Emergency Management | Ben Luxon

Securing the Supply Chain: The Role of OSINT in Logistics

Open Source Intelligence (OSINT) is an integral tool for both security teams and supply chain managers to enable them to gain clear oversight of potential disruptions across the supply chain and implement timely responses.

Supply chain operations can be vast. While globalization and digital technologies are making the world a smaller place in many ways, they also increase the number of potential vulnerabilities that security teams and supply chain managers must monitor. Current threats to the logistics sector include climate and weather events, piracy, terrorism, DDoS attacks, malware and data breaches.

The range of potential threats is exacerbated by the vulnerabilities of the supply chain and the sheer size and scope of the operations involved. For example, around 90% of the entirety of global trade flows through only 39 bottleneck regions. An effective attack on any of these 39 traffic-heavy logistics hubs would have far-reaching consequences impacting billions of dollars of trade.

One example is the Hong Kong-Shenzhen freight cluster, a critical gateway for global manufacturing and trade, through which tens of millions of tonnes of container and air freight move annually. Additionally, there are a number of geographic chokepoints, such as the Panama Canal and the Strait of Malacca.

It is no longer merely the threat of attacks on these areas that could halt a vast amount of freight. Incidents such as the grounding of the Ever Given in the Suez Canal in 2021 and the drought that restricted movement through the Panama Canal in 2023-24 demonstrate that these geographic chokepoints are increasingly vulnerable.

If this wasn’t enough, digitization has increased the number of threats that logistics companies need to consider. This increase in vulnerability needs to be addressed through effective security measures, such as real-time data collection using Open Source Intelligence (OSINT) software.

How can transport and logistics companies secure their supply chains?

Ensuring secure passage

One of the key concerns – and one of the oldest – that logistics and transport companies have to contend with is tangible, physical security threats, with terrorism and piracy the obvious examples. The rise in extreme weather events, such as hurricanes and droughts, also places pressure on logistics routes. Organizations need real-time information to carefully and continuously assess the threat level, implications and risks surrounding these physical security concerns.

These analyses help organizations to develop mitigation strategies. They also help to establish contingency plans for worst-case scenarios. Organizations need to be able to adapt and respond quickly to events as risk levels change. Supply chain managers across all industries need to consider higher transportation costs, longer travel times and potential issues in meeting schedules when alternative transportation routes are used.

These strategies depend on continuous visibility of current and emerging threats. Without it, response planning is compromised. Being caught unawares could have far-reaching and even devastating consequences, and, in some cases, business models based on time-critical deliveries may be squeezed out of the market.

Keeping cyberspace safe

Cybersecurity is a concern that should be receiving increasing attention as cybercriminals continue to evolve their tradecraft.

In 2017, a cyberattack cost shipping giant Maersk upwards of US$300 million. A vicious malware called NotPetya took down Maersk’s IT systems. Maersk was handling roughly one container ship into port every 15 minutes. So, it's easy to imagine the logistical nightmare that ensued as the company was forced to turn to manual processes to keep things moving.

The Russian military developed NotPetya to target businesses in Ukraine – but the malware quickly got out of hand. Soon, it was spreading around the world, taking down networks and causing billions of dollars in damage and lost revenue. In this scenario, Maersk was simply collateral damage.

More recently, Expeditors International was affected by a cyberattack that forced it to shut down its operating systems, disrupting its services for more than three weeks. Expeditors later revealed the attack had cost it $60 million in lost revenue, investigation and remediation.

Transportation is already heavily reliant on Information Communication Technology (ICT), with virtual threats growing in frequency and complexity. For this reason, cyber threats are an increasing concern across multiple industries. Additionally, for transportation and logistics, cyberattacks designed to induce physical damage are an increasingly common attack vector.

OSINT software for a more secure future

Some organizations operate with hundreds of individual suppliers. If any supplier is disrupted, consequences across the supply chain could be costly. Expeditors International and Maersk are just two examples of this.

Investing in live threat detection doesn’t just reduce risk; it also keeps operations running smoothly and predictably. When it comes to security and supply chain management, it’s especially important to look at future scenarios and manage security proactively. Reacting to crisis situations is not enough. Companies must find the right combination of preventive and reactive measures to achieve the optimal level of supply chain security.

Executives should also keep an eye on so-called wildcard events. That means examining the potential financial impact, the relative vulnerability of their business model, and their company’s ability to respond to low-probability, high-impact events.

As supply chain threats multiply, staying ahead of the intelligence flood becomes more difficult. Signal’s tools cut through the noise by using AI to perform tasks such as triaging alerts and providing contextual SITREPs for possible threats. This sort of practical application of AI creates efficiencies within security teams, without compromising the crucial situational awareness needed to keep logistics lines open.

How Signal is already helping secure logistics supply chains

  • Signal alerts a customer to a supplier’s merger. They can find new suppliers in a timely fashion, preventing disruption and revenue loss.

  • Signal provides data on severe weather warnings that affect multiple suppliers and disrupt transportation routes.

  • Confidential data is found for sale on the dark web, allowing the organization to act quickly for threat mitigation.

Dark Web Monitoring | Ben Luxon

5 Dark Web Marketplaces Security Professionals Need to Know About

We take a look at how security professionals can overcome the plethora of challenges that come with finding, accessing, and efficiently monitoring dark web marketplaces for information security.

Dark web marketplaces are online platforms where people can buy and sell illegal goods and services while remaining anonymous. The offerings include leaked credit card details, exploit kits, hackers for hire and advertisements for hitman services.

Because of the range of goods and services available, as well as the conversations that occur around these transactions, dark web marketplaces can be immensely valuable sources of data on criminal activity. As such, they are typically under intense scrutiny from both law enforcement and security professionals.

These marketplaces have become increasingly sophisticated, with slick user interfaces that resemble familiar online storefronts, such as Amazon, along with seller ratings and escrow services for secure payment. This makes the barrier for users lower than ever before.

5 dark web marketplaces

People have been organizing illicit trades via the internet since the 1970s. Those early examples were through closed networks, with actual exchanges of money and goods usually taking place in person. With the advent of cryptocurrencies, it has become easy to complete online trades without leaving a trail. As a result, the online trade of illegal goods has become increasingly commonplace, and vast dark web marketplaces have emerged.

The very first of these marketplaces to pair the darknet with Bitcoin was the Silk Road, created by Ross Ulbricht in February 2011. Over the following two years, the Silk Road set the standard for dark web marketplaces. By the time it was shut down in October 2013, and Ulbricht arrested, the site had traded an estimated $183 million worth of goods and services.

Torzon Market

Torzon is one of the largest general-purpose darknet markets still active in 2025. It offers a familiar mix of narcotics, fraud tools and digital services. The site operates on Tor and supports Bitcoin and Monero, utilising escrow to facilitate transactions. Torzon also imports vendor feedback from other platforms, providing some continuity for buyers and sellers who have migrated after past shutdowns.

STYX Market

STYX has carved out a role as a hub for stolen data rather than drugs. Its listings focus on stealer logs, initial access and financial credentials, making it highly relevant for financial security professionals. Unlike older drug-oriented markets, STYX looks more like a specialized cybercrime exchange than a bazaar.

STYX is a great example of a ‘new model’ market with a searchable structure and trusted vendor processes, which helps buyers quickly filter for fresh data. The market grew through 2023-24 and remains active in 2025, underscoring how access and credentials have become commodities on par with drugs in the dark web economy.

Russian Market

Often written as RussianMarket, this is the largest marketplace for stealer logs. It aggregates credentials, cookies and session data harvested by malware such as RedLine, Raccoon and Vidar, and sells them in bulk. This makes it both a goldmine for attackers seeking account takeovers and a persistent monitoring target for security professionals.

Researchers estimate that millions of logs are for sale, with new ones added daily. Its endurance shows how cybercriminal demand has shifted from physical contraband to stolen identity data. For enterprises, Russian Market illustrates why compromised credentials remain one of the most common entry points for intrusions.

2easy

Sometimes branded 2easy.shop, this site has become known as the budget marketplace for stolen logs. Rather than focusing on premium access, it thrives on low-cost, high-volume sales. Individual log packages are often priced between $5 and $25, making them accessible to a wide spectrum of buyers. 2easy's persistence highlights the democratization of cybercrime. Criminals no longer need large budgets to obtain working credentials, just a few dollars.

BriansClub

BriansClub is a long-running carding shop, best known for selling stolen credit card ‘dumps’ and CVVs. Despite a 2019 breach (and law enforcement action) that exposed millions of its records, the shop has remained active and continues to attract buyers in 2025.

Estimates before the breach suggested a nine-figure annual turnover and, while its exact scale today is harder to verify, it remains one of the most recognisable carding brands.

Other markets include Abacus market, BidenCash, Exploit, Exodus Marketplace and more.

The diffusion of dark web marketplaces

With the rise of encrypted communication apps, such as Telegram and even Discord, some of the trade previously undertaken on the dark web has ‘surfaced’ to the unindexed deep web. Channels such as CrdPro Corner, AsCarding Underground and Daisy Cloud are flourishing on Telegram, with thousands of users in each channel trading everything from logs to bots. These channels often operate as subscription services, providing fresh dumps of material daily.

How to keep track of evolving darknet marketplaces

There are various active dark web marketplaces. One of our data providers estimates there are approximately 20 active, leading dark web marketplaces and dozens of smaller, additional marketplaces. With the diffusion to the unindexed deep web, this number becomes even greater.

Gaining access and monitoring these darknet marketplaces comes with a unique set of challenges. Firstly, they generally have short lifespans. This could be for a variety of reasons. For example, law enforcement might close them down; or, perhaps to help avoid this fate, they frequently change their domain address. It could even be because the admin implemented an exit scam, as happened with Empire Market, where the admin team is estimated to have made off with approximately $30 million worth of Bitcoin in August 2020. Almost none of the marketplaces featured in the 2020 version of this article are in existence now.

Due to this short lifespan, security professionals need to constantly be on the lookout for the next big marketplace. However, because of the illicit nature of the dark web, many websites don’t want to be found; as such, there is no easy way to navigate the dark web. Each website can be thought of as an independent silo. Darknet websites rarely, if ever, link to one another. To find forums and marketplaces on the dark web, as well as in the deep web, you need to know what you’re looking for and how to look for it.

Finally, once the relevant sites have been located and access gained, there is still the serious challenge of monitoring the dark website to gather usable intelligence effectively. Doing this manually requires vast amounts of resources; however, you also can't simply scrape the website, as such activity can quickly get you banned from a site.

This is where Open Source Intelligence (OSINT) tools like Signal come in.

The role of OSINT tools when monitoring the dark web

OSINT tools allow security professionals to effectively and efficiently monitor the surface, deep and dark web. Using Signal, you can create targeted searches with Boolean logic and run the results through intelligent filters powered by our advanced AI. The process can be automated with real-time SMS and email alerting.

This reduces the need for skilled professionals to spend all their time manually monitoring the entire web and assessing the associated risks. Additionally, it reduces the inherent risk of accessing criminal forums and marketplaces. Instead, security professionals get hyper-relevant alerts that can quickly be assessed and acted upon without ever actually having to go onto the dark web or painstakingly gain access to marketplaces.

This approach is vastly more time-efficient and allows you to put your web monitoring on autopilot, reducing costs while simultaneously increasing efficacy. As cybercriminals embrace new technologies, it’s becoming increasingly necessary for security professionals to do the same to stay ahead.

Increase the scope of your monitoring ability and the overall amount of hyper-relevant intelligence at your fingertips. Gather actionable intel in real-time.

Corporate Security | Ben Luxon

The Threat of Doxing to Organizational Security

Organizational doxing is on the rise and can be immensely damaging, exposing company secrets and customer data, or more directly exposing executives to new levels of threats.

What is Doxing?

The term itself originates from the phrase “dropping docs” and was later shortened to “docs” and then “dox”. As the original term suggests, doxing is when someone collects and then shares information about another person or organization.

There are numerous reasons someone might dox someone else or be the victim of doxing. It could be for revenge or a personal grudge; a disgruntled ex-employee might target their previous employer, for example. In 2014, Sony was the victim of a doxing attack backed by, experts believe, the North Korean government after the company released a film that made fun of North Korea’s leader. Other motivations include harassment and cyber-bullying, vigilante justice (for example, exposing neo-Nazis), and doxing for financial gain.

Doxing Strategies and Goals

Traditionally, doxing started with an online argument escalating to one person digging out information on their adversary and sharing it online. More recently, though, doxing has become more of a cultural tool, with hackers taking down people or groups with opposing ideologies. When it comes to organizations, threat actors have been known both to target an organization’s reputation and to use information gained through a doxing attack to extract financial reward.

For example, in one case an employee at a bank was blackmailed after a doxing attack into using his position at the bank to steal over $100,000 from customers for his blackmailers.

The fallout is generally reputational, with the victim suffering online abuse such as death threats against them and their family as a result of the newly shared information. However, on occasion, the fallout can be significantly worse. There have been examples of mobs dishing out physical vigilante justice after a person’s information, such as an address, was shared online.

There are numerous ways you can be identified online. By following ‘breadcrumbs’ of information, a dedicated doxxer can assemble an accurate picture of a person, even if they were using an alias. The kind of details they might look for include full name, current address, email address, phone number and so on. Additionally, some doxxers might buy information from data brokers.

IP/ ISP Dox

There are various methods that can be used to locate your IP address, which is linked to your location. With just your IP address, a doxxer could then use social engineering tactics against your Internet Service Provider (ISP) to discover the information they have on file, such as:

  • Your full name

  • Email address

  • Phone number

  • ISP account number

  • Date of birth

  • Exact physical address

  • Social security number

This requires the doxxer to go through a dedicated process, which may not even work. However, it is just one strategy they can employ, and even if they are unable to gather further information through a gullible ISP worker, they still have the first parts of the puzzle: your IP address and a rough location.

Doxing with Social Media

If your social media accounts are public then anyone can view them. Often things a threat actor can find out include your location, place of work, your friends, your photos, some of your likes and dislikes, places you’ve been, names of family members, names of pets, names of schools you attended, and more.

With this kind of information, they can then find out even more about you, or even discover the answer to your security questions helping them break into other accounts such as your online banking.

As such, it is recommended to keep your social media profiles private and, if you use multiple online forums, to use a different name and password for each to help prevent doxxers from compiling information from across multiple online forums and social media sites.

Data Gathered through Brokers

Data brokers on the internet collect information from publicly available sources and then sell the data for profit. Generally speaking, they sell this data to advertisers - if you’ve ever found yourself randomly receiving emails from companies you’ve never heard of before, this is why. However, for a doxxer it could be an easy way to start building a detailed profile of their target.

How Might Doxing be Used Against Your Organization?

For organizations to be successful with their media strategies they necessarily need to share relevant information and regularly engage with their customers through social media channels. This provides a substantial opportunity for doxxers.

By combining publicly-available data with basic attack techniques, such as phishing campaigns or credential stuffing, malicious actors can uncover large quantities of supposedly secure data. For consumers, exposed information could lead to identity theft or public shame. Meanwhile, companies face the prospect of large-scale reputation damage or lost revenue if proprietary project briefs or intellectual properties are leaked to the public.

Additionally, doxing can be used as an incentive to expedite the resolution of ransomware attacks. This is where the cyber attacker threatens to release documents or information to the public should their target not pay the ransomware fee promptly. This adds to already serious financial implications.

How Can you Prevent Doxing?

Unfortunately, it's nearly impossible to completely remove personally-identifying information from the internet, especially parts which are part of public records. Still, there are some tips to reduce your attack surface.

Keep your profiles private 

People and organizations do have a lot of say as to what gets published on the internet. Make sure to practice general data privacy best practices.

  • Avoid posting identifying information

  • Keep all social media settings at the most private level, and don't accept friend requests from people you don't know

  • Change the settings on Office and your phone's photo app so personal info isn't embedded in those files

  • Use a "burner" email address for signing up for accounts when possible.

  • Set the ‘whois’ records on any domains you own to private

  • Ask Google to remove personally available information about you, and request the same from data broker sites
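One concrete way to act on the tip about personal information embedded in files, added here as an illustration rather than code from the post or from Signal: the Python below walks a JPEG’s marker segments and drops the ones that carry Exif, XMP or comment data (the places where camera GPS coordinates, device serials and free-text notes live), keeping only what a decoder needs. The JPEG it operates on is constructed inside the script so that it runs offline; the GPS pointer tag and the comment text are placeholder values, not taken from any real file.

```python
"""Strip Exif/XMP/comment metadata from a JPEG by walking its marker segments.

Added example (not from the post or from any product). Parsing stops at the
SOS marker; the entropy-coded image data after it is copied through untouched.
"""
import struct

SOI, EOI, SOS, APP0, APP14, COM = 0xD8, 0xD9, 0xDA, 0xE0, 0xEE, 0xFE


def iter_segments(data):
    """Yield (marker, start, end) byte ranges for each segment up to and including SOS.

    Everything from the SOS marker to the end of the file is treated as one opaque range.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            yield marker, pos, len(data)
            return
        if marker == EOI:
            yield marker, pos, pos + 2
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length counts itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length
    raise ValueError("file ended before SOS/EOI")


def segment_names(data):
    """Human-readable list of segments, e.g. ['APP0:JFIF', 'APP1:Exif', 'COM', '0xDA']."""
    names = []
    for marker, start, end in iter_segments(data):
        if 0xE0 <= marker <= 0xEF:
            # APPn payloads normally begin with a NUL-terminated identifier (JFIF, Exif, ...)
            ident = data[start + 4:end].split(b"\x00", 1)[0][:12].decode("latin-1", "replace")
            names.append(f"APP{marker - 0xE0}:{ident}")
        elif marker == COM:
            names.append("COM")
        else:
            names.append(f"0x{marker:02X}")
    return names


def strip_metadata(data):
    """Return a copy with every APPn segment except APP0 (JFIF) and APP14 (Adobe colour
    transform) removed, plus every COM segment. Quantisation, Huffman and frame headers stay."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in iter_segments(data):
        is_app = 0xE0 <= marker <= 0xEF
        drop = (is_app and marker not in (APP0, APP14)) or marker == COM
        if not drop:
            out += data[start:end]
    return bytes(out)


def make_segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def sample_jpeg():
    """Constructed test file: SOI, JFIF APP0, an Exif APP1 pointing at a GPS IFD, a COM,
    then a minimal SOS header, three bytes of fake scan data and EOI."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    # Little-endian TIFF header + one IFD entry: tag 0x8825 (GPSInfoIFDPointer), placeholder offset
    tiff = (b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 1)
            + struct.pack("<HHII", 0x8825, 4, 1, 26) + struct.pack("<I", 0))
    exif = b"Exif\x00\x00" + tiff
    comment = b"taken at home, 12 Example Street"  # placeholder text
    return (b"\xff\xd8" + make_segment(APP0, jfif) + make_segment(0xE1, exif)
            + make_segment(COM, comment) + make_segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x00\x01\x02" + b"\xff\xd9")


if __name__ == "__main__":
    original = sample_jpeg()
    cleaned = strip_metadata(original)
    print("before:", segment_names(original))
    print("after: ", segment_names(cleaned))
```

Dropping the Exif APP1 also removes the embedded thumbnail that many cameras store there, which can show the uncropped original of an edited photo; that is usually what you want when the goal is to publish as little as possible. Re-encoding with an image library is the other common approach, but it recompresses the pixels, whereas segment removal is lossless.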

Implement Safe Browsing Measures

These steps are good internet hygiene in any case, but can also prevent a breach that can lead to your info being exposed to a potential doxxer:

  • Use a VPN, especially when using insecure public Wi-Fi networks

  • Switch to a secure email system with built-in encryption

  • Vary your usernames and passwords

Self-Doxing

Humans remain the weakest link in the security chain. In most cases, malice isn’t the problem or the intent when someone lets a threat actor in. Instead, employees overshare personal data on corporate platforms by accident or use insecure third-party applications. In both cases, however, following the breach and identifying the potential compromises is difficult when IT teams start from the side of defenders.

By flipping the script and looking at your organization from the view of a potential doxxer, it becomes easier for IT and security teams to spot key areas of weakness. They can then develop strategies and staff training programs to protect against them.

Final Words

Doxing represents a growing threat to organizations and individuals. However, by self-doxing with security intelligence gathering strategies, security teams can create accurate attack surface maps. With this intelligence, they can then enhance threat modelling and deliver actionable insights to staff to reduce overall risks.

Using OSINT software like Signal you can learn about potential threats as or before they occur, learn about potential exploits targeting your organization, and self-dox to help identify weaknesses and shore-up defences.

Social Media Monitoring | Ben Luxon

Leveraging Telegram as a Data Source for Open Source Intelligence

Conversations on public Telegram groups can offer valuable insights into ongoing and potential criminal activity, making it a valuable data source for security professionals.

People are increasingly aware of how their data is accessed and used, whether this is the security of their private conversations, their online browsing history, or even Personal Identifiable Information (PII). With this increase in consciousness for data privacy, chat applications have had to promise better encryption and anonymity if they are to compete.

As such, over the last few years new chat apps with a primary USP of better privacy have hit the market. This includes the likes of Telegram and Discord. The anonymity and data security offered by these apps have quickly made them popular with both legitimate users and criminals. On Telegram, you don’t have to look too hard to uncover conversations around the sale of illicit goods, examples of extremist views and hate speech, the trading of PII, and more. It’s also worth noting that many marketplaces and forums on the dark web also have chat groups on Telegram.

Many of the groups and channels on apps like Telegram are open to the public, allowing users to easily reach a large potential market relatively risk-free. Not all groups, though, are open to the public, making it substantially harder for security professionals and law enforcement to monitor these channels successfully.

However, with a tool like Signal, you can view and monitor data from many of these closed communities and hard to access groups easily and efficiently.

About Telegram

Telegram is a messaging app that was launched in 2013. It focuses on supplying a fast, free and, above all, secure messaging service. The chat app has end-to-end encryption and several other features which add to its perceived security. These features include “secret chats” which store data locally, a timer for messages to self-destruct after a specified time, notifications of screenshots, and the fact that messages in secret chats can’t be forwarded. Its main USP is to provide a service where data is protected from third parties, including any curious government or security agencies.

Unlike other chat apps, Telegram promotes itself as providing its users with full anonymity, including the ability to set up a unique username and make your phone number private. It’s because of these security features, as well as the offered anonymity, that the application quickly became a popular choice for criminal communications.

How Can You Leverage Data from Telegram for OSINT?

There are various channels and groups on the Telegram app in which illicit and criminal activity is discussed or undertaken. This ranges from the sale of illegal goods, stolen data, to planning physical attacks on an organization or individual.

For example, in the group “Carders” on Telegram, a group with over 5,000 members, you can find stolen credit card details, including full numbers and CVV codes. This chat group is linked to an online shop, getbette.biz (which was taken down in early 2020). Most of the conversations in this group revolve around some form of financial fraud, whether that’s leaked card details or the sale of PII.

On other Telegram groups, you can find details for hacked personal accounts like Netflix, Disney Plus, Amazon Prime etc. These logins might be sold for a variety of reasons, such as credential stuffing, or for personal use.

It’s not just dealing in illegally obtained data though. Telegram is used for a broad variety of purposes. A particularly popular one is the sale of drugs. Narcotic Express DE is one such group. With close to 1,000 members, this German group is a closed group which focuses on the purchasing, sale and distribution of drugs. 

Closed groups cannot be found in a search within the app or in the dedicated Telegram search engine; instead, you have to be invited and sent a link by another user in the group. In addition, users can only see posts, not post themselves into the group.

Other examples of leveraging Telegram as a data source include monitoring for:

  • Hate speech and death threats,

  • Hacking services for sale,

  • Exploit kits,

  • Data breaches,

  • Hate groups.

Using Telegram as an OSINT Source

As outlined above, there are plenty of conversations of interest that happen through the Telegram app and its various groups. These groups can offer insight into criminal activity and better enable organizations to protect their assets and staff from emerging threats. For example, you might find information on a recent data breach through the app. Having this early knowledge of the breach is essential for mitigating costs.

However, as with any potential data source, it’s not a case of simply downloading the app. Efficiently scanning and monitoring the platform for potentially relevant information requires the right tools.

First, groups like Narcotic Express DE are closed groups, meaning locating and gaining access to them is a challenge in itself. Secondly, with features such as message self-destruct, constant surveillance is necessary. These challenges mean time and resources need to be devoted to this specific channel, time and resources that might be better spent elsewhere.

Using an OSINT tool gives users the ability to access and utilize hard-to-reach data sources like Telegram. Data from Telegram is gathered by our data provider Webhose, which continuously scrapes the publicly available data from both open and harder-to-access closed groups. Signal users can set up searches with Boolean logic, selecting Telegram as one of the data source options available.
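The Boolean-search-plus-alert workflow described here, and in the dark web monitoring post above, comes down to compiling each query once and evaluating it against every collected message, raising an alert on a hit. The Python below is an added illustration of that mechanism and is not Signal’s code: the query grammar (AND, OR, NOT, parentheses and quoted phrases, with AND binding tighter than OR), the watchlist names and the sample messages are all constructed for the example.

```python
"""Boolean watchlist evaluation over collected messages (added example, not Signal's code)."""
import re
from dataclasses import dataclass

# Tokens: parentheses, "quoted phrases", or bare words (no quotes or parentheses inside).
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')


@dataclass
class Alert:
    query_name: str
    source: str
    text: str


def tokenize(query):
    return TOKEN_RE.findall(query)


def parse(tokens):
    """Recursive-descent parser producing a tree of tuples.

    expr   := term ("OR" term)*
    term   := factor ("AND" factor)*
    factor := "NOT" factor | "(" expr ")" | keyword
    """
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def expr():
        nonlocal pos
        node = term()
        while peek() is not None and peek().upper() == "OR":
            pos += 1
            node = ("or", node, term())
        return node

    def term():
        nonlocal pos
        node = factor()
        while peek() is not None and peek().upper() == "AND":
            pos += 1
            node = ("and", node, factor())
        return node

    def factor():
        nonlocal pos
        tok = peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        if tok.upper() == "NOT":
            pos += 1
            return ("not", factor())
        if tok == "(":
            pos += 1
            node = expr()
            if peek() != ")":
                raise ValueError("missing ')'")
            pos += 1
            return node
        if tok == ")":
            raise ValueError("unexpected ')'")
        pos += 1
        return ("kw", tok.strip('"').lower())

    tree = expr()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return tree


def evaluate(node, text):
    """Case-insensitive substring matching; `text` must already be lower-cased."""
    kind = node[0]
    if kind == "kw":
        return node[1] in text
    if kind == "not":
        return not evaluate(node[1], text)
    if kind == "and":
        return evaluate(node[1], text) and evaluate(node[2], text)
    return evaluate(node[1], text) or evaluate(node[2], text)


def run_watchlist(watchlist, messages):
    """Compile every query once, then test each collected message against all of them."""
    compiled = {name: parse(tokenize(query)) for name, query in watchlist.items()}
    alerts = []
    for msg in messages:
        text = msg["text"].lower()
        for name, tree in compiled.items():
            if evaluate(tree, text):
                alerts.append(Alert(name, msg["source"], msg["text"]))
    return alerts


# Constructed watchlist: a brand-protection query and an executive-doxing query (placeholder names).
WATCHLIST = {
    "brand_creds": '"acme corp" AND (logs OR credentials OR combo) AND NOT hiring',
    "exec_doxing": '("jane doe" OR "j. doe") AND (address OR phone OR "lives at")',
}

# Constructed sample messages standing in for scraped Telegram and forum posts.
MESSAGES = [
    {"source": "telegram", "text": "Fresh stealer logs dump incl. Acme Corp employee portal creds, DM for price"},
    {"source": "telegram", "text": "Acme Corp is hiring security analysts; credentials required: CISSP"},
    {"source": "forum", "text": "anyone got Jane Doe home address? will pay"},
    {"source": "news", "text": "Storm warning: port closures expected this weekend"},
]

if __name__ == "__main__":
    for alert in run_watchlist(WATCHLIST, MESSAGES):
        print(f"[{alert.query_name}] {alert.source}: {alert.text}")
```

The NOT clause is what keeps the second Acme message (a job advert) from paging anyone; tuning those exclusions against real traffic is most of the work in keeping an alert feed hyper-relevant rather than noisy. In a real deployment the alert list would feed the SMS/email step rather than print.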

Corporate Security | Ben Luxon

12 of the Biggest Ransomware Attacks of 2020

Ransomware can cost an organization millions and often the victim has no alternative but to pay. In this article, we look at 12 of the biggest ransomware attacks that occurred in 2020.

Ransomware is a form of malware which is installed on a victim’s device or devices with the main objective of seizing and/or locking away sensitive data. As the name suggests, in order for a victim to regain access to their data and systems they need to pay a ransom. More often than not, the two options a victim is presented with when they succumb to a ransomware attack are to either rebuild their systems from scratch and potentially have the attacker leak the data online, or pay up.

As such, it’s unsurprising that, in our increasingly digital age with more and more data in the cloud, both the number and the success of ransomware attacks are on the rise. Approximately 58% of ransomware victims paid in 2020, compared to 39% in 2017.

Ransoms for these kinds of attacks range from a few hundred dollars to thousands or even millions of dollars, payable in cryptocurrency such as Bitcoin. In return for the payout, the attackers will release a decryption key allowing the organization to return to business. Certain industries, such as government organizations and hospitals, are more susceptible to ransomware attacks because the work they do is often time-sensitive. For example, a ransomware attack crippled a hospital in Germany, leading directly to one patient’s death.

There are numerous strategies that ransomware attackers employ to gain access to a victim’s database. One of the most common, though, is social engineering tactics, such as phishing emails. Cybercriminals can make these emails look exactly like trustworthy emails from official sources, tricking victims into downloading compromised software onto their device.

Because of the nature of social engineering tactics and the evolving cyber threat landscape, no organization can ever be fully secure from malware threats. Below we outline 12 of the biggest ransomware attacks that occurred in 2020.

12 Ransomware Attacks that Happened in 2020

1. ISS World

Estimated cost: $74 million 

In February of 2020 ISS World, a Denmark-based company, went down due to a ransomware attack. Thousands of employees were left without access to their systems and emails. This cost them an estimated $74 million, which includes regaining control of the affected IT systems and re-launching critical business systems.

2. Cognizant

Estimated cost: $50 million

A ransomware attack on the organization Cognizant in April of 2020 is said to have cost the company over $50 million, potentially as much as $70 million, including legal and consultation costs and data recovery costs, along with the financial loss reflected in its second-quarter earnings in 2020.

3. Sopra Steria 

Estimated cost: $50 million

Sopra Steria revealed that it was hit by hackers using a new version of the Ryuk ransomware in October.

The company estimates that the fallout, including dealing with the various systems that went out of action, is likely to have a gross negative impact on operating margin of between €40 million and €50 million.

4. Redcar and Cleveland Council 

Estimated cost: $14 million

Redcar and Cleveland Council in the UK suffered an attack on its systems in February 2020, costing the council an estimated $14 million. The ransomware attack is said to have disrupted the council’s network, tablets, computers and mobile devices for three full weeks. In March the council announced that a full recovery could take months and estimated the overall costs at between $14 million and $21 million.

5. Software AG

Estimated cost: $20 million

Software AG is the second-largest software vendor in Germany. It was reportedly hit with the Clop ransomware in an attack in October 2020. The company disclosed that the attack disrupted part of its internal network but didn’t affect customer services. The cybercriminal group responsible demanded a $23 million ransom.

7. Travelex

Estimated cost: $2.3 million

Travelex, the money exchange firm, was reported to have been hit with a file-encrypting malware attack which shut down its internal networks, website and apps for several weeks. Reportedly, Travelex paid a ransom of $2.3 million in Bitcoin to the attackers to regain access to its data and restore services.

8. University of California San Francisco (UCSF)

Estimated cost: $1.14 million

In June 2020 UCSF was targeted by a malware attack which encrypted servers used by the school of medicine, impacting students. The ransomware was prevented from spreading to the core UCSF network and causing more damage. The authorities negotiated with the cybercriminals and UCSF ended up paying approximately $1.14 million of the $3 million ransom demanded.

9. Shirbit Insurance 

Estimated cost: $1 million

After a cyberattack on the Israeli insurance provider Shirbit in December 2020, the attackers demanded roughly $1 million in Bitcoin. To pressure the company into paying, they demanded immediate payment or the ransom would increase, doubling after 24 hours. Additionally, to show these weren’t empty threats, they dumped the first 300 records online, threatening to dump additional records every 24 hours until they received payment.

10. Communications and Power Industries

Estimated cost: $500,000

California-based Communications & Power Industries (CPI) makes components for military devices and equipment, like radar, missile seekers and electronic warfare technology. The company counts the U.S. Department of Defense and its advanced research unit DARPA as customers. Reportedly, CPI paid $500,000 to obtain the decryption key to unlock its servers and restore services.

11. Grubman Shire Meiselas & Sacks 

Estimated cost: $365,000

Grubman Shire Meiselas & Sacks is a law firm that specializes in media and entertainment law. Its clients include a range of A-list celebrities and, with such high-profile individuals on the line, the stakes were extremely high. The firm was targeted and its files encrypted by REvil ransomware. It agreed to pay an estimated $365,000; however, the attackers started demanding more afterwards and the firm has since kept quiet on what it has paid or is willing to pay.

12. Tillamook County 

Estimated cost: $300,000

Tillamook County in the US was hit by a cyberattack in January. The attack interrupted its email network, phone systems and website. After exhausting alternative options, the county estimated that restoring service would cost well over $1 million and take several years, and opted instead to pay the $300,000 ransom.


Keeping your data and organization secure

  1. Never click on suspicious links or any links attached in unsolicited emails. 

  2. Back up systems and data continuously. Create a separate backup on an external hard drive that is not connected to your computer, so that you don’t have to pay the ransom if a ransomware attack happens.

  3. Never disclose personal information over the phone or over email. 

  4. Educate employees on cybersecurity best practices and the social engineering tactics that may be used against them.

  5. Limit employee access to sensitive data to reduce attack surfaces.

OSINT Tools and Mitigating Costly Ransomware Attacks

Early warning of data breaches through OSINT tools can help organizations predict and prevent cyberattacks and take mitigating actions faster. While open-source intelligence tools can’t prevent ransomware on their own, they can help organizations reduce the risks and potential damages.

OSINT tools can be used by organizations to monitor their supply chains, allowing them to learn of potential disruptions in real-time and enabling them to implement contingency plans fast. 

Additionally, organizations can use tools like Signal to monitor for ransomware and malware currently in use. This can help security teams identify emerging threats being used against other organizations in their industry and better inform ongoing cybersecurity best practices.

Ultimately, by using OSINT to monitor darknet forums and marketplaces, security professionals are able to learn about the newest strategies being employed, the most recent weaknesses being exploited and the most current software being used. Armed with this knowledge they are much better placed to develop effective countermeasures and actively prevent ransomware infection.

Corporate Security Ben Luxon

How Monitoring Current Events Like the 2020 US Election Can Increase Organizational Security

Tensions around the US election are high for both ends of the political spectrum. There has been an increase in polarization and militarization and many Signal customers have expressed concern.

There are numerous threats that could evolve to seriously impact an organization, from natural disasters to acts of terror to targeted attacks on executives. Currently, though, tensions around the US election are high on both ends of the political spectrum. There has been an increase in the polarization of political views and even militarization of the public in recent months, and many Signal customers have expressed concern.

For many Americans this is seen as the most important election of their lives so far. Fears of voter fraud and voter suppression are rife, which is reflected in an unprecedented number of early votes: more than 90 million votes had already been cast a week before the election, more than two-thirds of all the votes cast in 2016.

Pair this with a deadly pandemic and a summer of protests, many of which became violent, and one can see the potential for civil unrest around a contentious presidency. To mitigate this risk, organizations need relevant intelligence as events unfold to ensure they take the necessary precautions to protect their employees and assets.

As such, we have created advanced tools to enable organizations to be alerted as early as possible to issues and current events, such as the election, where the possible fallout could have an impact on their employees and assets.

Monitoring Election Threats in Real-Time Using Signal OSINT

Using Signal, security teams can learn of events as they are happening or even before they happen, allowing effective response plans to be enacted and potential threats to be neutralised.

To do this, users create custom searches using Boolean logic to filter intel from key web sources such as social media, the open web and the dark web. Intel from these sources often acts as an early indicator, alerting Signal customers to potential issues in real time. The data can also be reviewed by our emotional analysis solution for increased data analysis efficiency.

Signal has real-time SMS and email alerting for high-risk threats so that companies can maximise available response time. Once alerted to potential risks the security team can form a final judgement on the threat level and decide whether action needs to be taken.
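The Boolean-logic filtering described above, as an added example that is not Signal’s code: a small recursive-descent evaluator for AND / OR / NOT, parentheses and quoted phrases, run over a handful of constructed sample posts (the query syntax, the post records and the sample text are all assumptions for this example).

```python
import re

# Constructed sample items standing in for posts collected from social media, forums
# and news feeds; none of these are real posts.
SAMPLE_POSTS = [
    {"id": 1, "source": "twitter", "text": "Protest planned downtown near the courthouse on election night"},
    {"id": 2, "source": "forum", "text": "Anyone selling election night party supplies?"},
    {"id": 3, "source": "imageboard", "text": "They should burn the courthouse down on Nov 3"},
    {"id": 4, "source": "news", "text": "Polls open at 7am; election officials expect long lines"},
]

# One token per match: "(" | ")" | "quoted phrase" | bare word. Operators are case-insensitive.
TOKEN_RE = re.compile(r'\s*(?:(\()|(\))|"([^"]*)"|([^\s()"]+))')
OPERATORS = {"AND", "OR", "NOT"}


def tokenize(query):
    tokens, pos = [], 0
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if m is None:
            if query[pos:].strip():
                raise ValueError(f"cannot tokenize near {query[pos:]!r}")
            break  # only trailing whitespace left
        pos = m.end()
        lparen, rparen, phrase, word = m.groups()
        if lparen:
            tokens.append(("LPAREN", "("))
        elif rparen:
            tokens.append(("RPAREN", ")"))
        elif phrase is not None:
            if not phrase.strip():
                raise ValueError("empty quoted phrase")
            tokens.append(("TERM", phrase.strip()))
        elif word.upper() in OPERATORS:
            tokens.append(("OP", word.upper()))
        else:
            tokens.append(("TERM", word))
    return tokens


def _and(left, right):
    return lambda text: left(text) and right(text)


def _or(left, right):
    return lambda text: left(text) or right(text)


class Query:
    """expr := term (OR term)*; term := factor+ (adjacent factors are ANDed, AND may be
    written explicitly); factor := NOT factor | '(' expr ')' | TERM."""

    def __init__(self, query):
        self.tokens = tokenize(query)
        self.pos = 0
        self.matches = self._expr()  # predicate: text -> bool
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()[1]!r}")

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _expr(self):
        node = self._term()
        while self._peek() == ("OP", "OR"):
            self._take()
            node = _or(node, self._term())
        return node

    def _term(self):
        node = self._factor()
        while True:
            tok = self._peek()
            if tok == ("OP", "AND"):
                self._take()
            elif tok is None or tok in (("OP", "OR"), ("RPAREN", ")")):
                return node
            node = _and(node, self._factor())

    def _factor(self):
        tok = self._take()
        if tok is None:
            raise ValueError("query ended unexpectedly")
        kind, value = tok
        if tok == ("OP", "NOT"):
            inner = self._factor()
            return lambda text: not inner(text)
        if kind == "LPAREN":
            inner = self._expr()
            if self._take() != ("RPAREN", ")"):
                raise ValueError("missing closing parenthesis")
            return inner
        if kind == "TERM":
            # whole-word, case-insensitive match so "poll" does not hit "pollution"
            pattern = re.compile(r"\b" + re.escape(value) + r"\b", re.IGNORECASE)
            return lambda text: pattern.search(text) is not None
        raise ValueError(f"unexpected token {value!r}")


def search(posts, query):
    """Return the posts whose text satisfies the Boolean query, in their original order."""
    q = Query(query)
    return [p for p in posts if q.matches(p["text"])]
```

The NOT clause is what cuts the noise: `"election night" NOT party` keeps the protest report and drops the party-supplies post.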


Final Words on Threat Monitoring with Signal

Threat monitoring isn’t just for events such as a contentious election. COVID-19, earthquakes, storms and other extreme weather events, and even threats of violence against specific executives, can all affect an organization. Signal OSINT software enables security teams to scan a vast number of surface, deep, and dark web channels and sources to gain real-time data on a broad array of emerging threats. 

Anonymous social media forums like 4chan or dark web forums are often where threat actors go to communicate and organize. And social media is often where you can learn of current events as they unfold. So whether it’s customer data for sale online, or an active shooter situation in-store, security teams armed with OSINT can quickly assess and respond appropriately to mitigate risks and damages.

Only when an organisation has a complete picture that incorporates the variety of potential risks and has invested in specific responses and contingency plans can it adapt as needed to mitigate the impact of extreme events.

Corporate Security Ben Luxon

LERTR: Advancing Data Breach Detection

Organizations need intelligent security practices and cyber habits if they want to mitigate potential damages through early data breach detection.

As threat actors continuously challenge the cyber defences of organizations, companies are increasingly forced to focus on improving cybersecurity practices. However, even the best cybersecurity teams with the largest budgets find it hard to stay ahead of the evolving threat landscape. And with more technology in use, a growing reliance on cloud storage and the Internet of Things (IoT), there is a growing potential for sensitive data to be exposed to threats. 

As such it’s unsurprising that data breaches, in spite of increased cybersecurity spending, are becoming more common and more expensive to deal with. Employees need intelligent security practices and cyber habits and companies need to be armed with the latest technology and tools for early data breach detection to gain the upper hand when combatting this ever-changing threat.

Data Breaches Need to be Caught Early

The average cost of a data breach in 2020, according to the IBM / Ponemon Institute report, was $3.86 million. However, there are plenty of examples where the costs have vastly exceeded this average, escalating into the hundreds of millions or even billions. For example, the Equifax data breach in 2017 cost Equifax $1.7 billion in the end. In another high-profile example, Facebook eventually settled on a fine of $5 billion after its ‘privacy misstep’ involving Cambridge Analytica. This bill doesn’t include the additional costs and expenses that Facebook has accrued in the development and expansion of its cybersecurity and privacy departments, nor does it account for the reputational damage it suffered.

While costs at these extremes are rare, data breaches in general are not. The IBM report goes on to analyse particular subsets of the data, noting that the worst-impacted sector is healthcare, with an average data breach cost exceeding $7 million, and that the average time taken for an organization to identify and contain a data breach was an astonishing 280 days, over 9 months. This is in spite of significant evidence that the speed of containment has a significant impact on the overall data breach cost, which if left unchecked can linger for years after the incident.


How to Prevent Data Breaches

As with many of these things, prevention is often the best policy.

Data Breach Prevention #1: Have Clear Security Protocols 

Every employee should know, understand and be able to abide by strict security protocols to keep company data secure and thwart social engineering tactics. Having protocols is one of the best ways to help prevent data theft by ensuring unauthorized personnel do not have access to data. 

Data Breach Prevention #2: Safeguard Against Human Error

Many data breaches are the result of an employee error. This could be anything from downloading a document off of an illegitimate website, social engineering tactics or even outright blackmail. Employees should only have access to the information that is vital to their particular roles within the company. Those with higher level access should accordingly have higher levels of cyber security training and understanding.

Data Breach Prevention #3: Improved Password Protection

Having strong, unique passwords is the first line of defence against any cyberattack. However, nobody, whether they are a high-level executive or not, is going to be able to remember a dozen or more 12-character passwords that use special characters, letters and numbers. Make sure that 2FA is enabled on all logins, and use a password manager (with 2FA enabled) to auto-generate and save complex passwords and ensure the highest levels of password security are enabled.


Data Breach Prevention #4: Update Security Software Regularly

Companies should use high-quality antivirus software, an anti-spyware program and a firewall. Additionally, these programs should be regularly updated to keep them free from vulnerabilities.

Data Breach Prevention #5: OSINT for Dark Web Forums

By monitoring dark web forums and other chat rooms you can learn of planned attacks and potential exploits, and even find exploit kits being sold online. This gives a good indication of the access methods which have been discovered, allowing you to implement a patch quickly to prevent their use.

The Tools for Early Detection of Data Breaches: LERTR

Having the right tools is vital if an organization wants to prevent or mitigate the threat of data breaches. Using an OSINT platform like Signal allows security teams to efficiently monitor the surface, deep and dark web for details or indications of potential and past data breaches. For example, you might find exploit kits targeting a vulnerability specific to your company. This would allow you to prepare a patch for this vulnerability before it was exploited.

Additionally, hackers might discuss strategies or plans around an upcoming data breach attempt on a dark web forum. Forewarned, you have a better chance of catching and preventing the attempt. However, prevention isn’t always possible. For those scenarios where you do face a data breach you want to discover it as quickly as possible to mitigate the potential damage and limit the costs.

To this end we have integrated with Webhose to advance our early data breach detection capabilities. Additionally, we have launched LERTR, a cyber-specific OSINT platform.


Automate Intelligence

With powerful tools at hand you can spend less time searching data and more time planning and implementing responses.


Be the first to Know

Defend against future attacks with relevant, actionable intel. Be the first to know about compromised data and control the damage.


Better Risk Protection

With improved risk protection you will be the first to know if an event that threatens your brand occurs, enabling you to stay ahead.


Final Words

Data breaches are increasingly common and expensive. Effective preventative measures need to be put in place and maintained to limit threats. However, even the best defences can fall to a determined threat actor. As such, organizations need to ensure they have all the tools not only to prevent data breaches, but also to detect them early and contain them quickly should one occur.

Signal is a powerful OSINT tool which allows users to create searches using boolean logic enhanced with NLP, with which security teams can efficiently monitor online activity to detect threats as or even before they emerge.

Signal Product Ben Luxon

How can 4chan be Used as a Data Source for Security Intelligence?

4chan is just one of the data sources you can monitor using Signal. You can find conversations by alt-right groups, threats of violence against a person, organization or group, and more, which makes it a valuable data source for security professionals.

What is 4chan?

4chan is one of the largest English-language image boards on the open web. It has over 900k new posts per day and some 27 million active monthly users.

What makes it a unique social platform is that users can choose to remain anonymous. They don’t even need to create an account to access and engage with content on the platform. As an added security measure, posts time out after a period, so they can’t be checked and referenced by security teams, users or law enforcement at a later date unless found and archived by an independent data-gathering source.

There is a wide range of topics hosted on the platform, from Japanese culture, to politics, to adult content. Because of the anonymity allowed, as well as a very limited moderation by the site owners, 4chan has a large amount of illicit content and activity. This activity includes cyberbullying, child pornography, harassment, violent threats, racism and extremist ideologies. 

Despite this, it’s important to note that there is nothing inherently bad about the platform, just as there is nothing inherently bad about the dark web, and many users use it for legitimate purposes, such as its original intent: the exploration and discussion of the Japanese film and television animation style, anime. In fact, like Reddit, many influential memes have originated from the platform, such as ‘lolcats’ and ‘chocolate rain’. As such it has historically been an important driving force behind the development of internet culture.


Bottom line: 4chan is a forum whose original purpose was the discussion of anime and Japanese culture. Users don’t need to have an account or sign up with a name, there is little moderation, and posts are deleted from the server after a period, so there are few consequences. With this format, people can and do say just about anything on the platform.

How can 4chan benefit your organization as a data source?

The anonymity offered by the channel means users feel comfortable talking openly and they do so around a wide range of subject matters and people. For example, under the political forum /pol/ you can find examples of alt-right groups, threats of violence against a person, organization or group, and racist behaviour.

The range of topics discussed and the freedom with which individuals and groups openly discuss them can give security teams and law enforcement an idea of emerging trends as well as be one of the first places that death threats or threats of violence against individuals and organizations can be found. In the past, terrorist manifestos have also been posted on the channel. These discussions can indicate when an event is going to evolve into a tangible threat and give security teams a heads up to prepare and mitigate the potential threat.

Additionally, there are groups and individuals on the channel, such as the members of Anonymous who have turned their online attention, for right or wrong, to intelligence gathering on people and organizations. Often, 4chan is one of the first places they share their findings. For example, they might uncover and share personal details about a CEO such as their address, medical records and details of their family.

Why use Signal for monitoring 4chan?

One of the key problems with any form of online intelligence reconnaissance is the quantity of data you need to assess to get even the smallest tidbits of potentially useful information. 4chan has this problem in spades, with over 3.5 billion posts. And these posts are transient: the more R-rated the post, the shorter its existence. This means relevant security intelligence on the 4chan platform might only be public for a couple of days. To gain real insights into the channel you need to be constantly and efficiently monitoring with real-time alerts.

4chan is just one of the data sources you can monitor using Signal though. You can simultaneously monitor the open, deep, and dark web including forums like Reddit and chatrooms like Telegram. Our system allows you to create tailored keyword-driven searches with boolean logic which is assisted by our machine learning and language processing AI to efficiently gain intel on hyper-relevant, new and emerging threats.

Emergency Management Ben Luxon

The Pivotal Role of OSINT for Effective Emergency Management

If an organization wants to prepare an effective response to an evolving threat landscape and better protect both their assets and employees they need to have effective intelligence for emergency management.

An emergency incident can happen at any time, often with very little warning. If an organization wants to prepare an effective response to an evolving threat landscape and better protect both their assets and employees they need to have efficient mitigation and response measures in place. 

Data and intelligence form a pivotal role in emergency management. They allow security and event management teams to discover threats and accurately assess the associated risk levels. With this knowledge, they can enact an appropriate response to remove employees from harm’s way and prevent potential damages to the organization.


Data Performs a Vital Role in Emergency Management 

Some of the ways data and intelligence gathered using Signal OSINT can be used include:

  • Better Situational Awareness. Save time and lives by rounding out your situational awareness with commentary, photos and videos posted online by the public and media.

  • Misinformation Management. Catch and manage the spread of misinformation in real-time before it spreads to the public and puts lives at risk, wasting precious time and resources.

  • Improved Agency Collaboration. Get a better view of what other agencies are doing during an emergency to ensure you allocate people effectively.

  • Geo-targeted Risk Assessment. Keep an eye on areas of interest, such as near a location of an event you’re hosting, and watch for disruptions such as extreme weather or terrorist threats near your offices.

Threats, Hazards, and Risks

There are three main types of threats and hazards. First, natural hazards. These include extreme weather such as hurricanes, earthquakes and wildfires, which can cause extensive disruption to a business. Such events are often seasonal, and organizations should monitor for them during high-risk months.

Secondly, technological hazards. These include power outages and infrastructure failures. For example, your business might be affected by your internet provider going down temporarily, or transport links might be disrupted meaning employees are unable to get to work. 

And thirdly, man-made hazards. These include cyber-attacks and data breaches, terrorist threats or threats against assets or executives. These can happen at any time, however, often you can find indications on data sources such as darknet forums before the event.


The Importance of Assessing Risks Appropriately

The more data and information you have, the more accurately you can assess the risk level of an emerging threat. For example, you might use Signal to set up real-time alerts on an evolving threat like spreading wildfires. This allows you to continually reassess and determine in a timely manner when or if you need to take action to ensure your staff are removed from harm’s way. However, there is a fine balance between under- and over-protection.

The Risk of Over-protection

Over-protection is when you initiate responses either too early or too extreme. Erring on the side of caution is always a good idea when it comes to protecting employees; however, it can be costly and inefficient.

Over-protection is often caused by the following:

  • Personal interpretation of the threat level.

  • Not having enough data to form an accurate assessment.

  • Not having enough alert levels to allow a staged escalation of measures appropriate for the evolving risk level.

The Risk of Under-protection

Just as with over-protection, under-protection will inhibit the effectiveness of your emergency management response. It can place employees unnecessarily in harm’s way and means you will be unable to respond appropriately to a threat. The end result of under-protection is invariably higher than necessary associated costs.

To prevent under-protection there are several things that an organization can do:

  • Provide clear guidance on the risk levels of certain threats and make escalating the response easy to implement.

  • Continually assess and reassess the evolving threat landscape and update your alert level guidance accordingly.
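The staged alert levels, corroboration and reassessment discussed above, as an added worked example (not Signal’s code or method): an evidence score built from the latest report per source within a radius, stepped through four assumed alert levels with separate escalation and release thresholds so one unconfirmed post raises an advisory rather than a full response, and a confirmed bulletin escalates it. The thresholds, the Report fields and the wildfire timeline are constructed for this example.

```python
from dataclasses import dataclass

LEVELS = ["MONITOR", "ADVISORY", "PREPARE", "ACT"]

# Assumed thresholds (constructed for this example, not from the article): the evidence
# score at which each level is entered on the way up, and the lower score at which it
# is released on the way down, so a single noisy report cannot bounce the response.
ESCALATE_AT = {1: 1.0, 2: 2.5, 3: 4.0}
RELEASE_AT = {1: 0.5, 2: 1.5, 3: 3.0}


@dataclass
class Report:
    source: str         # who reported it, e.g. "twitter", "local_news", "fire_service"
    severity: int       # 1 minor disruption .. 3 life-threatening (analyst-assigned)
    confidence: float   # 0..1, trust placed in this source for this kind of event
    distance_km: float  # distance from the office or asset being protected


def threat_score(reports, radius_km=25.0):
    """Evidence-weighted score for one point in time.

    Only reports inside the radius count, and only the latest report from each distinct
    source, so ten reposts of one rumour do not outweigh one confirmed official bulletin."""
    latest = {}
    for r in reports:
        if r.distance_km <= radius_km:
            latest[r.source] = r.severity * r.confidence
    return round(sum(latest.values()), 2)


def next_level(current, score):
    """Step the alert level up or down from the current one according to the thresholds."""
    level = current
    while level < len(LEVELS) - 1 and score >= ESCALATE_AT[level + 1]:
        level += 1
    while level > 0 and score < RELEASE_AT[level]:
        level -= 1
    return level


def run_scenario(timeline, start_level=0):
    """timeline: list of (label, reports currently in hand). Returns (label, score, level) per step."""
    history, level = [], start_level
    for label, reports in timeline:
        score = threat_score(reports)
        level = next_level(level, score)
        history.append((label, score, LEVELS[level]))
    return history


# Constructed wildfire scenario near an office. Each step holds the reports currently in hand.
WILDFIRE_TIMELINE = [
    ("08:00 single social post about smoke",
     [Report("twitter", 2, 0.3, 15.0)]),
    ("09:30 local news confirms a fire",
     [Report("twitter", 2, 0.3, 15.0), Report("local_news", 2, 0.6, 15.0),
      Report("news_wire", 3, 0.9, 80.0)]),  # a different fire 80 km away: outside the radius
    ("11:00 fire service issues evacuation warning",
     [Report("twitter", 2, 0.3, 15.0), Report("local_news", 2, 0.6, 15.0),
      Report("fire_service", 3, 0.9, 10.0)]),
    ("16:00 fire service reports containment",
     [Report("twitter", 2, 0.3, 15.0), Report("local_news", 1, 0.6, 15.0),
      Report("fire_service", 1, 0.9, 10.0)]),
]

if __name__ == "__main__":
    for label, score, level in run_scenario(WILDFIRE_TIMELINE):
        print(f"{label:48s} score={score:4.1f}  level={level}")
```

Note the last step: a score of 2.1 releases ACT down to PREPARE but not further, whereas the same score seen fresh from MONITOR would only raise an ADVISORY; that asymmetry is what keeps a partially contained incident from being dropped too early.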

Other Emergency Risk Management Considerations

We have already mentioned alert levels a couple of times in this article. This is because having clear guidelines and properly gradated alert levels will allow you to respond effectively and efficiently to crises. 

Additionally, your employees should be aware of your response plans, especially for common threats. For example, if your offices are located in an earthquake-prone area, have regular earthquake drills.

Finally, should an emergency happen you need an efficient way to communicate the danger to your employees and instigate the appropriate response.

Signal and Emergency Management


Up to the Minute Intel

Emergencies happen without warning. Signal is flexible and fast allowing you to react effectively to the situation.


Prevent Misinformation

Misinformation and media can cause havoc in an emergency. Stay ahead of the noise with a real-time feed of targeted data.


Email and SMS Alerts

Signal has email and SMS alerts which allow you to stay updated on key evolving threats in real-time.

Signal provides hyper-relevant intelligence on evolving threats as or even before they happen. This allows security teams to maximize warning times and enact mitigating measures.

Immediately, this means better protection for staff. This also has additional longer term upsides. For example, it might allow a security team to detect negative sentiment around the brand which allows them to identify and monitor potential threat actors and prevent a threat from evolving. Or, it could allow for a team to have early detection of a data breach, which according to IBM could save an organisation over $600,000. 

Corporate Security Ben Luxon

Why organizations need threat intelligence tools as part of their security defences

Threat intelligence is an essential tool for any security team. It is the gathering of evidence-based knowledge to inform action-oriented preventative and reactionary responses to an ever-evolving cyber threat landscape.

What is Threat Intelligence?

Those very same technologies that have allowed globalization, which have brought us all closer together and enabled organizations and brands to achieve the current growth and success they enjoy today, have simultaneously brought with them increased risks. These risks come in the form of increased vulnerabilities and exploitable attack vectors for cyber attackers. Threat intelligence is all about gathering data and knowledge to combat and mitigate these threats. 

Threat intelligence provides organizations with the information and context required to effectively predict and even prevent cyberattacks. Additionally, it helps inform security teams of best practice for both preventative and response measures, to ensure that if there is a cyberattack the resulting costs are minimal.

In short, threat intelligence is the gathering of evidence-based knowledge to inform action-oriented preventative and reactionary responses to an ever-evolving cyber threat landscape.


The Importance of Threat Intelligence

Threat actors are increasingly persistent, and their persistence pays off. Even the most dedicated professionals can’t help but struggle to keep abreast of every new cybersecurity development. New exploits are constantly being discovered or developed and strategies such as social engineering are increasing in complexity. Security teams need up to date data and intelligence on evolving threats if they are going to be able to develop effective responses.

Additionally, within the corporate world one of the key buzzwords of the last two decades has been “accessibility”. Accessibility to data means organizations have necessarily become reliant on digital processes and almost everything is stored on the cloud. Unfortunately, while accessibility is essential to developing efficient processes, and effectively using big data, it also increases the number of threat vectors that attackers can exploit. According to the IBM 2020 data breach report the longer a data breach goes undetected the more expensive it ends up being for the organization. Primarily then, threat intelligence gathered using tools like Signal OSINT can help organizations detect data breaches earlier, mitigating the eventual costs both reputational and monetary.

The final reason that threat intelligence plays such a pivotal role in today’s security is the distinct lack of skilled cybersecurity professionals. Threat intelligence is a time-consuming business that requires a skilled hand to manage. The best threat intelligence solutions use machine learning to automate data collection, then filter and structure data from disparate sources to present only hyper-relevant information to a skilled security team for final analysis. The security team can then use this data to create effective, actionable plans based on evidential knowledge. This approach optimizes the performance of both the cybersecurity professional and the intelligence tools being used.

Threat intelligence is actionable — it’s timely, provides context, and is able to be understood by the people in charge of making decisions.

Use Case Examples for Threat Intelligence 

Threat intelligence can be used in a diverse range of strategies, which makes it an essential tool for security teams in any organization. Its most immediate value is in helping prevent an attack by gathering intel on threats in real-time; however, it’s also useful for a broad scope of activities such as managing vulnerabilities, informing decision making, and responding to attacks as or after they happen.

Related: The Role of Threat Intelligence and Cybersecurity in Retail

Prevent an attack

The window between a vulnerability being found and an exploit targeting it becoming available to threat actors is shortening. Security professionals need to know about the vulnerability fast so that they can implement a patch and prevent it from being exploited.

Respond to a Data Breach

Data breaches are costly and often go unnoticed. With the right threat intelligence tools you can determine when a data breach happens fast and take suitable actions to mitigate the costs of any following repercussions.

Manage a Vulnerability

The approach of “patch everything, all the time” is impractical and will likely see organizations fall behind, leaving more serious vulnerabilities open for longer. Threat intelligence can help security teams manage vulnerabilities effectively by giving them the salient data to prioritize patches based on actual risk.


Risk Analysis

This leads on nicely from the last point. Threat intelligence can help security teams determine the actual risks associated with potential vulnerabilities or attacks by providing additional contextual information. For example, threat intelligence can help security professionals answer the following questions:

  • Which threat actors are using this attack, and do they target our industry?

  • How often has this specific attack been observed recently by enterprises like ours?

  • Which vulnerabilities does this attack exploit, and are those vulnerabilities present in our enterprise?

  • What kind of damage, technical and financial, has this attack caused in enterprises like ours?
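Risk-based patch prioritisation along the lines of the four questions above and the earlier point about “patch everything, all the time”, as an added example (not Signal’s code or method): each finding carries the answers as fields, a contextual score is computed with assumed weights, and the resulting order is compared with a plain CVSS order. The identifiers, weights and figures are all constructed placeholders.

```python
import math
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str                  # placeholder identifier, not a real CVE number
    cvss: float                   # published base severity, 0-10
    hosts_affected: int           # is the vulnerability present in our enterprise, and how widely?
    actor_targets_industry: bool  # are the actors using this attack known to target our industry?
    peer_observations_30d: int    # how often have enterprises like ours seen this attack recently?
    peer_loss_usd: float          # damage this attack has caused in enterprises like ours


def risk_score(f):
    """Contextual risk for patch prioritisation. Weights are assumed for this example."""
    if f.hosts_affected == 0:
        return 0.0  # not present here: keep watching it, but it does not compete for patch time
    likelihood = f.cvss / 10.0
    if f.actor_targets_industry:
        likelihood *= 2.0                                            # an actor already aiming at us
    likelihood *= 1.0 + math.log10(1 + f.peer_observations_30d)      # actually seen in the wild nearby
    exposure = math.log10(1 + f.hosts_affected)                      # diminishing weight per extra host
    impact = f.peer_loss_usd / 1_000_000                             # expected loss in $M
    return round(likelihood * exposure * impact, 3)


def explain(f):
    """Human-readable justification so the analyst can check the ranking, not just read it."""
    parts = [f"CVSS {f.cvss}", f"{f.hosts_affected} hosts"]
    if f.actor_targets_industry:
        parts.append("used by actors targeting our industry")
    if f.peer_observations_30d:
        parts.append(f"{f.peer_observations_30d} peer sightings in 30 days")
    parts.append(f"peer loss ${f.peer_loss_usd:,.0f}")
    return "; ".join(parts)


def prioritise(findings):
    """Findings ordered by contextual risk, highest first, each with its score and reasoning."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.vuln_id, risk_score(f), explain(f)) for f in ranked]


def by_cvss(findings):
    """The 'highest CVSS first' ordering, for comparison."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed findings for one fictional enterprise; identifiers and figures are placeholders.
FINDINGS = [
    Finding("VULN-A", 9.8, 0, False, 25, 5_000_000),   # critical and widely seen, but nothing here runs it
    Finding("VULN-B", 7.5, 40, True, 12, 2_000_000),   # moderate CVSS, actively used against our sector
    Finding("VULN-C", 9.1, 3, False, 0, 300_000),      # critical on paper, no sightings, three hosts
    Finding("VULN-D", 5.3, 200, True, 3, 500_000),     # low CVSS, but fleet-wide and targeted
]

if __name__ == "__main__":
    print("CVSS order:", by_cvss(FINDINGS))
    for vuln_id, score, why in prioritise(FINDINGS):
        print(f"{vuln_id}: {score:7.3f}  {why}")
```

The CVSS order would spend the first two patch cycles on VULN-A and VULN-C; the contextual score puts VULN-B and VULN-D first because they are present, targeted and being exploited against peers.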

Fraud Prevention

Fraud can encompass anything from a fraudulent use of your brand, data, or even impersonation of your employees. For example, an individual might impersonate a doctor and sell fake versions of your prescription medication online.

Incident Response

Having the ability to gather and filter through threat intelligence from across the surface, deep, and dark web in real-time allows security teams to effectively and appropriately respond to incidents as they are happening.

How can Signal threat intelligence improve your organization’s security?

Signal allows our customers to analyze emerging global trends, detect threats in real-time, and then form appropriate security strategies to counter these potential threats as or even before they fully reveal themselves.

One of the key issues that security teams and analysts face is the sheer amount of noise that might surround their brand. Invariably much of this noise is irrelevant to their purposes; however, some of it will be genuinely threatening. This is why Signal assists with advanced filters using Boolean logic, as well as features such as our emotional analysis tool.
