Trying to Gather Threat Intelligence From the Deep & Dark Web Creates a Substantial Risk for Organizations
The Deep & Dark Web (DDW) remains the key source for invaluable data and intelligence pertaining to a wide range of cyber and physical threats, fraudulent activities, and malicious actors. Indeed, it’s a promising sign that more organizations are recognizing the critical need to incorporate intelligence derived from these online regions into their security and risk strategies. However, some organizations might be tempted either to obtain such intelligence themselves using their own in-house teams and capabilities, or to engage with companies that lack the vernacular and cultural understanding of the DDW.
Throughout my career, I’ve spent more than enough time researching and gleaning intelligence from these online regions to know that for most organizations, a do-it-yourself (DIY) approach to DDW intelligence is seldom a good idea. Not only does obtaining meaningful data and relevant insights require painstaking effort and substantial expertise, but there is also no shortage of hoops to jump through for organizations looking to do so. Without the necessary expertise and technology to automate secure, persistent data-gathering within the Deep & Dark Web, trying to gather such data creates a substantial risk for organizations.
Like many things in life, DDW intelligence is best left to specialists. To that end, I’ve outlined some of the most common yet substantial challenges one must overcome before being able to access, monitor, and obtain meaningful insights from these online regions.
Linguistic & Cultural Barriers
Not all threat actors operate in English, which means that unless your team has individuals who are fluent in Russian, Arabic, Mandarin, Turkish, Farsi, Spanish, French, etc., you won’t be able to monitor discussions or posts that occur in such languages.
Even if certain individuals on your team are fluent in these languages, fluency isn’t always enough. Communities on the DDW have their own cultures, social norms, idioms, and slang. Developing a keen understanding of these practices and nuances takes extensive time and experience; in many cases, learning these skills can be much like learning an entirely new language.
Lacking these linguistic and cultural skills can create blind spots that restrict an organization’s visibility of potentially relevant threats, actors, and vulnerabilities. Even worse, many individuals may opt to monitor or engage within DDW communities prematurely — before their skills are sufficiently advanced. Doing so is not only a waste of time and resources but can also be risky and even dangerous.
It’s crucial to recognize that threat actors who operate on the DDW are keenly aware that their activities and discussions are of high interest to law enforcement, threat intelligence firms, and other organizations. Many go to great lengths to protect themselves and their communities from scrutiny. In the event that an individual engaging within one of these communities missteps or raises suspicion in any way, that individual will likely be shunned from the community and potentially from others as well. Even worse, there have been incidents where such individuals have accidentally revealed their identities, thereby placing them and their affiliated organizations at an increased risk of being targeted by malicious cyber activity.
Beyond developing the appropriate linguistic and cultural skills, penetrating many communities in the DDW requires trust. As I mentioned, most threat actors are constantly on the lookout for “moles” because they understand that their activities and discussions are of interest to many organizations. This also means that they tend to only reveal sensitive information — such as that which pertains to emerging threats, malicious campaigns, etc. — to individuals whom they trust implicitly.
How does one build trust? For starters, it requires a substantial amount of time — ranging from months to upwards of one year or longer. Many of the more elite communities within the DDW are invite-only, which means that unless a member personally invites you, you will have no way of gaining access. Certain communities are so secretive that you may not even be aware of their existence unless a member invites you to join. The vetting process for some of these communities — particularly ones that are highly elite, have been known to yield advanced and damaging threats, and have relatively few members — can be extremely intense and exhaustive. Some even require potential members to have multiple references or recommendations from existing members.
Furthermore, operations security (OpSec) can play a crucial role in earning trust, which means that individuals must take appropriate measures to anonymize their locations, intentions, and identities. If they don’t, they and their organizations may lose access to certain communities or, in some cases, become targets for malicious activity.
Distinguishing True Insights from Noise
As a whole, the DDW contains vast amounts of invaluable data and insights that can help organizations combat relevant threats and mitigate widespread risk. But, not all sources within the DDW are created equal. It’s important to remember that many actors operating within the DDW are not as dangerous or skilled as they may appear. Many communities are filled to the brim with amateur threat actors spewing empty threats and hyperbole in an attempt to establish reputations and earn the trust and respect of other members.
So how do you distinguish an empty threat from a legitimate one? In short, it requires extensive and nuanced expertise, and even then, it isn’t easy. Organizations without the skills to decipher the true threats among the vast amounts of noise on the Internet can easily waste enormous amounts of time and resources seeking to combat threats that don’t exist while remaining “blind” to those that do.
Above all else, organizations seeking to obtain actionable intelligence from the DDW should recognize that doing so requires substantial expertise, resources, and time. Attempting to access and engage within these online regions without the proper capabilities established and precautions in place could yield observations that may not be entirely factual. In some cases, it could even place an organization and its stakeholders at an increased risk of malicious cyber activity. As such, it’s best to forgo a DIY approach to DDW intelligence and instead seek the services of a trusted third-party vendor. Not only will you save time and resources, but your organization will likely be much better informed and protected without taking on any additional risk.