Lizzie Clark

The Value of Dark Web Data to Cyber Threat Intelligence Teams

In this blog we discuss how dark web data can unlock valuable insights for cyber threat intelligence teams, plus how you can identify any gaps in your data collections.

Addressing blind spots in cybersecurity defenses

In 2023 we conducted a survey of over 500 senior cybersecurity leaders in the US and UK and discovered that two out of three respondents use the dark web to address blind spots in their defenses. So, how can you identify whether you have gaps in your threat intelligence collection that require data collected from the dark web?

Establishing your threat intelligence requirements

Before you determine what threat intelligence sources you need, you first have to understand your requirement – i.e. what question are you looking to answer with intelligence? Without a requirement, threat intelligence is just data – noise that will distract your cybersecurity team. Only once you have your requirement can you start to think about the collection you need to fulfill it.

For the purposes of this blog, we are going to use a hypothetical intelligence requirement that many organizations will be looking to satisfy: the question “Has our organization been compromised?”

Meeting this requirement would require you to gather information from various sources – logs from endpoints and network devices, as well as third-party sources that list indicators and the TTPs of known bad actors. Additionally, you will need to search dark web data for Initial Access Broker posts that are explicitly or potentially related to your organization.

Checklist for this hypothetical requirement:

  • Define your intelligence requirements.
  • Create a collection plan.
  • Review what collection/processing assets you have access to.
  • Review what data/information they can provide.
  • Assess whether the data/information fulfills your requirement.
  • If not, consider what collection is required to plug the information gap.

The results of the assessment will inform an action within the organization – and importantly identify any collection gaps that may exist.

Filling intelligence gaps with a dark web collection

If you have identified gaps in your intelligence you then need to establish whether these could be fulfilled with a dark web data collection. The value of dark web data – gathered from the place where criminals plan and launch their operations – is that it provides first-hand intelligence on how criminals operate. Monitoring dark web forums can help organizations to identify the tactics criminals use, the technologies they deploy, and who they are targeting. Below are examples of some of the intelligence that can be gathered from different areas of the dark web:

Covert communication

Criminals use dark web forums and encrypted chats like Telegram to plan cybercriminal attacks, trade exploits and share techniques. There are also dedicated sites for discussions around crime, including human trafficking, drug trafficking, and child sexual exploitation.

Dark web marketplaces

A place where illegal goods and services are bought and sold, including drugs, weapons, stolen personal information, and hacking tools and services. Notable dark web markets include Archetyp, DarkMatter, and Cypher.

Cybercrime

The use of Tor in the execution of cybercrime, including hosting leak sites, relaying command and control communications, launching DDoS attacks, performing network intrusion, and exfiltrating data anonymously. You can also find actors distributing malware- and ransomware-as-a-service (MaaS/RaaS) as part of the dark web economy.

Sharing illegal content

This could include stolen databases or intellectual property but also includes extreme content shared on the dark web. For example, some law enforcement agencies will have the requirement to identify the producers and distributors of Child Sexual Exploitation and Abuse (CSEA) material, who operate on the dark web.

For regular updates on how the dark web is used by criminals, subscribe to our dark web and cybersecurity newsletter, Beacon.

Use cases for dark web data by cyber threat intelligence teams

The prevalence of criminal activity on the dark web is what makes it a rich source of information for cybersecurity professionals. If you know where to look (and have the right tools in your tech stack) you can identify threat actors on the dark web before they strike. These are the three most common use cases for dark web data by cyber threat intelligence teams:

Specialized information

The dark web is a security blind spot for many organizations, despite it being widely known that it contains hidden forums, marketplaces, and communities where cybercriminals operate. The dark web can provide valuable data that can assist with threat hunting prior to an attack, and incident response following a cyber attack.

Focus on cybercriminal activities

The underground of the dark web can be a useful source of information for identifying potential threats to your organization and unmasking high-risk actors involved in criminal activity. Using our tools you can develop an understanding of threat actors’ TTPs, motivations, intentions, and capability.

Early indications of threat actors and compromise

Cybercriminals use the dark web to undertake reconnaissance and gather the resources they need to conduct an attack, which means that dark web intelligence can provide early warnings of potential threats before they hit an organization’s network.

Keeping up with growing cybersecurity threats

As cyber threats grow, so does the need for intelligence to help you keep pace with the latest tactics and techniques, along with identifying the existing and emerging threats to your organization. Dark web data will give your cyber threat intelligence teams the information they need to make informed decisions on how best to adjust and align their cybersecurity posture with emerging threats.

If you’re interested in learning more about the value of dark web data as a collection source, download “The Essential Buyer’s Guide to Cyber Threat Intelligence (CTI)”.