Implementing a good threat hunting strategy helps a company to identify emerging threats and protect against targeted attacks. Monitoring alone is sometimes insufficient. Even the most perfect monitoring fails to detect the initial phases of an attack (for example passive reconnaissance or weaponization). These phases happen completely outside the organization and leave no trace in the infrastructure.
Therefore, you have to go behind the enemy gates and collect the intel right from the source – on the dark web and in hacker forums. Hackers tend to brag about their achievements on forums. They make claims for certain attacks. Sometimes they announce in advance information about their future targets or share some of their TTPs.
Another good reason to hunt for intel on the dark web is post-attack investigation. It helps you determine what data actually leaked during the attack and is available for sale. Being aware of this fact you can estimate the damage more precisely and responsibly decide what actions you need to take.
You have to take your time and carefully establish your reputation if you want to be accepted on hacker forums and really get the valuable intel there. It is not an easy job – agents are specifically trained to perform this task. They have to pay attention to the details. For example, they have to carefully pick the right vocabulary in order to blend with the hacker underground.
Forums and markets often get shut down, therefore you have to stay on top of the new sources. Telegram groups are also a good place to get intel about new forums. However, always think about privacy and avoid exposing your true IP or telephone number.
Dark web threat hunting strategy
So once you dive deep into the dark web, how should your strategy towards success look like? When you are starting with dark web threat hunting, you have to choose sources relevant to your business category. There are many types of markets on the dark web. Some of them are:
- General markets
- Personal Identifiable Information
- Credit Cards
- Remote Access
- Electronic Wallets
There is plenty of information on forums and it can range from absolutely benign to truly malicious. You can encounter many false claims or recycled data from old attacks there. How to know your way around and identify actionable information? We would recommend checking several sources to piece together the clues. Sometimes you should even ask for sample data to verify its validity.
Threat hunting on the dark web has many benefits. You can get information about attacks planned on your organization or estimate the amount of leaked data after an attack. However, it is a challenging job – you should blend into the community and be able to sort out all of the unnecessary or false intel.