Dark Web Education Hub

How To Investigate A Threat actor

More resources

Stopping threats by investigating threat actors

A mature cyber threat management program improves security by taking a proactive approach to threat monitoring and detection. Rather than simply responding to attacks as they happen, sophisticated programs seek out intelligence that can help the organization take steps to block attacks before they occur. 

A crucial element of this approach is understanding the motives, history and techniques of specific threat actors. By researching the past activities, preferred tactics and peer networks of specific cybercriminals who are targeting their organization, security teams can glean invaluable intelligence that can help them better defend against malicious attacks. 

These critical, actionable insights into specific hackers can only be derived from threat intelligence pulled from the deep and dark web – the epicenter of cybercriminal activity where threat actors go to buy data and tools and to share information that reveals their tactics, techniques and procedures (TTPs). That’s where the Cybersixgill threat intelligence platform can help.

Understanding threat actors 

Threat actors are people or groups who carry out cyberattacks against individuals or organizations. Most independent actors are motivated by money, while others are focused on ideology, revenge, entertainment, or simply “making a statement.” State-sponsored threat actors work at the direction of the military, intelligence or other state-controlled apparatus of their country, operating to promote their government's interests at home or abroad.         

Rather than simply monitoring and reacting to threats as they emerge, proactively researching specific threat actors can help security teams better understand the motivations, capabilities, patterns of activity and potential attack vectors of specific cybercriminals - and preempt these threats before they are weaponized. For example, by searching the dark web for mentions of a malicious IOC deployed against your system, you may find a list of posts by threat actors on various dark web forms and marketplaces. With a little research, security teams can gain critical insight into the mind of the actor behind the threat, answering a variety of critical questions:

  • How active is the individual?

  • What is their motivation – money, ideology, fun, a grudge?

  • What capabilities does the individual seem to have that could pose a threat for the organization?

  • Who else has entered into conversation with the individual about a specific threat?

With this information, security teams can not only determine the most effective means to remediate an existing or developing threat, they can also develop proactive defensive processes - looking for and identifying emerging cyber threats, and defending against them before they materialize. To aid this effort, it’s helpful to have a dark web threat intelligence feed that can alert teams to new posts by those specific individuals intent on targeting their organization, or posts about specific types of threats. That’s why, when developing intelligence about threat actors, more security teams today are turning to Cybersixgill.

Threat actor intelligence from Cybersixgill

Cybersixgill was founded to help security teams protect their organizations against malicious cyberattacks before they materialize. To accomplish this, Cybersixgill empowers security teams with access to our full body of context-rich threat intelligence - extracted in real-time from the clear, deep and dark web.

Our Investigative Portal provides a simple, covert and user-friendly platform for security teams to consume our market-leading threat intelligence collection, with a range of features and functionalities to support their efforts as they research, track and defend against the efforts active threat actors. Advanced filtering, tagging and Google-like search capabilities make it easy to hone in on the threats that matter most, gain critical contextual insight, identify the actors behind each specific threat and to follow their activity across the cybercriminal underground. Teams can customize automated alerts according to their unique assets and needs, ensuring they receive the earliest possible warning of potential threats - be they concerning posts, contact between specific users, replies to certain conversation threads or any other real-time development or indication of risk surfacing across the clear, deep or dark web. By fully leveraging the early warning capabilities of the Cybersixgill Portal, security teams can be better prepared to detect and preemptively counteract threats before they are weaponized by threat actors against their organization.      

The Cybersixgill Investigative Portal provides:

  • Unprecedented access. Security teams have real-time and ad-hoc access to our complete body of threat intelligence from the deep, dark and clear web.

  • Enriched data. A unique algorithm correlates external threat data with client assets and prioritizes security actions based on real-time, relevant and accurate threat context.

  • Individual profiles. Over 7 million detailed threat actor profiles detailing their history, activity, aliases, peer networks, tactics, MO and interactions with other threat actors.

  • Context. Cybersixgill operationalizes tactical intelligence by providing critical context regarding the nature, source, urgency and evolution of each threat over time, and helps teams understand how each piece of intelligence relates to TTPs of specific threat actors.

  • Alerts. Pre-configured automated alerts ensure teams are updated in real-time of the earliest indication of risk, helping security teams stay ahead of the threat curve.

Monitoring the intent of threat actors 

In addition to the ability to research and track threat actors with the Investigative Portal, Cybersixgill enables security teams to understand the likelihood that malicious actors will exploit a given vulnerability in the near future. Cybersixgill Dynamic Vulnerability Exploit (DVE) Intelligence measures and quantifies the risk posed by specific vulnerabilities, enabling security teams to identify and prioritize those vulnerabilities that pose the greatest risk to their organization, and manage remediation more effectively.

In contrast to the widely used CVSS scoring system – which only evaluates the potential severity of a vulnerability should it be exploited – DVE Intelligence relies on rich threat intelligence from the clear, deep and dark web to accurately predict the likelihood that a vulnerability will be exploited by cybercriminals in the next 90 days. Cybersixgill’s analysis measures the intent of threat actors derived from automated AI analysis of cybercriminal activity and discourse across the underground, as well as critical intel sources like code repositories, closed forums, social media and other sources. 

With this intelligence, security teams have the critical insight and context they need to accurately identify and prioritize the vulnerabilities that represent the greatest risk to the organization.

Why customers choose Cybersixgill 

Cybersixgill’s fully automated threat intelligence solutions help organizations to expose threat actor activity, preempt attacks and streamline management of threat intelligence throughout the organization. Our collection capabilities have proven to be the broadest in the industry, covertly extracting data from sources such as limited-access deep and dark web forums, illicit markets, code repositories, invite-only messaging groups, paste sites and clear web platforms. By enriching this data with context, we provide security teams with comprehensive insight for better decision-making.


What is a threat actor?

A threat actor, or malicious actor, is a person or organization that targets an organization’s IT security. Malicious actors may be cybercriminals outside the organization, employees or partners acting from within the organization, or nation-states targeting organizations to steal data and secrets, disrupt operations, compromise security, or damage the capabilities of an organization or government.

What is threat hunting?

Threat hunting is a proactive approach to cybersecurity where a security team searches for previously unknown threats or attacks that may have already slipped past their organization’s defenses or is likely to target them in the future. By monitoring for suspicious behavior or activity and using their knowledge of attack methods, threat hunting teams can successfully identify emerging threats and stop attacks in progress. Threat hunting relies heavily on intelligence gathered through dark web cyber security solutions that reveals the intent of threat actors as well as their tactics, techniques and procedures (TTPs).

What is threat intelligence?

Threat intelligence refers to the data that is collected and analyzed from multiple sources including the deep, dark and clear web to understand a threat actor’s motives, targets and behaviors. Threat intelligence is a critical element in helping security teams to understand the threats facing their organizations and to create programs for ransomware prevention, malware detection, brand monitoring and other security efforts.