
Respond to Illicit Networks Events


When you receive an alert pointing to a Dark Web source, the first step is to look at the result on the platform using the link provided in the alert. If a specific result is of interest to you and you are unsure how, or whether it is safe, to access it, feel free to reach out to us: we will be happy to share screen captures or HTML documents and give you more context.

Market Listing

A Market Listing alert means an actor has put an item up for sale on Illicit Networks that matches one of your Identifiers.

What's the risk?

In this category, actors are usually malicious. They can be inexperienced cybercriminals or more advanced threat actors.

If the item for sale is an account of some type, consider whether it may be an employee or a customer account, and the potential impact if the account were taken over and accessed by a malicious actor. Remember that once connected to the account, the actor can move laterally and potentially reach more information or more accounts.

What should I do?

  1. Analyze the content of the listing to understand the risk.
  2. Click on the actor to browse to their profile and evaluate their credibility.
  3. If an employee account is identified, advise that the employee rotate the credentials immediately.

Forum Post and Chat Messages

A Forum Post or Chat Message alert means that an actor has mentioned one of your Identifiers on Illicit Networks.

What's the risk?

In this category, actors are usually malicious. They can be inexperienced cybercriminals or more advanced threat actors.

If actors are discussing an attack or a fraud method, read the whole thread for context to better understand whether the method poses a real threat to your organization.

What should I do?

  1. Analyze the context of the mention to understand the risk.
  2. Click on the actor to browse to their profile and evaluate their credibility.

Ransom Leaks

A Ransom Leak alert means that one of your Identifiers has been mentioned on a ransomware group's leak site monitored as part of Illicit Networks.

What's the risk?

The content of ransomware websites is curated and published by the ransomware groups themselves.

If you are a victim of ransomware, you are normally already aware of it before Flare alerts you. In this case, the risk is that the group has started publishing confidential information as proof that its attack was successful.

When the alert is generated by an Identifier related to one of your third parties, it is a highly credible confirmation that the organization is in fact a victim of ransomware.

What should I do if I'm a ransomware victim?

  1. If not already done, contact a trusted security partner to help remediate the incident.
  2. Monitor Flare alerts to learn within minutes when the group publishes any information (an announcement or data) regarding your company.
  3. If sensitive data is published, follow your incident-response and breach-notification procedures.

What should I do if I get an alert for a third-party?

  1. Contact the third party and ensure that it is aware of the incident and handling it.
  2. Evaluate the potential impact on your organization if the third party's data were lost or made public.

How is the severity of a Ransom Leak evaluated?

There are a number of rules and factors used to evaluate the risk of a ransomware event. They apply as follows:

If Flare believes that you are the victim in the ransomware event, the event is CRITICAL.

If Flare believes that some of your sensitive files are present in the ransom leak (for example when an important supplier or third party of yours is breached), the event is CRITICAL.

If your organization is mentioned in the breach or blog post but there is no clear indication of increased risk, the event is HIGH.

If the event, although critical for the victim, does not seem to relate to your organization in any way, the event is MEDIUM.

Infected Devices

An Infected Devices alert originates from Illicit Networks marketplaces that sell access to infected devices (stealer logs: saved credentials, cookies and browser fingerprints harvested from a compromised machine). Two of the major players in this sphere are Genesis Market and Russian Market (Genesis Market was seized by law enforcement in April 2023).

What's the risk?

Across all alert types, Infected Devices alerts are among the most time-sensitive you will receive. They can indicate that an employee's account is available for sale, and that a malicious actor could take over that account.

Note that an infected-device listing is scored High Risk (4/5) when sensitive subdomains are found in it (adfs, webmail, vpn, etc.) or other sensitive keywords (outlook, exchange, employee, etc.).

What should I do?

  1. Check the full alert in Flare and identify which of the domains you monitor matched the listing. With this information, assess how critical it would be for a malicious actor to log into this portal.
  2. For critical access (admin, VIP) to a login portal, consider temporarily taking the portal offline or blocking the affected logins right away to minimize risk.
  3. Use any additional information in the listing (partial IP address if available, other logins present on the same infected device) to narrow down a subset of users who might own the infected device. Use your authentication logs and network information to try to identify the user in question.
  4. Reset the user's password if identified, and revoke their active sessions and tokens as well: stealer logs usually include session cookies, so a password reset alone does not lock the actor out. If you were only able to identify a subset of users, consider a password reset and session revocation for all of them and send an email explaining the situation.
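The four steps above, implemented as an added example (this is not Flare's code, and the alert fields, the auth-log line format and all sample values are constructed for illustration): it scores the exposed portal using the sensitive subdomains and keywords named in this playbook, narrows the candidate owners of the infected device by matching the listing's partial IP against authentication log lines for the exposed apps, and lists the actions to take. The weights and field names are assumptions; adapt them to your own alert payload and logs.

```python
"""Triage an Infected Devices (stealer-log) alert: rate how bad takeover of the
listed access would be, then narrow down which user owns the infected device.

Added example, not Flare's code. The alert fields (matched_domain, listing_urls,
partial_ip, other_logins), the auth-log format and all sample values below are
constructed for illustration; adapt them to your own alert payload and logs."""
import ipaddress
import re
from dataclasses import dataclass, field

# Sensitive subdomains and keywords named in the playbook (adfs, webmail, vpn,
# outlook, exchange, employee), plus a few common ones, weighted 1-5 by the
# access they imply. The weights are assumptions; tune them for your environment.
SENSITIVE_SUBDOMAINS = {"adfs": 5, "sso": 5, "vpn": 5, "webmail": 4, "owa": 4, "citrix": 4}
SENSITIVE_KEYWORDS = {"admin": 5, "outlook": 4, "exchange": 4, "employee": 3}

# Constructed auth-log line format: "<ts> user=<u> src=<ip> app=<name> result=<r>"
LOG_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) app=(?P<app>\S+) result=(?P<result>\S+)")


@dataclass
class InfectedDeviceAlert:
    matched_domain: str                 # monitored domain that matched the listing
    listing_urls: list                  # login URLs captured on the infected device
    partial_ip: str = ""                # masked victim IP as shown in the listing, e.g. "203.0.113.*"
    other_logins: list = field(default_factory=list)  # non-corporate logins on the same device


def matched_hosts(alert):
    """(url, host, subdomain) for every listing URL that belongs to the matched domain."""
    out = []
    for url in alert.listing_urls:
        host = re.sub(r"^https?://", "", url.lower()).split("/")[0]
        if host == alert.matched_domain or host.endswith("." + alert.matched_domain):
            out.append((url, host, host[: -len(alert.matched_domain)].rstrip(".")))
    return out


def score_listing(alert):
    """Step 1: return (score 1-5, reasons) for how critical the exposed login portal is."""
    score, reasons = 1, []
    for url, host, sub in matched_hosts(alert):
        for name, weight in SENSITIVE_SUBDOMAINS.items():
            if name in sub.split("."):
                score, reasons = max(score, weight), reasons + [f"sensitive subdomain {host}"]
        for kw, weight in SENSITIVE_KEYWORDS.items():   # only on URLs of the matched domain
            if kw in url.lower():
                score, reasons = max(score, weight), reasons + [f"keyword '{kw}' in {url}"]
    return score, reasons


def partial_ip_matches(partial, ip):
    """Step 3 helper: match a masked IP ('203.0.113.*') or a CIDR against a concrete address."""
    if "/" in partial:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(partial, strict=False)
    pattern = re.escape(partial).replace(r"\*", r"\d{1,3}")
    return re.fullmatch(pattern, ip) is not None


def candidate_users(auth_log_lines, alert, apps):
    """Step 3: users who authenticated to an exposed app from an address consistent with the listing."""
    hits = {}
    for line in auth_log_lines:
        m = LOG_RE.search(line)
        if not m or m["app"] not in apps:
            continue
        if alert.partial_ip and not partial_ip_matches(alert.partial_ip, m["src"]):
            continue
        hits.setdefault(m["user"], []).append(line.strip())   # failed attempts place a user too
    return hits


def triage(alert, auth_log_lines):
    """Steps 1-4 combined: score the listing, narrow the owner, list the actions to take."""
    score, reasons = score_listing(alert)
    apps = {sub.split(".")[0] for _, _, sub in matched_hosts(alert) if sub}
    users = candidate_users(auth_log_lines, alert, apps)
    actions = []
    if score >= 4:   # step 2: a critical portal is exposed
        actions.append("Block the exposed portal or the affected accounts until the owner is identified")
    if users:
        actions.append("Reset passwords AND revoke sessions/tokens for: " + ", ".join(sorted(users)))
    else:
        actions.append("No user matched; widen the log window or reset the whole candidate group")
    return {"score": score, "reasons": reasons, "candidate_users": sorted(users), "actions": actions}


# Constructed sample alert and auth log (RFC 5737 documentation addresses, fictitious users).
SAMPLE_ALERT = InfectedDeviceAlert(
    matched_domain="example.com",
    listing_urls=["https://vpn.example.com/", "https://webmail.example.com/owa/",
                  "https://accounts.google.com/"],
    partial_ip="203.0.113.*",
    other_logins=["personal.mailbox@gmail.example"],
)
SAMPLE_AUTH_LOG = [
    "2024-05-02T08:13:55Z user=jsmith src=203.0.113.45 app=vpn result=success",
    "2024-05-02T08:20:01Z user=mlee src=198.51.100.7 app=vpn result=success",
    "2024-05-02T09:02:17Z user=jsmith src=203.0.113.45 app=webmail result=success",
    "2024-05-02T09:30:44Z user=akhan src=203.0.113.90 app=webmail result=failure",
    "2024-05-02T10:11:09Z user=dperez src=203.0.113.12 app=hr-portal result=success",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERT, SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

The non-corporate login on the same device (other_logins) is deliberately not matched against the corporate logs; it is kept on the alert because it is often the quickest way to identify the owner through your HR or asset records once you have the short list from the IP match. The partial-IP matcher accepts both the masked form marketplaces typically show and a CIDR, and failed logins from the matching address are kept as candidates because they still place that user behind that address.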

Here is a sample workflow to help you gauge the criticality of an alert about an infected device (keep in mind this is only meant as a guide and does not necessarily represent a solution designed for your organization):

(Workflow diagram: gauging the criticality of an infected-device alert)

