Cybercrime and Dark Web Research / How to Monitor Initial Access Broker Listings in SearchLight

How to Monitor Initial Access Broker Listings in SearchLight

How to Monitor Initial Access Broker Listings in SearchLight
Michael Marriott
Read More From Michael Marriott
February 25, 2021 | 4 Min Read

By now, you might have caught wind of Photon’s new research on Initial Access Brokers (IABs). It’s a pretty awesome, data-driven study analyzing more than 500 listings from 2020. If you’re a security practitioner that cares about the risks of unauthorized RDP, Citrix, or VPN access, I’d encourage you to gain access to the report, Initial Access Brokers: an excess of access, or listen to the recording of our recent webinar.

The inexorable rise of IABs has continued into 2021 and with that in mind, you can probably expect Photon to revisit this topic in future quarters. This blog, however, is for those that cannot wait that long and want to be the first to know when cybercriminals first list their accesses for sale.

In this blog, I will outline what four things you can do to monitor IAB listings if you are either a full SearchLight user or have embarked on a 7-day free trial:

  1. Intelligence Tippers. Short intelligence updates researched and analyzed by our analyst team, Photon.
  2. Actor Profiles. Curated profiles outlining everything Photon knows about the actors in question.
  3. Access Raw Data. Via Shadow Search, users can explore and set up custom alerts on the raw data from the forum listings themselves
  4. Custom Reporting. Through our Reporting Module, automatically schedule reports on IAB to be delivered to your inbox.

Access Photon Intelligence Tippers

The most popular method for monitoring IAB listings is via our Intelligence Tippers. Our own team, Photon, do the heavy-lifting–monitoring new posts on criminal forums where IABs may be listing new accesses. These tippers provide a quick intelligence write-up and include the essential information and context, including targets, source, and associated actors. Armed with this information, users can then gain more information in our tagged profiles or ask our team for a deeper dive.

An example of a SearchLight Intelligence Tipper, with links to associated actor and criminal location profiles

If you want to peruse all tippers about specific actors, these can be added as filters on the left-hand panel (as shown below).

SearchLight Intelligence Tippers, filtered by known Initial Access Brokers

Access Threat Actor Profiles

When presented with a listing that may be of interest to you, the next step is to make an assessment about the actor selling the access. There are plenty of actors attempting to scam fellow cybercriminals, and so not all listings will be for legitimate access.

This is where actor profiles come into play–providing essential context on their historical activities, reputation, associations, known sites, associated observables, and assessed threat level. For example, in the screenshot below, you can see in the “Summary” section that this actor has had successful sales of accesses.

An example of one IAB threat actor profile within SearchLight

Monitor the Raw Threat Data

For those that want to know as soon as the post surfaces, you can do that through Shadow Search. It’s possible to search by specific username or follow threads of particular interest. From there, you can set up saved searches and immediate email alerts.

Access to raw data from criminal locations, filtered by the actor in question

Create and Schedule Custom Reports

The final option is to schedule automatic reports to be delivered to your inbox at a cadence of your choosing. Within SearchLight’s reporting module, users can create reports based on private alerts and intelligence activities. In the example below, a report has been created based on Tags of known IAB actors. You can then schedule these reports to be delivered on a weekly, monthly, or quarterly basis.

SearchLight’s customizable reporting module, filtered by IAB actor tags

Get Started Today

Security teams love getting visibility into IAB listings—especially in the cases that those listings reference their company or suppliers.

Hopefully, with these four tips, you don’t have to wait until our next research report on Initial Access Brokers. For those who are not yet SearchLight users, you can head towards Test Drive and register for a free account to explore for yourself for 7 days.