Contextual Intelligence Derived from Deep & Dark Web Data Can Deliver Truly Invaluable Insights
Prior to co-founding Flashpoint, I spent the majority of my career focused on applying intelligence to support counterterrorism. I have seen firsthand what works in both private and public sectors, and how confusion around the topic of cyber threat intelligence (CTI) can create unnecessary hurdles for organizations trying to move quickly to thwart would-be or current attackers.
Since we founded the company almost seven years ago, the definition and value of CTI has become even more convoluted and opaque, which challenges me personally as an intelligence professional at my core. While markets must be dynamic with different offerings for organizations to determine their best protection and mitigation strategies, the increasing number of newcomers offering what they consider to be a variation of CTI has only increased this confusion. Because the definition of CTI has become so vague, attempts to differentiate can misshape market conversations and make it even more difficult for buyers of CTI to determine exactly what intelligence — if any — they are actually getting.
As we are often asked to define what is or is not intelligence, I want to dig into the different types of “intelligence” available on the market and review how that intelligence may or may not help organizations with their CTI strategies.
Open Web Intelligence
Most organizations track online mentions of their brand and stakeholders via search engines, social media, paste sites, and other open web sources. However, by the time such information reaches the open web, it is likely outdated, has already been exploited by threat actors operating within the Deep & Dark Web, and is ultimately insufficient for helping organizations proactively address critical threats and mitigate risk.
Despite widespread agreement regarding the relatively low value of open web data, the term “open web intelligence” appears to be gaining traction throughout the CTI industry. The problem is, open web “intelligence” is not intelligence. It is data.
Data is an integral component of intelligence, but failing to distinguish between the two can be problematic. Finished intelligence requires both data and context, and context requires a comprehensive understanding of the specific problem the data will address. It is nearly impossible to form relevant context without first considering how the data relates to the entire threat landscape. In the case of cyber intelligence, the threat landscape’s primary facets can be largely observed within the Deep & Dark Web, not the open web. Observing only the open web is not enough to develop context and thus cannot enable organizations to apply and operationalize the data to address their challenges effectively.
Above all else, the danger with open web “intelligence” practices is that they can mislead organizations into believing they have full visibility into the cyber threat landscape when the opposite is true. While open web data can certainly be useful, the most successful intelligence programs recognize that open web occurrences do not tell the whole story and simply indicate what may be happening within the Deep & Dark Web. Even further, the widespread content and behavioral moderation occurring throughout many open web sites is making it even more difficult to gain material visibility from such sources.
Full Coverage of the Deep & Dark Web
Unfortunately, the unicorn of “full coverage” of the Deep & Dark Web continues to plague the industry. The Deep & Dark Web is immeasurably vast, contains dangerous regions, and is extremely difficult to access. First, the requisite highly-advanced cultural and language skills alone serve as substantial barriers for most organizations. Establishing trust with threat actors is absolutely critical and can only be achieved with the proper language and cultural skills. Without fluency in Arabic, Russian, Mandarin, and many other languages, it is impossible to accurately monitor threat actor activities and glean actionable insights — much less attain “full coverage” of the Deep & Dark Web. And while language skills are integral, fluency alone is insufficient; individuals seeking access to the Deep & Dark Web must have an intimate familiarity with certain communities’ social and cultural norms, vernacular, and idioms.
Second, entering the Deep & Dark Web also requires highly-advanced operations security and technical skills. Not only is gaining access to these online communities extremely difficult, it is risky. Without proper skills and precautions, an individual’s identity (and affiliated organization) can easily become exposed, rendering them vulnerable to vicious exploitation, retaliation, and substantial reputational damage.
Building these teams is also incredibly complex. The advanced talent described above is rare, competitive to recruit, and takes time to train. Companies that are only now starting to focus on the Deep & Dark Web and build such teams could take months or years to reach the level of research and analysis that immediately helps their customers.
As such, it is virtually impossible for anyone to have the highly-advanced skill sets and enormous amount of manpower necessary to gain “full coverage” of the Deep & Dark Web.
Predictive Intelligence
While analyzing past trends in intelligence and security can certainly serve as a valuable guide for organizations — no one wants a repeat of the same issue — future threats cannot be predicted by analyzing history. Past activity is not an indicator or predictor of future events, although numerous statements circulating throughout the CTI industry may be misleading organizations into believing otherwise. The cyber threat landscape is far too complex and multifaceted — and malicious actors are entirely too crafty — for anyone to provide accurate visibility into the future. Therefore, predictive intelligence and security practices can diminish the bandwidth of already scarce CTI teams within most organizations.
Cyber threat intelligence will most likely always present unique challenges for all parties involved — it is, by its nature, complex. Decision-makers should take time to identify and analyze their organizations’ intelligence needs before pursuing thorough due diligence on any potential vendor. More data does not equal better intelligence. However, contextual intelligence derived from Deep & Dark Web data can deliver truly invaluable insights for better decision-making when gathered and processed correctly, securely, and by individuals with ample skills.