You may have seen that we’ve recently released Shadow Search, a new tool that gives you immediate access to both raw and curated intelligence from the open, deep and dark web. Whether you’re in a security operations, threat intelligence, or fraud role, the ability to search across criminal forums, dark web marketplaces, or criminal Telegram channels without worrying about your own operational security is pretty powerful. Now imagine combining this with finished intelligence reporting, bulk WHOIS information, vulnerability databases and indicator feeds. That’s exactly what Shadow Search does.
However, there’s a lot more to Shadow Search than simply the access to a vast range of sources. Here are my top ten tips for getting the most out of Shadow Search.
- Filter your searches. Make the most of the vast coverage of different sources by refining your searches. You can filter by source type and date range, and then use Boolean operators to combine these with keywords or phrases. When setting up searches, try entering “type=” to filter by these different source types (see below). The returned search results can then be filtered by time, relevancy, or source type.
- Set up alerts to save you time. You don’t want to be repeating the searches you care about every day. If there’s something you want to continuously monitor for, you can save the search and set up alerts that will be delivered to your email inbox. Think of it as Google Alerts, but with sources more relevant to your day job. You can then choose how often alert mentions are delivered (Immediate, Daily, Weekly or Monthly). If you don’t want to receive email alerts but still want to keep up to date, you can also opt to re-open tabs the next time you run a search. For example, you might want to set up alerts for any activity by a username that you have previously observed selling access to corporate databases within your industry.
- Extract and export observables. Configuration files for banking trojans such as Trickbot are often posted on paste sites. Not only will Shadow Search enable you to detect these, but it also parses IP addresses, domains, and other observables out of them, which you can then export in CSV format. (It’s worth noting at this point that all Shadow Search information is also available through our API.)
- Enrich searches with our “Highlight and Pivot” feature. When you’re in the middle of investigating something, it’s likely that you’ll spot an identifier you’ll need further context around. You can highlight and pivot on any search term within our portal, enabling you to enrich your search with sources like Webroot, AlienVault, PhishTank and Cylance Infinity. For example, you may have identified an IP from a suspicious domain and want to know what external sources have mentioned this IP address.
- Toggle between results, summary, and timelines views. I like my information to be presented in different formats, as pages of mentions aren’t always useful for distilling information and trends. You can toggle between views to see summary pages and timeline views. This is great for including in reports you may be working on. You can see the summary and timelines for “thedarkoverlord” below.
- Identify exposed credentials. Consider entering your company’s email domain, and setting up alerts for any time credentials are exposed online. While you’ll need the full SearchLight™ subscription to detect credentials exposed on closed sources, this is a great starting point to give you visibility into exposure on criminal forums, dark web pages, or paste sites.
- Use insight from the deep and dark web to prioritize vulnerabilities in your third-party software. You can search for mentions of CVEs to develop an understanding of where cybercriminals are developing or sharing exploits online. As Shadow Search allows you to granularly filter by source type, you get back high-fidelity results. You can monitor sites like 0day to identify exploits against software your business uses. For example, here I’ve combined 0day’s onion address with AND and any mentions of SAP.
- Stay on top of breaking news by monitoring your favorite news and blog sites. We all like to focus on criminal forums and dark web pages, but news sources can often be just as valuable. Search for topics that interest you, and get alerted on a cadence that suits you. For example, I might want to know about any revelations that relate to “ransomware” on bleepingcomputer[.]com, or anything from krebsonsecurity.com.
- Expand screenshots to save you time. Our spiders take screenshots of the pages they index, which means you don’t need to waste time booting up your virtual machine to access the page itself. Click on the magnifying glass to view the full screenshot.
- Quick access to recent and saved searches. If you forget to save a particular search term, don’t worry. Simply clicking in the search tab allows you to view your recent and saved searches. This is particularly useful if you have used the “highlight and pivot” function and wish to recall the suspicious IP addresses you searched for.
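Two of the tips above, extracting observables from a paste (tip 3) and spotting exposed credentials for your own email domain (tip 6), come down to the same job: pull IPs, domains and email addresses out of messy text, undo the defanging that posters use (`[.]`, `hxxp`), and export what you found. The script below is an added example in Python that does this locally; it is not Shadow Search code and does not use the Shadow Search API. The paste text, the `examplecorp.com` company domain and all addresses in it are constructed placeholders.

```python
import csv
import io
import re

# Constructed sample paste (not real data): a Trickbot-style config dump with
# defanged indicators and a few leaked credential pairs mixed in.
SAMPLE_PASTE = """
TrickBot config dump (constructed sample, not real data)
<srv>203.0.113.10:443</srv>
<srv>198.51.100.23:449</srv>
c2 backup: hxxp://update-check[.]example[.]net/gate.php
panel: exampleonionaddr.onion
leaked: alice@examplecorp.com:Winter2019!
leaked: bob@examplecorp.com:hunter2
leaked: carol@mailhost.test:password1
see also krebsonsecurity.com
"""

# Dotted-quad IPv4 with each octet limited to 0-255.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
# Simple e-mail address: local part @ dotted host with an alphabetic TLD.
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}\b", re.I)
# Whole URL; group 1 captures only the host so paths like /gate.php are
# never mistaken for domains.
URL_RE = re.compile(r"\bhttps?://([^\s/:\"'<>]+)\S*", re.I)
# Bare hostname: one or more labels followed by a letter-only TLD or .onion.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:[a-z]{2,}|onion)\b", re.I)


def refang(text: str) -> str:
    """Reverse common defanging so the regexes above can match."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    text = re.sub(r"\[at\]", "@", text, flags=re.I)
    return text


def extract_observables(text: str) -> dict:
    """Return sorted, de-duplicated IPs, domains and e-mail addresses."""
    text = refang(text)
    ips = set(IPV4_RE.findall(text))
    emails = {m.lower() for m in EMAIL_RE.findall(text)}
    hosts = {h.lower() for h in URL_RE.findall(text)}
    # Drop e-mail addresses and full URLs before the bare-domain pass so that
    # mail-provider domains and URL path components are not reported.
    remainder = URL_RE.sub(" ", EMAIL_RE.sub(" ", text))
    domains = {d.lower() for d in DOMAIN_RE.findall(remainder)}
    for host in hosts:
        (ips if IPV4_RE.fullmatch(host) else domains).add(host)
    return {"ip": sorted(ips), "domain": sorted(domains), "email": sorted(emails)}


def exposed_credentials(text: str, company_domain: str) -> list:
    """E-mail addresses at the company domain that appear in the paste."""
    suffix = "@" + company_domain.lower()
    return [e for e in extract_observables(text)["email"] if e.endswith(suffix)]


def to_csv(observables: dict) -> str:
    """Serialise the observables as a two-column CSV (type,value)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["type", "value"])
    for kind, values in observables.items():
        for value in values:
            writer.writerow([kind, value])
    return buf.getvalue()


if __name__ == "__main__":
    found = extract_observables(SAMPLE_PASTE)
    print(to_csv(found))
    print("exposed:", exposed_credentials(SAMPLE_PASTE, "examplecorp.com"))
```

The order of the passes matters: e-mail addresses and URLs are cut out before the bare-domain regex runs, otherwise the mail host of every leaked credential and every URL path would show up as an indicator and pollute the export. Swap `SAMPLE_PASTE` for text you have pulled down yourself and the CSV drops straight into a spreadsheet or a blocklist review.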
We also have a new demo video here:
I hope you find these tips to be useful, but let us know if you have any more questions. Email us at [email protected] or try Shadow Search for yourself on Test Drive.
To stay up to date with the latest Digital Shadows (now ReliaQuest) threat intelligence and news, subscribe to our threat intelligence emails here.