Building the internal capability, and owning the responsibility of gathering meaningful data and intelligence from the Deep & Dark Web, is difficult and risky for companies, according to a report produced by Richard Stiennon, Chief Analyst with IT-Harvest, and sponsored by Flashpoint.
“Most organizations track mentions of their key executives, products, and company via search engine news alerts and searches of the Surface Web, social media and various paste and data dump sites,” said Stiennon. “But by the time this material bubbles up to the Surface Web, it has already been discussed, shared, and exploited by malicious communities active in the Deep & Dark Web.”
Aside from developing the necessary protocols and operational security to access the Deep & Dark Web safely and securely, obtaining the most salient information to unearth the actual threats that can impact a company’s financial well-being, intellectual property, brand, customers or employees is also extraordinarily difficult.
Successfully mining the Deep & Dark Web requires a powerful combination of human expertise and sophisticated technology built upon years of subject matter knowledge, automated data gathering, and a willingness to take calculated risks. This type of expertise and capability rarely, if ever, exists in-house at companies.
Among the findings in the report, Stiennon outlines a number of reasons why companies fail time and time again at gathering the right data and accurate intelligence. Factors contributing to this shortfall include:
Linguistic and cultural expertise: To monitor the most influential and threatening groups, security teams must be able to monitor activity across a broad swath of languages, including Mandarin, Farsi, Russian, Arabic, and Portuguese. Additionally, researchers need to have the substantive cultural savvy to blend in and understand these communities’ idioms, slang, social norms, and memes.
Determining actionable intelligence versus noise: Like any community, not all threat actors in the Deep & Dark Web are created equal. Without the relevant experience, you could set off time-wasting fire drills inside your organization. Your research efforts may lose trust internally.
Trusted environments are extremely hard to penetrate: Effective research and data gathering in these illicit communities means your researchers have to establish trust to open doors; once you have managed to pass a vetting process, surviving in these communities requires flawless operational security. An errant technical leak or even mere suspicion can not only jeopardize your access to the community, but also invite the wrath of the community upon your company in revenge.
Significant time and money required: Mining the Deep & Dark Web for threat intelligence is resource and labor intensive. Researchers have to mimic the activities of full-time threat actors who operate seven days a week. They must monitor their source pools continuously and participate on a regular basis to maintain legitimacy and access to these malicious communities.
“It is immensely difficult for any organization to build a Deep & Dark Web research capability. It’s incredibly complex, time-consuming, resource-intensive, and can take years before it yields useful and actionable intelligence,” said Josh Lefkowitz, CEO of Flashpoint. “By leveraging outside experts, you avoid the substantial cyber and physical security risks to your people, and instead, arm them with the built-in expertise and tradecraft to provide you with actionable intelligence that will directly assist you in your daily battles to stay ahead of attackers.”