Connect with us

Hi, what are you looking for?


Incident Response

Chat Services: Be Diligent With This Must-Have Data Source for Intelligence Programs

Deep & Dark Web (DDW) forums and marketplaces have long served as hubs for illicit activity and, consequently, as invaluable data sources for defenders looking to combat such activity. However, threat actors continue to be drawn to the immediacy—and in many cases, the enhanced security and privacy—of encrypted chat services such as Telegram and Discord.

Deep & Dark Web (DDW) forums and marketplaces have long served as hubs for illicit activity and, consequently, as invaluable data sources for defenders looking to combat such activity. However, threat actors continue to be drawn to the immediacy—and in many cases, the enhanced security and privacy—of encrypted chat services such as Telegram and Discord. These types of platforms have quickly emerged alongside DDW (and select open-web) communities as go-to venues for discussions, transactions, and media dissemination pertaining to cybercrime, fraud, and even drug trafficking operations, among many others.

Naturally, these platforms have since also become critical data sources for threat intelligence teams. But due to the numerous types of encrypted chat services, their decentralized yet pervasive nature, and the many different illicit—and legitimate—ways in which they are used, it can be difficult for teams to determine how to obtain and incorporate data from these platforms into their collection strategies in a meaningful way. Here are some key points to consider:

Chat services aren’t inherently malicious

These types of platforms were never intended to facilitate illicit activity. Most, if not all, were simply designed to meet the needs of those in search of greater privacy, security, and/or convenience in their communications. Indeed, the majority of chat-services users use them solely for perfectly legitimate and harmless purposes. 

And because these platforms have become extremely popular in recent years—Telegram alone had 200 million monthly users as of March 2018—deciphering activity that is relevant and illicit from that which is irrelevant and benign can feel like searching for a needle in a haystack. Further complicating matters for defenders is the fact that threat actors operating on chat services often do so within private, invitation-only, or otherwise highly exclusive channels that can be extremely difficult and risky for outsiders to access.

Gleaning value from chat-services data starts with intelligence requirements

As a result, threat intelligence teams seeking visibility into illicit activity on these platforms are increasingly—and understandably—turning to third-party vendors with the expertise and tools required to identify and monitor such activity safely. A common pitfall, however, is choosing a vendor before establishing your intelligence requirements (IRs) or evaluating whether the vendor can support them. 

Keep in mind that with threat actors ranging from fraudsters to violent extremists frequenting seemingly countless channels across various different chat services, these platforms can contain vast amounts of data. Source coverage can vary widely from vendor to vendor, which is one reason why IRs are so important: they can help you better understand the objectives of your intelligence operation and the types of data a vendor will need to provide in order to satisfy those objectives.

Advertisement. Scroll to continue reading.

If your IRs focus primarily on credit card fraud, for example, be prepared to ask prospective vendors about the extent that their chat-services collections cover related activity. Questions could include:

• Which channels within which chat services platforms does the vendor have access to?

• What sorts of carding-related activities does the vendor monitor on these platforms, and are these activities relevant to your IRs?

• Does the vendor’s team have ample expertise and experience with the carding threat landscape?

• To what extent is the vendor’s chat-services data supporting customers with similar IRs?

• What are the most significant weakness in the vendor’s chat-services collections with respect to your IRs?

Given the variability both of vendor offerings and of chat services themselves, it’s imperative to thoroughly evaluate a vendor’s collection strategy before you decide to become a customer.

Be prepared to augment chat-services data with data from other sources

While many threat actors’ operations rely heavily on chat services, most are also active across various other illicit online communities. Some cybercriminals, for example, have been known to advertise offerings on DDW marketplaces and then finalize transactions in private channels on chat services. This type of behavior is also quite common among other groups. Not only do relatively few threat actors rely entirely on a singular platform or community, but many also relocate their operations fairly often in search of greater privacy and/or to evade law enforcement, among other reasons. 

As a result, threat intelligence teams seeking comprehensive visibility into the threat landscape need to ensure their collection strategy covers an adequate breadth and depth of data sources. Chat services, although they can provide invaluable insight, should almost always be complemented with data from other relevant sources. Otherwise, teams—regardless of their IRs—risk overlooking relevant context, indicators, and related activities occurring elsewhere.

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.