Communities Datasets Deliver Far-Reaching Visibility into Cybercrime Underground

September 18, 2019

To effectively anticipate and mitigate threats, defenders must be able to monitor the illicit online communities where threat actors discuss tactics, techniques, and procedures (TTPs), exchange resources, and coordinate malicious activity. But gaining meaningful visibility into any one threat-actor community is challenging for a number of reasons—from bypassing encryption and/or password protection to establishing scalable collections.

Insight into some individual threat-actor communities may be difficult to attain, but visibility into any single community is far from the be-all and end-all of comprehensive intelligence collection. To amass a big-picture understanding of the threats their organization faces, teams must be able to track adversaries’ interrelated activities across multiple communities and platforms.

Flashpoint recognizes this need, so we’ve designed our communities datasets within the Flashpoint Intelligence Platform to help our customers identify relevant threats across a range of sources. Here’s how:

Deep and Dark-Web Forums

Even as threat actors increasingly move toward less centralized chat platforms, deep and dark-web (DDW) forums remain essential sources for gleaning insight into emerging cyber and physical threats, fraud, and other forms of malicious activity. The deep web is the portion of the Internet that is hidden from conventional search engines. The dark web is a subcomponent of the deep web: it is intentionally unindexed by—and thus hidden from—traditional search engines, and it adds the further protections of masking IP addresses and requiring a specialized web browser, such as Tor. Since individual forums exist in relative isolation, gaining widespread visibility across dark-web forums isn’t a one-and-done endeavor.

Encrypted Chat Services

Encrypted chat services have quickly emerged as a popular alternative to DDW forums for many threat actors, making access to conversations on these services a new essential for intelligence teams. While isolated from DDW forums from a technical standpoint, encrypted chat services still function within the same underground ecosystem. For example, if a DDW site faces downtime or is shut down, threat actors may use encrypted chat services to securely share mirrors—nearly identical sites hosted at different URLs.

Open-Web Sources

Much of the sensitive threat-actor communication we observe is concealed within the DDW and encrypted chat services. But open-web sources can also serve as a useful reference for gleaning insights about relevant threats, such as security researchers discussing CVEs on public blogs, ideological extremists spreading their views on message boards, and hackers dumping compromised data on paste sites.

Gleaning relevant insights from blogs, paste sites, message boards, and social news sites is often easier said than done—these sources can be highly decentralized and are often time-consuming to find and search through. Moreover, given the overwhelming abundance of noise, hyperbole, and false claims on open-web sites, it can be challenging to evaluate which statements are accurate and pose a valid threat.

To help address these challenges, Flashpoint collects data from a curated, relevant set of open-web communities of interest to our customers and makes it readily accessible on the Flashpoint Intelligence Platform.

To learn more about how Flashpoint’s communities datasets and other Business Risk Intelligence offerings can help address your team’s needs and challenges, contact us here.

Begin your free trial today.