In my last column on SecurityWeek, I’ve provided tips on how to pick the best threat intelligence vendors to support the unique needs of your organization. While the column referred to threat intelligence vendors in general, my original idea for an article was to focus on dark web intelligence providers. After claiming most organizations may not benefit much from dark web monitoring services, I thought it made sense to follow up with an article for those who do need it. Alas, Flashpoint’s CEO and fellow SecurityWeek columnist Josh Lefkowitz has beaten me to the punch, writing about that exact subject.
As I still believe for certain organizations evaluating dark web monitoring services is important, I thought I’d share what I originally wrote in hopes it can provide insights. Please note that the following was written before seeing Josh’s article, so if there are similarities – it’s not plagiarism, only similar opinions.
It is also important to note that while IntelFinder is a threat intelligence service, we do not monitor the dark web directly.
Data vs. Service
In general, intelligence deliverables are not equal. They have quite a large spectrum – on one end you have raw data, provided without any enhancement or analysis, while on the other, a deliverable can contain thoroughly analyzed strategic insights meant for decision-making levels. Between those two extremes exist deliverables that include information that was enriched or processed on some level, as well as tactical intelligence designed to help perform daily operations of fraud or security incident prevention.
The same can be applied on dark web intelligence – some vendors sell data, while others provide intelligence alerts written by their analysts. Before purchasing a dark web intelligence solution, it is important to first understand what kind of deliverables you are after.
Some teams may only be after the raw information, posts from dark web forums for example, so they could search for whatever topics that are of interest to them in order to build better mitigation strategies. Compromised credit card data is another good example of raw data, which doesn’t require a lot of processing in order to be put into good use. Other teams may be interested in receiving intelligence reports that already highlight relevant information and include explanations as to how it is relevant to the organization. Raw data provides more flexibility and control over the intelligence operation, but requires far greater resources and expertise of team members – not only in fraud or cyber security, but in intelligence work and specifically the dark web (understand fraudster terminology, how they operate and interact).
A major criteria in vendor comparison is coverage. While this seems obvious, it is important to note several things. Not only are the number of sources and their quality critical to ensure relevant information isn’t missed, but the types of covered sources are also crucial. Relevant content isn’t found only in the dark web, but can be found on open source, social media and other sites. Certain vendors may have great coverage of the dark web but may have very little when it comes to anything beyond that. It is important to assess the coverage in all types of sources.
Types of Intelligence
One of the things that I like the most about intelligence work is the fact that two organizations may have access to the same type of data, while one sees no value in the information presented there, another has identified a way to generate value from the same data.
Dark web intelligence is no exception – vendors vary in the types of intelligence that they deliver, not just in the amount. Take the time to understand what kind of intelligence each vendor offers and assess which unique deliverables will have the biggest impact on your business.
The dark web is a very fluid place. Sources go up, sources go down. New types of sources emerge, as well as the data available on them. For an intelligence vendor to be relevant, they must have the infrastructure to enable flexibility. How quickly can they cover a new source, even if it is unlike anything that was encountered before? If you request a new type of data feed from them, based on the data that they have, do they have the infrastructure to quickly develop it? This may not be crucial in the short term, but can be quite important in the long haul. Moving between vendors always has cost associated with it, so it is best to bet right from the beginning on a vendor that will remain relevant for years to come. The more types of intelligence your team wants or needs to consume, the more relevant a vendor’s flexibility is, as these needs will only expand in the future. Don’t just ask about each vendor’s deliverables – ask them about the infrastructure they use to generate them.
Finding the best vendor is often finding the most relevant one, whose deliverables are most suited to your business, whose coverage includes the most relevant sources for you, and whose unique offering makes the most impact to your business. Understanding your needs is the first step, the rest is crossing off the vendors who are not best aligned to support them. Good luck!