Threat intelligence provider Recorded Future has said that 70% of its customers are using threat intelligence sourced from the dark web. The data is being used to identify compromised assets such as user credentials and intellectual property. It also says that customers are using the data to assess their vulnerability to attack.
According to Matt Kodama, Vice President of Product at Recorded Future: "Security teams may look to the dark web first for incident detection: are our credentials or sensitive information exposed? But operational monitoring is just one way to leverage dark web sources.
"We know that adversaries will find new intrusion methods and fraud schemes. Which technologies are emerging as targets, and how are threat actors finding exploits? By harvesting and indexing the dark web at scale, we highlight these emerging trends as a key input to an intelligence-driven security program."
What Dark Web sources are companies using?
Recorded Future says that customers are monitoring underground forums where threat actors discuss intrusion methods. This is good news if the customers are using it to harden defences and educate security teams and staff. It is also important that it doesn't become a fear factor. There are always large numbers of potential weaknesses in corporate cyber security. Rather than just run around trying to patch them all, cyber security teams will need to risk-assess the threats and prioritise their use of resources.
Fortunately, Recorded Future is doing the assessment and preparation of the threat intelligence data for their customers. This means it can be presented with much more context than would be seen by security teams going it alone. It also removes a major risk factor for those teams. Taking part in forums and looking for data on attacks is a quick way to expose the unwary to serious attack.
Monitoring the dark web also allows Recorded Future to gather data from breaches that affect their customers. They are able to identify chatter that could indicate an attack is being considered against one or more customers. It also gives Recorded Future an opportunity to provide customers with a list of data stolen from their business. This allows them to see if the data came from their own systems or through a third party. It also means that they can act quickly to inform customers of any risk to them. This helps prevent the bad publicity that an attack would generate.
Another benefit is that it helps customers deal with the vast amount of threat data that is out there. Without a security analyst capable of interrogating and making sense of threat data, it is easy to misread or be swamped by the information. Not only does Recorded Future do the collation, it also carries out the initial analysis for customers. Customers can focus on the key alerts and apply those to their business.
What does this mean?
Anything that helps improve cyber security is good news. With the costs of competent security analysts continuing to rise, security vendors are filling a gap for their customers. More importantly, attackers are shifting their focus to small and medium sized businesses. These are the very companies that cannot afford analysts and are often overwhelmed by alerts.
For larger customers, this becomes a service that they can recommend to their supply chain. It will allow that supply chain to harden its cyber security and not be a conduit to attack large organisations. This is a serious challenge at the moment.
Many security companies monitor the dark web. If they didn't, the data they were using to protect customers would be significantly compromised. However, the level of access they then provide to this threat intelligence varies widely. It will be interesting to see how much more data Recorded Future will add and what additional security services they will offer in the future.