Open-source intelligence (OSINT) has earned its place at the cybersecurity table. For many tasks it is as valuable to security teams as paid, proprietary intelligence. Among other things, OSINT can be combined with threat actor profiling to hunt down initial access brokers (IABs).
IABs are cybercriminals who make a living by gaining unauthorized access to corporate networks and then selling that access to other threat actors. The most lucrative market at the moment is ransomware: brokers sell footholds to the operators and affiliates who specialize in those attacks. The IAB gets paid without taking part in the follow-on intrusion, while the buyer concentrates on the attack itself without having to do the work of getting in.
The Basic Premise of Hunting
DarkOwl experts explain that threat actor profiling is a practice that allows security teams to better understand their adversaries. Applied to IAB hunting, the basic premise is simple: use every available open-source channel to find IABs and learn how they operate. Typical channels include:
- Dark web forums
- Telegram channels
- Dark web marketplaces
Dark web marketplaces are the clearest example of why an OSINT threat actor investigation pays off. IABs are in the business of stealing and selling network access, and marketplaces are where that access is listed, which makes them reliable hunting grounds.
Combining OSINT collection with threat actor profiling lets investigators attribute listings to specific broker handles and learn their pricing patterns, targeting preferences (sector, country, company size), and even the access types and attack vectors they favor. With that knowledge, defenders can act pre-emptively, for example by revoking credentials suspected of being sold and hardening the services being advertised.
A Closer Look at the Details
Taking a closer look at OSINT threat actor profiling reveals why it is so useful for hunting IABs. For starters, profiles built from OSINT data track IAB tactics, techniques, and procedures (TTPs). Sales records, auction details, and forum posts then let investigators tie those TTPs to specific threat actors.
OSINT threat actor investigations also support proactive hunts by correlating broker ads with an organization's own assets. If a listing describes a victim whose country, sector, revenue, and host count match yours and offers VPN access, and your external scan shows an exposed VPN, that is the cue to review that VPN's logs for anomalous logins before the buyer acts on the access.
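The two ideas above, building per-broker profiles (pricing patterns, targeting preferences, favored access types) and correlating listings with your own asset inventory, can be put into a small script. The following is an added example written for this article; it is not code from DarkOwl or from the article's author. The listings, broker handles, prices, and the organization profile are all constructed for illustration, and the field-per-line ad format, the scoring rules, and the review threshold of 3 are assumptions: real listings are free text and the parser would need adapting to whatever forum you collect from.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample of broker advertisements in a field-per-line style.
# These are NOT real posts: the handles, figures and prices are made up.
SAMPLE_ADS = [
    "[seller: hypothetical_broker_01] Access: VPN (SSL-VPN) | Country: US | "
    "Industry: healthcare | Revenue: $250M | Hosts: 1200 | Price: $3000",
    "[seller: hypothetical_broker_02] Access: RDP | Country: DE | "
    "Industry: manufacturing | Revenue: $80M | Hosts: 300 | Price: $800",
    "[seller: hypothetical_broker_01] Access: Citrix | Country: US | "
    "Industry: logistics | Revenue: $1.2B | Hosts: 5000 | Price: $15000",
    "[seller: hypothetical_broker_03] Access: VPN | Country: US | "
    "Industry: healthcare | Revenue: $300M | Hosts: 1500 | Price: $6000",
]

SELLER_RE = re.compile(r"\[seller:\s*(?P<seller>[^\]]+)\]")
MONEY_MULT = {"k": 1_000, "m": 1_000_000, "b": 1_000_000_000}


def parse_money(text):
    """'$250M' -> 250000000, '$1.2B' -> 1200000000, '$3000' -> 3000."""
    m = re.search(r"\$?\s*([\d.,]+)\s*([kKmMbB])?", text)
    if not m:
        return 0
    value = float(m.group(1).replace(",", ""))
    return int(value * MONEY_MULT.get((m.group(2) or "").lower(), 1))


def parse_ad(text):
    """Turn one listing into normalized fields; missing fields stay empty/zero."""
    m = SELLER_RE.search(text)
    if not m:
        raise ValueError("listing has no seller tag")
    fields = {}
    for part in text[m.end():].split("|"):
        key, _, val = part.partition(":")
        if key.strip():
            fields[key.strip().lower()] = val.strip()
    return {
        "seller": m.group("seller").strip(),
        "access": fields.get("access", "").lower(),  # e.g. 'vpn (ssl-vpn)'
        "country": fields.get("country", "").upper(),
        "industry": fields.get("industry", "").lower(),
        "revenue_usd": parse_money(fields.get("revenue", "")),
        "hosts": int(re.sub(r"\D", "", fields.get("hosts", "")) or 0),
        "price_usd": parse_money(fields.get("price", "")),
    }


def seller_profiles(ads):
    """Per-seller pricing and targeting profile built from parsed listings."""
    by_seller = defaultdict(list)
    for ad in ads:
        by_seller[ad["seller"]].append(ad)
    profiles = {}
    for seller, items in by_seller.items():
        access_counts = defaultdict(int)
        for ad in items:
            access_counts[(ad["access"].split() or ["unknown"])[0]] += 1
        profiles[seller] = {
            "listings": len(items),
            "avg_price_usd": mean(ad["price_usd"] for ad in items),
            "countries": sorted({ad["country"] for ad in items}),
            "industries": sorted({ad["industry"] for ad in items}),
            "preferred_access": max(access_counts, key=access_counts.get),
        }
    return profiles


# Constructed inventory for a hypothetical organization (not a real company);
# external_services would come from your own attack-surface scan.
ORG_PROFILE = {
    "country": "US",
    "industry": "healthcare",
    "revenue_usd": 280_000_000,
    "hosts": 1400,
    "external_services": {"vpn", "owa", "citrix"},
}


def match_score(ad, org):
    """Score 0..5 for how well the advertised victim fits org (assumed rules)."""
    def in_band(a, b):
        return bool(a) and 0.5 <= a / b <= 2.0
    access = (ad["access"].split() or [""])[0]
    checks = [
        ("country", ad["country"] == org["country"]),
        ("industry", ad["industry"] == org["industry"]),
        ("revenue band", in_band(ad["revenue_usd"], org["revenue_usd"])),
        ("host count band", in_band(ad["hosts"], org["hosts"])),
        (f"exposed {access}", access in org["external_services"]),
    ]
    reasons = [name for name, ok in checks if ok]
    return len(reasons), reasons


def hunt(raw_ads, org, threshold=3):
    """Return (seller, score, reasons) for listings that plausibly describe org."""
    hits = []
    for raw in raw_ads:
        ad = parse_ad(raw)
        score, reasons = match_score(ad, org)
        if score >= threshold:
            hits.append((ad["seller"], score, reasons))
    return hits
```

Running `hunt(SAMPLE_ADS, ORG_PROFILE)` flags the two healthcare/VPN listings for review while ignoring the German manufacturing RDP sale, and `seller_profiles` shows that the first broker lists only US victims with VPN as its most common access type. A hit is a reason to pull VPN authentication logs and look for logins from unusual geographies or ASNs, not proof of compromise; the bands and threshold here are starting points to tune against your own false-positive rate.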
Tracing Cybercriminal Supply Chains
Perhaps one of the least talked about benefits of hunting IABs with OSINT threat actor profiling is the ability to trace the entire cybercriminal supply chain. Although difficult in practice, the principle is easy enough to understand.
In the hands of a skilled investigator, OSINT threat actor profiling maps the full chain by following the handoffs from IABs to their customers. Whether a customer is a ransomware affiliate or an espionage actor, tracing the chain exposes the relationships and operational flows between the parties. In effect, it shows the outline of an attack before it happens.
Profiling also uncovers large-scale operations that might otherwise be missed. Profiling a known broker may, for example, surface a bulk auction of hundreds of compromised networks at once. Tracing that supply chain sheds light on everything from the geography of the victims to sectoral trends, giving security teams a better basis for prioritizing risk.
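Once handoffs have been recorded (seller, buyer, what was sold, when), following the chain and spotting bulk sales is a graph and windowing problem. The script below is an added example for the two paragraphs above, not code from the article's author or from DarkOwl. Every handle, date, sector, and country in it is constructed and describes no real actor or victim; the record layout and the bulk-sale rule (three or more handoffs by one seller inside seven days) are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed handoff records, the kind an analyst pieces together from
# listings, "sold" marks and later forum activity. All handles, dates and
# victim attributes are made up; none describes a real actor or organization.
# (seller, buyer, buyer_role, victim_sector, victim_country, date_sold)
HANDOFFS = [
    ("hyp_iab_C", "hyp_iab_A", "reseller", "retail", "US", date(2024, 2, 28)),
    ("hyp_iab_A", "hyp_affiliate_X", "ransomware", "healthcare", "US", date(2024, 3, 2)),
    ("hyp_iab_A", "hyp_affiliate_X", "ransomware", "healthcare", "US", date(2024, 3, 3)),
    ("hyp_iab_A", "hyp_affiliate_Y", "ransomware", "education", "CA", date(2024, 3, 3)),
    ("hyp_iab_A", "hyp_espionage_Z", "espionage", "defense", "DE", date(2024, 3, 20)),
    ("hyp_iab_B", "hyp_affiliate_Y", "ransomware", "manufacturing", "DE", date(2024, 4, 1)),
]


def build_graph(records):
    """Directed graph of the supply chain: seller -> set of buyers."""
    graph = defaultdict(set)
    for seller, buyer, *_ in records:
        graph[seller].add(buyer)
    return graph


def downstream(graph, origin):
    """Every actor reachable from origin by following handoffs, transitively,
    so a broker-to-broker resale still leads to the eventual attacker."""
    seen, stack = set(), [origin]
    while stack:
        actor = stack.pop()
        for buyer in graph.get(actor, ()):
            if buyer not in seen:
                seen.add(buyer)
                stack.append(buyer)
    return seen


def trace_chain(records, origin):
    """Summarize the sub-chain rooted at origin: who the access ends up with,
    and the sectors and countries of the victims passing through it."""
    sellers = downstream(build_graph(records), origin) | {origin}
    chain = [r for r in records if r[0] in sellers]
    return {
        "handoffs": len(chain),
        "buyer_roles": Counter(r[2] for r in chain),
        "sectors": Counter(r[3] for r in chain),
        "countries": Counter(r[4] for r in chain),
    }


def bulk_windows(records, window_days=7, min_count=3):
    """Flag sellers that hand off min_count or more accesses within window_days,
    the signature of a bulk sale rather than one-off listings (assumed rule)."""
    by_seller = defaultdict(list)
    for r in records:
        by_seller[r[0]].append(r[5])
    flagged = []
    for seller, dates in by_seller.items():
        dates.sort()
        for i, start in enumerate(dates):
            n = sum(1 for d in dates[i:] if (d - start).days < window_days)
            if n >= min_count:
                flagged.append((seller, start, n))
                break  # report the first qualifying window per seller
    return flagged
```

Tracing from `hyp_iab_C` follows its resale to `hyp_iab_A` and on to that broker's ransomware and espionage customers, so the summary counts five handoffs, three of them ending with ransomware affiliates, and three US victims. `bulk_windows` flags `hyp_iab_A` for three sales inside a week, which in real data is the cue to look at what else that seller listed in the same window.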
Each Practice Makes the Other Better
OSINT threat actor profiling and IAB hunting can be practiced separately, and many security teams do just that. Combined, however, each makes the other better.
If security teams are going to hunt IABs anyway, they might as well do it with open-source tools. By combining their hunting efforts with OSINT threat actor investigations, they stand a better chance of finding both the IABs and the customers buying the stolen network access.