How to Gather External Intelligence to Defend Your Organization via Threat Hunting

The dark web is a sprawling underground network of secrecy where cybercriminals plan and coordinate cyberattacks against organizations in various industries around the world. Cybersecurity teams know they must monitor dark web forums and hacker hangouts to identify and validate potential threats against their organizations. But this is no simple task – threat hunters are often sniffed out by hackers and can inadvertently make their organization a target if their cover is blown. Therefore, gathering intelligence via threat hunting is a task that must be carried out with precision.

Our new ebook, Dark Web 201: How to Leverage External Threat Hunting to Prevent Cyberattacks, provides a glimpse into the life of professional threat hunters: where they monitor cybercriminal activity, what they look for, and how they gain entry into exclusive hacker communities while avoiding detection. Successful threat hunting and intelligence gathering are vital components of bolstering security operations and enabling organizations to Defend Forward.

Here are some of the steps to performing effective threat hunting that we elaborate on in the ebook:

Finding the Right Dark Web Sources

Good intelligence starts with good sources. Threat hunters have a variety of sources they follow across the clear, deep, and dark web, and the list is constantly expanding as they find new leads. Mapping the threats, attack vectors, and source types that most significantly impact your organization is crucial to gain an understanding of where to look for sources. Some examples of sources for gathering intelligence include black markets, hacker forums, and instant messaging apps. Threat hunters can find critical intelligence in each of these cybercriminal hangouts – but in many cases, entry into the community can be challenging.

Entering the Cybercriminal Community

It goes without saying that cybercriminals want to avoid being identified at all costs. This can make searching for sources difficult – particularly on the anonymized dark web, which isn’t exactly designed for search functionality. To make things even more complicated, law enforcement agencies around the world are constantly working to find and shut down the administrators of cybercriminal hubs. As a result, threat hunters have to adapt on the fly to find where users of defunct forums and black markets are headed to continue their activity.

In addition, many communities are exclusive and have significant barriers to entry. Expert-level hacking forums will often require new applicants to demonstrate their technical prowess and familiarity with hacker culture to prove they can provide value to the community – and also to ensure they are not working with law enforcement or for a cybersecurity team. Threat hunters must be wary of exposing themselves as outsiders, at the risk of making themselves – and their organizations – targets for retribution.

Identifying – and Validating – Threats Against Your Organization

Ultimately, intelligence is only useful if you can act on it, so it’s critical to find and validate threats that specifically relate to your organization. Threat hunters must take pieces of information they find from separate sources and connect the dots to identify, validate, and understand the severity of any given threat. It’s also important to track and record activity over time, as threats often evolve over the course of weeks or months. It’s a tricky needle to thread, as an unseasoned threat hunter may stumble upon thousands of potential threats and be overwhelmed by the prospect of having to fend each one off. The key is to monitor suspicious activity while focusing on preventing it from turning into a malicious campaign.

To gain a full understanding of how to perform expert threat hunting, download Dark Web 201: How to Leverage External Threat Hunting to Prevent Cyberattacks.
