Explorer

What is Explorer?

Explorer is a powerful add-on feature to Threat Flow that enhances Dark Web browsing capabilities by not only allowing you to explore cybercrime chatter but also providing automated conversation summaries. These summaries take unstructured chatter and package it as a conversation that you can browse easily, enabling you to engage directly with critical information in a more structured and actionable format.

For more information and access to Explorer, contact your CSM.

What Does Explorer Look Like?

Threat Flow Explorer provides a wealth of information to digest, so let's break it down.

The left-hand panel displays summarized conversations based on your searches, condensing multiple chains of cybercrime interactions. Threat Flow does its best to specify which organizations are targeted, what products (if any) are being discussed, and the specific locations that are mentioned.

Conversation Explorer results are filtered to show content with a relevance of 75% or higher to your search criteria.

Click on any conversation summary for more information, which brings up the right-hand panel. Here you'll find additional metadata, an overview, and the actual thread.

To view the entire conversation, click the link, which will bring you to the Events feed in Flare. Here you can browse the individual events (the thread) that drove this particular conversation.

How Do I Create My Own Custom Intelligence?

Explorer enables you to create "Custom Intel" within Threat Flow using the Custom Intel Builder, allowing you to select conversations relevant to your research and organize them in a dedicated section. This powerful feature helps you streamline and focus on critical information.

Intel Builder populated with 2 Conversations

Semantic Search understands the contextual meaning of search queries and content, enabling more relevant and accurate results by considering the intent and relationships between words.

  • Start with a Search: Explorer's Semantic Search allows you to search for anything. Try searching for something similar to "Healthcare Sensitive Data" and use the Date filter to select a more recent date range, such as the Last 7 Days.
  • Choose Conversations of Interest: Use the + next to each conversation to select it.
  • Preview Intel: Click Build Custom Intel to view your selected conversations. You can continue to add conversations using further searches, or remove them by clicking the x.
  • Create Intel: Click Create Custom Intel within the Build Custom Intel panel to name and create your new Intel. It will be added automatically to the Generated Intelligence tab and takes a few minutes to complete.

The Intel provides a summary of all of the individual conversations you selected, the related conversations, and a list of all of the related events.

Search Best Practices

Use Specific Terminology

Whenever possible, use specific terms when performing semantic searches; this significantly improves the relevance of the resulting discussions and the topics they cover. The following are some common suggestions.

Finance: Use specific terms such as bank credentials, BIN numbers, cryptocurrencies, or institution names.

Ransomware: Include terms similar to ransomware group, ransomware activities, ransomware recruitment, or known threat actors such as LockBit or Cl0p.

Critical Infrastructure: Use terms like energy sector, telecommunications, internet providers, military, government, and transportation.

Create Intel for Specific Topics of Interest

Avoid overly specific or "mixed-topic" queries for the most relevant results.

Include Specific TTPs, Vectors, and Vulnerabilities of interest

Some examples include phishing, VPN, brute force, reverse shell, or CVE-2024-XXX.

How Do I Filter the Results?

You can use Explorer's Advanced Filters to narrow down your results and focus on the most relevant information. Here's an overview of the available filter categories:

Metadata

  • Organization: Names of targeted or compromised organizations or entities.
  • Product: Names of targeted or abused products or technologies.
  • Threat Actor: Usernames mentioned in related chatter.
  • Location: Geographical locations referenced by threat actors.
  • Data Source: Specific forums you can filter for, such as BreachedForums, Hacktown, Dread, and others.

Scoring

  • Sophistication: An inferred score indicating the proficiency level of the threat actor.
  • Criticality: An inferred score indicating the urgency for the target organization.

Attributes

  • Remote Code Execution (RCE): A vulnerability being actively exploited.
  • Targeting Critical Infrastructure: A critical infrastructure provider is being targeted.
  • Targeting Mainstream: Mainstream software, hardware, or products are targeted or compromised.
  • Database Leak: An actor mentions a large data leak.
  • Sale: An actor is attempting to sell compromised data or information.
  • Actively Exploited: A vulnerability that is currently being exploited.
  • Remotely Exploitable: A vulnerability that can be exploited remotely.
  • Targeting Large Organizations: Large organizations are being targeted.
  • Weaponized: An exploit is available for one of the mentioned vulnerabilities.
  • Geopolitics: The discussion involves geopolitical topics.
  • Initial Access: Involves the sale of initial access to a network.
  • Drama: Discussion involving conflicts between threat actors.
  • Requires Prerequisite: A vulnerability requires certain conditions to be exploited.
  • Contains Code: The message includes code snippets.
  • Request: An actor is making a request for information, services, or goods.