Good guys and bad are constantly testing each other. One zigs, and the other zags. It’s the essence of the chase for the white hat and the instinct to survive for the black hat.
This scenario plays out with hackers all the time. Exploitable vulnerabilities get patched. Ransomware gets decrypted. In turn, new hacks are developed. Variants of malware pop up all the time.
This also plays out within illicit communities on the deep and dark web (DDW), as well as the open web. Hosting providers may close down a particular forum, only to see two more just like it pop up elsewhere. The same is true with law enforcement takedowns of botnets or illicit marketplaces: shutting one down unfortunately only puts a temporary dent in the underground economy before the bad guys surface elsewhere.
One of the latest arenas where this is playing out is with encrypted chat services. As the reach of law enforcement and researchers within markets and forums expands, threat actors are finding somewhat of a safe haven within the encrypted channels of modern chat services platforms. This is especially true in certain regions, such as Latin America, where some markets operating in Spanish or Portuguese have been shutting down due to poor sales and/or management. Buyers and sellers who bypassed markets and used underground forums to meet, now choose to finalize negotiations or communicate directly instead over encrypted platforms.
Often, it’s the convenience and higher levels of baseline security offered by some platforms that’s attractive to threat actors. In other cases, there are socio-economic factors at play. In Latin America, for example, mobile networking has a high adoption rate, largely because of relatively low costs compared to computers, for example. Regional adoption of mobile apps for daily communication is also relatively high in the region, as is the availability and uptime of the major applications.
The migration to chat services varies by region, and the sophistication of the actor and law enforcement, but it’s indisputable that more illicit activity is taking place on these platforms than ever before. Threat actors are becoming proficient sharing information and reaching larger audiences on these platforms to carry our fraud, funding of hacktivism or terrorist activity, or finalizing transactions for illicit goods. Therefore, the need for access to and monitoring of these platforms becomes an imperative for mitigating risk.
Flashpoint provides access to around-the-clock conversations within threat-actor channels to monitor and gain insights across threat-actor communities. This is especially important since multiple threat actors choose to have channels or chats within these platforms that serve a similar function of a room or thread, within a forum. Some actors will additionally choose to progressively share advertisements within a chat channel, similar to how one would advertise on a forum or marketplace.
Having a trusted provider with access to such a crucial data set offsets a serious challenge for enterprise security and risk teams aiming for visibility into these decentralized systems. Flashpoint’s chat services datasets provide a wealth of visibility into active discussions, supporting not only proactive defense, but also historical research in ways that a manual curation of such data cannot match.
Enterprises attempting manual collections of chat data will instantly recognize gaps in this approach, and will understand the value of a full-spectrum collection in order to meet intelligence requirements.
Key features of Flashpoint’s chat services collections include access to relevant channels and the targeted data shared therein, near real-time data within the platform, an expansive historical data archive providing users with secure access to threat actor conversations, and universal searching capabilities allowing users to efficiently view historical results across channels.
Flashpoint’s expertise in collecting chat services data and turning it into finished intelligence also demonstrates analysts’ ability to track the movements of threat actors across platforms and stay timely any shifts in actors’ tactics, techniques, and procedures (TTPs).
Chat services are just the latest zig-zag on the part of threat actors, many of whom continue to migrate to chat platforms that could someday be on par with DDW for criminals wishing to finalize transactions.