Gareth Owenson, 41, is the co-founder of Portsmouth-based Searchlight Cyber and an expert on the dark web. He set up the business with Ben Jones in 2017 to give law enforcement agencies and businesses better tools to tackle crime. American private equity firms quickly spotted the potential of the technology, with Boston-based Charlesbank Capital Partners the latest to invest, in January. Searchlight now employs 70 people across the UK, Europe and the US. Owenson says the dark web is maturing as a place where bad actors can gain access to all the information and tools they need to hack companies.

There are many dark webs but the main one has been around for about 20 years. In early years it did not get much attention as it was an anonymous network where you could do stuff on the internet, but it would be difficult to find out who it was [as the messaging app Telegram is today]. Initially it was aimed at journalists in oppressive regimes.

After 2010, a guy realised you could sell drugs on the dark web as you could host websites anonymously and accept payment kind of anonymously with bitcoin. The dark web took off and today you see many dark web marketplaces engaging in all sorts of criminal activity.

It is quite a mature place now. There is a whole supply chain there. Actors believe they can act with impunity and do what they like. That is not entirely the case as you do see many people being apprehended, but it does afford them a layer of protection.

Why should businesses prioritise the threat from the dark web?

Traditionally, cybersecurity is focused on an entirely defensive posture. You get emails, you scan them for viruses. You have a firewall that stops people attacking your network.

When those things touch your company, the actor is already probing your defences. It is often one of the last steps in the chain. Take the ransomware attacks where they encrypt all the files in a company’s network and charge a large ransom to decrypt those files. For that group, there are many steps that happen well before the group touches the corporate network.

For example, on the dark web you can buy “breach credentials” from companies [usernames and passwords]. You put in a domain name and get all the [details] that have been breached from that company. Generally, that is employees of a company that have used a username and password on a third-party website that has been hacked.

Then you get another actor who buys those credentials and they test them to see if they work. They then package up the list that works and sell it on to another actor, often a ransomware group at that point, and they now have access into a corporate network. That group will also often buy the ransomware itself and then attack the company.

By spotting these things earlier in the chain, you could prevent the attacks

It is very difficult to protect your network from someone if they know a username and password to access it. It is like having a front door and someone has the key. And most companies, if they face a skilled attacker who is persistent, they are going to get breached.

But by monitoring the dark web you can get an early warning and take pre-emptive action. You can protect against the more sophisticated actors.

You can hire an analyst who goes out there and tries to spot the threats. In our case, we are running software to detect those threats automatically. We have a research team who go out and identify the high-risk places and actors and then software that collects that information.

A customer then comes to us and says this is the network we want protected, and we will scan the information that we have collected looking for those threat indicators, classify them and flag them. If you do that in an automated way, you get those alerts in a very short period of time.

What might surprise you about the risks from the dark web?

One is that the timeframes are quite short. A typical timespan that we have seen between credentials being breached on the dark web and a company being a victim of a ransomware attack is about six to eight weeks.

Today ransomware is absolutely prolific. Its users are not particularly sophisticated actors but they are persistent. If you are a small or medium-sized company I wouldn’t say you are immune to it. The gangs are playing a numbers game and going across the spectrum [of company sizes].

One of the surprising things we see is the discussions between the ransomware gangs and the companies that have been breached. The gangs come in quite educated to that conversation. You get the companies saying “I can’t afford $40 million as a ransom” and they say “Hang on, last year your turnover was X and we know you can afford to pay it”.

Malware is also on the rise

If you get a machine infected, all the saved passwords in the browser get hoovered up in one mass and it sends them out to the gang. It is more effective than the credentials hacks. And it is pretty easy to hide malicious software from antivirus software. You can buy tools on the dark web that will obscure it.

What can companies do in response?

Ideally they are collecting a feed of breached usernames and passwords and they plug it in an automated way to their systems so those user accounts get reset immediately. It means there is no time between the passwords being breached and the actor acquiring them.

Backups are also key. Most people’s businesses depend very heavily on the electronic information that they are using, whether that is customer databases, intellectual property. Ransomware gangs are going to come at you, encrypt that stuff, and if you don’t have a good backup you are not going to have any choice but to pay the ransom.

Something as simple as having regular backups can thwart a ransomware attack. The gold standard is daily backups; after that seven days. Offsite backups, disconnected from your systems [are also best practice]. We do see ransomware groups penetrate companies and the first thing they try to do is delete the backups before they deploy the ransomware.

In addition, good password hygiene is important — don’t choose your daughter or dog’s name, try to choose three words and put them together — and two-factor authentication is important. We are dealing with criminals trading in stolen usernames and passwords and two-factor authentication is a strong defence against that.

Those three things combined will give you a good shield, a good start.

Gareth Owenson was talking to Richard Tyler, editor of Times Enterprise Network

For more information on cybersecurity prevention, visit Cyber Essentials, the government-backed scheme