Flashpoint’s Hunt Team: Shedding Light on the Cutting Edge of Cybercrime

By Christopher “Tophs” Elisan

All too often, cyber-defense measures protect only against known threats. But since threat actors operating on the deep and dark web (DDW), encrypted chat services, and other covert channels are constantly developing new methods in order to catch their targets off guard, organizations assume considerable risk in taking a reactive stance.

The cybercriminal underground is not a black box with unknowable inner workings, but the knowledge, skills, and technology required to observe these secretive online spaces exceeds the scope and capabilities of all but a select few experts. For this reason, Flashpoint’s Global Intelligence Team has a dedicated unit known as the Hunt Team that specializes in tracking down the newest threats emerging from illicit communities, enabling customers to be proactive about managing risk.

The Hunt Team’s work covers considerable breadth and is malleable to customer needs, but some of the core challenges they help defenders address include the following:

Emerging Cyber Threats

Once their investigation is complete, analysts produce finished intelligence reports that provide customers technical and contextual details—such as infection vectors, motive, monetization methods, relation to other cyber threats, potential impact, and indicators of compromise (IOCs)—as well as recommended mitigations.

Evolving Tactics, Techniques, and Procedures (TTPs)

It’s a common mistake among defenders to think of cyber threats from only a technical standpoint. Cybercriminals are humans too, and understanding the rationale, methodology, and infrastructure behind their actions is crucial to outsmarting them.

Our Hunt Team analysts are well aware of this. So as they scour for emerging cyber threats and new collections sources, they remain cognizant of the big picture—how their observations relate to recent and historical findings—to identify bellwethers of change within the threat landscape. And on an ongoing basis, the team shares these insights in the form of finished intelligence reports spanning a broad range of topics, from changes in ransomware targeting methods to fraudsters’ adaptation to EMV implementation, thus informing customers’ long-term defense strategies.

Threat-Actor Movement

Influenced by myriad factors, including law-enforcement takedowns, sociopolitical developments, and the introduction of new security technology, the online venues through which threat actors conduct their operations are always changing. To cite a well-known example, following the July 2017 takedown of the prominent AlphaBay and Hansa marketplaces, many threat actors have moved toward decentralized channels such as encrypted chat services, a trend which continues to this day. 

The migration of threat actors to new—and often less centralized—online spaces can throw a wrench in efforts to monitor emerging threats. For this reason, the ongoing expansion of Flashpoint’s collections across the DDW and encrypted chat services is a core element of the Hunt Team’s operations. In addition to supporting their investigations and reporting, the team’s efforts to expand Flashpoint’s collections enhances the breadth and depth of our alerting capabilities and API-integrated datasets on an ongoing basis.

To learn more about our Hunt Team analysts’ responsibilities, their professional backgrounds, and the customer use cases they support, contact us.