Establishing a Dark Web Threat Intelligence Framework

6 minute read

Frameworks 101: How Can We Leverage a Framework for Dark Web Threat Intelligence? 

In security, we often talk about frameworks. But what is a framework and why is it important? Frameworks, simply put, provide structure and guidance for addressing issues. Rigorous application of frameworks drives consistency in assessment protocol and resulting outcomes while creating a structure that can be modified and refined in order to iterate around more robust methods and achieve higher fidelity results. Thus, when applying frameworks to threat intelligence, and when establishing a framework for Dark Web threat intelligence in particular, there is not a one-size fits all approach. Any framework should be constantly assessed and updated in order to address new inputs, pivot to address new and unforeseen challenges, and/or adjust for new desired outcomes. Any and all frameworks should be positioned to drive results addressing specific intelligence requirements, which are unique to each industry, geography, and organization.

For purposes of the conversation, this blog addresses external threat intelligence, specifically in the context of the Dark Web and associated framework application. In short, we’re focused on addressing threat intelligence inputs that expose threats or risks external to the firewall/secure perimeter.  

What is the Cyber Threat Intelligence Framework?

The Cyber Threat Framework was developed by the US Government to enable consistent characterization and categorization of cyber threat events, and to identify trends or changes in the activities of cyber adversaries. Considerable time and effort are spent generating and producing cyber threat intelligence. As such, a framework provides structure for assessing, triaging and dispositioning this intelligence.

Externally, understanding inputs and preparation for targeting activities is critical for planning said action. Once planned, specific engagement is the next key.  This may include research, covert engagement and, ultimately, drive results.  As a result of these external activities, internal actions, monitoring, defense, and/or disruptive activities can then be executed.

In a practical application, let’s look at Attack Surface Management. Understanding what your attack surface actually is would be the first step. Once clearly understood, collection of threat intelligence associated with that attack surface can be curated and the associated risks assessed. Physical assets, contact with known threats (IOCs), phishing sites, command and control servers, etc., which connect to resources within your organization, represent significant risk to these targeted assets as well as any internal intellectual property, corporate data, and/or PII.  As a result of specific threat intelligence identification, alerting, triage, prioritize, quarantine/isolation, cleansing and security can all be actioned.  Monitoring activity is also a useful process and can provide key insights around specific activity, modes, behavior analytics, desired targets, actor attribution, etc. Further, if an opportunity to engage the actor is possible, engagement and/or disruption can then take place.

In the context of framework application, how are different data applied? 

The 3 Types of Threat Intelligence Data

Depending the rigor of the framework, it may be loosely structured in order to apply to a wide array of threat intelligence inputs.  Let’s take a moment to look, at three different types of TI and how they may drive different framework applications. Strategic, tactical and operational threat intelligence can all be applied to the CTI framework.   

  • Strategic Intelligence – Overview around an actor group, TTPs, general targets, trends. Generally, high-level and positioned for non-technical audiences.
  • Tactical Intelligence – immediately actionable, discrete intelligence. Can easily be actioned: blocklisting, account suspension, access control revocation, etc. (IOCs and compromised credentials are two examples of this TI.)
  • Operational Intelligence – Targeted, contextualized, specific threat, exploitation or other risk, targeting organizational assets. Typically, outlines motivations, profiles attackers and threat vectors and delivers content in contextualized action oriented manner. This generally includes some level of analysis or compilation of “finished” intelligence.

Depending on the nature of the inputs, intelligence is gathered, risks are understood, and resulting requirements can be prioritized and activities can then be planned in order to achieve specific outcomes.

How To Use A Dark Web Threat Intelligence Framework

In the context of this discussion it is assumed that the Dark Web is an inherent area leveraged for intelligence gathering.  Much of the activity surrounding threat intelligence occurs there, as it is a rich hunting ground for threat intelligence collection. However, this is largely because the Dark Web enables threat actors to operate and conduct activity with a level of anonymity. Thus, it is critical to approach the Dark Web as a tool or venue within which specific activities occur or against which your policies can be applied. Determining a strategic approach regarding your level of access and engagement is an important step. 

There are two main ways you can leverage Dark Web sources for threat intelligence. You can either leverage a Dark Web monitoring service, or you can set up your own monitoring capability. There are several vendors that allow you to integrate their Dark Web intelligence feeds into your threat intelligence process or tools.

Through the acquisitions of Cyveillance and VigilanteATI, ZeroFox has established itself as a primary CTI provider of both Dark Web data and Operational Engagement services within closed-source Dark Web access. As such, ZeroFox delivers Strategic, Tactical and Operational threat intelligence in an effective and cost sensitive manner.  The result is highly curated, context rich content at an exceptional value. With a pipeline of features to be released over the next several quarters, the ZeroFox Platform will increase visibility into the underground economy and further reduce time to action.  

Leveraging Open Source Tools for Dark Web Threat Intelligence

In contrast to Dark Web closed-source intelligence, there are many open source tools for cyber threat intelligence collection when developing a Dark Web threat intelligence framework. This can range from information obtained on open forums, social media and/or darknet sources using scrapers and human operatives for intelligence collection.

The opportunity to leverage one organization that can provide content from OSINT sources, domain registration, exclusive access in closed source communication channels with long-standing trusted cyber personas, unique compromised data, engagement within the underground economy, access to trusted underground sources and relationships, delivers covert services, etc., is crucial to your success in capturing relevant, refined intelligence for application within the CTI framework.  ZeroFox is that entity and delivers on all fronts.  ZeroFox delivers the intelligence required to enable effective planning and engagement, action, and disruption.  


A framework is only effective when the inputs have a level of quality that will result in highly efficacious results.  Thus, inputs are critical. GIGO (garbage in, garbage out) is certainly applicable and, again, the objective is to achieve strong resulting actions, without getting bogged down in alert fatigue against meaningless data vs. timely, relevant and actionable threat intelligence. As such, leveraging a wide range of highly specific content is critical.  Ultimately, when considering a Dark Web threat intelligence framework, the objectives are simple:

  1. Protection against fraud, breach, exposure (Protect)
  2. Risk/threat mitigation (Predict, Prepare, Act)
  3. Decisive high impact action (Effectiveness)
  4. Reduced time to action (Efficiency)

With limited resources, most teams do not have the luxury of unlimited time, money or human resources.  Applying frameworks will allow you to squeeze as much as possible out of the limited resources that are available.  Further, strategic partnering enables tremendous leverage and scale. Learn more about ZeroFox’s Dark Web threat intelligence capabilities and how we can be your trusted CTI partner.

See ZeroFox in action