Threat intel is like a puzzle. You need to assemble the puzzle and get to the full image as quickly as possible. One of the main challenges many MSSPs face in leveraging intel is that even with a rich data set, event data, Indicators of Compromise (IoCs) and extensive reports, they are still missing crucial puzzle pieces that clarify the image. And even if all of the puzzle pieces are on the table, not all teams are equipped to orient and assemble them quickly. At the same time, criminals are working with the full picture and mixing up the pieces to make it hard on the good guys.

Josh Lefkowitz, CEO of business risk intelligence firm Flashpoint, says the piece that historically has been missing or misunderstood is the Deep & Dark Web. It’s essentially the "crucible" where assets -- PII, data, malware -- are combined, weaponized and augmented for greatest effect: the chicken to standard intelligence’s egg, so to speak. What partners need, says Lefkowitz, is the ability to take foundational intelligence and infuse it with targeted criminal context and tendencies. Overlaying this view onto the current one, and providing partners with active tools to guide an investigation, not only clarifies the context and urgency of real risk as it pertains to accumulated intelligence, but also advances their ability to be proactive and even predictive in controlling security planning and response.

Which is all well and good, but what, exactly, is the Deep & Dark Web, and why are the threats it poses so unique? We sat down with Lefkowitz to find out.

What’s going on in cybersecurity (both on the attack and defend sides) that is changing the game?

Threat actors continue to demonstrate their ability to adapt their tactics to circumvent new countermeasures. When it comes to malware, for example, we’ve seen cybercriminals in the Deep & Dark Web actively developing new strains designed to bypass common anti-fraud controls and exploit unpatched vulnerabilities. We’ve also seen that as organizations implement more stringent and comprehensive defenses, some threat actors are turning to schemes that are less-sophisticated yet still very effective.

Business email compromise (BEC) is a good example of this. By leveraging socially-engineered emails to convince employees to transfer funds to an adversary’s account, BEC has become the costliest type of cybercrime. These scams are so lucrative largely because BEC emails typically do not contain malware, which means they often bypass organizations’ network security solutions and land in employees’ inboxes. BEC is also one of many threats causing more organizations to expand the scope of their security strategies beyond traditional approaches based on indicators of compromise (IoCs) and toward risk-focused programs rooted in actionable, contextual intelligence.

Indeed, risk-focused programs are also gaining traction across all sectors in response to adversaries’ shifting capabilities and targeting strategies. While cybercriminals have traditionally been known to target individuals, many of today’s adversaries are recognizing that the organizations that employ or are frequented by these individuals tend to be more lucrative targets. In many cases, adversaries have gained access to an organization’s systems and/or information by exploiting its employees, contractors, or third-party vendors. We’ve observed such scenarios give rise to more complex and multifaceted threats such as extortion, insider threats, intellectual property (IP) theft, supply chain vulnerabilities, and even large-scale cyber attacks, among others.

Another shift we’ve noticed is a growing overlap between the cyber and physical threat landscapes. Just as we saw with the WannaCry ransomware attack that locked hospitals out of their systems and consequently prevented patients from receiving care, threats originating in the cyber domain can and sometimes do have serious physical ramifications. The good news is that as more organizations come to realize this harsh reality, many have begun to integrate intelligence in a manner that bolsters not only cybersecurity but also physical security and all other business functions across the enterprise.

Why aren’t IT professionals and channel partners able to build a better defense?

Defending against the full spectrum of cyber and physical risks facing today’s organizations requires actionable, contextual intelligence. However, such intelligence can be difficult to come by -- especially given the confusion and opacity surrounding the market for intelligence offerings. As I mentioned, many organizations have traditionally relied on IoCs to inform their security strategies. While IoCs can and do play an integral role in helping cybersecurity teams detect threats, such an approach should really be just the beginning. Keep in mind that even though countless threats exist, they’re not all relevant to all organizations. Sometimes organizations are so focused on detecting cyber threats that they lose sight of which threats -- cyber or physical -- are actually relevant.

It’s also important to emphasize that IoCs focus exclusively on detecting threats -- not addressing overall risk. After all, risk is a function of three factors: threat, likelihood, and potential impact. The likelihood and potential impact of a particular threat can vary by organization. Relying on a solution that fails to provide proper context into these factors can lead to threats and vulnerabilities falling through the cracks.

What should partners who service SMBs be learning about these high profile attacks on larger enterprises?

It’s crucial for organizations to recognize that while high-profile cyber-attacks can and obviously do happen, there are plenty of lower-profile yet still damaging threats that need to be addressed. As I mentioned, BEC -- though unsophisticated and far less newsworthy than, say, ransomware -- has yielded billions of dollars in damages in recent years. Organizations are far more likely to encounter BEC scams and other types of lower-tier cybercrime than to face a large-scale ransomware attack.

But regardless of size or vertical, organizations with the most effective defenses tend to be those that A) promote a culture of security awareness and ensure all employees practice stringent OPSEC and InfoSec; B) proactively seek visibility into relevant cyber and physical threats via actionable, contextual intelligence -- primarily that which is gleaned from high-value sources in the Deep & Dark Web; and C) integrate such intelligence in a manner that serves not just cybersecurity teams but all business functions. Doing so decreases “risk blind spots” and ultimately equips organizations with a decision advantage over threats and adversaries.

Now that we have a broad idea of the landscape, let’s talk about the Deep & Dark Web. What is it exactly? What goes on there? Why has it been “missing or misunderstood” in the cybersecurity conversation?

It’s important to distinguish between the Deep Web and the Dark Web because while they do share many characteristics, they aren’t one and the same.

The Deep Web refers to the broad swath of the Internet that traditional search engines cannot access. In addition to housing vast amounts of mundane -- and often benign -- data, the Deep Web is also home to password-protected forums, chat services like Internet Relay Chat (IRC), file sharing and P2P technologies such as BitTorrent, and the entirety of the Dark Web.

The Dark Web is a subcomponent of the Deep Web that is only accessible to users who have installed specialized browsing software, such as Tor or I2P. Many forums, websites, and marketplaces on the Dark Web offer highly-anonymized environments for those seeking to conduct malicious activities and purchase illicit goods and services.

Together, the Deep & Dark Web (DDW) remains the key source for invaluable data and intelligence pertaining to a wide range of cyber and physical threats, fraudulent activities, and malicious actors. While more organizations are recognizing the critical need to incorporate intelligence derived from these online regions into their security and risk strategies, some might be tempted either to obtain such intelligence themselves by using their own in-house teams and capabilities, or, to engage with companies that don’t have the linguistic and cultural understanding of the DDW.

What are the risks associated with the deep & dark web?

A wide range of cyber and physical adversaries all use the DDW to varying degrees. In this sense, the DDW in and of itself doesn’t pose a risk; it’s the actors whose malicious schemes are developed within it that do. These risks are often multifaceted and range from nearly every type of cybercrime to more complex risks pertaining to, for example, physical security, fraud, insider threats, M&A due diligence, third-party vendor risk, and supply chain integrity, among many others.

However, organizations seeking to access and glean intelligence from the DDW without the proper tools and expertise do face increased security risks. Many communities within the DDW are difficult to access and, above all else, built on trust. If a less-experienced analyst, for example, practices poor OPSEC and accidentally exposes their identity within one of these communities, the analyst and their organization could be subject to everything from retaliatory doxing and swatting to destructive cyber-attacks or even physical threats.

What is Flashpoint’s mission, and what gaps does it fill in the current security market?

At Flashpoint, we strive to deliver Business Risk Intelligence (BRI) to empower business units and functions across organizations with a decision advantage over potential threats and adversaries. Our sophisticated technology and human-powered analysis enable enterprises and public sector organizations globally to bolster cybersecurity, confront fraud, detect insider threats, enhance physical security, assess M&A opportunities, and address vendor risk and supply chain integrity.

We launched our Flashpoint Intelligence Platform because no other product offered what we, as intelligence analysts, really needed: persistent, scaled, targeted visibility into the Deep & Dark Web. By fusing our analysts’ subject matter expertise with our engineers’ sophisticated automatic tooling, our platform delivers actionable, contextual insights that enable organizations across all sectors to gain a decision advantage over adversaries and mitigate a broad spectrum of cyber and physical risks.

We designed our API to make both the Flashpoint Intelligence Platform and BRI more customizable and accessible within an organization’s own technologies. API v4 facilitates the integration of our Finished Intelligence, Deep & Dark Web data, and Risk Intelligence Observables (RIOs) datasets. Comprising high-fidelity technical indicators with additional context, RIOs equip organizations with deeper insights into activities extending beyond traditional IoC-centric datasets.

Our API v4 also provides immediate benefit to our Strategic Partner Network by enabling them to create custom integrations for their platforms and enrich analysis for their customers. Our Global Channel Program allows our reseller and distribution partners to extend the benefits of BRI to more organizations worldwide. By delivering high visibility into threats, Flashpoint’s datasets and API v4 enable our partners to empower their users -- experienced and entry-level alike -- with the context they need to make better decisions about risks posed by cybercrime, fraud, and other physical and cyber threats relevant to them.

There are so many vendors out there touting their solutions as the be all and end all in cybersecurity. Why should people trust what Flashpoint is saying?

We have been mapping uncharted regions of the Internet for over a decade. Our multilingual intelligence analysts’ expertise and intimate familiarity with the Deep & Dark Web afford exclusive access to these impenetrable communities. They also use the same tools and datasets as our esteemed customer base, which currently represents leading organizations across 20 different verticals and a distinguished network of over 50 partners globally.

We’re also pioneers of Business Risk Intelligence (BRI) and have successfully helped our customers and partners leverage BRI to address an unmatched variety of diverse and complex use cases pertaining to cybersecurity, fraud, insider threats, physical security, M&A due diligence, vendor risk, and supply chain integrity, among many others.