How MSSPs Can Deliver Value Through Dark Web Threat Intelligence

By Ben Jones

Ben Jones

By monitoring the dark web for precursory activity to a cyberattack — such as credentials being shared on criminal forums, IP addresses communicating with the dark web, breaches for sale, or even mentions of company secrets — MSSPs can take proactive steps to protect their customers, pre-empt attacks and demonstrate their value from day one.

Solving the MSSP Cyberattack Paradox

When a managed security service provider (MSSP) onboards a new client, it immediately begins to monitor the network for suspicious behavior. However, unless there’s an anomaly of some kind from the outset — i.e., a cybercriminal is already in the process of attacking the company — there can be very little for the MSSP to initially report back. This puts the MSSP into a paradoxical situation where it is waiting for an incident to occur before it can prove its worth to the customer, despite — of course — not at all wanting its client to experience a cyberattack.

This paradox can be removed if MSSPs can pre-empt potential incidents before they can be put into play. That’s where dark web monitoring and contextual threat intelligence comes in, steps that provide a very visible, and very quick, return on investment for new customers by extending their visibility beyond their organization out to where their potential adversaries operate: on the dark web.

Cybercriminals from opportunistic amateurs to state-backed ransomware groups use dark web marketplaces and forums to plan, execute and publicize their attacks. They discuss the organizations they’re looking to target, buy vulnerabilities and exploits and share exfiltrated data with other criminals.

The ability to gain visibility into this criminal underworld means that MSSPs can help businesses get off the back foot by identifying the early warning signs of attack before they are hacked.

The Value of Dark Web Monitoring

It’s not just the customer that can see a quick ROI from dark web monitoring. By incorporating this functionality within their service offering, MSSPs can create new commercial opportunities.

The most obvious of these fall into the security audits, penetration testing and consultancy areas. An MSSP, you would hope, already has the ability to find network vulnerabilities that could be exploited. However, being able to go further, to demonstrate not only how that exploitation could occur but also that such an exploit is already for sale on the dark web, is something else altogether. Moreover, the ability to collect and collate external threat data, such as traffic from the dark web going to an organization’s infrastructure components, helps the customer to better understand the attacker’s perspective, and the techniques they use at each stage of the “Cyber Kill Chain” to execute their attacks.

Another commercial opportunity that can be derived from dark web data is training and awareness programs, sold off the back of evidence of security risk. In the face of concrete proof of dark web criminals targeting their organization, it’s much harder for a customer to make the “show me the breach” argument before committing to any additional spending. Now the MSSP can present the evidence that, while the network may not have been breached yet, preventive action is urgently required.

Delivering Dark Web Context

Of course, one understandable hesitation among MSSPs looking to undertake dark web monitoring for their customers is the possibility of alert overload. Is this another threat intelligence source that is going to overwhelm their customers with irrelevant information?

This, however, highlights another benefit of dark web intelligence – unlike other threat intelligence, it is highly specific to the organization. This is because searching the dark web is based on “attributes” of the organization, such as credentials, IP addresses or executive names – as just three examples. This results in two things: context and actionability. Let’s start with the latter.

Threat intelligence is only valuable to a company if it is directly actionable. A generic threat trend report doesn’t help the customer implement new measures that will improve its security posture. It looks to its MSSP to make specific recommendations based on intelligence: we have evidence of X, which requires remediation using Y. For example, if a software vulnerability in a supplier’s technology is being discussed on a dark web forum, the company can take very specific preventive actions — such as alerting the supplier, applying a patch to the software, and actively monitoring the network for signs that an intrusion already has taken place.

As for context, the pre-attack phase of the MITRE ATT&CK framework, which maps defenses against the tactics, techniques and procedures (TTPs) of threat actors, illustrates how dark web intelligence helps companies stop cybercriminal activity earlier in the Cyber Kill Chain.

MSSPs can show how visibility into the dark web gives them coverage of the first two tactics of the framework — cybercriminals’ Reconnaissance and Resource Development — which take place outside of the company’s network. This proves they’re helping the customer take a more proactive approach to security by stopping cybercriminals while they’re still planning their attacks.

Ben Jones started his career in defence and aerospace as an engineer designing unmanned aircraft. He transitioned into cybersecurity after recognising the evolution toward virtual battlefields and the rapid growth of cyber threats to nations, organisations and individuals. Ben co-founded Searchlight Security to help in the fight to protect society from dark web threats. You may follow him on LinkedIn or @SLCyberSec on Twitter.