Dark web monitoring seems to be a hot buzzword in discussions about cyberthreat intelligence (CTI) and how it helps cybersecurity strategy and operations. Indeed, dark web monitoring enables a better understanding of an attacker’s perspective, and following their activities on dark web forums can have a great impact on cybersecurity readiness and posture.
Accurate and timely knowledge of attackers’ locations, tools and plans helps analysts anticipate and mitigate targeted threats, reduce risk and enhance security resilience. So why isn’t dark web monitoring enough? The answer lies in both coverage and context.
When we talk about visibility beyond the organization, one needs to make sure the different layers of the web are covered. Adversaries are everywhere, and vital information can be discovered in any layer of the web. In addition, dark web monitoring alone provides threat intelligence that is siloed and out of context. In order to make informed and accurate decisions, a CTI plan has to be both targeted, based on an organization’s needs, and comprehensive, with extensive source coverage to support diverse use cases.
The internet as we know it is actually the open web, or the surface web. This is the top, exposed, public layer where organizations rarely look for CTI. The other layers are the deep web and the dark web, on which some sites are accessed through the Tor browser. Monitoring the deep/dark web is the most common source of CTI. However, to ensure complete visibility beyond the organization and optimal coverage for gathering CTI, all layers of the web should be monitored. Monitoring the dark web alone leaves an organization pretty much, well, in the dark.
Coverage of all layers of the web is necessary, yet even with expanded monitoring of additional layers of the web, an organization’s external threat intelligence picture remains incomplete and one-dimensional. There are additional threat intelligence sources to cover in order to get a complete threat intelligence view that is optimized for the needs of an
• The surface web for security bulletins, vulnerability DBs, IoC feeds, CERT notifications, etc.
• The deep web for its hacking forums, bot markets, malware testing and black markets.
• The private web for closed circles, calls for action, technical discussions and target lists.
• The dark web for ransomware sites, exploits, zero-days, illegal trade in critical assets and sensitive data leaks.
• Social networks for scam reporting platforms and data sharing sites.
• Messaging apps for closed groups and hacktivists’ communication channels.
Security organizations focus on collecting and analyzing information to provide assessments and alerts on national and domestic threats from various malicious groups. The more accurate and targeted the intelligence, the better and faster managers can make decisions, reducing the risk to civilians and governmental personnel.
Intelligence organizations usually rely on information from a variety of sources and intelligence approaches, including:
• Open source intelligence (OSINT), which is information about the suspects gathered from public sources.
• Signals intelligence (SIGINT), which is gathered from suspects’ transmissions made through electronic systems.
• Human intelligence (HUMINT), which is intelligence gathered by and from people.
Combining these approaches, and analyzing the information obtained from these multiple sources within the context of the situation, gives decision makers the complete intelligence outlook they need to make the right decisions.
From the Shadows Comes Knowledge