By Christopher “Tophs” Elisan, Director of Intelligence, Flashpoint
All too often, cyber-defence measures protect only against known threats. But since threat actors operating on the deep and dark web (DDW), encrypted chat services, and other covert channels are constantly developing new methods in order to catch their targets off guard, organisations assume considerable risk in taking a reactive stance.
The cybercriminal underground is not a black box with unknowable inner workings, but the knowledge, skills, and technology required to observe these secretive online spaces exceeds the scope and capabilities of all but a select few experts. For this reason, Flashpoint’s Global Intelligence Team has a dedicated unit known as the Hunt Team that specialises in tracking down the newest threats emerging from illicit communities, enabling customers to be proactive about managing risk.
The Hunt Team’s work covers considerable breadth and is malleable to customer needs, but some of the core challenges they help defenders address include the following:
Emerging Cyber Threats
Signature-based security tools are largely useless for detecting and blocking threats whose indicators of compromise (IOCs) have yet to be identified. But in most cases, new cyber threats don’t simply appear overnight. Rather, they are the result of weeks—or even months—of threat-actor collaboration, coordination, and information sharing.
To help customers take action against emerging cyber threats before they are widespread, the Hunt Team scours DDW forums, illicit marketplaces, and encrypted threat-actor chats to identify and investigate new developments. When necessary, Hunt Team analysts may engage with threat actors to obtain malware samples or other critical information, an endeavor which requires a nuanced understanding of underground communities and an anonymous, well-developed online persona.
Once their investigation is complete, analysts produce finished intelligence reports that provide customers technical and contextual details—such as infection vectors, motive, monetisation methods, relation to other cyber threats, potential impact, and indicators of compromise (IOCs)—as well as recommended mitigations.
Evolving Tactics, Techniques, and Procedures (TTPs)
It’s a common mistake among defenders to think of cyber threats from only a technical standpoint. Cybercriminals are humans too, and understanding the rationale, methodology, and infrastructure behind their actions is crucial to outsmarting them.
Our Hunt Team analysts are well aware of this. So as they scour for emerging cyber threats and new collections sources, they remain cognizant of the big picture—how their observations relate to recent and historical findings—to identify bellwethers of change within the threat landscape. And on an ongoing basis, the team shares these insights in the form of finished intelligence reports spanning a broad range of topics, from changes in ransomware targeting methods to fraudsters’ adaptation to EMV implementation, thus informing customers’ long-term defence strategies.
Influenced by myriad factors, including law-enforcement takedowns, socio-political developments, and the introduction of new security technology, the online venues through which threat actors conduct their operations are always changing. To cite a well-known example, following the July 2017 takedown of the prominent AlphaBay and Hansa marketplaces, many threat actors have moved toward decentralised channels such as encrypted chat services, a trend which continues to this day.
The migration of threat actors to new—and often less centralised—online spaces can throw a wrench in efforts to monitor emerging threats. For this reason, the ongoing expansion of Flashpoint’s collections across the DDW and encrypted chat services is a core element of the Hunt Team’s operations. In addition to supporting their investigations and reporting, the team’s efforts to expand Flashpoint’s collections enhances the breadth and depth of our alerting capabilities and API-integrated datasets on an ongoing basis.