Communities Datasets Deliver Far-Reaching Visibility into Cybercrime Underground
By Steven Weinstein
To effectively anticipate and mitigate threats, defenders must be able to monitor the illicit online communities where threat actors discuss tactics, techniques, and procedures (TTPs), exchange resources, and coordinate malicious activity. But gaining meaningful visibility into any one threat-actor community is challenging for a number of reasons—from bypassing encryption and/or password protection to establishing scalable collections.
Visibility into any one threat-actor community may be hard to obtain, but no single community is the be-all and end-all of intelligence collection. To build a big-picture understanding of the threats their organization faces, teams must be able to track adversaries' interrelated activity across multiple communities and platforms.
Flashpoint recognizes this need, so we’ve designed our communities datasets within the Flashpoint Intelligence Platform to help our customers identify relevant threats across a range of sources. Here’s how:
Deep and Dark-Web Forums
Even as threat actors increasingly move toward less centralized chat platforms, deep and dark-web (DDW) forums remain essential sources of insight into emerging cyber and physical threats, fraud, and other forms of malicious activity. The deep web is the portion of the internet that conventional search engines do not index. The dark web is a subset of the deep web that is intentionally hidden: reaching it requires specialized software such as the Tor Browser, and the underlying overlay network masks the IP addresses of both visitors and the sites themselves. Because individual forums exist in relative isolation, gaining broad visibility across dark-web forums is not a one-and-done endeavor.
Within the Flashpoint Intelligence Platform's DDW forum datasets, users have far-reaching access to the closed-source information needed to anticipate relevant threats before adversaries bring them to fruition. To cut through the noise and find forum activity relevant to their organization, users can filter forum posts by date range, keyword, topic, poster username, subject matter, forum tier, and language (a built-in feature translates forum posts with a single click). To support risk-based vulnerability management, users can also filter the forums dataset, and every other community dataset, to posts containing any CVE identifier, or search for posts that mention specific CVEs.
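As an added illustration (not Flashpoint's code, and unrelated to how the platform implements its filters), the following Python shows how a team ingesting collected forum posts could do the two things described above on its own data: extract CVE identifiers from free text, normalizing the inconsistent ways posters write them, and filter posts against a watchlist of CVEs affecting its own estate, optionally within a date range. The posts, handles, forum names and CVE numbers are constructed sample data, not real forum content and not claims about real vulnerabilities.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# CVE IDs are CVE-<4-digit year>-<4 or more digits>. Posters write them in
# mixed case and with inconsistent separators ("cve_2023_1111"), so match
# loosely and normalize to the canonical upper-case hyphenated form.
# A 2-digit "year" (CVE-23-1234) is not a valid ID and is deliberately skipped.
CVE_RE = re.compile(r"\bCVE[-_ ]?(\d{4})[-_ ]?(\d{4,})\b", re.IGNORECASE)


@dataclass(frozen=True)
class Post:
    forum: str
    author: str
    posted: str  # ISO date (YYYY-MM-DD), so plain string comparison orders correctly
    text: str


def extract_cves(text: str) -> Set[str]:
    """Return the normalized CVE IDs mentioned anywhere in free text."""
    return {f"CVE-{year}-{num}" for year, num in CVE_RE.findall(text)}


def posts_with_cves(posts: Iterable[Post]) -> List[Post]:
    """The 'contains any CVE' filter: keep only posts that mention at least one ID."""
    return [p for p in posts if extract_cves(p.text)]


def posts_matching(posts: Iterable[Post], watchlist: Iterable[str],
                   since: Optional[str] = None) -> List[Tuple[Post, List[str]]]:
    """The 'specific CVEs' search: posts mentioning a watchlisted ID, optionally
    restricted to posts on or after `since`. Returns (post, sorted matched IDs)."""
    wanted = {c.strip().upper() for c in watchlist}
    matches = []
    for p in posts:
        if since is not None and p.posted < since:
            continue
        hits = extract_cves(p.text) & wanted
        if hits:
            matches.append((p, sorted(hits)))
    return matches


# Constructed sample posts. Forum names, handles and CVE numbers are placeholders,
# not real forum content and not claims about real vulnerabilities.
SAMPLE_POSTS = [
    Post("forum-a", "actor1", "2024-01-10",
         "Anyone have a working PoC for cve-2021-9999? Paying in XMR."),
    Post("forum-a", "actor2", "2024-02-03",
         "Selling RDP access, no exploit needed, just creds."),
    Post("forum-b", "actor3", "2024-03-01",
         "Chain CVE-2023-1111 with cve_2023_1112 for full takeover. "
         "(CVE-23-1234 in the old thread was a typo.)"),
    Post("forum-b", "actor4", "2024-04-15",
         "Dropping CVE-2024-2222 exploit for the usual price, DM me."),
]

if __name__ == "__main__":
    watch = ["cve-2023-1111", "CVE-2024-2222"]  # hypothetical watchlist from a VM program
    for post, hits in posts_matching(SAMPLE_POSTS, watch, since="2024-03-01"):
        print(post.forum, post.author, post.posted, hits)
```

The regex is intentionally tolerant of underscores and spaces because underground posts rarely follow the canonical form, but it still requires a four-digit year so that typos and unrelated numbers are not promoted to CVE hits; in a real pipeline the extracted IDs would be joined to the organization's asset and vulnerability inventory rather than to a hard-coded list.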
Encrypted Chat Services
Encrypted chat services have quickly emerged as a popular alternative to DDW forums for many threat actors, making access to conversations on these services a new essential for intelligence teams. Although technically separate from DDW forums, encrypted chat services function within the same underground ecosystem. For example, if a DDW site suffers downtime or is shut down, threat actors may use encrypted chat to share mirrors: near-identical copies of the site hosted at different URLs.
The ongoing shift toward encrypted chat platforms is driven by numerous factors, including law-enforcement takedowns of prominent DDW forums and marketplaces, as well as the convenience and level of security these platforms offer. The extent of criminals' use of chat services varies by region (Latin American threat actors have been notably early and rapid adopters), but across the board an unprecedented amount of illicit activity is being conducted on these platforms. To deliver much-needed visibility into this new frontier of cybercrime, Flashpoint's engineers and analysts have worked in tandem to establish expansive, scalable collection processes that let customers monitor the highly decentralized threat-actor activity on these platforms in near real time.
Open-Web Sources
Much of the sensitive threat-actor communication we observe is concealed within DDW forums and encrypted chat services. But open-web sources can also be a useful reference for insight into relevant threats: security researchers discussing CVEs on public blogs, ideological extremists spreading their views on message boards, and hackers dumping compromised data on paste sites.
Gleaning relevant insight from blogs, paste sites, message boards, and social news sites is often easier said than done: these sources are highly decentralized and often time-consuming to find and search. Moreover, given the abundance of noise, hyperbole, and false claims on open-web sites, it can be difficult to judge which statements are accurate and represent a genuine threat.
To help address these challenges, Flashpoint collects data from a curated, relevant set of open-web communities of interest to our customers and makes it readily accessible on the Flashpoint Intelligence Platform.
The extensive, searchable coverage provided by Flashpoint’s community datasets across DDW forums, encrypted chat services, and open-web sources functions as an integrated component of our Business Risk Intelligence (BRI) offerings, alongside our finished intelligence reports, CVE dashboards, card-shop datasets, and other resources. If your team needs support investigating a potential area of concern, our analysts can conduct rapid and thorough inquiries as part of our request for information (RFI) services.
To learn more about how Flashpoint’s communities datasets and other Business Risk Intelligence offerings can help address your team’s needs and challenges, contact us here.
Senior Director, Intelligence – Tactical Threat Monitoring