Winning Starts by Asking the Right Questions

"Computers are useless. They can only give you answers." - Pablo Picasso

Today’s great cyber threats are no longer malware or trojans, but humans. As the adversary changes, so too must defenders - but too many firms are still stuck in the past. The biggest problem - many are simply asking the wrong security questions and even more are putting their faith in computer to save them.

Technologically driven solutions, while great at detecting malware, offer little to no protection against a determined human adversary. Instead, you need to focus on the motivations, thought processes, and goals of the person on the other side. Doing this starts by making sure you’re asking the right questions.

Armed with the right questions, it’s possible for even the smallest teams to uncover tips on a potential attack weeks or months before technical indicators of an attack begin to appear. Answering the right questions will enable you to better understand the scope and nature of detected threats, form a strategy to prioritize and monitor risk, and finally, better determine if and how to allocate resources towards a response or intervention.

At IntSights, our team has been focused on asking the right questions on the dark web for dozens of years. And no matter the client, industry or type of investigation we are conducting, the dirty secret is we always start with the same three questions - 1. What malicious intent or activity was discovered?, 2. Where and how was this information detected? and 3. When in the planning process would this information be valuable?




Am I Protecting:

Asset Types

Employee Groups

Geographic Locations

Customer Data

Secret Projects or IP

Am I Defending Against


Adversary Groups

Insider Threats

Customer Fraud

Did this Info Come From:

Forums & Markets

3rd Party Data Leaks

Mobile Messaging Apps

Government Notification

Are they Targeting

Employee Groups

Desktop (PC, Mac)

Infrastructure Targets

Cloud Apps

Was It Detected


Initial Compromise

Early Foothold

Lateral Movement

Data Exfiltration

Is Action Required


In the near term

Longer term

They may seem like obvious questions any CISO or SOC manager should be able to answer, but from our experience sometimes answering these questions thoughtfully can more challenging than it appears.

To help you out, our new white paper “The What, Where and When for Effective Dark Web Threat Hunting” breaks down how to go about answering these questions, offers tips on how to classify threat data to be more effective, and details how a large retailer was able to stay one step ahead of the adversary by making sure they were asking the right questions and always armed with the latest dark web intelligence.

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.