It might seem obvious that being mentioned on the dark web increases the risk of a cyberattack, but a new study by Searchlight Cyber, conducted with Marsh McLennan Cyber Risk Intelligence Center, reveals just how strong that correlation is—and the detailed findings offer valuable insights for businesses. The report, The Correlation Between Dark Web Exposure and Cybersecurity Risk, shows that the presence of an organization’s data on the dark web significantly raises the likelihood of a cyber insurance claim. As cybercriminals increasingly rely on dark web marketplaces, forums, and communication channels to plan attacks, the study’s insights provide a crucial roadmap for mitigating cyber risks.
The analysis covers a sample of 9,410 organizations, assessing dark web data alongside breach incidents from 2020 to 2023. The breach rate of these organizations averaged 3.7%, but the likelihood of a breach spiked dramatically when dark web indicators were present. The results show that factors like dark web market listings, forum posts, and incoming dark web traffic correlate strongly with an increased risk of cyberattacks.
Our takeaways are as follows. You can get the full report here.
The Dark Web: A Hotbed for Pre-Attack Activity
Cybercriminals use the dark web to communicate, share tools, and trade stolen data. It is the pre-attack environment where much of the planning for cyber incidents happens. The study demonstrates a clear connection between pre-attack intelligence found on the dark web and the likelihood of future cybersecurity incidents. Companies with any presence on the dark web are much more likely to suffer a breach than those without such exposure.
The findings emphasize that companies can gain critical, actionable insights by detecting dark web intelligence sources, allowing them to strengthen defenses before an attack occurs. According to Ben Jones, Co-Founder and CEO of Searchlight Cyber, visibility into dark web activity is the first and most vital step toward preventing cyber incidents. He states, “If security teams can identify their exposure on the dark web, they have a huge opportunity to proactively adjust their defenses and stop attacks before they occur.”
Key Findings from the Study
The report identifies nine distinct dark web intelligence sources and highlights their individual impacts on cyber risk. Here are some of the most striking findings:
- Compromised Users: The presence of compromised user accounts related to an organization increases the likelihood of a cyber incident by 2.56 times. These credentials are often sold or exchanged on dark web forums, offering a direct path for cybercriminals to infiltrate networks.
- Dark Web Market Listings: When dark web marketplaces mention an organization or its data, the likelihood of a cyberattack increases by 2.41 times. These markets function similarly to legitimate e-commerce platforms but are used to illegally sell stolen data and access credentials.
- Outgoing Dark Web Traffic: Traffic originating from an organization’s network to the dark web is a strong indicator of a forthcoming cyber incident, increasing risk by 2.11 times. This traffic could indicate malware beaconing back to a command-and-control server or a malicious insider accessing dark web resources.
- Open Source Intelligence (OSINT) Results: Assets associated with an organization, such as IP addresses or domain names, found on the dark web increase the risk of a cyberattack by 2.05 times. Cybercriminals often use this information to identify weaknesses in a company’s network infrastructure.
The study also examined other intelligence sources, including paste results (1.88 times increased risk), Telegram chats (1.75 times), incoming dark web traffic (1.63 times), forum posts (1.58 times), and dark web pages (1.29 times). While each factor raises the risk of a cyberattack, the study found that when multiple dark web sources are present, the risk compounds further.
The Power of Multi-Variable Analysis
A key aspect of the report is its multi-variable analysis, which looks at how the combination of different dark web sources impacts cyber risk. Paste results, OSINT findings, and dark web market listings were identified as having the most significant correlation with increased cyber insurance loss frequency when combined with other factors.
For instance, an organization with compromised users and dark web market listings is 21% more likely to suffer a cyber incident compared to those without such findings if an organization shows results in all five of the major intelligence categories, its risk of experiencing a breach skyrockets by 77%.
These insights provide organizations with a powerful tool for prioritizing their cybersecurity resources. Understanding which dark web signals to monitor and which are most correlated with risk allows companies to focus on the most pressing threats.
The Importance of Continuous Monitoring
One of the report’s central recommendations is the need for ongoing dark web monitoring. The dark web is not static; new sites, forums, and listings emerge daily, and the threat landscape continually evolves. Searchlight Cyber advises companies to establish continuous monitoring systems to detect new threats as they arise, offering the earliest possible warning of an impending cyberattack.
Scott Stransky, Managing Director of the Marsh McLennan Cyber Risk Intelligence Center, highlights the significance of dark web intelligence in addressing this evolving threat: “Historically, the insurance industry has focused on data from within an organization, leaving a blind spot when it comes to external threats. By tapping into dark web intelligence, insurers and businesses alike can identify who might be targeting them and take proactive steps to prevent attacks.”
Taking Action on Dark Web Intelligence
The findings in the report stress the importance of gathering dark web intelligence and acting on it. Cybersecurity teams need detailed, actionable intelligence that goes beyond high-level findings. For example, knowing that a dark web forum mentions an organization is not enough. Teams must identify who is discussing the organization, what specific vulnerabilities or data they are targeting, and how they plan to exploit them.
Organizations are encouraged to integrate dark web intelligence into their broader cybersecurity strategies. Doing so allows them to prioritize resources effectively, focus on the most critical threats, and use pre-attack intelligence to inform their defensive actions.
Conclusion
The Correlation Between Dark Web Exposure and Cybersecurity Risk study provides compelling evidence that dark web exposure is critical in assessing an organization’s cybersecurity risk. With the ability to quantify how dark web findings correlate with cyber insurance claims, the report underscores the importance of proactive monitoring and defense strategies. By gaining visibility into their dark web exposure and continuously tracking new threats, organizations can significantly reduce the risk of a cyberattack and minimize the financial and reputational damage that often follows.
Other News: Cyber Insurance Costs Crushing Your Business?(Opens in a new browser tab)
Other News: These 5 Cyber Steps Can Make America Secure Again.