Deep & Dark Web (DDW) forums and marketplaces have long served as hubs for illicit activity and, consequently, as invaluable data sources for defenders looking to combat such activity. However, threat actors continue to be drawn to the immediacy—and in many cases, the enhanced security and privacy—of encrypted chat services such as Telegram and Discord. These types of platforms have quickly emerged alongside DDW (and select open-web) communities as go-to venues for discussions, transactions, and media dissemination pertaining to cybercrime, fraud, and even drug trafficking operations, among many others.
Naturally, these platforms have since also become critical data sources for threat intelligence teams. But due to the numerous types of encrypted chat services, their decentralized yet pervasive nature, and the many different illicit—and legitimate—ways in which they are used, it can be difficult for teams to determine how to obtain and incorporate data from these platforms into their collection strategies in a meaningful way. Here are some key points to consider:
Chat services aren’t inherently malicious
These types of platforms were never intended to facilitate illicit activity. Most, if not all, were simply designed to meet the needs of those in search of greater privacy, security, and/or convenience in their communications. Indeed, the majority of chat-services users use them solely for perfectly legitimate and harmless purposes.
And because these platforms have become extremely popular in recent years—Telegram alone had 200 million monthly users as of March 2018—deciphering activity that is relevant and illicit from that which is irrelevant and benign can feel like searching for a needle in a haystack. Further complicating matters for defenders is the fact that threat actors operating on chat services often do so within private, invitation-only, or otherwise highly exclusive channels that can be extremely difficult and risky for outsiders to access.
Gleaning value from chat-services data starts with intelligence requirements
As a result, threat intelligence teams seeking visibility into illicit activity on these platforms are increasingly—and understandably—turning to third-party vendors with the expertise and tools required to identify and monitor such activity safely. A common pitfall, however, is choosing a vendor before establishing your intelligence requirements (IRs) or evaluating whether the vendor can support them.
Keep in mind that with threat actors ranging from fraudsters to violent extremists frequenting seemingly countless channels across various different chat services, these platforms can contain vast amounts of data. Source coverage can vary widely from vendor to vendor, which is one reason why IRs are so important: they can help you better understand the objectives of your intelligence operation and the types of data a vendor will need to provide in order to satisfy those objectives.
If your IRs focus primarily on credit card fraud, for example, be prepared to ask prospective vendors about the extent that their chat-services collections cover related activity. Questions could include:
• Which channels within which chat services platforms does the vendor have access to?
• What sorts of carding-related activities does the vendor monitor on these platforms, and are these activities relevant to your IRs?
• Does the vendor’s team have ample expertise and experience with the carding threat landscape?
• To what extent is the vendor’s chat-services data supporting customers with similar IRs?
• What are the most significant weakness in the vendor’s chat-services collections with respect to your IRs?
Given the variability both of vendor offerings and of chat services themselves, it’s imperative to thoroughly evaluate a vendor’s collection strategy before you decide to become a customer.
Be prepared to augment chat-services data with data from other sources
While many threat actors’ operations rely heavily on chat services, most are also active across various other illicit online communities. Some cybercriminals, for example, have been known to advertise offerings on DDW marketplaces and then finalize transactions in private channels on chat services. This type of behavior is also quite common among other groups. Not only do relatively few threat actors rely entirely on a singular platform or community, but many also relocate their operations fairly often in search of greater privacy and/or to evade law enforcement, among other reasons.
As a result, threat intelligence teams seeking comprehensive visibility into the threat landscape need to ensure their collection strategy covers an adequate breadth and depth of data sources. Chat services, although they can provide invaluable insight, should almost always be complemented with data from other relevant sources. Otherwise, teams—regardless of their IRs—risk overlooking relevant context, indicators, and related activities occurring elsewhere.