top of page

Practical Advice for Effective Threat Exposure Detection Across the Clear and Dark Web

This guest post was contributed by Mark MacDonald, Flare

Mark MacDonald, Flare

Curating the detection of threat exposures across the clear and dark web can seem daunting. The internet is vast, so where do you even begin? Thankfully, there are a few basic steps companies of any size and security maturity level can take to progress towards effective threat exposure management.

Define Priority Intelligence Requirements (PIRs)

"Wisdom is knowing what you don't know." - Socrates

Originally a military concept, PIRs are critical in cybersecurity and exposure management because they answer the fundamental question: "What do we need to know?" Surprisingly, many businesses haven't taken the step to define their PIRs. While it can be intimidating for security teams that don’t have especially mature security or threat intelligence operations (many PIRs include technical intelligence like Indicators of Compromise (IoCs) and MITRE ATT&CK TTPs, or threat actor profiles), developing basic PIRs is crucial. This informs what types of threats to look for across both the clear and dark web.

For example, a hospital should monitor for any signs of stolen patient data being leaked on the clear or dark web, as this violates healthcare laws such as the Health Insurance Portability and Accountability Act (HIPAA). A simple PIR for a hospital could be: "We need to know whenever our patient's data is either deliberately or accidentally exposed on the clear or dark web." Monitoring dark web sources, such as ransomware data leak blogs, is a good starting point, as these are likely places for patient data to appear. Additionally, scanning the clear web for documents related to the hospital is prudent.

In contrast, a major retail brand like Adidas or Pepsi might have different PIRs focused on brand protection. With significant investments in major sporting events like Euro 2024 and the Paris Olympics, these brands need to monitor for counterfeit products or fraudulent websites imitating them. As global events approach, the likelihood of such threats increases. Retailers should keep an eye on online chatter and activities indicating potential threats to their brand reputation.

PIRs don't have to be over-thought or overly prepared to start. They can start as simple as a spreadsheet listing the top ten most critical things you need to know from a cybersecurity perspective, evolving from there.

Prioritize Identity Threat Exposures

“In this era, the focus has shifted to logging in rather than hacking in.” - IBM X-Force Threat Report

Consider how much data is hosted within enterprise SaaS suites such as Microsoft 365, Google Workspace, Salesforce, or Atlassian. Practically speaking, the only thing standing between a threat actor and that data are identity controls.

For most organizations, prioritizing the detection of identity threat exposures, such as leaked credentials or stealer logs, adheres to the 80/20 rule, which suggests focusing on tasks that yield the majority of results. Since the use of stolen credentials was the most observed action across all breaches in 2023 according to Verizon, monitoring for and mitigating identity threat exposures is likely to provide the most significant benefit.

Understand the Levels of Identity Threat Exposures

It's important to understand that not all identity threat exposures are created equal. At a high level, there are three tiers of identity threat exposures, each with varying probabilities of exploitation:

  • Tier 1: Widely Available Leaked Credentials: These credentials are often outdated or widely circulated, posing a lower risk of exploitation.

  • Tier 2: Fresh Breaches (Username + Password): More recent breaches with up-to-date credentials represent a moderate risk.

  • Tier 3: Stealer Logs: The highest risk, including usernames, passwords, active session cookies, browser history, and more. These are highly exploitable, often sold quickly, and have been the root cause of recent breaches impacting Ticketmaster and Santander Finance.

Leverage Automation for Threat Detection and Response

The detection and response to identity threat exposures can be significantly enhanced through automation. Integrating SIEM (Security Information and Event Management), SOAR (Security Orchestration, Automation, and Response), XDR (Extended Detection and Response), and/or cloud active directory systems can streamline the process and enable rapid response times.

What’s Next?

Starting with a clear understanding of your organization's knowledge gaps and defining PIRs sets the foundation for effective threat detection. Prioritizing identity threat exposures, especially leaked credentials, will be highly impactful for most security programs. Once these are in place, you can widen your threat exposure detection scope to include things like ransomware data leak blogs, brand mentions on the dark web, cloud service data leaks, and more.


bottom of page