SOCRadar® Cyber Intelligence Inc. | The What, Where & When for Effective Dark Web Threat Hunting


Jul 05, 2021
5 Mins Read

The What, Where & When for Effective Dark Web Threat Hunting

Many companies worldwide have implemented dark web monitoring tools to detect emerging cyber risks proactively. However, hunting threats on the dark web is an extremely skillful and accurate work to prevent discovery without your cover revealed.

The collection and analysis of data is a cyclical and non-linear process known as the intelligence cycle. Intrusive intelligence can include malware capabilities, new tactics, compromised technologies, and instructions for future attacks. The data search can be carried out by web bots that are in use around the clock. 

Threat hunting has become increasingly important for companies that want to keep up with the latest cyber threats and respond to potential attacks. As the cybercrime ecosystem evolves, cyberattacks have become more complex and creative, tailored to the industries and organizations they target. Attackers research, prepare and seek information about their targets before attacking. 

Implementing a good threat hunting strategy can help companies identify emerging threats and protect themselves from targeted attacks. Threat hunters assume that an adversary is behind a system and launch an investigation to find unusual behavior that indicates the presence of malicious activity. Hypothesis-based investigations can trigger new threats from a large pool of crowdsourced attacks identified and provide insight into the latest tactics, techniques and procedures of attackers (TTPs). 

When a threat intelligence platform identifies an external source or target for abnormal behavior on the network, it’s dark web scanner and threat information database can identify malicious actors involved in this behavior. As such, it can be a data loss prevention system, a threat protection system for insiders. When threats from the dark web are detected, it raises the alarm in the surveillance dashboard. 

Data loss prevention and threat protection system that includes a dark web scanner. Prevention of account takeovers and threat information databases derived from dark web scans. Threat intelligence service, which includes dark web scanners and information sources. 

New generations of security technologies are able to detect a larger number of advanced threats than ever before. Automated detection techniques are predictable, but nowadays attackers are aware of this and are developing techniques to bypass, bypass and hide behind automated security tools. The top threat-hunting services have a three-pronged approach to detecting attacks

There are three key questions for detecting new risk sources and potential attack indicators: What? Where? When? They may sound apparent, but it can often be rather difficult to answer these questions from our experience dealing with clients throughout the world.


Figure 1 – The What, Where and Where for Effective Threat Hunting (Source:

A common perception is that state actors involved in APT campaigns work in solitude and carry out their destructive attacks as secretly as possible, rendering preventive intelligence measures against them useless. Perfect surveillance can lead to the initial phase of an attack not being detected, e.g., Passive reconnaissance or armament. This happens when an organization leaves no trace in the infrastructure. 

The cyber threat hunting area has been set up to counter advanced malicious activity. To qualify as a threat a bad actor must have malicious intentions, skills and the ability to carry out his attack. 

Effective threat search begins with a foundation of planning, baselining, and hypotheses conducted by experienced cybersecurity experts. In a digital operating environment, companies need to improve their game with cyber risks in terms of investment in people, education, awareness, and infrastructure. 

This is a focused, iterative approach that can be used to identify and eliminate cyber threats that evade traditional security tools. These threats include attacks and malware that infiltrate corporate networks and lead to stolen intellectual property and personal information. 

For instance, SOCRadar recognizes that publicly available personal information can be used by hackers to gain access to their or their employer network, targeted phishing campaigns, leaked credit card information and dark web exploits of fraudsters. 

The Dark Web is an anonymous, non-indexed part of the Internet that is not accessible through standard browsers or search engines. It is an opaque realm that most people never want to visit and which we assume will not affect our lives. 

Although the dark web is not synonymous with cyber criminality, it still poses a significant risk to businesses and employees. Knowledge of this information can provide companies with ways to mitigate these threats. 

Businesses need to take proactive measures to detect these types of threats, which puts them first when it comes to countering them. When you start hunting for threats on the dark web, you should select sources that are relevant to your business category. Private message boards and platforms for disrupting business are targeted attacks on sectors, individuals, and businesses, such as environmental groups, that discuss how to disrupt operations or hold demonstrations at office sites.

SOCRadar’s research team ventures into the dark web to investigate the ransomware capabilities of our customers. Our dark web hunting services search the surface and the deep dark web to identify and detect nefarious activities targeting your organization. Intelligence services that threaten the dark web include workflows and machine learning to detect abnormal behavior on the network.

Discover SOCRadar® Community Edition for free

With SOCRadar® Community Edition, you’ll be able to:

  • Discover your unknown hacker-exposed assets
  • Check if your IP addresses tagged as malicious
  • Monitor your domain name on hacked websites and phishing databases
  • Get notified when a critical zero-day vulnerability is disclosed

Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets.
Try for free