threat analyst and hunter.jpg

What is Dark web threat hunting?

    Dark web threat hunting defined

    The dark web: It’s scary, it’s complicated, and it’s big. It is home to cybercriminals, secret forums and black markets, where drugs, weapons, and hackers for hire are bought and sold using cryptocurrency. Dark Web Threat Hunting turns cybercriminals’ biggest resource into your primary source of actionable intelligence. By monitoring and engaging in the dark web, you can listen in on the conversations of your cyber adversaries and identify potential attacks against your organization.

    What is the dark web?

    You have probably heard the terms “dark web” and “deep web”, but what is the difference between these two, and what separates them from the Internet we use every day? It comes down to how people are able to find and access webpages.

    • Clear Web: Pages that are indexed and available through search engines to the public.
    • Deep Web: Pages that are not indexed or available through search engines. These pages generally require users to be logged in to view. This can be emails, access to paid content, cloud storage, and more. The high majority of web content falls into this category.
    • Dark Web: A subset of deep web content that is based off a peer-to-peer network that requires special software to access and provides anonymity. This technology has many legitimate uses but has become synonymous with illicit activity.

    IntSights Iceberg-2

    Dark Web 101: What Every Security Professional Should Know Learn More

    Dark Web Monitoring

    There are endless threats that you can discover on the dark web, but you need to know what to look for. One obvious example is selling sensitive company data, such as details about a secret project or the names and email addresses of employees to be targeted for phishing attacks. Many enterprises have begun implementing threat hunting and dark web monitoring programs to uncover new threats that could impact their organization. To do this, these companies leverage tools and techniques to infiltrate forums, chat rooms, black markets and other cybercriminal “watering holes”. By going behind enemy lines, you can gain intel on your adversaries and keep a watchful eye for activity targeting your brand.

    Where threats exist:

    • Black markets : Sites that may sell information on corporations or employees, malware, or hackers for hire. You can monitor these sites for stolen credentials and proactively prompt employees to change passwords if their account information has been leaked.
    • IRC (Internet Relay Chat) Rooms: A communication tool hackers commonly use to communicate. These are setup in channels that resemble groupchats, and are used to discuss updates on a job or issue warnings to others in the channel.
    • Forums: Social sites where users can post and reply to topics including new malware, recent attacks, how-to articles, company reputations, or anything else.

    Pastebins: Sites where anyone can post text. Confidential documents, entries from a database, email chains, and other sensitive data are frequently posted to these sites, enabling anyone to view and access them.

    Use cases

    On the dark web, anything goes. There is tons of activity to monitor for, a lot of which doesn’t always pertain to your organization. So what are some of the threats you can find and should be monitoring for?

    • Proactive Threat Intelligence: Gain actionable information on the threats that are relevant to your company.
    • Phishing Detection: Phishing is popular among attackers because it’s simple and it works. If you know specific employees may be at risk, you can take steps to mitigate that risk.
    • Identify Attackers: Their ability, motives, and means of attack.
    • Brand Protection: Know what conversations your brand is involved with and identify schemes to impersonate your brand online.
    • Fraud Detection: Most organizations have a range of IT security tools in place, such as firewalls, gateways, IDS/IPS, and malware detection systems. With these tougher defense-in-depth measures to beat, many hackers now use fraud instead.
    • Vulnerability Prioritization: Given how fast the threat landscape grows and changes, manually correlating threat and exploit data to vulnerabilities is no longer a viable strategy.
    • VIP & Employee Targeting: Organizations need to worry about cybersecurity for other senior people associated with their businesses, including investors, board members, and advisors.
    • Compromised Credential Identification: The easiest and most effective way for any criminal to succeed is with direct, credentialed access.  Stolen credentials may be used in order to infiltrate a company’s systems.
    • Threat Investigation: Supplement your monitoring activities with threat actor engagement and further investigation to gain deeper clarity and context on threats.


    Best Practices

    Here are some best practices that should be followed when hunting for threats on the dark web.

    • Automation: Setup recurring searches for keywords on known sites to identify relevant threats 24x7. The less time you spend manually crawling the dark web, the better.
    • Leverage your digital footprint: Cybercriminals often reference key digital assets when plotting their attacks. Knowing your own corporate assets (e.g. IPs, Domains, Brand Names etc.) helps you pinpoint threats that specifically target your organization.

    • Use extensive sources: Different threats will reveal themselves in different places; monitor a variety of markets, chat rooms, and paste bins.

    • Stay safe: If you are venturing into the dark web, be sure to take precautions to protect your identity, your machine, and your data. The worst thing you can do is reveal yourself as a threat hunter, because that will instantly make you a target for cybercriminals.

      • Use a VPN and proxies

      • Maintain an alias (or multiple) that has a strong backstory

      • Use a dedicated device or virtual machine that is frequently wiped

      • Don’t leave any clues that lead back to you or your company

    white logo.png
    Discover how to start monitoring the Dark Web
    Download Our Dark Web 101 Guide