[Webinar Transcription] DarkOwl and Carahsoft – Darknet Investigations for Government
Recorded April 23, 2026
During this webinar, Jennifer Ewbank, DarkOwl Board Director and Former Deputy Director of CIA for Digital Innovation, and DarkOwl’s Chief Business Officer, Alison Halland, explore darknet data’s threat-intelligence capabilities across government and enterprise environments.
In this interview-based session, attendees gained:
- A forward-looking view of how regulatory frameworks and intelligence practices will reshape cyber-defense requirements over the next decade.
- First-hand perspective on how darknet intelligence informs national-level investigations.
- Deep insight into criminal ecosystem behaviors and the evolving tactics threat actors rely on within anonymous networks.
NOTE: Some content has been edited for length and clarity.
Jennifer – I’ve really been looking forward to this conversation with Alison and great to have all of you who’ve dialed in and welcome to those who watch later in recorded version. To kick us off, I just wanted to observe that I think most people think of the dark web as a place where criminals and conspiracy theorists gather – and I suppose that’s true. But the real story is maybe a bit more interesting and the reason we’re here today is that there’s a bit more utility in it all as well.
So today, we want to pull back the curtain a bit on what’s actually there in the darknet, how serious investigators are using information that is collected there, and why increasingly it matters to all sorts of organizations that may really think that this dark corner of the internet has nothing to do with them. It probably does. So Alison Halland is Chief Business Officer of DarkOwl.
DarkOwl is a fantastic company that maintains the world’s largest commercially available index of darknet content. They turn it into insights and intelligence for governments and enterprises and others who track these things. So, this hour together is a conversation. It’s not a lecture. Please do pop your questions into the chat. We want to know what’s of interest to you, what catches your attention.
So with that preamble, we’re going to turn to a question to kick it off. And really, maybe we should start at the beginning because not everyone spends a lot of time studying the dark web. So, let’s start with the basics, Alison. When we say darknet or dark web, what are we actually talking about? And how does DarkOwl collect from that hidden corner of the online world?
Alison – Yeah, thank you, Jennifer. And a big thank you to Jennifer, who has been so helpful as a board member to DarkOwl and helped us steer both our collection and our product in a way that’s going to help folks conduct these investigations. So, this slide in the background summarizes where DarkOwl collects data from.
So, Jennifer’s direct question was, what is the darknet? And interestingly, we’re in a space where I’m not entirely sure there’s consensus on that. I would say most people would agree that Tor is kind of the tried-and-true darknet source. However, DarkOwl’s take is if there are conversations or criminal activity or, you know, interesting back and forth going on, that is an area that we want to collect from.
So, our definition of dark web and dark web adjacent is sometimes broader than some others in the space. I would directly point to this lower right-hand corner, our direct messaging platform collection. There is no doubt that Telegram is our most requested data source today. Just given that community, what they the talking about, the transient nature of it.
We also get a lot of requests for our marketplace and forum data. That I would definitely highlight as well as an area that, historically, we have a strong collect here – part of that is a reflection of our history and some of the personas that we’ve honed over the years. This is quite frankly a difficult, meaning time consuming, expensive place to collect from. It takes a manual work at the onset. Sometimes other providers will defer away from this area, whereas DarkOwl has traditionally hung our hat on really making sure that we have collected from those forums and marketplaces to make sure that we can illuminate that space for the folks coming in and doing investigations.
Jennifer – Great. Well, thank you so much.
Back where I started, I think most people I talked to about the dark web assume that it’s largely going to be drug dealers and ransomware gangs who operate there. And they do, don’t get me wrong. But is that still really the reality or has this changed in recent years? And what does it look like today?
Alison – It is absolutely an ever-changing ecosystem. The groups and categories you just described flourish in the space, but so do a lot of others. One great example is when people think of dark web marketplaces, they immediately go to narcotics – and narcotics is the most reflected marketplace listing by category in our dataset. However, at least at my time at DarkOwl, the range in what people are selling has grown exponentially. So, you can buy anything from someone’s AWS keys to, I mean, it’s just exploded in terms of what’s being listed there. So, Jennifer, I do think you’re correct that people tend to have a pretty narrow view, but there are so many uses for this data, both on the government and commercial side in terms of understanding how the criminals are acting in this environment. I’m sure there’s folks on this call that have a ton of experience in this space.
And as everyone knows, 2025 was a pretty big year of upheaval for the dark web and, you know, this ecosystem in regards to just so many changes. I mean, when the XSS forum got taken down by Europol, I mean, people don’t just give up – they then move to a different platform, a different forum. There are so many conversations happening in the background at DarkOwl around where are we collecting from next? Are we try to move to the next platform or the next Telegram channel and understanding what those flows and data movements look like is extremely important, as you know, from your previous work, Jennifer.
Jennifer – That’s so true. I just think that the diversity of activity that’s represented on the dark web these days is really noteworthy. I imagine there are those who maybe aren’t as familiar who’d be surprised by some of the entities that are that are operating there, and what they try to do. It’s everything as we’ve said from the criminals to, you know, hacktivists, to you name it, all sorts of bad guys.
Alison – And it’s reflective of like real world events too. When the conflict broke out in Iran, within three or four days DarkOwl added about 140 Telegram channels to our collection. These were either channels that had just sprung up or had kind of recategorized their their purpose and they were reflective of both sides of the war and obviously those are conversations that are pretty pertinent to a lot of use cases.
Jennifer – And you mentioned, you didn’t use this word but how sites come and go, right and this almost is ephemeral nature where they’re moving targets is is that the reality these days to you know authorities kind of glom on to some sort of criminal activity and then they what rebrand move. How do you track that?
Alison – And part of that is we try and be a member of that community so that we understand where things are going, but that is that is absolutely the reality – everything is shifting and changing. Some of these marketplaces will gain a huge following, a huge transaction volume and then overnight they’ll be an exit scam and and those you know that entire marketplaces is gone and those sellers are trying to relocate and a lot of that conversation on where to go, what to do, happens in some of the areas that we’re collecting from. So, we try and be a part of that and follow right along.
Jennifer – I think that’s where your tradecraft and your history really come into play, where you’re able to maintain that collection over time and the insights derived from it. One little kind of asterisk I’ll put on the conversation about what’s out there is just to highlight for folks how the marketplace on the dark web for deep fakes and synthetic personas has just exploded in the last couple of years along with technology developments that make it much more achievable, easily so and less expensive to create fake personas, face images, faces, voices, you name it, entire video packages that you can purchase in an online marketplace just as if it were a regular online store with customer reviews and money back guarantees and all of that kind of stuff. I say that kind of funny way but the reality is pretty grim – how easily one can acquire really sophisticated tools that can defraud a financial entity that can defraud people and then there’s a whole scope of just really personal tragedy out there with non-consensual intimate imagery which is for sale on the dark web. So, lots of things happening there, very little of it good.
Alison – And like the speed of creation with AI on the table is so much faster and you know I think a lot of times folks kind of giggle at the fact that some of the same, all the same marketplace dynamics, are in place like especially in a criminal environment where the only thing you can hang your hat on is you know your reviews or your reputation. So, everything matters in the same way it does if you were transacting legal goods: reviews, reputation, all of that’s really important, so we see a lot of that in terms of how vendors are trying to promote their listings.
Jennifer – Crazy. So, when I was still in government, of course we looked across all these various open source areas as a place where we’re just trying to find some kind of signal in all of that volume of noise, right. We used to talk about a tsunami of data out there and really just trying to figure out what is happening how can you derive insights that are helpful. In the commercial world, of course I see that now every day with companies I’m working with. The thing about the darknet data that I found interesting and that I still find really interesting is just how much, and you’ve touched on this, how much behavioral insight is there, like how do organizations form, how do they operate, how do their businesses operate, and all of that goes far beyond just “hey I’m selling this illegal product.” So, the collection posture I think is really important here and DarkOwl has done a really fantastic job of maintaining those insights.
Let’s go just a bit deeper and think about how darknet intelligence works in practice right. So, you’ve defined what it is given us some examples of the kinds of information that’s out there, the kinds of actors who operate there. I want to think about how the data actually get used – how does darknet intelligence contribute to open-source intelligence investigations and, maybe for me and for all of those who’ve signed in, can you walk us through what an analyst is doing when they’re looking for this information and analyzing it?
Alison – I think a pretty typical workflow is coming into the darknet data set with some sort of indicator or an entity. So, trying to identify a person of interest that may be behind and they may come into that investigation having gotten a username off of traditional social media or an email address from a data leak and then taking that breadcrumb and putting it into the DarkOwl dataset can often be the puzzle piece that’s missing. A lot of the investigations previously, 10-15 years ago, weren’t including this dataset. I think given the structure of the dark web and the fact that folks know that there is some obfuscation happening and that their identity is somewhat protected I think oftentimes they’re a little more loose on what on what they’re sharing or or presenting.
Coming into the dataset with let’s say it’s a username, J EWBANK, and then you pop that into the DarkOwl data and lo and behold there’s a vendor on a marketplace that goes by that same name, or an iteration on it, or there happens to be a Telegram channel that’s focusing on extremism and has a user in there with a similar name and now all of a sudden you have a user ID and you can pivot from there. So, oftentimes it’s coming into the data with an entity and then grabbing one more that you didn’t have previously and either taking that through a different dataset or continuing to follow those breadcrumbs within our data and finding additional pieces of information. There is a whole, especially with the onset of AI and looking at bigger datasets more quickly, there is a whole workflow here around just like migration in conversations and movement and you know obviously there’s not a geolocation ability within our dataset in the traditional fashion but you can do a lot through language detection and you know a lot of other techniques as well to figure out where people might be physically located.
Jennifer – Thank you. You may have already alluded to this, but I think of the darknet as this kind of you know, as this cavernous area with little corners and dark rooms and alleys, and bad dudes and vendors hiding there in the shadows, but is there a particular corner these days somewhere out in there in the darknet that you’re finding particularly productive in terms of supporting investigative activities?
Alison – Yeah, I would point right back to Telegram. That’s just become such a critical collection target for us and we’ve seen a growth in just in terms of volume around records that are being collected. We also interestingly, I will say that, oftentimes a prospect will ask you know how many Telegram channels do you have and my response is often it’s it’s not so much the quantity but the quality because there are groups being stood up for you know non-criminal reasons and making sure that you have eyes on the subset that you’re interested in can be crucial because there is a lot of noise. So, I would point to Telegram absolutely and some of the techniques that we’re using to try and get into those channels. You know these are workflows that can be cumbersome if you’re trying to do it in a manual fashion one-off versus we’re trying to aggregate and use some of those skills so that we can park all that data in a central location and people can query across all different channels versus having to do that in a one-off basis.
Jennifer – That makes a lot of sense, that’s really where I think expertise comes into play because you could see where somebody might just think it might want to have access to like I want them all that that’s not necessarily going to be helpful I think you can be overwhelmed that way – so the quality of the data is always critical.
A related question – the way you’ve described Telegram, it almost seems to me like it’s now serving as different, let’s say different layers of this ecosystem, right accomplishing different things. It used to be just you know hey we’re going to communicate in something that’s relatively private. So, is it a place where for example, when a site goes down, do people kind of bump to Telegram for a while? Is it a place where you see indicators of bad actors planning, and of course it’s a marketplace too, but like do you think of it in that way? Do you think of it as as layers or different functions, or is it just the case that, and this is powerful, but with your collection you can kind of accomplish all of that and you just make sure you’re focused on the high quality data?
Alison – No, I think there’s definitely categories that emerge across it. The three that jump to mind that I know our analysts talk about a lot is the signal layers, so around people signaling hey we are going to do this or have some sort of action, and then there’s definitely a migration layer, when marketplaces go down or forums you know where are we moving what like that becomes the communication channel on you know where are we gonna migrate, and then like you said there is a whole I think of Telegram outside of the dark camp marketplaces, but I probably shouldn’t. There’s so much transaction happening in Telegram channels as well where the sole purpose is to sell in a marketplace fashion, whether it’s, you know, stealer logs or narcotics. So, I would say those three, the signal layer, the migration layer, and then also the marketplace layer would be the three, I think my analysts would highlight.
Jennifer – It’s fascinating because there’s so many different paths that an investigation could take. And I think of the signal layer as being kind of an almost an intelligence layer where you can see what will happen in a sense, right? I think a migration, as an investigative layer, like what’s happening now and the marketplace layer could probably be a forensic layer later. I mean, there are lots of different uses, but I think about them also in a temporal fashion like how do you lay that out across an investigation.
So anyways, fascinating stuff. Let’s go back to the marketplace topic where we kind of landed. And I know that you and your team mentioned to me that you’ve expanded your dark web marketplace collection pretty significantly and you have a new capability that you’re calling ‘Darkmart’, if I’m not mistaken. I’m wondering if you can, oh, there it is. If you can give us a sense of kind of what that is and more importantly for those who are thinking about how open-source intelligence can support investigations, what does this kind of data tell you? What does it reveal?
Alison – We did do a big revamp to our Darknet Marketplace Content, and what I mean by that is our collection was always strong in these areas, but the structure behind the data made the workflows somewhat manual and challenging to say, okay, well, I’m interested in this vendor on this one marketplace. So, what are the first 10 questions you want to ask? Like, well, what other markets are they on? What country do they ship from? What category are they? Do they have listings in? So we have taken all that data on our historical collect and put a lot more structure around it.
There’s an oversight view that I think has been, and this was from direct feedback from our users that has been really powerful in our launch of ‘DarkMart’, which is our word for these darknet marketplaces. And to your direct question, doing these investigations in lieu of the structure was a time consuming process. So, now if you just look at some and choose any one bullet on here, just the ability to sort and sift through all of this marketplace data is a lot easier and more compelling. And what we heard from some of our government clients is there are use cases you could be at, you know, be on the drug enforcement side of the house and you’re specifically tasked with a specific drug versus you could be someone who’s law enforcement in a small five eyes country that’s just trying to view what’s being sold coming out of their country. And those exact asks pre-structuring were hard to discern, whereas now with the marketplace data restructured within DarkOwl, you can do that much more quickly. I could even jump in and show an example of that. But the ability to sort and sift through this has just become so much easier with our new ‘DarkMart’ release.
Jennifer – Well, that’s really powerful, as you say, without structure around the data, you have a richness, the riches of all the collection, but without the ability to gain the insight and I think, or at least not to do it conveniently, and if you’re not an expert, right, you’re, your analysts are all experts can do that, not every company, every entity, every government agency has people who are deeply experienced in that. So, having an interface to help you get there is really important.
Here’s a funny question because people talk about the dark web and the marketplace and such, what did the listings contain? Like, what does that look like? And, and then maybe pivot off that, it’ll become obvious, but how does an investigator use that data?
Alison – So I’m now in our platform right now. So, this is a live view into just the subset of our data that we call ‘DarkMart’. So, we have about half a million listings showing up right now and you can see that we have 83 markets that we’re now capturing in this new structured format. We still have a lot of markets that we’re moving over into this. It’s definitely an evolution. But for instance, if you wanted to just come in and see, you know, you were interested in what category and I mentioned earlier, like most of the listings are in narcotics, but I think all these other subsets are definitely growing in quantity as well.
But let’s see, let’s pop into one market. So, this marketplace, Prime, has categories and vendors selling across all different subsets. So, to answer your direct question, you know, what do the actual listings look like? So, let’s actually wanted to pull up a more expensive one. So, here we have someone. So this, this is a good representation of how we’ve restructured this data.
So, within two clicks, we’re able to see, okay, here’s a vendor that goes by this username. And they were first seen on January 8th of this year. They last changed their listing a couple of weeks ago. And this is what they claim to have the, some source code for Bitcoin. They have a listing. You can contact them. Let’s do business. Not business. So this, this would be pretty typical of a listing. There are also some that contain reviews and we always capture what currencies they’re operating in. So, as we think about this from like a country standpoint, in terms of, what people’s mission is this can be helpful as well.
Jennifer – It’s literally vendor drugs for cheap.
Alison – Yeah. You can also go out into the live market and see what imagery vendors are presenting and what categories are growing. And I think this speaks back to your earlier, kind of that signals layer around, you know, what categories are growing from a marketplace standpoint, which would point to, you know, going back to those items and being like, what are we doing from a protection standpoint that we’re missing if these are so easily fraudulently being sold?
Jennifer – I think that’s another benefit of the restructuring of the data and the interface for users is to get a sense of where the trend lines are and get that insight earlier in the cycle so that you, whatever your role might be somewhere, you can really start planning for it.
Alison – In pretty short order, you can see the use cases both across government and commercial in terms of just what these listings look like. And as you mentioned earlier, and, you know, I won’t spend the time digging through a lot of these, but you can pretty quickly find someone for very cheap selling, you know, deep fakes, like you said, or access and all of these vendors are starting to specialize just like we do in industrial economy. So, that time to execute is so much shorter.
Jennifer – Crazy. So, you mentioned earlier, I can’t remember the name of the vendor you mentioned, but you mentioned one of the big ones that was taken down in ’25. And so what happens when a major vendor does get taken down? I mean, I assume they pop up again somewhere else, but what do you see? What’s the normal pattern there?
Alison – Yeah. I just clicked on one of our vendors that we have in our marketplace. You can see that this vendor is, we believe, is active on 25 different markets. And you can see the number of listings as well. So, you know, the hypothesis there under the scenario you just described would be that if any one of these markets was either taken down by law enforcement or had a exit scam that those listings would migrate somewhere else. So, with this new restructuring, that is something we can absolutely track as things ebb and flow. And you can do it both at the vendor level. We’ve also had some of the shipping companies ask us to do it across and we have an awesome blog on our site around what is the preferred shipping method for criminals, which if you are, you know, working at one of those companies, whether it’s government backed or commercial, understanding why you’re being selected to ship those drugs versus someone else is important. The aggregation of this data can be really powerful and is something you can do today that wasn’t as easy prior to our data restructuring.
Jennifer – That’s awesome. It’s both scary but also really fantastic that the capability exists and that there are smart people working on all this stuff. I think also passing earlier, you mentioned Infostealer, kind of malware and it’s one of the big stories in cybersecurity is really the explosion in this kind of malware. I’m wondering, could you maybe spend a moment and let our colleagues online here understand what is DarkOwl seeing on the dark website of all of that dynamic?
Alison – Yeah, absolutely. I mean, the number we are asked about Infostealer logs on multiple times a day and that is an emerging space. I have some stats written down here that Infostealer has infected over 11 million machines in 2025, estimate that it produced about 3 billion stolen credentials. And that’s such a easy way for people to transact and probably the most traded commodity on the darknet. And the thing about the Stealer logs is they can bypass MFA entirely. I think there’s a lot of movement happening around people trying to protect against that. But in the meantime, the understanding that data is out there is very timely because they can be exploited almost instantaneously. So yes, Infostealers is a huge category. And I don’t see that decreasing. If anything, I think it will continue to grow and grow as people move away from traditional passwords.
Jennifer – Yeah, I think the credential side is where a lot of the action is. And is, so, you know, everything is as a service these days? So, is this an area as well? Have they jumped on the bandwagon? Is it malware as a service and all that?
Alison – Yeah. I don’t have it handy right here, but there’s malware as a service subscriptions that start as low as $30 a month. So yeah, the specialization and the execution and frankly the price is coming down precipitously.
Jennifer – You see that I think across all of these, let’s just say more nefarious corners of the web where the “as a service” is exploding. You’ve had ransomware as a service. Now malware as a service, specifically credentials, deep fakes as a service. Everything’s a service these days. Even criminals are innovating, right?
Alison – Yeah. There’s, I mean, we have one of, I would say probably one of our most frequently visited, or some of our most frequently looked at telegram channels are those that are selling, stealer log subscriptions. And you and I in preparation for this call, were talking about how as recently as January, there was a researcher that discovered that database containing like 150 million login password pairs. And they think it was compiled entirely from Infostealer operations. So, that gives you a sense for the scale.
Jennifer – So I, you know, intuitively, I gather that there’s a specific connection here in the supply chain for ransomware. And I’m wondering, you know, what, what does that supply chain look like for, for bad actors in the ransomware, ransomware world? Say that three times fast.
Alison – Yeah, in the same way that all the market dynamics work on the customer service side, you know, the same exists from a supply chain standpoint. think a pretty typical supply chain workflow would be that the infostealer harvest, like they grab the credentials, then the initial access broker would like package those up and sell them on a marketplace or on one of those telegram channels. And then the ransomware operators buy those, that access. And then they get in and grab the files and then, you know, approach company and say, yeah, here’s what I have and, and pay the ransomware. So, it’s definitely, and we talked about this earlier, the specialization is happening in the same way it’s happening for all of us on the right side of the fence.
Jennifer – Yeah, exactly. Thank you.
Like all things, I have to assume that the dramatic improvements in generative AI are having a big impact in this area. Is that correct? I mean, is that accurate to assume that AI is also fueling this pipeline?
Alison – Yes, absolutely. And you know, they also have the advantage of not having to ensure that those AI deployments are being done in an ethical or safe or sort of consumer-friendly way. So, some would argue that, that speed of adoption is even faster in this ecosystem.
Jennifer – Let’s scope out a little bit, zoom out. Around the world, we’re seeing a lot of interest in regulatory action around the space. Leak, you know, legislation, like Europe’s been very active in these, these related categories with all sorts of protections on data and the models that are used for AI and lots of other things. And in here in the States, of course, the SEC has its own filing requirements for those who will fall prey to ransomware and other cyberattacks. But I’m just wondering if one does agree that there’s an upsurge, uptick in interest in regulatory and legislative actions in this space. Does that change the calculus for companies, organizations, government agencies and departments on the kinds of intelligence or insights that they would want to collect from the darknet?
Alison – I think there’s a shift happening or it’s already happened from a reactive to more of a proactive intelligence posture. I’m going to date myself a little bit, but I’ve been at DarkOwl coming up on either 10 or 11 years, and I remember one of the first demos I ever did was with a CISO and, and she said to me, I don’t think I want to know if the information’s out there. And, you know, I think that was, knowing was not, knowledge was not power at that time. That was potentially, oh, no, we haven’t done our job as an organization, or we haven’t protected our information. Whereas in today’s world, you can just walk the floors of any cyber conference, the number of TPRM and third-party risk management providers has skyrocketed. So, the responsibility and the onus to know not only what’s out there, but how it got out there, and have that proactive angle of like, I’m hiring a vendor in this category. You know, are they reputable? Do they have exposure is becoming the norm? Compared to what it was previously.
Jennifer – Now, that makes a lot of sense. Ultimately, it just seems wherever one is in this ecosystem on the right side of the fence, as you say, your ultimate goal is to collapse the timeline between exposure of data and vulnerability, and the bad actor’s ability to use it against you. And having that insight, particularly from deep collection and kind of an interface and analytic framework around it would be super helpful. And unlike the CISO that you met years ago, I think more and more CISOs and cyber defenders today are eager to get those insights so that they can be prepared before the bad day happens. That makes me think though, because you mentioned the CISO and others working in cyber defense and risk. Is there something about the darknet threat landscape that you think they consistently or that many consistently underestimate?
Alison – Um, yeah.
Jennifer – You know, some key aspect of it, you wish people would understand better or maybe they just don’t have the insight yet.
Alison – It’s that the old methodology is we just need to kind of protect our own four walls, batten down the hatches and whatever’s happening outside is not telling or informative. And that is not the case. The darknet can be very much a leading indicator of what that exposure looks like, where those vectors of attack might be coming from. Demonstrating and making sure that people have visibility is extremely important, not just that they responded correctly to an attack.
Jennifer – And attacks are far more, intrusions are far more, sophisticated and subtle and multi-layered than they were even just a few years ago and I think understanding the threat environment and the threat environment around all of your partners and vendors and anything in your supply chain is really critical because you’re only as secure as the weakest link in that chain.
Alison – Yeah, not only like the weakest link, but the speed at which that stolen data moves from exposed to exploitation is fast.
Jennifer – That timeline is collapsing pretty dramatically. I think if you go back just a few years when a vulnerability was identified and publicized in order to get patches, you had time, right? Today that timeline is really collapsed with the power of AI and how bad dudes can manipulate that to get an exploit out of a vulnerability through reverse engineering. It’s really, really rapid.
So lots of value out there in this kind of information. And I think really relevant to investigators and analysts across a broad range of functions. So, we’ll turn to our friends and colleagues who’ve dialed in in a moment, but maybe last kind of question forward-looking, right? So, let’s look out over the next couple of years and if you had to, your crystal ball, how does that threat landscape evolve? And as we’ve touched on once or twice already, how does AI fit into that picture? Both for, let’s say the threat actors who are out there, how is it gonna help them? But also for defenders because we want to defend.
Alison – My short answer would be that this category of data will continue to be a very integral part of investigations. I think historically has been either overlooked or bypassed because it was hard to aggregate and look through this data alongside other data, but that’s where AI is gonna be so powerful in that respect. Do I think if we did the same webinar five years from now that Telegram would be where everyone was communicating? Probably not. I think that where all that happens, I think we’ll continue to flux, but there will, I don’t see any scenario where this data isn’t an important piece of the puzzle. And I think looking at the bigger puzzle is a much easier task with some of the amazing developments that are happening in AI, so that organizations like the one you work for aren’t that timeline to figuring out or getting some intelligence that could lead to an action or investigation should be shorter as well, not just the criminals are gonna benefit from AI.
Jennifer – Yeah, thank you. We don’t want them to benefit but the defenders need to benefit. So, we’ve spent about 45 minutes and we’ll turn to questions here in a moment, but if let’s just say it for the folks who’ve dialed in and maybe later for those who watch on the platform, is there something you think that someone should go do? Like if they return to the office, is there something that they might take away from this conversation? Is there an action that would be helpful for them?
Alison – The low hanging fruit is out there. Go get a dark web risk assessment done, understand what information both of your own as an individual or your organizations is out there. And that will give a lot of insight into where, I think that would be the one task I would do in short order. And then if there are folks on the phone that are doing investigations in this space, I would just think about time and energy spent having someone who can aggregate this information and make it searchable and queryable is gonna be a good use of that skill set so that those analysts continue to connect the dots but aren’t spending 20 minutes waiting for a tor page to load.
Jennifer – Yeah, exactly. So, I wanna encourage anyone who’s on the call to drop a question in the chat. I have it up on my screen here, we’ll watch for those.
You know, not every organization is big with a wealth of resources, right? And a lot of small organizations out there that might have more limited both capabilities due to fewer staff and resources in terms of money. But is there an entry point for smaller organizations when it comes to darknet data and intelligence?
Alison – Absolutely, and oftentimes, from a just pure economic standpoint, the price point of a dedicated darknet tool for a smaller medium business might not be feasible but there is dark web data going into everything from larger thread intel platforms to MSSPs. I think we all know that those small and medium businesses are oftentimes the target just as much as the bigger ones, just given that actors know that they don’t have the security posture of a bigger firm. So, I do think there is, not only can this data help a small and medium business, but I think there are more ways for them to get that today given that this data is being fed through a lot of different layers, not just directly.
Jennifer – Now, I think the vulnerability of small and medium size enterprises is really something that needs much more attention and I add into that group, charitable organizations, hospitals, schools, community colleges, lots of places that you wouldn’t think should be huge targets but they’re lucrative targets for the ransomware world because they’re often less defended and criminals go back there because they’re successful. So, a really important area, I think, for dark web data to help give insights into what the threat landscape reveals about their organizations.
There are a lot of companies out there who offer a variety of different kind of threat intelligence insights. And everyone’s kind of packaged differently, they do different things. Is there differentiation there? I mean, there are some big names out there that I won’t mention, but how in that environment are these capabilities differentiated or are they all the same?
Alison – No, they’re definitely not all the same and I think it comes down to, you know, depth of collection in any one area and the structure and usability of that data. And there’s some, there are a lot of folks aggregating threat intel from all different data sources. I think DarkOwl, one of the reasons I love our mission is that we are so committed to staying focused on this space and continuing to provide compelling data. It comes off the dark web and not trying to spider into other areas. So, we’re often turned to fill that plug for other organizations. But yes, everyone has pros and cons. I mean, it’s a big Venn diagram and we’re a data provider and there’s gonna be overlap with others, but there’s oftentimes a delta between a lot of the different providers.
Jennifer – Awesome. I’m gonna ask maybe another question. While we wait to see if anybody has something that is burning in their minds. So, I don’t mean this one to sound like a challenge, right? But I’ve heard this question. So, you talked about personas and the collection and over time. Are you ever asked about the legality of all of that? And I know more.
Alison – Yes. All the time, oftentimes from people applying to jobs, how are you able to legally do this? You know, we’re, I think the title of this webinar and the tech expo that we’re attending next week, it’s all around OSINT, open-source intelligence and DarkOwl skill resides on the fact that this data is hard to get to and it’s hard to find and it’s time consuming to get to. But at the end of the day, it is open-source information. So, we are able to legally collect this because it’s defined as open source. It may be hard to get to. You may have to create a login or become part of a community, but that’s the definition and we follow DOJ guidelines and we don’t purchase stolen data. We don’t go behind firewalls. So the data that we hold is ethically collected and considered open source.
Jennifer – Great. I knew that, of course, being on the board. But I just wanted others who might have that question, because I’ve heard that question before too. So, I just wanted others to hear directly from you.
And then maybe as a final question just because of the world I came from before coming into the private sector, my sense is that nation-state actors out there use a lot of the same darknet infrastructure as the criminals do. A, I guess, is that accurate? And B, are there areas where those two worlds overlap most directly?
Alison – I mean, yes, in terms of targeting the US. I was in preparation for this looking up some stats and IBM X-Force produced a report that said that North America is now the most attacked region for the first time in six years. So, from a nation-state perspective, there is no doubt that the targets on our back may be more so than ever an understanding that all of these ecosystems support those nation-state actors as well as the reality.
Jennifer – I think that reflects a growing sense that I’ve had or insight that I had in government too. But it’s clearer now that how a lot of these activities, these illicit activities against companies and organizations in the country really have a national security flavor to them these days and kind of teasing apart what is a national security threat, what is a commercial threat, what’s an economic threat. These days, that’s harder and harder because it’s just, it’s all interconnected in a way that’s really powerful today.
So, I think we are nearing the end. Maybe Allison, is there any last bit of advice or observation you want to offer for those who’ve dialed in?
Alison – I do want to share with folks that we, DarkOwl, will be attending the OSINT Tech Expo next week, which is being hosted by Carisoft at their office in Reston, Virginia. So, if anyone on the call is attending, and correct me here, Gabi I think if they’re a government employee, they’re able to attend either a free or at a reduced cost. But anyway, I just wanted to highlight that. We will be attending. And if any folks want to see the data set live, I’d be more than happy to do that for anyone.
Jennifer – Well, that’d be fantastic. In the notes, I’m going to call an audible here and ask if maybe Gabi can help us in the notes afterwards just to make clear, to specify how people can look for that expo. I see it’s on the screen here, but maybe in the notes later, it’ll be helpful as well. OK, so I want to say thanks to Alison who sat here through an interrogation for almost an hour and answering question after question. I really thank all of you as well who signed in to listen today and then welcome those who watch on the platform later.
And I should take a special note here as well for Carahsoft for hosting and organizing the webinar. And if folks walk away with maybe one thing, there’s lots in what Alison had to say. But I think for me, I would just note that the dark web is no longer, dark web data is no longer something just for a few specialized investigators. I think with the advent of new tools and ability to query and analyze the data, I think it becomes a much more useful capability for a broader range of folks in government and in industry. And so it’s kind of your live feed, if you will, on how the criminal ecosystems are changing and how the threat landscape is changing. And ultimately, whether you’re in government or industry, it should give you a better optic into how you protect yourself. You monitor the threat landscape in order to protect yourself and your friends and allies. So, we will make sure that there are links to all the DarkOwl resources in the notes later. And as Gabi said, if somebody has a question that didn’t get answered during the webinar, DarkOwl will be happy to answer it after. And everyone hopes to see as many of you as possible at the OSINT Expo being hosted by Carahsoft at the end of the month. So OK, I think with that, I’ll turn it over to you.
Alison – Thank you, Jennifer. I just want to thank you personally. You’ve been so helpful to DarkOwl and the pace at which you operate in a post-retirement state and amount of businesses and speaking engagements and you still have your finger on the pulse and I’m very grateful that you’re on our board. So, thank you.
Jennifer – Oh, thank you. It’s a pleasure, and you’ve got a great team. Great team, great product.
