Dark web monitoring seems to be a hot buzzword in discussions about cyberthreat intelligence (CTI) and how it helps cybersecurity strategy and operations. Indeed, dark web monitoring enables a better understanding of an attacker’s perspective and following their activities on dark web forums can have a great impact on cybersecurity readiness and
Accurate and timely knowledge of attackers’ locations, tools and plans helps analysts anticipate and mitigate targeted threats, reduce risk and enhance security resilience. So why isn’t dark web monitoring enough? The answer lies in both coverage and context.
When we talk about visibility beyond the organization, one needs to make sure the different layers of the web are covered. Adversaries are everywhere, and vital information can be discovered in any layer of the web. In addition, dark web monitoring alone provides threat intelligence that is siloed and out of context. In order to make informed and accurate decisions, a CTI plan has to be both targeted, based on an organization’s needs, and comprehensive, with extensive source coverage to support diverse use cases.
Be Wherever Adversaries Are
The internet as we know it is actually the open web, or the surface web. This is the top, exposed, public layer where organizations rarely look for CTI. The other layers are the deep web and the dark web, on which some sites are accessed through the Tor browser. Monitoring the deep/dark web is the most common source of CTI. However, to ensure complete visibility beyond the organization and optimal coverage for gathering CTI, all layers of the web should be monitored. Monitoring the dark web alone leaves an organization pretty much, well, in the dark.
The Shadow Brokers is a great example of why it is important to monitor more than just the dark web. In 2016, the Shadow Brokers published several hacking tools, including many zero-day exploits, from the “Equation Group,” which is considered to be tied to the U.S. National Security Agency (NSA). The exploits and vulnerabilities mostly targeted enterprise firewalls, antivirus software and Microsoft products. The initial publication of the leak was through the group’s Twitter account on August 13, 2016, and the references and instructions for obtaining and decrypting the tools and exploits were published on GitHub and Pastebin, both publicly accessible.
The WannaCry ransomware attack in May 2017 was also first revealed on Twitter, as were different reports on the attack.
Coverage of all layers of the web is necessary, yet even with expanded monitoring of additional layers of the web, an organization’s external threat intelligence picture remains incomplete and one-dimensional. There are additional threat intelligence sources to cover in order to get a complete threat intelligence view that is optimized for the needs of an organization. These include:
Online Data Sources
• The surface web for security bulletins, vulnerability DBs, IoC feeds, CERT notifications, etc.
• The deep web for its hacking forums, bot markets, malware testing and black markets.
• The private web for closed circles, calls for action, technical discussions and target lists.
• The dark web for ransomware sites, exploits, zero-days, illegal trade in critical assets and sensitive data leaks.
• Social networks for scam reporting platforms and data sharing sites.
• Messaging apps for closed groups and hacktivists’ communication channels.
Existing cybersecurity intelligence repositories, alerts and threat feeds, finished intelligence and reports are all sources for contextual analysis and corroboration.
Validating findings with technology partner sources, who use other tools and may have unique input, can shed more light on the validity or importance of findings.
Context is (Still) King
When defending against cyberthreats, everything is time-sensitive and broad visibility is key, yet extensive coverage can be a double-edged sword. Gathering data from a wide array of sources will most likely result in too much data to analyze, false positives, inaccuracies, missing vital information and exhausted analysts.
Raw data only becomes valuable once it is analyzed, prioritized and turned into context-based, actionable intelligence suited to the organization’s needs, assets, industry, geolocation and more.
From collection through analysis to actionable insights, a customer-centric approach ensures the entire CTI operation is designed to fit an organization’s needs. Targeted CTI is defined from the start by taking a customer-centric approach to ensure resources are used optimally and the threats to an organization are revealed in a timely and accurate manner.
To ensure that collection efforts are targeted even when coverage is wide, an organization needs to define the data inputs including critical online assets, C-level executives, organizational details, IT systems and, when relevant, operational technology (OT) systems.
The more data inputs, the less noise an organization’s data gathering will create. It is necessary to add a use case relevancy layer to ensure that data is not only gathered and analyzed based on inputs but also according to an organization’s business needs and the potential impact specific cyberthreats have on business operations.
These will include topics such as:
• Fraud detection
• Data leaks
• Breach indications
• Vulnerability prioritization
• Threat actor profiling
• External attack surface management
• Digital risk protection
• Phishing detection
• Supply chain monitoring
• Insider threat
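As an added illustration (not code from the original article), a small Python relevancy layer that scores raw findings from several web layers against an organization’s defined data inputs and use-case weights, dropping the noise that matches nothing; all organization names, findings and weights are constructed assumptions for the example.

```python
"""Added example: a use-case relevancy layer for CTI findings.
All values below are constructed for illustration, not real data."""
from dataclasses import dataclass, field

# Organization data inputs (constructed sample values): assets, executives, IT systems
ORG_INPUTS = {
    "domains": {"example-corp.com", "example-corp.net"},
    "executives": {"jane doe"},
    "it_systems": {"citrix gateway", "fortigate"},
}

# Use-case relevancy weights (constructed): business impact of each use case
USE_CASE_WEIGHT = {
    "data_leak": 5,
    "breach_indication": 5,
    "phishing": 4,
    "vulnerability": 3,
    "fraud": 2,
}


@dataclass
class Finding:
    source_layer: str          # surface, deep, dark, social or messaging
    use_case: str              # one of the keys in USE_CASE_WEIGHT
    text: str
    score: int = 0
    matched: list = field(default_factory=list)


def score_finding(f, inputs=ORG_INPUTS, weights=USE_CASE_WEIGHT):
    """Return a scored copy: use-case weight times the number of org inputs
    mentioned in the finding text; a finding mentioning no input scores 0."""
    lowered = f.text.lower()
    matched = [v for vals in inputs.values() for v in vals if v in lowered]
    return Finding(f.source_layer, f.use_case, f.text,
                   weights.get(f.use_case, 0) * len(matched), matched)


def prioritize(findings, threshold=1):
    """Drop findings below the threshold and rank the rest by relevance."""
    scored = [score_finding(f) for f in findings]
    return sorted((f for f in scored if f.score >= threshold),
                  key=lambda f: f.score, reverse=True)


# Constructed raw findings collected from several web layers
RAW = [
    Finding("dark", "data_leak", "Selling credential dump incl. example-corp.com accounts"),
    Finding("surface", "vulnerability", "Advisory: FortiGate SSL-VPN patch released"),
    Finding("social", "phishing", "Fake profile impersonating Jane Doe, CEO"),
    Finding("deep", "fraud", "Carding tutorial, no specific victim named"),
]
```

Running `prioritize(RAW)` ranks the dark web leak first, then the executive impersonation and the vendor advisory, while the untargeted carding post is discarded as noise.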
Build Your CTI Operation Like Intelligence Experts
Security organizations focus on collecting and analyzing information to provide assessments and alerts on national and domestic threats from various malicious groups. The more accurate and targeted the intelligence, the better and faster managers can make decisions, reducing the risk to civilians and governmental personnel.
Intelligence organizations usually rely on information from a variety of sources and intelligence approaches, including:
• Open source intelligence (OSINT), which is information about the suspects gathered from public sources.
• Signals intelligence (SIGINT), which is gathered from suspects’ transmissions made through electronic systems.
• Human intelligence (HUMINT), which is intelligence gathered by and from people.
Managers can make the right decisions based on a complete intelligence outlook because these approaches are combined and the information obtained from multiple sources is analyzed within the context of the situation.
The same methodology should be applied to CTI operations. Fusing targeted data outputs from online sources, human intelligence and technology partnerships, analyzed within the context of the given situation will deliver insights that enable analysts to respond to threats in a timely manner and strengthen overall security resilience.