Dark web threat actors are evolving their techniques, shifting from attacks on large organizations directly toward targeted attacks on individuals.
“Dark web monitoring is critical” to stopping these threats, says Vakaris Noreika, Head of Product at NordStellar, a threat exposure management platform developed by Nord Security. “It’s often the only way to detect individual-focused attacks. These incidents frequently occur on employee home computers or bypass corporate endpoint detection and response (EDR) systems.”
With years of experience in developing cutting-edge cybersecurity solutions, Noreika brings a deep understanding of the complexities and nuances involved in protecting corporate data. He observes a surge in info-stealer malware and highlights the critical need for seamless integration of dark web intelligence into existing security systems.
In this Q&A, Noreika explores how NordStellar addresses these challenges, trends shaping the dark web monitoring space, and strategic priorities for organizations to strengthen their security posture against dark web threats.
Q. How are dark web threats evolving, and how important is it for organizations to implement a dark web monitoring strategy?
We’ve been observing a significant shift in dark web threat actors’ focus over the past couple of years. While the primary motivation remains monetary gain, their techniques are evolving, and their targets are changing. Historically, threat actors focused on large corporations, stealing user databases and selling the data. Now, we’re witnessing a shift towards targeting individuals.
Interestingly, we’ve seen a downturn in the number and size of large corporate breaches. This is likely due to increased regulations like GDPR, which have forced companies to improve security. However, the overall number of data breaches and hacked companies is still increasing, but the impact per breach is smaller. We’re seeing fewer “mega-breaches” affecting hundreds of millions of customers.
To target individuals, cybercriminals often employ infostealer malware. This malware, usually spread through phishing or malicious downloads, steals credentials, cookies, and other sensitive data directly from personal computers, often bypassing traditional corporate defenses. The volume of infostealer-related data on the dark web has exploded since 2020.
This is why dark web monitoring is critical. It’s often the only way to detect individual-focused attacks. These incidents frequently occur on employee home computers or bypass corporate endpoint detection and response (EDR) systems. Without dark web monitoring, organizations remain blind to these compromises, which can potentially lead to account takeovers, data breaches, and reputational damage. Training and awareness are helpful, but they are not a complete solution. Dark web monitoring provides a fundamental layer of intelligence.
Q. What are the biggest challenges facing organizations executing a successful dark web monitoring strategy today?
I believe the most significant challenges lie in three key areas: integration, actionability, and business alignment. Integration is a major hurdle because dark web monitoring data must be effectively incorporated into existing security systems like SIEM or SOAR platforms. Without proper integration, security teams struggle to consolidate alerts, correlate them with other security data, and gain a unified view of their threat landscape.
Actionability is another challenge, as organizations must go beyond simply receiving alerts and focus on generating actionable insights. It’s not enough to know that a credential has been leaked; security teams must determine which employee is affected, which system is at risk, and what the potential impact is. Organizations need automated playbooks and workflows to improve response time and mitigate threats effectively.
Lastly, business alignment can be difficult, especially when trying to secure buy-in from different teams across the organization. Implementing security measures based on dark web intelligence often requires changes in user experience and even development roadmaps. Convincing stakeholders of the business value of dark web monitoring and aligning security with business goals, while managing the manual analysis, can be particularly challenging without a dedicated, specialized team.
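The infostealer exposures described earlier and the “which employee, which system, what impact” triage Noreika calls for in this answer can be shown end to end in code. The Python below is an added example for this page, not NordStellar’s code and not part of the interview. The feed record schema, the employee directory, the asset inventory, the scoring weights and the action names are all constructed assumptions; a real deployment would replace them with the vendor’s export format and the organisation’s own IdP and CMDB data.

```python
"""Triage of dark web credential-exposure records (added example, constructed data).

Keeps only the organisation's identities from an assumed infostealer-log / combolist
feed, merges duplicates, enriches each hit with the employee and the asset it unlocks,
scores it, and emits playbook actions plus a SIEM line that never carries the secret.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from urllib.parse import urlparse

CORP_DOMAIN = "example.com"  # assumption: the monitored organisation's mail domain

# Constructed directory and asset inventory; field names are assumptions.
EMPLOYEES = {
    "alice@example.com": {"name": "Alice", "privileged": False},
    "bob@example.com": {"name": "Bob", "privileged": True},
}
ASSETS = {  # keyed by hostname; criticality 1 (low) .. 3 (high)
    "sso.example.com": {"criticality": 3, "mfa": True},
    "vpn.example.com": {"criticality": 3, "mfa": False},
}

# Constructed sample feed; the record schema is an assumption, not a vendor format.
SAMPLE_FEED = [
    {"source": "infostealer_log", "url": "https://sso.example.com/login",
     "username": "Alice@example.com", "password": "Summer2024!",
     "cookies": ["SSOSESSION=abc"], "seen": "2024-05-02T11:04:00Z"},
    {"source": "infostealer_log", "url": "https://sso.example.com/login",
     "username": "alice@example.com", "password": "Summer2024!",
     "cookies": [], "seen": "2024-04-20T08:00:00Z"},  # older duplicate
    {"source": "combolist", "url": "https://vpn.example.com",
     "username": "bob@example.com", "password": "hunter2",
     "cookies": [], "seen": "2024-05-01T09:30:00Z"},
    {"source": "combolist", "url": "https://shop.example.org/account",
     "username": "alice@example.com", "password": "Summer2024!",
     "cookies": [], "seen": "2024-03-10T00:00:00Z"},  # third-party site, same password
    {"source": "combolist", "url": "https://unrelated.test/login",
     "username": "someone@other.test", "password": "x",
     "cookies": [], "seen": "2024-05-01T00:00:00Z"},  # not our identity
]


@dataclass
class TriagedAlert:
    username: str
    host: str
    employee: str              # display name, or "unknown" if not in the directory
    privileged: bool
    criticality: int           # 0 means the host is not an inventoried asset
    session_cookies: bool      # stolen cookies allow session replay, which skips MFA
    mfa_on_target: bool
    password_fingerprint: str  # SHA-256 prefix only; the plaintext is never retained
    last_seen: str
    score: int
    actions: list


def fingerprint(secret: str) -> str:
    """Short digest so analysts can spot 'same password again' without storing it."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def triage(feed, employees=EMPLOYEES, assets=ASSETS, corp_domain=CORP_DOMAIN):
    """Return TriagedAlert objects for the organisation's identities, highest score first."""
    merged = {}
    for rec in feed:
        username = rec["username"].strip().lower()
        host = (urlparse(rec["url"]).hostname or "").lower()
        if not username.endswith("@" + corp_domain):
            continue  # someone else's user; a customer-account feed would branch here
        cur = merged.setdefault((username, host), {"seen": "", "cookies": False, "password": ""})
        cur["cookies"] = cur["cookies"] or bool(rec.get("cookies"))
        if rec["seen"] > cur["seen"]:  # ISO-8601 UTC timestamps sort lexically
            cur["seen"], cur["password"] = rec["seen"], rec.get("password", "")

    alerts = []
    for (username, host), cur in merged.items():
        emp, asset = employees.get(username, {}), assets.get(host)
        privileged, mfa = bool(emp.get("privileged")), bool(asset and asset["mfa"])
        criticality = asset["criticality"] if asset else 0
        score, actions = 0, []
        if asset:
            score, actions = score + 10 * criticality, actions + ["force_password_reset"]
            if not mfa:
                score, actions = score + 10, actions + ["enforce_mfa"]
        else:  # corporate email on a third-party site: password-reuse exposure
            score, actions = score + 5, actions + ["notify_employee_password_reuse"]
        if privileged:
            score, actions = score + 10, actions + ["review_privileged_activity"]
        if cur["cookies"]:  # goes first: a reset alone does not kill a replayed session
            score, actions = score + 15, ["revoke_sessions"] + actions
        alerts.append(TriagedAlert(username, host, emp.get("name", "unknown"), privileged,
                                   criticality, cur["cookies"], mfa, fingerprint(cur["password"]),
                                   cur["seen"], score, actions))
    alerts.sort(key=lambda a: (-a.score, a.username))
    return alerts


def to_siem_lines(alerts):
    """One JSON object per line for SIEM/SOAR ingest; contains no plaintext secret."""
    return [json.dumps(asdict(a), sort_keys=True) for a in alerts]
```

Two design points matter more than the weights. Session cookies outrank a bare password because a replayed session bypasses MFA, so the playbook revokes sessions before resetting the password. And the plaintext secret is reduced to a fingerprint before anything leaves the triage step, so the SIEM, the ticket and the Slack alert never become a second leak; the fingerprint is still enough to see that the same password surfaced on the SSO portal and on an unrelated shopping site, which is the reuse signal worth acting on.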
Q. How does the NordStellar threat exposure management platform help teams address these challenges, and how do you differentiate the platform in this competitive space?
NordStellar addresses these challenges by focusing on simplicity, actionability, and external perspective. Unlike traditional threat intelligence platforms that provide a flood of raw data, we focus on presenting clear and understandable threats specific to each organization. We cut through the noise and highlight what matters most.
Our platform allows teams to look at direct threats, not just data points. This means we identify compromised credentials, leaked data, and exposed infrastructure, making it easier for security teams to take immediate action. We also support integrations with existing security systems, enabling automated response workflows.
Furthermore, NordStellar was built from the “hacker’s perspective.” We’ve used this technology internally at Nord Security for over six years to protect NordVPN’s customers and employees. This gives us a unique understanding of how threat actors operate and what they’re looking for. We focus on the new age of threats, not just the traditional threat intelligence feeds.
What makes NordStellar different is its focus on individual employees, as we prioritize the detection of threats targeting employees and customers. Unlike solutions built exclusively for large enterprises, NordStellar is easy to use and accessible to companies of all sizes, even those without dedicated threat intelligence teams. Built on real-world experience, our platform leverages years of expertise in protecting a globally known VPN provider, ensuring proven effectiveness. Additionally, we deliver clear value without requiring deep integration: our customers strengthen their security posture without the complexity of integrating with existing systems.
Q. What are your top recommendations for CISOs in the process of looking for a dark web monitoring / threat exposure management solution?
My top recommendations would be the following:
- Define your use cases: Before you even look at solutions, clearly define how you will use dark web intelligence. What playbooks will you create? How will you integrate the data with your existing processes?
- Assess your current coverage: Understand your existing security posture and identify gaps. Where are you vulnerable? What threats are you currently unable to detect?
- Focus on actionability: Look for solutions that provide clear, actionable insights, not just raw data. Can you easily understand the threat and take steps to mitigate it?
- Evaluate data depth: Consider the breadth and depth of the data provided. Does the solution cover the relevant dark web sources and forums? Does it provide context around the leaked data?
- Consider integration capabilities: How easily will the solution integrate with your existing SIEM/SOAR, ticketing systems, and other security tools?
- Business alignment: Protecting customer accounts introduces complexity and requires business buy-in, often involving development hours and impacting product people.
Q. What trends do you expect to see in the dark web monitoring space over the next few months?
I expect to see a continuation of existing trends in the dark web monitoring space. Info-stealer malware will remain a dominant threat vector on dark web forums and marketplaces, continuing to drive organizations’ need for comprehensive monitoring solutions. Within these underground communities, we observe AI being gradually incorporated by threat actors to develop more convincing phishing campaigns and potentially for voice cloning attacks that bypass traditional security measures.
Despite these technological advancements, the fundamental vulnerability will continue to be the human element, with dark web actors exploiting basic security oversights. The core techniques used by threat actors on the dark web aren’t changing dramatically, but rather becoming more refined and targeted, making visibility into these hidden spaces increasingly critical for organizations’ security postures.
Q. In your view, what should organizations’ top dark web monitoring planning priorities be?
I would like to highlight the following areas and questions that every organization needs to answer first.
- Identify your biggest security risks. Are you concerned about employee credential compromise? What about customer account takeovers or vendor breaches?
- Don’t overlook the fundamentals. Strong passwords, multi-factor authentication, and phishing awareness are still crucial defenses.
- Develop response playbooks. Plan how you will respond to different types of dark web alerts. Who will be responsible? What actions will they take?
- Integration. Integrate dark web monitoring with your existing security infrastructure to streamline workflows and improve response times.
- Prioritize actionable intelligence. Choose a solution that provides clear, actionable insights that you can use to improve your security posture directly.
Ultimately, every organization is unique. The best approach is to assess your specific needs, understand your vulnerabilities, and choose a dark web monitoring solution that helps you address your most pressing security challenges.