Dark web threat intelligence

Dark web threat intelligence

Though the dark web sounds scary and dangerous (and it can be), it’s also a platform where Internet security practitioners can learn an enormous amount about the latest threats.

In this article, you're going to be looking at the dark web and the tell-tale signs to help improve your organisation’s defence against threats, attacks and incidents. 

Hooded hacker in front of computer screens 

The dark web/darknet

The dark web or darknet is the area of the deep web, accessible using the Tor (the onion router) browser, (or Freenet, or I2P: Invisible Internet Project), that acts to anonymise usage and hide the existence of the network and network activity

Onion routing, for instance, uses multiple layers of encryption and relays between nodes to achieve this anonymity. 

Dark web sites, content, and services are accessible only over a dark net. While there are dark web search engines, due to the anonymous nature of dark web services, many sites are hidden from them. Access to a dark web site via its URL is often only available via ‘word of mouth’ bulletin boards like Pastebin or Reddit. 

Investigating these dark web sites and message boards is a valuable source of counterintelligence. The anonymity of dark web services has made it easy for investigators to infiltrate the forums and webstores that have been set up to exchange stolen data and hacking tools. As adversaries react to this, they are setting up new networks and ways of identifying law enforcement infiltration. Consequently, dark nets and the dark web represent a continually shifting landscape. 

Very few cyber-criminals work alone. It’s alleged that 80% of cybercrime is linked to criminal collectives, and stolen data-shaped goods surface rapidly on deep/darknet forums and marketplaces following cyber security incidents where data loss is sustained. 

Given this situation, dark web threat intelligence is critical to security decision making at any level. It’s possible to gather information on exploits, vulnerabilities, and other indicators of compromise, as well as insight into the techniques, tactics, and procedures [TTPs] that cyber-criminals use. 

Understanding emerging threat helps us to develop mitigation techniques proactively. Dark-source intelligence can also help with identifying criminal motivations and collusion before attacks occur. It can even aid in attributing risks and attacks to specific criminal groups. 

Stand-up meeting with person explaining a point to fellow colleagues.

How to identify darknet security risks?

Looking out for some typical signs can make it easier to recognise darknet security risks. Dark web forums often sell company specific fraud guides, this can indicate an attack is imminent. Another sign is cyber-criminals posting individuals' personal data as a way of putting a company at risk.

Patterns of dark web activity can reveal an attack in progress, planned attacks, threat trends or other types of risks. Signs of a threat can emerge quickly, as financially driven hackers try to turn stolen data into profit within hours or minutes of gaining entry to an organisation’s network. 

Security operations centre and analysing intelligence

Once an instance of this kind is identified, the collected data should then be identified and sent through a human analysis process at a Security Operations Centre (SOC). The SOC team’s aim is to discover, analyse, and respond to cyber security incidents using technology solutions and special investigatory processes. The context rich threat intelligence that SOCs supply can reveal many different forms of risk. 

SOCs look at various sources of intelligence to identify and anticipate fresh threats, some of which follow below.

Organisation or industry discussion

Among the key risk factors and threats are mentions of an organisation’s name in forum posts, Pastebin sites, channels, or chatrooms. Contextual analysis can determine whether threat actors are planning an attack or actively possess stolen data. 

Personally identifiable information (PII) exchange

When a breach has occurred, the sale of PII, personal health or financial data or other sensitive information can be indicative of an attack. A single data record can sell for up to £20. This data is generally stolen from large organisations, such as credit agencies like Experian and banks, so a few thousand credit card numbers can turn a huge profit.

Credential exchange

Lost or stolen credentials were the most common threat action used in 2021, contributing to over 20% of data breaches, according to the Verizon report. The presence of usernames and passwords on Pastebin sites or marketplaces can indicate a data breach but contextual analysis is required to determine whether this is a recent compromise or recycled data from a prior incident.

Information reconnaissance

Social engineering tactics are employed in over 50% of attacks. Open and closed-forum exchanges between individual threat actors and collectives can reveal who is conspiring in these types of attacks.

RaaS (Ransomware as a Service)/phishing/smishing attack coordination

As smishing, phishing and whaling attacks become more sophisticated, dark web threat intelligence can reveal popular techniques, tactics and procedures, as well as risks. Threat actors can now purchase increasingly complex phishing-as-a-service software kits but if defenders are familiar with them, they can better educate users and put the right controls in place.


Although malicious insiders cause fewer breaches than simple human error, the dark web is an established hub for criminal collectives to recruit employees with network credentials, for a sophisticated attack.

Trade secrets and sensitive asset discussions

Trade secrets and competitive intelligence are another lucrative aspect of threat actor commerce, and these can signal risks to SOC researchers. In one recent incident reported by CNBC in July 2018, a likely Russian cyber-criminal sold access to a law firm’s network and sensitive assets for $3,500. Having had that information ahead of time could have saved the victim time, money, and reputational damage.


As you have learned, the dark web can supply us with a huge amount of useful information. Using this intelligence, you can better prepare your network against attacks, which is essential to your remit.

What's next?

After examining the dangers of the dark web, in the next Course, you’ll be examining the risk management life cycle and its treatment.

1h 4m

In this course, you’ll be looking at numerous aspects of the risk matrix including the risk and threats involved in big data, the Internet of Things (IoT), the dark web and social media. You'll also be exploring threat intelligence, unified threat management (UTM), and security risk. You'll also see how you can use open-source intelligence (OSINT) and Dark Web Threat Intelligence to help you establish, improve and refine your risk treatment. All of this ensures that your organisation is protected from and alert to the constantly evolving series of information security threats. 

However, before you go on to threat management, let's first review risk and see how it relates to cyber security. 

About the Author
Learning Paths

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.