Extraction of Valuable Dark Web Intel Requires Unusual Skills

Gal Genut, vice president of Intelligence and Operations division, Intsights. Photo: Gilad Kavalerchik

 

The optimal way of locating intelligence on the dark web is a hybrid approach that combines manual searches and automatic algorithms, according to Intsights executive Gal Genut. He says online threats are here to stay, so we need to make sure that we have the right tools to prioritize our resources.

Locating pearls of intelligence in the depths of the dark web is a challenge for even experienced analysts.  

It requires the right balance of manual and automatic methods because the dynamic of the "clear" web does not exist there, as Gal Genut of Intsights pointed out on January 30 at the Cybertech Global 2020 conference.

"There is no Google-like search engine. It's not indexed. So if you want to learn and identify trends and specific acts in the dark web, you need to do something unusual," said Genut, vice president of the company's Intelligence and Operations division.

He oversees the daily operations of the company's analysts and research teams.

One way to locate intelligence is the manual approach. "In this methodology you can find analysts or researchers trying to explore the dark web, looking for different forums and trying to do queries and looking for different assets of their clients or their interests. They explore and they go from one forum to another and have their own index of interesting sources," according to the executive.

Genut said there are a lot of advantages to this approach because the analysts and researchers use the best tool that exists, the human mind, and they find very interesting data. But there are also disadvantages. For example, it is very difficult to scale this approach and it is not easy to monitor the dark web 24 hours a day, seven days a week, he said.

Another way of finding intelligence is the automatic approach that mainly involves collecting data and creating very big offline databases. But to create these databases it is necessary to find the right sources. This approach, Genut said, is mainly an effort "to create tools for scraping and crawling and jumping from one source to another." The collected data is analyzed using such methods as big data, algorithms, artificial intelligence, and machine learning. "The big goal here is to find the needle in the haystack, to try to find, from all of this data, the one alert that really counts."

"I think any intelligence expert will tell you that you can't measure intelligence by kilos. The weight doesn't matter. Sometimes one intelligent alert is the only thing that's relevant. That's why you need to find one thing in this big pile of data, and it's very complicated," Genut said.

According to the executive, the optimal way of locating intelligence is via a hybrid approach that combines manual searches and automatic algorithms. He said balance is very important in order to make sure that you have the right intelligence, and that's why each company in the industry tries to find the proper middle ground.

While some threat intelligence companies claim to have access to "thousands of sources and forums," or "hundreds of intelligence feeds," it should be pointed out that large numbers are not a guarantee of high-quality intelligence. Most of the time, a lot of sources means a high percentage of false positives, "so it's not about the quantity, it's about the quality," he said.

One of the strategies used by analysts at Genut's company is engagement of the threat actors. "We need to be proactive. Try to go to the threat actors, talk to them, engage them, understand them, sometimes fool them and try to infiltrate the right places to make sure that we have the right information."

It is impossible to resolve all of the threats, so prioritization is important, the executive said.

"The threats are here to stay and the threats are evolving each day and that's why we need to make sure that even though we can't handle it all, we have the right tools to prioritize our resources and make sure that we do the best thing, the most important thing at the right time."