IntSights' Blog

Winning Starts by Asking the Right Questions

by Alon Arvatz / November 8, 2017

"Computers are useless. They can only give you answers." - Pablo Picasso

Today’s great cyber threats are no longer malware or trojans, but humans. As the adversary changes, so too must defenders - but too many firms are still stuck in the past. The biggest problem - many are simply asking the wrong security questions and even more are putting their faith in computer to save them. 

Technologically driven solutions, while great at detecting malware, offer little to no protection against a determined human adversary. Instead, you need to focus on the motivations, thought processes, and goals of the person on the other side. Doing this starts by making sure you’re asking the right questions.


Armed with the right questions, it’s possible for even the smallest teams to uncover tips on a potential attack weeks or months before technical indicators of an attack begin to appear. Answering the right questions will enable you to better understand the scope and nature of detected threats, form a strategy to prioritize and monitor risk, and finally, better determine if and how to allocate resources towards a response or intervention.


At IntSights, our team has been focused on asking the right questions on the dark web for dozens of years. And no matter the client, industry or type of investigation we are conducting, the dirty secret is we always start with the same three questions - 1. What malicious intent or activity was discovered?, 2. Where and how was this information detected? and 3. When in the planning process would this information be valuable?





Am I Protecting:

•       Asset Types

•       Employee Groups

•       Geographic Locations

•       Customer Data

•       Secret Projects or IP

Am I Defending Against

•       TTPs

•       Adversary Groups

•       Insider Threats

•       Customer Fraud

Did this Info Come From:

•       Forums & Markets

•       3rd Party Data Leaks

•       Mobile Messaging Apps

•       Government Notification

Are they Targeting

•       Employee Groups

•       Desktop (PC, Mac)

•       Infrastructure Targets

•       Cloud Apps

Was It Detected

•       Reconnaissance

•       Initial Compromise

•       Early Foothold

•       Lateral Movement

•       Data Exfiltration

Is Action Required

•       Immediately

•       In the near term

•       Longer term


They may seem like obvious questions any CISO or SOC manager should be able to answer, but from our experience sometimes answering these questions thoughtfully can more challenging than it appears.


To help you out, our new white paper “The What, Where and When for Effective Dark Web Threat Hunting” breaks down how to go about answering these questions, offers tips on how to classify threat data to be more effective, and details how a large retailer was able to stay one step ahead of the adversary by making sure they were asking the right questions and always armed with the latest dark web intelligence.

3 Q's Every Threat Hunter Can Answer

1 Comment
previous post Bad Rabbit Ransomware Makes Victims Hopping Mad
Next Post Are Cyber Criminals Stacking The Deck Against The Gaming & Leisure Industry?
Alon Arvatz

Alon Arvatz

George S. Patton said “If everyone is thinking alike, then somebody isn’t thinking”. Alon thinks, but not like most of us. And it’s this quality that has given him vast experience and knowledge in the world of cyberthreat intelligence, and why he has succeeded in working in the most advanced environments in the world (most of which cannot be discussed here!). After serving in an elite intelligence unit in the Israel Defense Forces, Alon joined Guy Nizan to establish Cyber School, a center providing teenagers with courses, seminars and summer camp workshops on cyber intelligence.