GUEST ESSAY: Threat hunters adopt personas, leverage AI to gather intel in the Dark Web

By Brad Liggett

The Deep & Dark Web is a mystery to most in the mainstream today: many have heard about it, but few understand even a fraction of what’s going on there.


Between planning your roadmap, executing your projects, and keeping an eye on the barrage of ransomware headlines, it’s understandable if you and your team are feeling some anxiety.

Cyber anxiety can indeed be paralyzing, but new software solutions have the potential to become game-changers for IT departments. These automated programs will hunt the Deep & Dark Web for you, trawling through the deepest and dirtiest pools, looking for the next threat that has your name on it.

There are many facets to what I’ll call “The Underground.” It extends beyond the Deep & Dark Web to unindexed web forums, messaging boards, and marketplaces; encrypted messaging systems; and code repositories. It is simply impossible for a human analyst to sort through it all.

Additionally, filtering through these channels is made even more difficult by language barriers and by the need to gain trust and access to these various forums. Having automated tools that can process these various datasets is integral to enriching your team’s intelligence programs, whether you have a well-established team and process, or are just beginning your journey.

Hunting threats

To gain access to message boards and chats on the Deep & Dark Web, cyber professionals carefully cultivate their own personas – a task that takes significant time and practice but is the only way to gain access to hacker communities. Once vetted and accepted, threat hunters will go into these message boards and communities and search for anything connected to your business, for example:

• Corporate login credentials

• Data collections released after ransomware attacks

• Databases with critical IP and/or PII

• Chatter about the best methods to attack your business

Ransomware attacks hit indiscriminately across business categories, from private corporations to government agencies, including schools and universities, hospitals and healthcare providers, financial institutions, and everything in between. There is no safety in size: hackers also target smaller businesses.

The financial losses associated with a hacking incident – not to mention the loss of customer trust and faith in a brand – make for a difficult and expensive recovery.

The rise of Initial Access Broker (IAB) markets gives criminal groups an easy way to purchase stolen credentials for a small fee. Hackers use these credentials to try to get a foothold inside a targeted company. The average cost for these credentials is as little as $10.

For example, a hospital that suffered a ransomware attack in 2021 had credentials to its VPN offered for sale in an underground market eight days prior to the attack.

In another example, it was reported that the Lapsus$ Ransomware gang bought and tried several sets of access credentials for T-Mobile before finding a user with the right level of access to gain their foothold.

Staying vigilant

To help companies understand how they are being discussed and compromised on the Dark Web, the team of threat hunters and intel specialists at Cybersixgill offers a Portal that can be customized to look for any threat on the Underground that’s aimed at a user’s organization.


Think of the Cybersixgill Portal as a complex search engine that can reach the deepest depths of the Underground. It continuously crawls through more than 700 forums and marketplaces, and monitors more than 25,000 channels on platforms like ICQ, Discord and Telegram. Every day, Cybersixgill’s Portal brings in more than 7.5 million pieces of information, including indicators of compromise (IOCs), common vulnerabilities and exposures (CVEs), and malicious files.

For each of the hundreds of thousands of CVEs, Cybersixgill’s platform applies machine learning (ML) models to assist companies with patch prioritization. This method reaches beyond the Common Vulnerability Scoring System (CVSS), which numerically ranks threats, so companies can easily prioritize which one to tackle first. It also integrates with many of the most popular cybersecurity platforms out there, like CrowdStrike, Splunk, Microsoft Azure, and dozens more.

Staying on top of the latest threats can feel overwhelming, but there is no need to be cyber paralyzed. Cybersixgill arms security teams with data straight from the Underground, making it much easier to stop attackers before they cause significant damage.

About the essayist: Brad Liggett is Technical Director, Americas Intel Architects at Cybersixgill, a Tel Aviv-based cybersecurity company that supplies scalable, real-time, actionable, contextual, automated threat intelligence.
