web is where attacks begin. And lucky for you, it’s a place we crawl. Attacks coming from the long web are discoverable, and better yet, stoppable. Area 1 has a unique and powerful combination of web crawling infrastructure, early attack discovery algorithms, and enough computing horsepower to process it all and take action before phishing campaigns even launch.

Every week, day, even hour, we discover new and emerging campaigns in their earliest stages. With this visibility, we can protect our customers from the #1 cybersecurity threat to organizations large and small — phishing. The web is big, but it’s also finite. It doesn’t matter where a campaign is hidden, whether it’s right on the surface web you are familiar with, or hidden far into the long web — it still exists, and as a result, it’s still findable.

“If it bleeds, we can kill it,” Arnold Schwarzenegger observed. For us, it’s more like: “If it has an IP, URL, domain, or email address we can find it.”

And we do.

The World Wide Web. Phishing attacks can only come from the surface / long web, which makes up less than 5% of the web. If you can’t get to it, it can’t get to you.

Learn more about how our high-speed crawlers discover pre-attack phishing activity on the long web — before attacks are launched and in time to change outcomes for organizations.

Want to keep up to date with the latest phishing trends? 

Subscribe to our newsletter here!



Shalabh Mohan

VP, Product at Area 1

With a career spanning 20 years fighting bad guys online, Shalabh leads all product and go-to-market functions at Area 1 Security, with extensive prior experience across security, enterprise, and cloud infrastructure companies such as Aspen Networks, IronPort Systems, Cisco and Bracket Computing. Shalabh and his teams have taken products from conception all the way to large scale businesses; and in the process have consistently helped make the Internet a safer place. An alumnus of Stanford University and the University of Texas at Austin, Shalabh holds five patents and can claim to know something about enterprise infrastructure and security.

How to replace your email gateway with Cloudflare Area 1

Leaders and practitioners responsible for email security are faced with a few truths every day. It’s likely true that their email is cloud-delivered and comes with some built-in protection that does an OK job of stopping spam and commodity malware.

Introducing email link isolation – Email gateway replacement playbook

This week was a big one for us at Cloudflare, one of our four innovation weeks which we hold annually, showcasing new developments, product news and reference architectures.

Superhero strategies for the Phish Fight

Today is National Superhero Day, and we would like to dedicate this day to you—the SOC teams and the security experts on the frontline of the phish fight.