Monitoring traffic on the dark web is the kind of thing that IT administrators worry about, but they can't do anything about. Now IT can pinpoint who and what is accessing the dark web from corporate networks with WhatsUp Gold.
WhatsUp Gold, for those who aren't acquainted, is a network monitoring solution by Ipswitch. A new feature in WhatsUp Gold 2018 Service Pack 2 is a way to monitor traffic coming to and from the dark web. But why is it important for IT teams to track dark web traffic? Not all traffic from the dark web is necessarily malicious, although we can imagine some of it is. However, there probably isn't a place for the use of Tor and other tools that are used to access the dark web on a corporate network.
In a recent study, they found that 58% of the traffic on the dark web or through the Tor network was illicit, and just 42% was licit. Some studies in the past have even claimed illicit traffic is almost 80%. Case in point, IT teams want to keep this stuff off the business network because the majority of the traffic is not being used for good purposes. Ultimately, the dark web could really put your company in a real painful situation.
The things that are being swapped on the dark web is criminal activity, like child pornography and inducements to do drug deals. It's safe to say that most companies don't want any part of traffic that might be doing that. And yet it's very hard to monitor because the whole purpose of the dark web is to hide all this traffic. So if there's a way you can find some of it or get at least a hint on what is going on, you probably want to track that down and do something about it.
When you're monitoring dark web traffic, what would be some red flags when it comes to this type of traffic? Are there certain devices on the network that are more prone to malicious activity from the dark web?
Generally, access through PCs with the Tor web client would be enough of a red flag. The prime indicator is the Tor web client. We should add that there's a few different ways to anonymize on the internet. You could, for instance, use a VPN, but what we're talking about specifically is Tor.
WhatsUp Gold uses its Network Traffic Analysis module or what some people call Flow Monitor to monitor dark web traffic. It's using NetFlow data from routers and switches and it's looking for what are referred to as the entry or exit nodes in the Tor network. We have a database of these nodes that are built into the product that are updated on a regular basis and WhatsUp Gold basically keeps track. While it's an anonymized network, you have to enter this anonymized network someplace specific. WhatsUp Gold is looking into where are someone is entering and exiting from the Internet. If WhatsUp Gold notices traffic from those locations, you (the IT team) will get an alert.
To be clear, WhatsUp Gold is specifically a network monitoring package, network monitoring and alerting. The tool is not doing any sort of packet filtering here. Therefore, it'll be up to you and your IT team to figure out what you want to do with that information.
The messages from WhatsUp Gold come from the Alert Center, which will send out a notification via email or SMS message. What you would need to do as a network administrator at that point would be to use your own networking software, be it from Windows or Linux, to find the IP address. WhatsUp Gold can help you with that, but you would need to go through the step of finding the device. WhatsUp Gold will do a DNS name lookup and try to populate the DNS name, which should give you a pretty good clue, but you might need to use some of your Microsoft tools to actually track down the device.
In addition, with WhatsUp Gold your IT team can put together a dashboard report showing amount of traffic that's been detected going to the dark web.
Get our latest blog posts delivered in a weekly email.