NEW TECH: Human operatives maintain personas, prowl the Dark Net for intel to help companies

It seems like any discussion of cybersecurity these days invariably circles back to automation.

Our growing fixation with leveraging artificial intelligence to extract profits from Big Data, for both constructive and criminal ends, is the order of the day.


Vigilante is a cybersecurity startup that cuts against that grain. With an operational launch in October, Vigilante is the spin-off of an elite intelligence unit of InfoArmor, the identity monitoring technology supplier that was acquired by Allstate late last year.

At its core, Vigilante is comprised of operative teams who have spent years deeply embedded in the virtual threat space, nurturing their dark net personas and proactively gathering intelligence on behalf of specific clients.

“We go out into the criminal space, on our clients’ behalf, to gather threat intelligence and put it into useful context,” Adam Darrah, Vigilante’s director of intelligence, told me. “This gives our clients an advantage in their security decision making.”

I met with Darrah at Black Hat 2019. We had a fascinating discussion about the distinctive services Vigilante will now seek to make more widely available on a commercial basis. For a full drill down, please give a listen to the accompanying podcast. Here are key takeaways:

Fresh feeds

Threat intelligence feeds and the telemetry produced by automated defenses, such as next-gen firewalls and SIEMs, make up the vast majority of what companies have in hand about the activity of threat actors. To defend their networks, companies struggle every day to ingest that fire hose and extract actionable insights from it.

Vigilante directs a team of operatives who serve, in effect, as intelligence gathering agents on patrol on the ground floor of the cyber underground. “We operate exclusively outside of our clients’ networks,” Darrah told me. “We don’t touch their networks.
“Instead, we have operatives, throughout the world, who have been nurturing online personas, in some cases for 10 years, blending into the criminal environment, gaining the trust of criminal actors and gaining legitimacy,” he continues. “Our operatives maintain their legitimacy in that world so that our clients can have interesting and fresh access to the latest threat information streams — coming from the criminal world.”

This human-gathered intel and human-derived analysis gives Vigilante's clients a clearer picture of whether any of their stolen data or intellectual property is exposed, or actually circulating, on the dark net, Darrah argues. That, he says, puts companies in a much better position to defend against, or recover from, targeted attacks such as APT intrusions, DDoS attacks or ransomware.

Vigilante aims, Darrah says, to derive value from combining machine automation and human investigations. Both large enterprises and SMBs can gain from a highly contextualized, highly targeted approach to gathering, interpreting and delivering actionable threat intel, Darrah says.

Triaging cyber risks

It struck me that a service like this is needed because companies are increasingly replacing legacy on-prem systems with third-party services, ranging from cloud hosting and cloud storage to the modularized software development movement known as DevOps.

Yes, high-velocity, low-cost software innovation has given us cool digital services. But it has also, rather predictably, given rise to several new tiers of cybersecurity exposures. One representative example is Amazon Web Services' S3 buckets, the cloud object storage service popular with everyone from bootstrapped startups to Fortune 100 enterprises.

It turns out that making sure data stored in S3 buckets is locked down ain't so easy. Just ask the two companies that left records of 540 million Facebook users unprotected in S3 buckets. Or ask Capital One, where a former Amazon staffer allegedly copied records on roughly 100 million customers out of S3. In that case the buckets were not open to the world: a misconfigured web application firewall let the attacker obtain credentials for an IAM role that was allowed to read them, a locking-down failure of a different kind. Both are misconfigurations, not zero-days, and both went unnoticed until someone outside the company found the data.
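The first of those failure modes, a bucket that anyone on the internet can read, is something a practitioner can check for without waiting for a tip from the underground. The following is an added example, not code from the original post or from Vigilante: it evaluates a bucket policy, a bucket ACL and the bucket's Block Public Access settings in the shapes boto3 returns for them, and says why a bucket is public. Every bucket name, account ID, role and VPC endpoint in it is a constructed placeholder, and no AWS calls are made. The over-privileged-credential path in the Capital One case is a separate IAM review and is not covered here.

```python
"""Offline check for whether an S3 bucket is world-readable.

Added example, not code from the original post or from Vigilante. Inputs are
constructed dicts in the shape boto3 returns for get_bucket_policy (after
json.loads), get_bucket_acl and get_public_access_block; no AWS calls are made.
"""
import fnmatch

# Canned group URIs AWS uses in ACL grants for "anyone" and "any signed-in AWS user".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Lower-cased actions that let a stranger read objects or enumerate the bucket.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    """IAM documents allow a bare string or a list in the same slot."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means anyone on the internet, signed or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _allows_read(actions):
    """IAM actions are case-insensitive and may carry '*' wildcards (s3:Get*, s3:*, *)."""
    return any(fnmatch.fnmatchcase(read, pattern.lower())
               for pattern in _as_list(actions) for read in READ_ACTIONS)


def policy_findings(policy):
    """Return (public, review): unconditional anonymous reads, and ones gated by a Condition."""
    public, review = [], []
    for stmt in _as_list((policy or {}).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if not _allows_read(stmt.get("Action")):
            continue
        desc = f"policy allows {stmt.get('Action')} on {stmt.get('Resource')} to Principal *"
        if stmt.get("Condition"):  # e.g. aws:SourceVpce or aws:SourceIp: scoped, but confirm by hand
            review.append(desc + f" under Condition {stmt['Condition']}")
        else:
            public.append(desc)
    return public, review


def acl_findings(acl):
    """Flag ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            findings.append(f"ACL grants {grant.get('Permission')} to {grantee['URI'].rsplit('/', 1)[-1]}")
    return findings


def assess_bucket(name, policy=None, acl=None, public_access_block=None):
    """Combine the three sources. IgnorePublicAcls neutralises public ACL grants and
    RestrictPublicBuckets neutralises a public policy; the other two flags only stop
    new public settings from being written, so they do not change current exposure."""
    pab = public_access_block or {}
    public, review = [], []
    if not pab.get("IgnorePublicAcls", False):
        public += acl_findings(acl)
    if not pab.get("RestrictPublicBuckets", False):
        pol_public, pol_review = policy_findings(policy)
        public += pol_public
        review += pol_review
    return {"bucket": name, "public": bool(public), "findings": public, "review": review}


# --- constructed inputs: hypothetical bucket names, account ID and VPC endpoint ---
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-leaky-bucket/*"}]}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
LEAKY_ACL = {"Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [OWNER_GRANT]}
# Hardened form of the same policy: a named role instead of "*".
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AppReadOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
# Principal "*" but scoped to one VPC endpoint: not world-readable, still worth a look.
VPC_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:Get*",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(assess_bucket("example-leaky-bucket", LEAKY_POLICY, LEAKY_ACL))        # public, 2 findings
    print(assess_bucket("example-bucket", HARDENED_POLICY, PRIVATE_ACL))          # not public
    print(assess_bucket("example-bucket", VPC_ONLY_POLICY, PRIVATE_ACL))          # not public, 1 review
    print(assess_bucket("example-leaky-bucket", LEAKY_POLICY, LEAKY_ACL, FULL_BLOCK))  # blocked
```

To run it against real buckets, feed `assess_bucket` the output of boto3's `get_bucket_policy` (parsed with `json.loads`), `get_bucket_acl` and `get_public_access_block` for each bucket, and treat a missing public-access-block configuration as all four flags off. The point of the `review` list is that Principal "*" with a Condition is not automatically safe: a typo in the VPC endpoint or source-IP condition is still a public bucket.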

Darrah told me Vigilante's operatives can help companies identify specific threats tied to specific threat actors known to be active at the moment. What's more, the agents are adept at engaging threat actor groups and compiling dossiers on key actors, which can help companies recover stolen assets or discern whether they are about to become a target. The end game is to give the human element a much more prominent role in triaging cyber risks.

“Threat actors crave an audience; they love money and they love notoriety,” Darrah told me. “At the end of the day, there is somebody behind a keyboard, behind a screen, operating, talking, building tools, promoting tools, and selling tools within these closed circles.

“There’s a big advantage to having a human being who’s involved in gaining their trust, and just being there to talk to along the way,” he continues. “It goes a long way; it goes beyond just what a computer can see. It’s a human-to-human relationship that is our advantage.”

As a human being, I’m biased. I’d like to think that insights gathered and culled by my fellow carbon-based life forms can infuse intuition at a level that machines cannot match – not just yet, anyway. Kudos to Vigilante for pursuing a business model built around that notion. Talk more soon.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: