It’s not hard to see why the dark web is such a valuable source of cyberthreat intelligence. Simply put, it’s where hackers and other threat actors go to communicate anonymously. That makes it a useful tool for cybercriminals to buy and sell stolen information, to discuss methods of committing crimes, and to launch plans for future attacks. At the same time, that reality also makes the dark web a treasure trove of intelligence you can use to protect your company or organization.
One proven way to use the dark web as an intel source is threat hunting – an approach to threat intelligence that focuses on looking for specified types of evidence of a crime or attack, before you have any indications that the crime or attack has in fact begun. But to take full advantage of the dark web’s threat-intel potential, sometimes it’s important to step back from specific threats and take a broader look at the individuals behind them.
By letting you research threat actors and not only specific threats, Sixgill’s Investigative Portal empowers you to make your cyberdefenses far more robust. This way, if you find an indicator of compromise (IOC) showing that a specific cyberthreat could put your company at risk, you can investigate the actor(s) behind the threat to find out whether it is part of a larger campaign targeting you. Not only does this help you determine whether this IOC is just the tip of the iceberg, but it could also help you stay safe from future attacks.
How exactly can you use the Investigative Portal to keep tabs on threat actors and predict where they might strike in the future? We recently gave a demo showing the portal’s capabilities and how you can utilize them. You can watch the video below:
Searching and finding
At the heart of the Investigative Portal’s usefulness is its user-friendly search capability, which gives you quick and easy access to today’s most thorough (by far) collection of posts from the dark web’s underground forums. If you identify a specific threat that could target your company, you can use the portal to search for references to that threat on the dark web. By entering a term (such as a suspicious hash that your team has identified) into the portal’s search bar and designating other parameters for your search, you can find a list of posts meeting your specific criteria. Then, you can see contextual information for every identified post, including the username of the individual who published the post.
When you search for the username of the individual associated with a suspicious post in an underground forum, the Investigative Portal also lets you view their other posts – giving you a sense of what this individual is all about. Using this information, you can build a profile of this person, helping to answer questions such as:
How active is this individual in this forum?
What seems to motivate this individual – money, adventure, ideology, etc.?
What can you tell about this individual’s capabilities that should concern you?
Who else is this individual in contact with, and how frequently?
What patterns can you see in the times of day (or week, month, or year) when this individual tends to post on underground forums?
What specific threads on underground forums has this individual participated in?
Using alerts to keep your ear to the ground
Once you start to see patterns in this individual’s posts on the dark web, it becomes easier to understand what kind of threat they could pose to your company or organization.
At the same time, you can use these details to predict what this person might do if they indeed pose a threat to you. For example, if they wanted to carry out a cyberattack (or had already begun to do so), which other users might they contact? When might they reach out to these users, and what might they say? And are there already specific conversation threads that this individual would likely use if they wanted to communicate about their attack plans?
Then, you can use these predictions and insights to set up customized alerts within Sixgill’s Investigative Portal, setting parameters to bring particularly concerning posts on the dark web to your attention. You may want to receive an alert whenever a new post by a certain individual appears in an underground forum, when they contact specific users, or when they reply to a certain conversation thread. You should also consider whether there are specific words that would likely appear in any post that should concern you, as well as what other signs could suggest that a particular post in an underground forum is an IOC for your company or organization.
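The profile questions and alert criteria described above can be expressed as a small amount of logic. The following is an added example, not Sixgill's code or the Investigative Portal's API; the post fields, usernames, thread IDs and keyword are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample posts (not real forum data). Field names are assumptions
# for this example, not the Investigative Portal's export format.
POSTS = [
    {"author": "actor_a", "thread": "t-101", "reply_to": None,
     "ts": "2024-03-04T22:15:00", "text": "Selling fresh VPN access, DM me"},
    {"author": "actor_a", "thread": "t-101", "reply_to": "broker_b",
     "ts": "2024-03-05T22:40:00", "text": "price is firm"},
    {"author": "actor_a", "thread": "t-207", "reply_to": "broker_b",
     "ts": "2024-03-08T23:05:00", "text": "have creds for examplecorp.test"},
    {"author": "user_c", "thread": "t-207", "reply_to": "actor_a",
     "ts": "2024-03-09T09:30:00", "text": "interested, which sector?"},
]

def build_profile(posts, username):
    """Summarise one user's activity: volume, threads, contacts, posting hours."""
    mine = [p for p in posts if p["author"] == username]
    hours = Counter(datetime.fromisoformat(p["ts"]).hour for p in mine)
    contacts = Counter(p["reply_to"] for p in mine if p["reply_to"])
    return {
        "post_count": len(mine),
        "threads": sorted({p["thread"] for p in mine}),
        "contacts": dict(contacts),
        "posts_by_hour": dict(sorted(hours.items())),
    }

def alert_reasons(post, rule):
    """Return why a post matches the watch rule (empty list means no alert)."""
    reasons = []
    if post["author"] in rule["authors"]:
        reasons.append("post by watched author")
        if post["reply_to"] in rule["contacts"]:
            reasons.append("watched author contacted " + post["reply_to"])
    if post["thread"] in rule["threads"]:
        reasons.append("activity in watched thread " + post["thread"])
    text = post["text"].lower()
    reasons += ["keyword: " + k for k in rule["keywords"] if k.lower() in text]
    return reasons

# Hypothetical rule derived from the profile: who, with whom, where, which words.
RULE = {"authors": {"actor_a"}, "contacts": {"broker_b"},
        "threads": {"t-207"}, "keywords": ["examplecorp"]}

if __name__ == "__main__":
    print(build_profile(POSTS, "actor_a"))
    for p in POSTS:
        print(p["ts"], p["author"], alert_reasons(p, RULE))
```

Returning the reasons rather than a yes/no lets an analyst see which criterion fired and tune the rule when one of them proves too noisy.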
The impact of alerts and insights into threat actors
How significantly can the automatic alerts you set up within Sixgill’s Investigative Portal improve your cybersecurity? It’s important to remember that the dark web is often the first place where evidence of a cybercrime or cyberattack appears. Keeping an eye on the dark web can often help you to detect a cyberthreat significantly earlier than you could using a conventional, telemetry-based threat-intel tool – giving you a better chance to mitigate that threat or even to prevent a cyberattack entirely.
By using the dark web as a source of intelligence on both threats and threat actors, you can get a clearer sense of where to look for additional evidence of potential cyberthreats going forward. And by setting up automatic alerts based on this information, you can further bolster your cyberdefenses, helping you to quickly detect future cyberthreats.
Ultimately, the alerts you set up based on an adversary-focused approach to cyberthreat intel should give you the same benefit as all cybersecurity: the peace of mind that comes with taking strong steps to protect your company or organization from hackers and other threat actors. By fully leveraging the early-warning capabilities of Sixgill’s approach to cyberdefense, you can rest easy, knowing that your team is well prepared to detect and counteract threats before it’s too late.
To see for yourself how Sixgill’s Investigative Portal helps you bolster your cybersecurity by researching threat actors, watch the video above.