Fortune 500 Reranking the Fortune 500 Using Darknet Intelligence

The Darknet Index: Fortune 500 Reranking the Fortune 500 using Darknet Intelligence

Introduction

We live in an era where cybersecurity often dominates the news. Yahoo, Sony and Target are only three of the many companies subjected in recent years to costly cyber attacks. No company or organization is immune from these types of attacks, and billions of dollars are spent annually in an attempt to protect the valuable data they hold. TABLE OF CONTENTS Measuring cybersecurity risk therefore becomes important for any company seeking to implement a comprehensive Introduction ...... 1 cybersecurity strategy and justify a return on the increasing Methodology...... 3 investments made. Several different risk measures exist— The Top 25 ...... 5 some financial, performance, or technology related, and others Observations...... 6 which attempt to measure the frequency of attacks thwarted. Conclusions...... 8 Each provides one aspect of guidance for management teams in their evaluation of overall risk. The Darknet Index...... 9 About Us ...... 22 However, to date, there has been no attempt to measure the cybersecurity risk or profile of companies by how much data is available on a company that can be misused. How does the availability of breached data affect the overall the overall cybersecurity profile of a company?

When data is hacked or stolen it often ends up for sale on an area of the internet known as the darknet. The darknet— actually a collection of numerous private networks, forums and channels—allows anyone using special browsers and tools to post data and communicate in a private online world. This facilitates the confidential and anonymous exchange of large amounts of stolen data.

OWL CYBERSECURITY OWLCYBER.COM 303-234-1231 OWL CYBERSECURITY DARKNET INDEX: FORTUNE 500 PAGE 2

Unlike the surface web — the internet most of us use every day — there is little indexing of darknet sites. In fact, until now, there has been no easy way to comprehensively measure a company’s presence on the darknet. OWL Cybersecurity has built a proprietary database of darknet content which is the most comprehensive one of its kind in the world. This database is automatically and continuously updated with between 10 to 15 million pages per day, from more than 24,000 domains on the Tor network alone, as well as other darknet networks. Our darknet content is indexed and searchable in 47 languages for organizations wishing to monitor their data on the darknet.

To demonstrate how the unprecedented scope and scale of our darknet data can strengthen a cybersecurity program, we used our OWL Vision database, together with additional sources of DARKINT™ — or darknet intelligence — to rerank all members of the Fortune 500 (as of April 2017) based on their darknet footprint. By doing this, we can provide each company with a snapshot view of its exposure on the darknet relative to peers, something we are uniquely positioned to provide.

Key Takeaways From Our Analysis

• Every Fortune 500 company is exposed. Every single company in the Fortune 500 had a positive Darknet Index score, meaning they have a presence on the darknet.

• Amazon leads the Index. The company with the largest darknet footprint is online retailer Amazon, who has a massive internet presence and possesses a significant amount of customer data.

• Technology and telecommunications companies overall are the largest target. Technology and telecommunication firms have the highest Darknet Index scores, indicating that they are the most attractive firms targeted by threat actors.

• Financial firms perform better than expected. Financial firms—frequent targets of hackers—fare better than expected, likely reflecting their focus on significant investment in cybersecurity in recent years.

• Hacked valuable data = increased risk. The highest scoring companies all had credentials and/or intellectual property exposed on the darknet which can be monetized by others.

• Vigilance pays off. Investing in cybersecurity has tangible Darknet Index score benefits. Sectors which have invested heavily have, in some cases, smaller darknet footprints and, thus, lower Index ratings.

OWL CYBERSECURITY OWLCYBER.COM 303-234-1231 OWL CYBERSECURITY DARKNET INDEX: FORTUNE 500 PAGE 3

Methodology

One of the biggest hurdles to widespread awareness of darknet activity is the lack of any reliable indices. Unlike the surface web, on which many organizations continuously capture and record internet activity in a historical archive, the darknet is designed to be difficult to trace. The use of special browsers is required, and users need to obtain the full URL of a destination darknet web page to visit. There is no “darknet Google,” and darknet sites are often put up and taken down within a matter of minutes to maintain anonymity.

As a result, the darknet has become a safe harbor for those looking to remain private online, whether their intentions are good or bad. A high volume of criminal activity has migrated to the darknet.

“According to our scale, every company on the Fortune 500 has a darknet ranking.”

OWL Cybersecurity’s proprietary OWL Vision is an expansive darknet database which can be queried via Boolean logic, proximity search, email domains, and more. Leveraging this, OWL Cybersecurity assessed each company in the 2017 Fortune 500 list, ultimately assigning every company with an overall darknet footprint. Combined with our proprietary hackishness algorithm — which rates darknet postings based on their potential for criminal use — our calculations yielded notable results.

To compile our Darknet Index, we ran each member of the 2017 Fortune 500 through the OWL Vision database. We focused on specific darknets for matches on each company’s website and email domains and then further adjusted the results based on computations of “hackishness”— our algorithmic rating system which scores based on the likelihood the data could be used for nefarious intent and/or has been recorded within a recent timeframe. Recent results, from within the last 90 days, were given the most weight, as recent breaches or data leaks containing an organization’s proprietary information often make the target company a target.

All mirror sites (which can be otherwise considered duplicate data) of both darknet and surface net results were excluded.

OWL CYBERSECURITY OWLCYBER.COM 303-234-1231 OWL CYBERSECURITY DARKNET INDEX: FORTUNE 500 PAGE 4

Algorithm

Our hackishness algorithm is the most critical input to these rankings as it eliminates uninteresting content hits. For simplicity, our algorithm weighted results from Tor Hidden Services and transitory sites most heavily. All results found in our database were given some weight as per the formula below:

H (ln RDS + ln RTS) = H (ln ATR) 90 ATR

H = Hackishness of last 90 days results 90 H = Hackishness of all time breach results ATR RDS = # results from Darknet Sites RTS = # results from Transitory Paste Sites ATR = # results from all time breach results

Key Methodological Points

• The Index is simple and objective. It is not biased toward company nicknames, press mentions, company size, CEO names or other subjective measures.

• The Index scale is logarithmic, meaning every point in the index reflects almost triple the profile of a single point less.

• The Index ranking reflects the attractiveness of the target. It is not a “risk of breach”. It is more closely aligned to the attractiveness of the target to a hacker while taking into account the effectiveness of their cyber defenses.

• The size of a single breach is less of a factor than the frequency of breaches over the study period.

• A company’s ranking as compared with direct competitors is very important. In future reports, we will take a closer look at more specific industry data to see the extent to which industry relates to a company’s DARKINT footprint.

OWL CYBERSECURITY OWLCYBER.COM 303-234-1231 OWL CYBERSECURITY DARKNET INDEX: FORTUNE 500 PAGE 5

The OWL Cybersecurity Darknet Index: Top 25

The results of our analysis are presented below for the top 25 companies in our Index as follows. The full ranking of the Fortune 500 companies by their darknet footprint can be found in the Darknet Index section (Page 9). We categorize all companies using the following metrics:

• DARKINT Rank - The rank of each company based on their darknet footprint score.

• Fortune 500 Rank - The rank each company is given on the annual list.

• Darknet Index Score - The darknet footprint score on which the rankings are based.

• Company Sector - The market segment as defined by the Fortune 500 list.

DARKINT Fortune Darknet Rank 500 Rank Company Name Index Score Company Sector

OWL CYBERSECURITY OWLCYBER.COM 303-234-1231 OWL CYBERSECURITY DARKNET INDEX: FORTUNE 500 PAGE 6

Observations

Every company on the Fortune 500 has a darknet ranking. This fact alone offers a glimpse into the sheer volume of information available on the darknet and confirms that no company or organization is without risk on the darknet.

The importance of the hackishness rating is seen in the case of eBay. Without such a weighting, eBay would have been by far the most highly ranked DARKINT company, with more than four times the results to its next closest entrant. Yet, when weighted for hackishness, eBay dropped to #5 (reducing its darknet footprint by more than 500 percent). Put simply, eBay has a great deal of data on the darknet, but much of the data’s potential criminal value was low.

The company with the largest hackishness-rated darknet footprint, Amazon, is not a surprise given their massive internet presence and the fraud potential of the data they maintain. In fact, the Top 5 DARKINT Index firms, Amazon, Google, Apple, Facebook and eBay, are all in the Technology sector and all use credentials extensively. Perhaps surprisingly, however, no bank registered in the top 10.

Key Takeaways

• Highest industry scores go to Technology and Telecommunications, which have both broad credentials coupled with typically smaller cybersecurity defense budgets.

• Finance and Healthcare, which receive much compliance and media focus, have industry index results within the expected range which implies their cybersecurity spending is in line with their needs.

• 6 of the top 10 ranked companies are ones that most people interact with on a regular, if not daily, basis.

• What matters most is a firm’s ranking as compared with its direct competitors. Simple statistical analysis tools become useful in evaluating each Sector.

• These rankings will change markedly over time based on multiple factors both within a company’s control and beyond.

OWL CYBERSECURITY OWLCYBER.COM 303-234-1231 OWL CYBERSECURITY DARKNET INDEX: FORTUNE 500 PAGE 7

Index Profile Analysis by Company Sector

We included an Index Profile +/-10% analysis to denote a company’s relative darknet footprint rank out of 500, as compared to their Fortune 500 rank. If the resulting percentage is above 10 percent, it indicates a statistically significant differential in DARKINT ranking versus Fortune 500 ranking. We included this analysis to demonstrate that companies of various sectors, size and revenue may have disproportionate darknet footprints, and that the vulnerability of the darknet does not necessarily correlate with what many may assume in a rankable, correlated risk.

Number Average Average Difference of Fortune 500 DARKINT (Fortune 500 Index Profile Company Sector Entries Rank Rank – DARKINT) +/- 10%

Technology 39 235 157 78 higher Retail 46 242 314 (72) lower Energy 62 255 272 (17) same Financials 79 243 233 10 same Healthcare 45 206 229 (24) same Telecommunications 12 246 187 58 higher Wholesale 27 273 331 (58) lower Media 10 243 235 8 same Food, Beverages & Tobacco 25 240 318 (77) lower Aerospace & Defense 12 204 243 (39) lower Transportation 18 254 224 30 higher Industrials 15 210 214 (4) same Food and Drug Stores 7 83 307 (224) much lower Chemicals 13 258 206 52 higher Business Services 19 334 250 84 higher Apparel 5 293 312 (19) same Household Products 13 311 255 56 higher Motor Vehicles 13 242 211 31 higher Hotels, Restaurants & Leisure 10 275 232 44 higher Engineering Construction 11 324 212 112 much higher Materials 19 341 297 44 higher

Overall, we found most Index Profiles make intuitive sense. Food and Drug Stores, for example, are not obvious targets of malicious actors while the intellectual property at organizations like large Engineering Construction firms make them candidates for hackers. Neither of these sectors is known for spending excessively in cybersecurity. The fact that companies in the Financial sector tend to score well in our survey attests to the success of their cybersecurity efforts as an industry, although results vary across firms. Anomalies such as Frontier Communication’s unexpectedly high ranking as well as Berkshire Hathaway’s low ranking may not be conclusive, but they are statistical outliers worth noting.

OWL CYBERSECURITY OWLCYBER.COM 303-234-1231 OWL CYBERSECURITY DARKNET INDEX: FORTUNE 500 PAGE 8

Conclusions

This reranking of the Fortune 500 presents a mere sliver of OWL Cybersecurity’s darknet database which includes information on tens of thousands of additional organizations and individuals. In some cases, private data for sale may have come from a breach at a Fortune 500 company, but it may not be identified as such. For example, a group of credit card credentials for sale could have been illegally obtained from either a bank or a retailer, but that information isn’t always provided or available.

What is important is not only any company’s score but also Client // DARKINT FOOTPRINT comparing this score against their MAR 2017 REPORT competitors and watching it over Prepared by: [email protected] time. That is, for any firm to have ...... a truly accurate snapshot of their DARKINT FOOTPRINT DARKINT footprint is important A darknet footprint is a measure of your presence intelligence, to determine a darknet footprint. on the darknet. It looks at the volume of an orga- DARKINT encompasses actionable data from the and requires customization. OWL nization’s digital data that could be used for nefa- darknet and other interconnected sources, inclu- rious purposes, exposed on the darknet as a ding TOR, IRC channels, hacker forums, FTP Servers, Cybersecurity does these routinely, result of hacks, breaches, or other leak(s). OWL paste sites, high-risk surface internet, and more. Cybersecurity leverages DARKINT, darknet as can be seen in the sample ...... DARKINT footprint report (pictured). DARKINT THREATS DETECTED

By monitoring one’s customized 4 6 DARKINT footprint score over time, DEEPWEB DATA DUMPS the efficacy of an organization’s 9 0 1 2 CREDENTIALS EXECUTIVES TOR *PLAIN TEXT DETECTED PASSWORDS cybersecurity efforts can be DETECTED

7 reasonably measured. As shown OCCURANCES OF CREDENTIALS 6 OVER TIME by the fact that the entirety of 5 4 the Fortune 500 is present in our 3 2 DARKINT Index, DARKINT is a key 1 NOV 2016 DEC 2016 JAN 2017 FEB 2017 MAR 2017 to a complete information security // Domain Threats: 60 Domains Queried EXECUTIVE SUMMARY: approach. We found 1114 credentials within our database, 3 belong to executives. Of those 1114 occurances, 10 19 30 1109 were from data dumps. A 46 majority (994) of those credentials TOR DEEP WEB SURFACE WEB Today, in an age where data loss DETECTED were part of a social media leak in June 2016 and the remainder in is virtually inevitable, it is critical to // IP Address Threats: 74.116.5.0 February 2017. Between July 2016 and January 2017, there was a few instances of leaked email addres- look at the darknet as a key part of ses. Addtionally, we also searched the database for instances of your a complete cybersecurity program, 3 2 1 0 594 domains and 1 of your 0/20 DETECTED TOR DEEP WEB SURFACE WEB networks - of those we found a total of 12 mentions in the databa- enabling organizations to swiftly se. detect security gaps and mitigate damage prior to the misuse of data. OWL Cybersecurity | 216 16th St. Suite 700 Denver, CO 80202 | www.owlcyber.com

OWL CYBERSECURITY OWLCYBER.COM 303-234-1231 OWL CYBERSECURITY DARKNET INDEX: FORTUNE 500 PAGE 9

The Darknet Index Ranking of the Fortune 500 Fortune Darknet DARKINT 500 Index Rank Rank Company Name Score Company Sector

1 18 Amazon.com 19.16 Technology 2 36 Alphabet (Google) 17.21 Technology 3 3 Apple 15.98 Technology 4 157 Facebook 14.99 Technology 5 300 eBay 14.55 Technology 6 85 American Express 13.33 Financials 7 461 Frontier Communications 13.29 Telecommunications 8 379 Netflix 13.19 Retail 9 219 Texas Instruments 12.99 Technology 10 58 FedEx 12.58 Transportation 11 27 Wells Fargo 12.31 Financials 12 25 Microsoft 12.23 Technology 13 67 American Airlines Group 12.06 Transportation 14 10 AT&T 12.01 Telecommunications 15 37 Comcast 12.01 Telecommunications 16 11 General Electric 12.00 Industrials 17 77 Oracle 11.95 Technology 18 78 Morgan Stanley 11.57 Financials 19 20 HP 11.54 Technology 20 51 Intel 11.31 Technology 21 60 Lockheed Martin 11.30 Aerospace & Defense 22 53 Disney 10.88 Media 23 35 State Farm Insurance Cos. 10.77 Financials 24 71 Best Buy 10.72 Retail 25 75 Honeywell International 10.63 Industrials 26 307 PayPal Holdings 10.56 Business Services 27 26 Bank of America Corp. 10.52 Financials 28 74 Goldman Sachs Group 10.51 Financials 29 9 Ford Motor 10.50 Motor Vehicles 30 451 Motorola Solutions 10.49 Technology 31 179 Bank of New York Mellon Corp. 10.42 Financials 32 54 Cisco Systems 10.41 Technology 33 55 Pfizer 10.40 Health Care 34 120 Raytheon 10.34 Aerospace & Defense 35 13 Verizon 10.32 Telecommunications 36 91 Nike 10.26 Apparel

OWL CYBERSECURITY OWLCYBER.COM 303-234-1231 OWL CYBERSECURITY DARKNET INDEX: FORTUNE 500 PAGE 10