Tread Lightly with Threat Intel Add-Ons

Like leather upholstery for your new car, add-ons to your threat intelligence service are hard to resist. But Chris Camacho of Flashpoint* says “buyer beware”: threat intel add-ons may be more trouble than they’re worth.


If you’ve ever shopped for a new car, you’re likely familiar with the dizzying number of add-on features available—from custom paint jobs to built-in navigation systems. These features are enticing for an obvious reason: they enable you to customize your car to your preferences, and often at a reasonable price point.

Security Ledger Sponsored Content

Add-ons exist for more than just cars, of course. They’re increasingly available in the threat intelligence market, particularly with respect to datasets. Deep & Dark Web (DDW) data add-ons have grown especially prevalent in recent years, but as with any security-oriented product or service, these offerings aren’t suitable for everyone. Here are some key factors to consider before purchasing a DDW data add-on for your intelligence program:

Chris Camacho, Flashpoint
Chris Camacho is a VP of Strategy at Flashpoint.

Add-on = automation

Regardless of the offering, a hallmark of add-ons is once they are brought to market, vendors can usually continue to offer them at scale without impeding operational efficiency or marginal revenue. Car dealers are able to offer so many different add-ons because car manufacturers can quickly and easily produce and supply them to meet demand, for example.

This concept also characterizes DDW data add-ons, most of which employ automation in certain areas to boost efficiency and minimize manual effort for both the vendors and their customers. A common example is automated alerting features that notify users in near real-time when a preselected keyword—such as the name of a company, shareholder, or product, for example—is identified within an add-on dataset.

[Figure: emerging threat graphic, Flashpoint. Caption: Buyer beware is the right approach to add-ons to threat intelligence services, writes Flashpoint’s Chris Camacho in this industry perspective.]

Data collection is another area where automation often comes into play. Fully automated data collection is common among add-ons and often praised for its efficiency, but this type of collection does have certain limitations. Specifically, automated collection is typically only possible for DDW data that exist within relatively accessible sources, such as some of the larger DDW marketplaces and lower-tier forums. Although these types of sources can and do support many intelligence operations, they represent only a fraction of the DDW communities in which adversaries operate, illicit activity occurs, and valuable data are present. Despite promising advancements in recent years, accessing and collecting data from various other types of DDW communities requires a caliber of human expertise that automation alone can’t yet mimic.

Closed sources such as invite-only forums, for example, are largely inaccessible to all but the most sophisticated adversaries and highly skilled analysts. Because many of these forums don’t operate in English, gaining access requires extensive linguistic expertise. And in most cases, fluency in certain languages isn’t enough. In order to earn the trust of forum administrators who are responsible for vetting and granting access to new members, analysts also need a keen grasp on the social and cultural nuances that exist within these highly exclusive communities.

Until automation becomes capable of replicating such skills, the many DDW data add-ons that employ fully automated collection will likely be unable to provide visibility into closed or otherwise highly exclusive sources.

Deriving value from DDW data is a hands-on process

In addition to being relatively painless for vendors to offer at scale, threat intelligence add-ons are also promoted as self-sustaining utilities. For instance, if I purchased leather upholstery as an add-on with a new car, it would almost certainly bestow comfort and aesthetics for years and with very little, if any, maintenance required.

DDW data, unfortunately, does not provide that kind of self-sustaining utility. Collecting threat intelligence data that is valuable, relevant, and drawn from an adequate breadth of sources requires substantial resources and human expertise. But so does deriving value from such data. Regardless of its source, DDW data must be thoroughly analyzed, contextualized, and processed into intelligence—and ideally, finished intelligence—before it is suitable for consumption. But in most cases, DDW data add-ons contain little more than, well, data: data that has likely not been vetted for accuracy and relevance and that may also lack context.

As a result, intelligence practitioners seeking to purchase DDW data add-ons should be prepared to invest time and resources into analyzing and processing such data to make it suitable for consumption. Some programs have the ample resources and expertise necessary to operationalize and produce finished intelligence from massive quantities of data with limited external support, but many do not.

DDW data is not one size fits all

The new-car analogy embodies another characteristic inherent to most add-ons: uniformity. If my neighbor buys the same car with the same leather upholstery as me, for example, it should provide him with the same level of comfort, aesthetics, and overall utility that it provides me.

Uniformity also tends to underpin DDW data add-ons because, as I mentioned, most are based on fully automated collection strategies. As a result, these types of offerings typically contain similar types of data from similar types of sources. But while the intelligence practitioners who purchase these offerings usually do so for the same reason—to help satisfy their operations’ intelligence requirements (IRs)—it’s crucial to remember that IRs, and the types of data needed to satisfy them, can vary immensely across programs, organizations, industries, and so on.

In other words, DDW data is not one size fits all—and neither are collection strategies. Keep in mind that your IRs lay the foundation and set the direction for the entirety of your intelligence operation, so it’s important to find a vendor that understands your IRs and, ideally, can tailor its collection strategy to them as necessary. Instead of relying solely on automation and taking a hands-off approach with customers, these vendors typically have agile and iterative collection capabilities, provide highly skilled and accessible customer support, and specialize in DDW data and intelligence.

As someone who has spent much of his career striving to better understand the DDW and how to operationalize it, I realize how confusing this can all be. But rather than let the proliferation of DDW data add-ons and the myriad similar offerings exacerbate this confusion, we must remember that every successful intelligence operation starts with the right data. And while obtaining this data is rarely easy, the considerations outlined in this article should help you make a more informed decision about which DDW data offerings are suitable for your needs.

(*) Flashpoint is a sponsor of The Security Ledger. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
