Information Security Blog

Does your Incident Response Plan include “The Dark Side of the Internet”?

It’s been a tough couple of weeks. We’ve been spending way more time than I would prefer helping new/existing clients recover from security incidents. Integral to this effort is the process of each client learning from the incident and updating their security incident response plans accordingly.

One thing that you generally don’t yet find in most such plans is crossing over to the “dark” side of the internet – but moving forward I think it’s likely you may. Let me explain what I mean and why…

One of our clients referred another company to us that unfortunately had been hacked. Several weeks prior, their client-facing website/application had been “hijacked” and was redirecting visitors from certain geographic regions to an overseas site. The client focused on recovery rather than investigation, so they never tried to determine what the purpose of the redirects was. The best guess would be a drive-by malware site, although the geographic discrimination is an unusual twist that would have been interesting to understand. In order to ensure that any traces of the compromise were eradicated, the client rebuilt the site at a different hosting provider on a fresh Content Management System (CMS) install with updated modules/templates.

The client called us because the site had been hacked again. This time the site had been defaced by a hacker. By the time they called us they had taken the site offline. They wanted to get the site back up as soon as possible, but before doing so they wanted to know how the site was hacked, so that it wouldn’t simply recur. Because the site is hosted, the quality and quantity of the logs that were available were limited. That being said, we had several good data points: an overseas IP address attempting to hit the admin page of the app, and the fact that the hacker had signed his website defacement.

It was relatively straightforward to determine that the IP address was a cloud server provider – often used by the hacking community. However, conventional searches did not find anything on the hacker tag that had signed the defacement. Time for a trip to the dark side.

Most people are familiar with TOR (The Onion Router). It’s a mechanism that you can use to surf the web in an “anonymous fashion.” The TOR client (installed on your computer) directs internet traffic through a network of servers to conceal your location/usage. TOR makes it very difficult to trace Internet activity. Of course, it is widely used for nefarious purposes.

One thing many people don’t know about TOR is that it can also be used to connect to “hidden services” on the internet – sometimes referred to as the “darknet”. The .onion domain is the most well-known of these. It’s the hidden part of the internet where virtually anything can be bought or sold (e.g., drugs, guns, credit cards, botnets, and assassins). It’s not for the faint of heart – and despite the “anonymity” that is provided by TOR, you still find yourself looking over your shoulder when you’re on it. In short order, we were able to determine the date/time of the compromise and the mechanism on hacker message boards. (I’m intentionally keeping the details sparse in deference to our client).
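The log triage described above (an unexpected IP hitting the admin page, then attributing that IP to a cloud provider) and the Tor discussion that follows both come down to the same defender's task: pull the admin-page requests out of whatever access log the host provides, tag the source addresses against watchlists, and get a timeline. The script below is an added example written for this post, not code from the original article or from the consultancy; the log lines, the cloud-provider range and the Tor exit-node address are all constructed placeholders (RFC 5737 documentation addresses), and the admin path prefixes are assumed, not taken from the client's application.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample of "combined" web-server access-log lines (the default
# Apache/nginx format). Invented for this example; not the client's logs.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:02:14:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2014:02:15:41 +0000] "GET /administrator/index.php HTTP/1.1" 200 2301 "-" "python-requests/2.2"
198.51.100.23 - - [10/Mar/2014:02:15:43 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "python-requests/2.2"
192.0.2.9 - - [10/Mar/2014:02:16:10 +0000] "GET /wp-login.php HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2014:02:17:02 +0000] "POST /administrator/index.php?option=com_templates HTTP/1.1" 200 4096 "-" "python-requests/2.2"
"""

# Constructed watchlists (placeholder values). In real work, load the hosting
# provider's published address ranges and the Tor Project's current exit list.
CLOUD_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
TOR_EXIT_NODES = {ipaddress.ip_address("192.0.2.9")}
# Assumed application paths that only administrators should ever request.
ADMIN_PATH_PREFIXES = ("/administrator/", "/wp-admin/", "/wp-login.php")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for anything unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None  # surface odd lines to the analyst rather than guess
    rec = m.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = urlsplit(rec["target"]).path  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def classify_ip(ip) -> list:
    """Tag an address against the watchlists; empty list means nothing known."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    tags = []
    if any(ip in net for net in CLOUD_RANGES):
        tags.append("cloud-hosting")
    if ip in TOR_EXIT_NODES:
        tags.append("tor-exit")
    return tags


def is_admin_request(path: str) -> bool:
    return path.startswith(ADMIN_PATH_PREFIXES)


def triage(log_text: str) -> list:
    """Return admin-page requests in time order, each tagged with IP context."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_admin_request(rec["path"]):
            continue
        findings.append({
            "ts": rec["ts"], "ip": str(rec["ip"]), "method": rec["method"],
            "path": rec["path"], "status": rec["status"], "ua": rec["ua"],
            "tags": classify_ip(rec["ip"]),
        })
    findings.sort(key=lambda f: f["ts"])
    return findings


def first_admin_hit(findings) -> Optional[datetime]:
    """Earliest admin request from a watchlisted IP: the start of the timeline."""
    for f in findings:
        if f["tags"]:
            return f["ts"]
    return None


def summarize(findings) -> Counter:
    """Requests per source IP, to see who was hammering the admin page."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["ts"].isoformat(), f["ip"], f["method"], f["path"],
              f["status"], f["tags"] or "-", f["ua"])
    print("first watchlisted admin hit:", first_admin_hit(found))
    print("per-IP counts:", dict(summarize(found)))
```

Two design choices worth noting. Unparseable lines return None instead of being silently skipped so that a hosted provider's non-standard log format is noticed rather than hidden, and the query string is stripped before the path check so that a request like `/administrator/index.php?option=...` still matches the admin prefix. The Tor exit list is kept as data rather than code because it changes constantly; the Tor Project publishes the current list, and an incident responder should refresh it at the time of the investigation rather than rely on a stale copy.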

Part of our client’s continuous improvement process is adding TOR/darknet knowledge to their Computer Security Incident Response Team (CSIRT). Hopefully, they won’t have to exercise the plan anytime soon – but if they have a security incident to respond to their Incident Response Plan now includes a trip to the dark side.

About the Author:

John Verry (CISA, 27001 Certified Lead Auditor, CCSE, CRISC) is Pivot Point's resident "Security Sherpa". He is lucky enough to spend most of his day helping clients develop a road map to address security, compliance, and attestation requirements.
