Explorer
Explorer is a powerful add-on feature to Threat Flow that enhances Dark Web browsing capabilities by not only allowing you to explore cybercrime chatter but also providing automated conversation summaries. These summaries take unstructured chatter and package it as a conversation that you can browse easily, enabling you to engage directly with critical information in a more structured and actionable format.
For more information and access to Explorer, contact your CSM.
Threat Flow Explorer provides a wealth of information to digest, so let's break it down.
The left-hand panel displays summarized conversations based on your searches, condensing multiple chains of cybercrime interactions. Threat Flow does its best to specify which organizations are targeted, what products (if any) are being discussed, and the specific locations that are mentioned.
Conversation Explorer results are filtered to show content with a relevance of 75% or higher to your search criteria.
Click on any conversation summary for more information, which brings up the right-hand panel. Here you'll find additional metadata, an overview, and the actual thread.
To view the entire conversation, click the link, which will bring you to the Events feed in Flare. Here you can browse the individual events (the thread) that drove this particular conversation.
Explorer enables you to create "Custom Intel" within Threat Flow using the Custom Intel Builder, allowing you to select conversations relevant to your research and organize them in a dedicated section. This powerful feature helps you streamline and focus on critical information.
Semantic Search understands the contextual meaning of search queries and content, enabling more relevant and accurate results by considering the intent and relationships between words.
- Start with a Search: Explorer's Semantic Search allows you to search for anything. Try searching for something similar to "Healthcare Sensitive Data" and use the Date filter to select a more recent date range, such as the Last 7 Days.
- Choose Conversations of Interest: Use the + next to each conversation to select it.
- Preview Intel: Click Build Custom Intel to view your selected conversations. You can continue to add additional conversations using searches, or remove them by clicking the x.
- Create Intel: Click Create Custom Intel within the Build Custom Intel panel to name and create your new Intel. This will be automatically added to the Generated Intelligence tab. It will take a few minutes to complete.
The Intel will provide you with a summary of all of the individual conversations you selected, the related conversations, and a list of all of the related events.
Whenever possible, using specific terms when performing semantic searches can significantly improve the resulting discussions and/or the relevance of the topics being discussed. The following are some common suggestions.
Finance: Use specific terms such as bank credentials, BIN numbers, cryptocurrencies, or institution names.
Ransomware: Include terms similar to ransomware group, ransomware activities, ransomware recruitment, or known threat actors such as LockBit or Cl0p.
Critical Infrastructure: Use terms like energy sector, telecommunications, internet providers, military, government, and transportation.
Avoid overly specific or "mixed-topic" queries for the most relevant results.
Some examples include phishing, VPN, brute force, reverse shell, or CVE-2024-XXX.
You can use Explorer's Advanced Filters to narrow down your results and focus on the most relevant information. Here's an overview of the available filter categories:
Metadata Type | Description |
---|---|
Organization | Names of targeted or compromised organizations or entities. |
Product | Names of targeted or abused products or technologies. |
Threat Actor | Usernames mentioned in related chatter. |
Location | Geographical locations referenced by threat actors. |
These refer to specific forums you can filter for, such as BreachedForums, Hacktown, Dread, and others.
Score Type | Description |
---|---|
Sophistication | An inferred score indicating the proficiency level of the threat actor. |
Criticality | An inferred score indicating the urgency for the target organization. |
Attribute | Description |
---|---|
Remote Code Execution (RCE) | A vulnerability being actively exploited. |
Targeting Critical Infrastructure | Critical infrastructure provider is being targeted. |
Targeting Mainstream | Mainstream software, hardware, or products are targeted or compromised. |
Database Leak | An actor mentions a large data leak. |
Sale | An actor is attempting to sell compromised data or information. |
Actively Exploited | A vulnerability that is currently being exploited. |
Remotely Exploitable | A vulnerability that can be exploited remotely. |
Targeting Large Organizations | Large organizations are being targeted. |
Weaponized | An exploit is available for one of the mentioned vulnerabilities. |
Geopolitics | The discussion involves geopolitical topics. |
Initial Access | Involves the sale of initial access to a network. |
Drama | Discussion involving conflicts between threat actors. |
Requires Prerequisite | A vulnerability requires certain conditions to be exploited. |
Contains Code | The message includes code snippets. |
Request | An actor is making a request for information, services, or goods. |