March 21, 2025

Or, watch on YouTube

Attendees of this webinar, hosted with Carahsoft, learned about how in today’s world, Open Source Intelligence (OSINT) plays a critical role in uncovering threats and mitigating risks by leveraging publicly available information. This webinar dove deep into the practical side of OSINT investigations, focusing on how dark web data can be strategically utilized to enhance threat detection and risk assessment for organizations.

During this webinar, the Director of Intelligence of Collections at DarkOwl, demonstrated the power of DarkOwl Vision through real-world examples, including:

• Tracking stolen credentials from a recent data breach
• Monitoring dark web marketplaces for insider threats
• Identifying emerging cybercrime trends
• Analyzing chatter on forums to predict potential attacks
• Protecting executives and high-profile individuals

Participants gained hands-on insights into gathering, analyzing, and interpreting OSINT data, with a focus on applying dark web intelligence to solve real challenges.

NOTE: Some content has been edited for length and clarity.

---

Erin: Hi everybody. I am the Director of Intelligence and Collections at DarkOwl and I’m going to talk you through some background on the dark web and some OSINT investigations.

What we’re going to cover today, I’m going to give you a little bit of background on who DarkOwl are, what the dark web is, why it’s important, how we can use it in OSINT. And I’m going to do a couple of use cases and walk you through some examples of what we see on the dark web and how you might be able to use it for OSINT.

A bit of background about DarkOwl. We’ve been around since 2014, but collecting data I would say from the dark web in earnest since around 2017-2018. So, our goal is to collect data from the dark web so people are able to use that data for their investigations and to protect their organizations. We allow people to do that in a number of different ways, so you can access data through our platform Vision, which I’ll be showing you how to use today, but we also have APIs and data feeds which allow you to access dark web data, and the idea really is challenging to access the dark web, and also it can be against policies and violations to access it. It’s not easy to access and there are things on there that you might want to avoid. So we allow you to access that data in a secure way.

What kind of data do we have? We have layers of the deep and dark web as well as some surface web, although we are primarily a dark web company. Everything that you see here in red is something that we do collect from. We’re always looking to increase our coverage though and look at other areas where we see criminals, cyber threat actors, insider threats, people proposing violence, operating. So, we’re always on the lookout for other areas that we can collect from. But as I said, we’re primarily dark web, TOR, onion sites is where we get most of our data from, but we do also collect some surface websites, things like Doxbin, paste sites, certain forums where we see extremist activity being discussed, as well as underground criminal forums and markets and discussion boards. We also collect from Telegram and Discord. We see a lot of criminal activity operating in those areas. And this just gives you a breakdown of the volume of data that we have.

I believe there’s a polling question up on the board for you now. And that’s just to highlight, are there any messaging apps you’re seeing as part of your investigations at the moment that you would like to have more coverage of. As I mentioned, we do cover Telegram and Discord, but we’re always looking for other options. So please fill that in. You can have multiple choices. But going back to the slides, you’ll see that we’ve got a large volume of data that we collect. We have been collecting since 2017, and we do not remove any historical data because that can still be important to your recent investigations. And so, you can see the numbers that we have here. We also extract particular entities, so email addresses, IP addresses, credit cards and crypto addresses that can help you with your recent investigations. And we also have a large volume of data leak records that we’ll talk about in a little bit more detail.

And this is just to give you an overview of how our ecosystem works. We do have the Vision UI where you can access all of our data as well as APIs. We have several API products that allow you to generate scores and risk assessments based on the exposure that an individual has as well as context information about our data leaks.

And we also provide darknet services. So, for those that don’t have the resources and/or do not have the experience working with the dark web, we are able to do investigations and OSINT investigations on your behalf and produce reports regarding whichever you’re investigating. So, this is our Vision UI, it supports Boolean logic, it has darknet data within it, and it can also be used for alerting, but I will go through that in a lot more detail later in the presentation. But so, just so that we’re on the same page, let’s start with talking about what is the dark web.

No OSINT presentation is complete without an iceberg slide so this is our obligatory iceberg slide which breaks down the surface net, the deep net and the darknet.

We really do focus on the darknet you know collecting from onion sites, TOR, ITP, ZeroNet that is specific software that you need to download to access that and also, it’s not indexed so you need to know the URL that you are going to in order to find that information. So, it makes it a lot more difficult to navigate and identify sources that are going to be beneficial to you as part of your recent investigations. And that’s one of the things that we assist with. We, you know, have broad coverage across the dark web. We’re always looking to identify new sites and new areas where individuals are communicating or buying and selling goods. And so that allows you to be able to search that information. We also do do the deep net. So, this is not indexed by search engines, usually behind a firewall of some kind or password protected. It’s not easy to access, but it’s easier to access than the dark web. You can still do it using your usual browser. And there are a lot of forums and marketplaces and vendor shops, et cetera, that sit on the deep net. And then you also have the surface net. So this is, you know, the internet we’re all used to. It’s indexed by search engines. So, you can, you know, go to Google, go to Yahoo and find a site that you’re looking for and it’s all open. I would say more and more we are seeing fights on the surface web that are also engaging in criminal activity. People seem to be less concerned about obfuscating what they’re doing then they had traditionally been and also, I think law enforcement’s been quite successful in taking down some dark net sites and that has kind of moved people onto the surface net so that’s an interesting trend that we’re seeing at the moment and that’s why we cover those areas as well as just the dark net.

To give you a little bit of history on the darknet, It started in around 2000. The Darknet Tor project itself was actually created by the US Navy as a means of secure communications for their operations. And then they decided to make it an open source tool. The Tor project is a not-for-profit that runs Tor and the onion sites and the bridges, et cetera. It’s always worth noting that there are fully legitimate reasons for using the dark web for those that live in countries where communications may be limited and, you know, they may not be able to access mainstream media, things like that. Tor can be used for that. And also, people who do really want privacy. They can use the dark web to enable that privacy. I’m not going to go through everything here on this slide obviously it goes up to 2020, but you can see that there’s been a lot of things that have happened in the darknet, things like cryptocurrency becoming more prevalent and being a semi-private way of people transacting and law enforcement operating on the dark web to take down sites has been a game changer as well. But there’s a lot of things that have happened on the dark web ecosystem and continue to happen to this day.

Okay, so why is dark web data important? I’ve kind of touched on this, but a lot of criminals operate on the dark web. So, we see people communicating on the dark web in forums, in messaging apps, having conversations, but we also see people selling and buying goods. We see people offering services. There is a lot of activity that happens on the dark web that can be useful to your investigations. And there’s also sites where people’s data is released. So, data leaks, stealer logs will go into in a little bit of detail, as well as things like DoxBin where people’s information is released. So, it can really help you in your investigations identifying information about individuals, but also can help you to kind of protect individuals from an executive protection perspective and we’ll talk about that in a bit more detail as well.

While we’re level setting on dark web, hopefully everyone on this webinar is aware of what OSINT is, but it’s basically the collection analysis and dissemination of information that is gathered from publicly accessible sources and these are a couple the sources that are out there that I think are familiar to most people doing OSINT investigations. But people don’t always think of the dark net. I think some people think it’s scary. There are questions about whether or not it’s truly open. But it is in fact open. It’s harder to access, but all of the data is out there for people to go and view if they choose to. So, I like to think of it as a tool in the toolbox that an OSIN investigator has. you know, you should be looking at social media, you should be looking at public records, you should be looking at, you know, other mainstream websites that are out there, things like the Wayback Machine, but the dark web is an important element of that investigation and gives you kind of a broader overview of information that you might not get from other sources. I feel like, again, I have the obligatory iceberg slide, this is my obligatory AI generated image. You can see that it’s AI generated because it’s the Dark Wab and not Dark Web. It seems that when you give it a few too many prompts, it gets confused, but this is my obligatory AI image.

Okay, so but what things do we see on the dark web? So hopefully people are familiar with some of these. I think some are more well known but marketplaces are definitely, you know, a mainstream and one of the things that first started in the kind of criminal ecosystem of the dark web with things like Silk Road, which was not the first market, I believe, Farm was, but, you know, marketplaces for buying and selling drugs, illicit goods, hacking tools, tutorials. You can purchase hitmen, you can purchase all manner of strange things, whether or not that’s legitimate or not is something that we can also discuss.

There’s also a wide range of forums, so people kind of talking about things that interest them. Breach forums is probably one of the most famous forums out there that works in buying and selling data and sharing data. But there’s also extremist forums out there, things like the in-sell community, right-wing extremists operating on forums too or people just discussing general things not all of the forums are bad. There are some social media sites that are on the dark web too. There are mirrors of things like Facebook and Twitter that appear on the dark web so people can access them in countries where there might be censorship so that that’s one of the more legitimate areas and also we  talk about social media and I’ll go onto this in the next slide as a dark web adjacent area where we do see criminals operating on mainstream social media as well.

Cryptocurrency obviously is the currency of the dark web. We still see bitcoin as the largest currency being used but things like Monero and Zcash and more of the privacy coins are also popular. You you know, wallet explorers, there are dark web wallets, there are tumblers, mixers, et cetera. So a lot of cryptocurrency activity can occur on the dark web as well as being, you know, again, perfectly legitimate information, there are a lot of new sites that are on the dark web. The BBC has a new site. I believe CNN has a new site. And there’s also just kind of other sites that share information. These can be kind of data repositories, you know, when information is leaked by whistleblowers that can sometimes appear on the dark web as well. And then we have data leaks. So rather than kind of whistleblowers, that’s more stolen data and data that’s been taken illegally. And in that vein, we also have ransomware. So, a lot of ransomware groups have leak sites on the dark web where they will kind of shame their victims into paying the ransom by saying that they are a victim and they’re gonna release the data. If the victim does not pay the ransom where they do usually then release that data which is downloadable on the dark web.

But as I mentioned, there’s also some things that we refer to as dark web adjacent. Oh, there’s a poll question. So, what areas of the dark web are of most use to you. So I’ve gone through some of them, but it’d be really interesting to know from your perspective what is most beneficial for you and your investigations and your day-to-day job. But in that thing we also have some dark web adjacent. That’s what we refer to as sites that aren’t or messaging apps or platforms that aren’t exactly on the dark web, but they’re still being used by the same community of people, i.e. usually criminals or extremists or some form of bad guy for one of the better phrase. Things like Telegram, ICQ, Jabber, Discord is a gaming site as is Twitch, where we see people are sharing classified information, they’re making threats. A lot of the so-called gore community are very active on places like Discord tends to be younger generations and people that are into gaming, as you would expect. But these are all areas that we think it’s important to also have coverage of in order to, you know, have a full coverage of these communities and these groups and how they’re interacting. Obviously, I would say there’s been some changes in Telegram. In recent months, but that we are still seeing a huge amount of people operating on Telegram in a malicious way.  And then the surface web, marketplaces, vendor shops, forums, as I mentioned before, excuse me, we are seeing some people that are operating in the same way they operate on the dark web on the surface web. You can find those vendor stores and those marketplaces, which I think is an interesting evolution and how these communities are operating.

Okay, so there is a lot of data on the dark web as well. So, we’ve kind of talked about the general themes and the types of sites that there are, but there’s also a lot of different types of data and a lot of different types of information. So, a huge amount of PII appears in data leaks and is discussed on some of the sites as well. Financial information, There’s a huge ecosystem of financial fraud, people selling credit card data, selling banking information, selling details of how to operate in a financial fraud way. So, we see a lot of people doing tutorials and giving guidance about how to conduct some of these scams. There’s also a huge, as you would expect, cyber and hacking community. So, people trading malware, and exploits, and different tools that you can use, you know, the phrase script kiddies, individuals who aren’t necessarily that sophisticated enough to build code or build these vulnerabilities, but they can purchase them and execute them and still kind of use them for criminal activity. So, we see a lot of trading of those kind of things, drugs, obviously, and cryptocurrency I’ve also mentioned. There’s a lot of activity that can come from this kind of data. We see cyber-attacks. We see data exfiltration and hacking. There’s also cyber espionage. I mean, APT groups are hard to identify, but they’re definitely operating in some of these places. And insider threats as well, people, you know, talking about sharing information that they should not be sharing or making threats to their organization. These are all the types of things that we see on the dark web.

Let’s dive in a little bit more into what data we actually see and kind of try to look at it from an OSINT perspective where possible.  Ransomware I have already mentioned. This is two examples of ransomware leak sites, one is LockBit, the other one, I actually don’t remember which ransomware site it is, but you can see like they will share the information about the company that has been victim of a ransomware attack.

But you can see they’re also operating the yellow image. You see that they have a Telegram channel. They are on Twitter and they are on Facebook. So they have a dark website where they share this information, but they’re also operating on kind of more of the mainstream areas. And that can be really useful for you as part of an OSINT investigation. If you’re trying to identify more information about these, you’re building that kind of what we call darknet footprint and digital footprint for these groups and how they’re operating. So, you know, their sites can give you information about them that can help with understanding how they operate. But also, you know, the information that they share while stolen and really should not be shared can be used as part of investigations as well. Especially if you’re concerned about supply chain or third party risk, understanding what data has been released about an organization can help you protect your organization if, you if one of your supply chain vendors is in there, or if you are the person that has been leaked, sorry, had been ransomed, knowing what of your data has been released and is out there for other criminals to kind of delve into, is an important thing to know. And I think some people get concerned about this data and it’s stolen data, but the thing I think people need to understand is criminals have access to this data, threat actors have access to this data and they will use it to conduct more criminal attacks, so it’s important to know what is out there from a risk perspective so you can better protect yourself.

Financial crime I’ve mentioned, we see a lot of marketplaces but also places like Telegram being used as a market for people to sell financial information. So, you can see here there’s stimulus checks being sold, there’s people selling plain credit cards, there’s other things that they’re making available on here, cash apps, etc. So there is a huge ecosystem of this financial crime.

And in the theme of markets, we also see people selling drugs and weapons on the dark web as well.

You’ll see that a lot of these markets look similar to what you would expect to see from, you know, a commerce website on the surface web as well. They provide pricing, they provide images, they also provide reviews. And that can be really useful for us from an OSINT perspective. So, you know, things that you might want to look into on these markets that can give you some clues that you can go and look through in more traditional sources. So, you know, you’ve got OSINT, sorry, you’ve got reviews, as I just mentioned. So, these are some examples of reviews. I don’t know that they are legitimate to be honest, but you’ve got the username, you’ve got the date that they purchase, And sometimes they give some information in there, like, you know, it arrived really promptly that could give you ideas about, you know, where are they based? Where are they purchasing from? And, you know, how it operates. We’ve also got here, like, more descriptions about the drugs that they’re selling. So, they’re telling you the type of drug. It’s a pressed pill. They’re made in-house. So that’s something that they’re, you know, Again, you can never really trust a threat actor, but they might be operating this themselves. That’s something to go on. And they’re also saying that we ship worldwide.

We’ve got other examples where they tell you where they’re shipping from. So, this is actually counterfeit money that they’re shipping. And they’re telling you kind of how they operate it, what techniques they have in terms of producing this counterfeit money, but also they say they’re shipping from Romania. It’s a pretty good starting point that they could be operating in Romania and that they’rei ndividuals based in that country. Again, with OSINT, you also always have to verify everything. You can’t take anything at face value, but these are data points that I think it’s important that you pull out.

And this one is a little bit maybe harder to read, but I thought it was important because they’re giving them details and almost like TTPs of how they’re operating. So they’re telling you they ship it in an envelope that it uses anti-extra bags and if it’s inspected, it will get through it. And they’re actually saying that the National Post Service is the safest way to order it and that they also use express shipping. So, if you’re doing an investigation into kind of the methodology of someone selling these drugs or counterfeit goods, I think I believe this one was still a counterfeit money. You can get from these marketplaces and from these sites information about how they are actually operating, which can really help you in your investigation and maybe where you wanna focus to identify things from other sources that are out there.

Stolen data is also a big one. I’m not really going to show real examples here because I don’t want to expose people’s PII, there’s some of that. But these are, this is Breach Forums and I believe LeapBase. These are sites that appear on the dark web where people are sharing data. And again, we get a lot of questions about is this open? I would say predominantly on these sites; the data is shared freely. Sometimes you need credits, so you need to have a reputation on the sites and that have built kind of some of that persona. But by and large, this is freely available data that again, criminals are going to have access to and it’s something to be aware of.

This gives you an idea. This is a breakdown from data that’s in our platform and Vision.

I looked at the last 90 days and it gives you a breakdown of some of the PII that is available in these leaks. So, you know, names and email addresses you’d expect, but you’re also seeing identification numbers, information about people’s genders, information about companies, phone numbers, dates of birth. You know, there’s kind of two use cases for this kind of data, I think, in the OSINT realm. One is, you know, attribution of looking at threat actors. There’s so much leaked data out there now, but threat actor information is going to appear in there as well as, you know, legitimate people’s data. So, it can really help you with that kind of attribution use case but also from a risk analysis perspective understanding what information is out there about yourself or your employees or you know individuals that you might seek to protect. This lets you know kind of what level of risk they have, what level of exposure they have and how criminals might be able to target them.

Stealer Logs is something that we’ve seen a huge rise in. They’re not new, but they just seem to be a lot more prevalent in the last year or two than they were previously. This is an example. ALIEN TXTBASE is a group that have been sharing not full stealer logs, actually, but what we would call combo stealer logs, where it has the URL, the password, and the username of an individual. And they’re making that available on Telegram. So, you know, this is great for criminals in terms of they are able to log into accounts, do account takeover attacks, depending on what URLs appear here, it could be access into someone’s network. But CELA logs are basically malware that exists on your computer or a victim’s computer and steal things like cookies like your auto fills on your browser, your passwords, and your usernames. It can also steal things like cryptocurrency wallet addresses, basically anything you’re doing on the internet, it can hoover up and we have some good blogs that I would recommend about stealer logs and how they work and how they operate and the different types of them. But they have a huge wealth of data in them.

And again, threat actors have been victims of these as well as legitimate citizens. And we’ve seen a lot of research where you are able to search for places like XXS or exploit, you know, dark web forums and see people’s user information and that can really help with attribution, but also knowing that risk of your password and your username is out there and that can be used for a variety of different attacks is really important and also because the cookies are in there it can help threat actors get past two-factor authentication and OTP codes as well, so that’s something to bear in mind. Again, I said I wasn’t going to share actual data, so I wanted to give a really basic description of how some of this data can be useful. But if you have an email address for a threat actor or someone you’re interested in understanding more about, you can search for that in leak data, and it might appear and show that it’s linked to a password. Depending on how unique that password is, you might be able to identify other accounts that they’re using because we all reuse passwords. We shouldn’t and we get told not to all the time, but most people do. So, you might be able to identify other email addresses and then you can use other OSINT techniques to find more information linked to that. There are tools out there that will allow you to search for an email address and using open-source techniques can find things like telephone numbers that link to social media accounts, that link to things like Cash App and Venmo that can give you access to the real identity of an individual. So, this is a very basic, simplistic way of talking about the workflow, but you can definitely use information and data leaks to be able to investigate individuals. I see it as another tool in the toolkit of data that’s open that you can use as part of your investigation.

We also see a lot of extremist activity on the dark web and on particularly Telegram. So, these are some images that we identified related to ISIS but we also have things on there that are you know right-wing, extremist, racist information that’s being shared and it’s important to monitor these because they can lead to real world threats and so we need to identify what is being done. You can see with the ISIS threats these were around some sporting events where they were encouraging people to target the sporting events and they were giving specific areas that they should do that and this is something we’ve definitely seen an increase of is using the dark web using things like telegram to incite violence in others and create loan actor attacks. So, it’s definitely something that needs to be monitored.

Executive protection is also a use case that we’re seeing more and more active on the dark web or the data on the dark web helping with that use case I should say. So here I’ve got and I apologize for some of the language in this, but just to highlight, on the left-hand side, we’ve got a post from DoxBin where they’re talking about X FBI agent, whether this information is accurate, I don’t know, but you can see they’re providing things like date of birth, address,] telephone number, his wife’s information, what their role was. He’s also got their daughter’s information. So, huge amounts of data are being shared about individuals on Doxbin. If you’re not monitoring that, then that’s going to be an issue because, you know, a lot of when people’s information is shared here, it can lead to real -world attacks, like things like swatting attacks. A lot of that information would come from Doxbin. You can also see we’ve got a data leak here that specifically mentioned CrowdStrike employees. Again, I haven’t provided any of the actual data, but you’ve got first name, last name, email, where they’re located, their phone number, their job title. So, this is information that’s being released about employees. And again, why you need to kind of be monitoring data leaks for your employee’s information being shared. And I think it’s really important as well that you do that from a corporate perspective of looking at corporate email addresses, but to do this completely you also need to have access to personal information too. And then the the one with the not great language so apologies again for that is it’s from 4Chan and it is an example of a particular individual that I have blanked out being threatened and being said he will be shot, shot like the healthcare CEO and it’s a long time coming. So, we can see kind of chatter and rhetoric of people making threats against individual on dark websites as well. And it’s really important to analyze those and make a judgment about, you know, the risk that these individuals pose and then using OSINT techniques to see if you can identify who these individuals are so you can have a bigger picture. 4chan unfortunately, is a difficult one to do that with because it’s anonymous, but it’s so important to know what people are discussing.

And then you can also do threat actor investigations and attribution. So, this is a bit of a historic one, but Pompompouren was the admin of Breach Forums previously. He was also on raid forums, and you know, from analyzing the data, we were able to look at the username and see that he was active on all of these different dark web forums. We were really able to build that footprint of how he’s operating, but you’ll see he was also, on Discord. And so, it really allows you to kind of understand how this person’s operating, and obviously you can analyze their language and what they’re talking about. And if there’s any clues within those forums to location and information. But I highlighted the DoxBin for executives through Actors Get Docks all the time as well. So, this is an example of information relating to him that was shared online. Several people doxed this individual. So, it’s clear now that Pompompouren was Conor Bryant Fitzpatrick. He was subsequently arrested. So, using the data, and again, this is a very simplified version, but you’re able to identify a real person based on a username and kind of how people are interacting in the community. And from that, we were able to identify telephone numbers that they use that you can do further research on IP addresses that we use. And I believe one of the IP addresses that was associated with of Fitzpatrick was actually where he was hosting breach forums, and the FBI were able to use that. He is now or he was incarcerated, he was charged. So using the data and the information online can really help you doing investigations into threat actors as well.

Okay, and we have a third question. So what use cases are most important to you? I think it’s important to understand what use cases people are working on so we can best identify kind of the data that’s going to support that from the dark web.

But with that said, I’m going to move on to a couple of quick demos to show you real world examples of how we can find data using the Vision platform (see recording for demo portion).

---

Interested in your own demo? Request one.

February 19, 2025

Or, watch on YouTube

Executives are increasingly targeted by activists of all types, posing significant threats to them personally and risks to their organizations. Many of these attacks can be detected or even predicted by monitoring exposure of the executives in the darknet, including leaked and stolen PII, credentials, chatter around the executives, and in some cases direct threats.

Despite utilizing various security tools, many organizations lack a dedicated executive protection service to monitor and alert on potential threats or negative chatter targeting executives. Addressing this challenge might seem complex, but the stakes have never been higher.

In this webinar, attendees learned how to effectively baseline, monitor, and alert on organizational and executive threats using Dark Owl’s Vision platform. Discover practical steps to safeguard your executives and your organization against these evolving threats.

NOTE: Some content has been edited for length and clarity.

---

Kathy: Today’s webinar will be held as a fireside chat with Mark Turnage, DarkOwl’s CEO as our moderator. Before we begin, we’d like to give each company a moment to introduce themselves.

Brandon, would you like to tell us a little about Ascent Solutions?

Brandon: Absolutely. So, if you’ve never heard of us before, we are Ascent Solutions. We’re an award-winning Microsoft Solutions partner that specializes in the Microsoft security stack. We offer a wide range of cybersecurity services to include advisory, professional services, as well as managed services, including Cyber Threat Intelligence, Security Operations Center, and Threat and Vulnerability Management as a service, just to name a few.

Kathy: Mark, would you like to tell us about DarkOwl and then start our chat?

Mark: I’d love to. My name is Mark Turnage. I’m the CEO of DarkOwl and Co-founder of DarkOwl. DarkOwl is a company that was established for the sole purpose of monitoring the darknet and what we call darknet adjacent networks for criminal activity and underground activity on behalf of our clients. We monitor over tens of thousands of sites a day and they include everything from the traditional TOR network all the way to Telegram channels where threat actors are now, are now active. Our product is, our data is available via a number of different ways, UI, APIs, data transfers, and we number many of the world’s largest cybersecurity companies as our customers.

It’s a pleasure to be here today with Brandon, and I’m going to just let Erin introduce herself really quickly, and let’s start with questions.

Erin: Hi, everybody, I’m Erin. I’m the Director of Intelligence and Collections at DarkOwl, so responsible for the data that we collect as well as doing investigations on behalf of our customers.

Mark: Great, let me go ahead and start. I’m going to direct this question first at Brandon and then at Erin. Can you give us the basics of executive protection? What is it and why is it important?

Brandon: Well at Ascent Solutions we offer what we call digital executive protection monitoring and alerting services that succinctly tie in with our team’s approach to continuous threat exposure management. Our approach to executive protection is actually rather simple. We provide enhanced monitoring of the dark web that specifically focuses on key executives and organizational leadership, so alerts that we recognize that alerts specifically pertaining to these individuals and key personnel could require a more tailored and of course timely approach with additional requirements actions activities and engagement beyond just the regular security team.

Mark: Great. Thank you. And Erin. Why is it important to monitor specifically, executives’ data online?

Erin: Executives tend to be the most visible people in any company. So, their information is out there, they’re doing things like webinars, they’re putting press releases out, et cetera. And so that makes them more of a target to individuals. And I think historically we’ve thought about physical threats and that’s still a concern obviously in terms of people being targeted, but more and more we’re seeing with cyber threat actors is that they’re using the information that they can obtain in the digital realm in order to target those quite visible people. And they can do this in a number of ways and this is why it’s important to monitor digital activities from different perspectives because there’s information that can be leaked about executives which can lead to information that threat actors can use and they can get their credentials and get access things that way. But there’s also a social engineering aspect to this, you know, if people are putting a lot of information out there on social media about their movements, about their hobbies, about how they operate, that makes it a lot easier for threat actors to impersonate them or use them to target members of the company. And we see that a lot with phishing attacks. So, I think it’s really important to understand, especially for executives, but probably for all employees and individuals, you know, what information is out there about you and what steps can you take to protect your digital footprint.

Mark: And I’m gonna go off script here, so I’m gonna cause our hostess Kathy to have a heart attack.

You know, I have heard through the years and have seen it, we’ve seen a little bit of it ourselves that oftentimes not only are executives the most visible members of a company, but also, they’re the least cautious. It’s the C -suite. Have you guys found that to be the case in some cases? I don’t want you to bad mouth your clients or our clients, but do you find that to be the case?

Brandon: I’d say it depends on the executive when it comes to that, but I’d say that there’s some consistency with that, Mark.

Erin: Yeah, I would say anecdotally, that does seem to happen. But I feel like maybe it makes bigger splash when it’s the C -suite that’s messed up. But you know, people, I think as well, like it could be, you know, a generational thing as well. C -suite tend to be older. They tend to be less tech savvy. They tend to not think about social engineering attacks or how the information that they’re providing could be used. But then in the same vein, younger people put way too much information on social media, in my opinion, so it’s a balance.

Mark: Sure. I mean, I’ve been subject to phishing attacks myself. Some of them quite sophisticated. And all of them, all of the most sophisticated ones tried to take advantage of the fact that I was the CEO. They had a message or a sender that I would pay attention to. They were quite sophisticated.

Brandon: Yeah, I would love to add to this one too big time. Multiple vendors throughout 2024 identified that threat actors are increasingly targeting executives basically to get a foothold into their organization causing reputational damage or just picking an insidious activity. This is also actually quite consistent with what we’ve mentioned about what we’ve seen in our SOC and we have to keep in mind that executives often have access to the organization’s most critical business functions that threat actors can have used to gain the foothold. We don’t exactly, to Erin’s point, make it very hard either. We feature our executives, in some cases, we feature the contact information, direct contact information for these folks and stuff out there as well. So, putting it all together, we basically roll out a red carpet for these folks to attack our most senior folks.

Erin: I think it’s what you have to think about the senior folks being impersonated as well. So, you know, employees are much more likely to respond to a phishing email if they think that it’s coming directly from an executive. And, you know, with things like AI now, you can generate an executive’s voice. If an executive is out there doing a lot of press webinars, their voices on the internet, you can impersonate that and use that against their employees. So there’s aspects of it as well.

Mark: We’re gonna come onto that. And the question I had for you, Brandon, was what is it about now? What’s different about now that makes monitoring this type of data more important than ever?

Brandon: Well, I think threat actors are getting more creative every day. And we’re seeing them attack and exploit things that are often on the periphery, especially since throughout 2024, we watched a lot of different vendors, third party vendors and stuff that have access into different environments get hit and whatnot. So, I do think that most of the time, when we get dark web monitoring and learning services, it’s specifically monitoring your email domain. But we need to open up the aperture on that, in my opinion, we need to be monitoring the organizational and any mentions of the organization, obviously email domains and credentials. But specifically with executives, sometimes a lot of these executives’ link some of their non-business email addresses or contact information to their business email contact information as well. So, with that, we got to be mindful of threat actors exploiting these fringe and these periphery things and stuff to get access. Their goal remains the same, causes much damage, get access, sell access, etc. We’ve got to be cognizant of that.

Mark: And Erin, what’s different about the dark web as opposed to more social media sites? Give us some sense of that difference.

Erin: Yeah, I think people on the dark web have a bit more of a sense of they can do whatever they want. So, you know, we see things like doxing, where threat actors will just provide information about individuals, and it will basically be a dossier of that individual, all the information that they can find about them. We don’t tend to see that shared as much on things like social media. And also, just the sheer breadth of kind of leak and stolen data and Stealer Logs is something that we’re seeing, a huge surge in and the dark web is where they buy and sell that information.

And I think everyone needs to be cognizant of this. You can be as careful as you want about your digital data and your footprint, but you don’t have any control over the third parties that you’re putting your information into. And if they get breached, your information is out there. So you can be pretty savvy, you can have limited social media profiles, you can have all the privacy settings, etc. But if you have my fitness power, my fitness power gets leaked, your information is out there. So that’s on the dark web. So, I think it’s very important to be aware of that.

And then kind of moving to some of the dark web adjacent sites that we monitor as well, things like Telegram and Discord. We see a lot of individuals talking about targeting or talking about accessing particular companies or just geopolitical events that their lives and you know are hitting on organizations and companies so I think just monitoring that rhetoric as well, stepping slightly away from specific executive protection but just kind of general organizational protection and reputational risk there are a lot of individuals out there that you know making anti-Semitic comments making violent comments you know making threats against executives and against organizations. And I will say social media has probably changed slightly in the last year or so where some people feel that they can do that on that open web as much as they can on the dark web, but it’s certainly something we’ve seen in the dark web, you know, over the last few years increasing.

Mark: And Brandon, give us some examples of some of the threats and risks that you guys have found and maybe talk about a unique case that you’ve you’ve come across.

Brandon: I think most commonly we see stolen credentials, data breaches ransomware posts, threat actors discussing sharing proofs of concepts or just the sale of weaponized exploit code targeting specifically vulnerabilities amongst many other different nefarious things. So, we got a couple of I think the most consistent one that we see, I would say more than often is, you know, we, our customers ask us, well, why, why are my executives, my leadership the most phished? Well, it’s like, well, look at your website, man, you got the contact information right up there. And, or, it’s something as like, your boss keeps signing up for all these random newsletters that continue to get hit, you know, with his business email, which is why he’s on X amount of different data of different data breaches. That’s the most common, the most consistent. But I think the most bizarre case that we ever had to respond to, we had a customer that had just moved organizations and went to an organization that recently got hit by a threat actor. And he had called us in to give him a hand and some assistance. Specifically, my part was to monitor the dark web, kind of get a good idea of what their presence really looked like on the dark web as well, which was very important for him, obviously. So built a couple of different cases, a couple of different cases, specifically watching for organizational mentions, email domains, or just anything and all things related to the victim company. And sure enough, the threat actor wanted to gloat about his ill -begotten gains, and he threw up a post detailing exactly what he had stolen from the company at that point took that handed it over to the team that was investigating the situation and it kind of gave them a better idea of where this threat actor could have been. So, continuing to monitor updating as needed you know especially the posts and stuff as the thread grew on there and I guess the threat actor made some enemies of his own kind, and they decided to dox him.

Mark: Oh my god.

Brandon: After they doxed him, they basically put it out there like this is who he is, thisis where he lives, this is his home address, this is where his parents work, here’s all his socials, these are all his data repositories, this is where he stores his data. And they basically stripped this threat actor, all this anonymity and then immediately I turn that over to the team and I would like to believe they finally adjudicated him. I haven’t seen a post from him since. So, it could be that, well, let’s hope.

Mark: That’s very, very interesting. Erin, give us a sense of what trends you’re seeing in terms of threats in the current environment.

Erin: Yeah, I just want to jump onto what Brandon was saying there. I always find it really interesting, like I think we focus very much on, “let’s protect our executives and our organizations,” or it’s absolutely we should be doing but I love the fact that the data that we have in leaks and from doxing and stealer logs helps us to attribute who is actually doing this so we can kind of use what they’re using against us back against them and it really helps to know kind of why someone’s doing something and what their motivation is because it allows you to assess the threat you know a lot better you know there’s a difference between armchair trolls that are just making threats because they’ve got nothing better to do and someone that is going to follow through on that threat. So, I think it’s really interesting to have that motivation.

In terms of trends, we’re just seeing a huge mass of data, it’s just growing and growing. We’re not seeing that diminishing in any way in terms of data leaks. I think stealer logs, they’re not new, but they definitely seem more prominent in this sector in terms of people being able to use those, the amount of credentials that are stolen and how people can use that to access things. I think we’ve definitely as well seen a lot more sophisticated social engineering, I think particularly some threat actor groups in terms of targeting call centers and targeting help desks of organizations as well as the executives and CEOs, and being pretty convincing based on the information that they’re able to find on both the dark web and the surface web to put that out there. Brandon’s already mentioned phishing as well, you know, not a new trend, but phishing is not going anywhere. I think as long as your email address is out there, it’s a technique that works. I mean, you look at things like colonial pipeline that was, you know, really basic phishing and lead to credential attack that, you know, led to the shutdown of the colonial pipeline. So, I think those are the things that we continue to see and that we have to continue to mitigate against.

And then I guess the other thing that I’ve kind of already touched on that we see in terms of threats being made against executives or organizations, I feel like anecdotally, people are less concerned about the threats that they’re making there. They’re not trying to obfuscate who they are as much as they used to. I think people feel a little bit braver about what they can and can’t say. And you know, part of that’s people on the internet, they’re sitting behind a screen, you know, they think they’re untouchable. But also, I think it’s just kind of the way things are developing geopolitically, people have a sense that they can do things and take action. And I think, you know, we’d be remiss in an executive protection webinar not to talk about the United Health Care assassination. You know, that individual, as far as we know from reports, obviously, I wasn’t involved in that investigation in any way, didn’t have a huge amount of rhetoric online, you know, thinking about doing that. But I think it really just highlights, you know, when people have pain points, and they’re talking about those pain points, you need to kind of pay attention to them. And that the digital world and the digital things that people are talking about and the exposure that people have, you know, he had to know that that executive was going to that hotel at that time, and that was probably from his digital footprint. And so there can be real world, you know, real world impacts outside of, you know, hacking and, you know, network things that I think it’s important to be aware of as well.

Mark: And can I ask you both a question when you’re monitoring an executive take me as an example you’re monitoring Mark Turnage. How often do you pay attention to Mark Turnage’s is spouse or partner and family. Have you seen that as an attack vector by threat actors?

Erin: I would say it’s definitely an attack vector. Again, executives will get education through their security, through their SOC, whoever telling them what they shouldn’t do and they can improve that. Whereas kids might post where they’re going on holiday and things like that, and it can make them more vulnerable. What I would say about that, though, is that it’s really up to the organization and the executive whether they want to extend the monitoring that wide. A lot of people for very legitimate reasons don’t want to share the more personal side of their information, their family, their personal emails, etc. I would caution against that because, you know, you need to look at things in the whole when it’s looking at this. But yeah, that does tend to be an issue is the privacy concerns around that.

Brandon: Yeah, I grouped that with the periphery as well.

Mark: We’ve seen one or two cases where the social, as Erin said, the social media posts of children were a primary attack vector because they could follow an executive’s family around. And as Erin said, it’s a choice for the executives and the organization to make.

Give me a sense, Brandon, what practical steps can be taken to baseline an organization and then monitor it? And how have you used DarkOwl to monitor and alert to these threats?

Brandon: Yeah, absolutely. Well, one thing I learned after 20 years in the Marine Corp., is collection planning is key for any different type of operation. So, what we do for Digital Executive Protection Monitoring and Learning Services, we have a whole menu of different things that we offer our different customers and stuff who wish to subscribe to this. So, it’s up to them. From there, we pump that stuff into DarkOwl to specifically monitor for those different things. And the great thing about DarkOwl is you’re able to build a case and stuff where it’s gonna go out and fetch whatever frequency that you want it to. This is the information that you ask it to go look for on various different things. If I wanna specifically look in extremist forums or just other threat actor-based forums, I can have it look specifically for these different things and stuff there. Or if I just wanna focus on email domains or email addresses or all that in these different forums, like – Yeah, absolutely, I’m gonna go do that. Most consistently, as far as our basic package goes, what we do is we monitor the organization, organizational email domain, and the names and the business email addresses, and in some cases, personal email addresses that are joined to the network environment of the different executives, and we build a case around that. So anytime something does pop up, it’s I get a notification and then we handle it accordingly.

Mark: So great. And and those can be in relatively real time, you know, within a minute of a post being posted.

Brandon: Yup.

Mark: Erin, give me a sense of what mitigations companies can take to protect their executives. I mean, it sounds like there’s this Wild West world where data is being spilled out there or doxed out there, you know, what kind of company or an organization really do to mitigate the risk to their executives and to the organization itself?

Erin: Yeah, so I think one is doing this kind of monitoring and being able to baseline what is already out there because there’s no way that there isn’t something out there to begin with. So, you want to have that and you want to be able to see for any changes. But basic steps that organizations can take is giving people cybersecurity training on phishing attempts and what to look out for, giving people advice on what they shouldn’t share on social media and how they should set their privacy settings, etc. I think having a really strong password policy leaks are going to happen, but if you’re not using the same password on every account, it really reduces the risk that it has to your overall footprint. I think using things like password managers can really help with that.

And then I think being cognizant of what data is out there, you know, there are ways to remove some of that data, not on the dark web, unfortunately. So if your data is on the dark web, your data is out there. But there are a lot of kind of data brokers and other organizations that will hoover information up from public records and from social media and you can legally ask for that information to be removed. So that’s something that you should probably look at doing as well.

And I think just being generally vigilant, making sure that your employees are trained and know what to look out for, but also know what they should and shouldn’t do. Like, don’t post too much information on social media. Don’t mix your personal and your business email addresses on accounts like don’t use your business account for your hotel bookings and things like that because that’s the way that threat actors can you know piece together your life and do those kind of doxes that Brandon was talking about. So, I think it’s just having good cyber hygiene and having good education to try and mitigate and reduce the risks as much as possible. I think everyone needs to be aware that you can’t remove the risk. You know, there’s steps you can take. We can do this monitoring. We can be looking out for that. We can be as vigilant as possible. That we can’t protect all third parties where we’ve put our data. And so, you just need to be very vigilant for these types of attacks.

Mark: And you must get this question all the time, Brandon. What do we do about this? Can I take darknet data off the darknet? Can I take my data?

Brandon: No.

Mark: You must get this asked this all the time by your clients.

Brandon: All the time. Adding to what Erin said, I think enacting a continuous monitoring of your executives on the dark web and integrate custom alerting into your SIM to identify and respond to potential security threats. I think that’s awesome, which is why we bring that into our continuous threat exposure management, modest operandi here at Ascent Solutions. We bring this all in together. And I think it’s important having the sufficient processes in place and stuff to monitor for these specific things. DarkOwl enables a lot of that. And there’s a lot of science that goes after that when these things happen, which is why I’m just very graceful to have such an awesome SOC team that I’m a part of.

Mark: And we haven’t talked about this. Let me ask this question. How deep in an organization is it? Have you monitored for executive protection below the C-suite level, senior management as well, or do you tend to focus on just the C-suite?

Brandon: I think it depends on the organization and where they have determined their most critical business functions are. So, although this person is a mid-level part of the organization, this person is in charge of all these different industrial control system equipment here, and they have a public-facing presence that interfaces with the OT environment and the IOT environment. So yeah, that’s definitely a high-valued individual. It depends on the organization to answer your question, but yes.

Mark: Yeah, I was thinking about system administrators, for example, they’re not as sweet, but they’re very, very important people and in organization.

Erin: Yeah, I think it can depend on the role. Again, it depends on the organization, their size and their appetite for this kind of thing. But there are certain roles that you definitely need to kind of be aware of. But I think it’s also, I think to Brandon’s point, what public exposure those individuals have, the bigger footprint that they have out there, the more likely they are to become a target. So, you might be someone that has a really important role, but you’re very discreet and kept quite quiet and not publicly listed on the website or anything like that. And that’s not to say you shouldn’t want to say for them, but it’s probably less risky.

Brandon: Correct.

Mark: I’ve never heard of a company like ours or yours doing this, Brandon, but you might want to do a social media audit of all the employees to see who has the most social media exposure. Because I mean…

Erin: There’s a direct correlation with that, right? Like, so Mark, you were talking earlier about how you get phished all the time. And I know other people in our company have received those phishing emails. I never get them. And my hypothesis is, because I’m not on LinkedIn. So, you know, you can make yourself less of a target by protecting your digital footprint in certain ways. I know anecdotally of a case going back to what you were saying of family members and like checking social media and things. They had an executive who was pretty careful and pretty secure, but their wife had uploaded a review that included locational information. So, you know, it’s what people put out there.

Mark: Yeah. I have seen CISOs, system administrators, and other cybersecurity professionals very active on social media, which is an interesting tension given their roles. We’ve talked a little bit about use cases, but if you guys could both finish with sort of – one of the most unique cases that you’ve seen using the tool, that’d be, I think it’d be informative for our listeners here.

Brandon: I think the one that we specifically talked about with the other company with the threat actor getting doxed, like that was the absolute most unique case that I’ve ever seen. You know, and that’s definitely in the Hall of Fame for as far as DarkOwl for the win moments for our company.

Erin: I’m trying to think I don’t know that I can think of something that’s particularly unique. But I mean, we definitely see impersonations of executives on telegram and other areas, threats being made, a lot of memes being used for that kind of activity. And then I just think that the doxing thing is such an interesting area of data set that we collect from. I’ve seen everything from executives to FBI agents having their information released. And once that information is out there, there’s very little that you can do about that, but you need to know that it’s out there. So having that monitoring capability to know what of your information is out there and how you can be vulnerable. But as I said, I think turning that back, the threat actors do this themselves to each other. And so, it’s very helpful. I mean, there’s a lot of threat actors out there that are involved in things like swatting, they’ll swat executives and other famous people’s homes or schools or universities. And they make a kind of a game out of that. But because they’re interacting with each other, they, you know, they anger each other and that causes their information to be doxed, which helps us as an investigator to find out who is doing this. And as I said, that important part of motivation, which I think some security people, they just wanna stop an incident, they just wanna stop data being stolen. But I think it’s always really important to look at that motivation piece as well.

Mark: And Brandon and Erin, do you see any trends and threats to executives that are sort of based on geopolitical events. Something happens geopolitically or politically here in the US or something like this shooting, this tragic shooting of the United Health Care CEO. Do you see risks go up or chatter go up or does it tend to be fairly flat line throughout?

Brandon: From a geopolitical perspective, absolutely. We got to go back in time for this one a bit. But when Russia was getting sanctioned a lot by a lot of different commercial vendors and stuff, that kind of set off a red flag for a lot of the Russian-based e-crime actors and stuff to start going after and specifically targeting these companies because of the Russia-Ukrainian war and stuff. So that really prompted a lot of these folks and stuff to start going after them. So yeah, it really depends. It really depends on the situation, you know, and what the and what the atmospherics are surrounding that situation as well.

Erin: Yeah, I mean, we’ve definitely seen, I think the most recent one off the top of my head that I can think of is the Israel Hamas conflict. That definitely caused a lot of individuals that were Jewish to be targeted, and Palestinians to be targeted, so you definitely see those trends in relation to big geopolitical events, and I think that’s something that executives and organizations need to be aware of as well as posturing around these types of events. I would say with the main trend I’ve seen with the United Health Care incident was executives are more concerned. they’re taking more of a proactive approach to maybe looking at their footprint. And I think a lot of people were very surprised by the response to that from a lot of individuals on social media, on things like Telegram, where there wasn’t a lot of disgust at what the alleged assassin had done, and more concern about, you know, we don’t like these executives. There was one individual on social media who produced a deck of cards with different CEOs’ faces on them as targets. So there’s definitely that kind of rhetoric, whether that leads to actual threats or it’s just people talking. You know, it’s hard to say, and that’s again why that motivation point is important. But yeah, I think there’s definitely trends and activities that happen that have an impact on all of this kind of thing.

Brandon: It’s never a dull day in the life of a threat intelligence manager in a cyber security.

---

Check our blog on Executive Protection and the Darknet. Read Here