Deep & Dark Web Monitoring

Cyberint continuously discovers the open, deep and dark web to detect all of the external IT assets in a customer’s digital footprint. The process is fully automated and passive so it does not actively validate or test any security controls. The discovery process will not “set off any alarm bells” or give security teams the impression an attack is underway. There is no impact on normal operations.

There is an optional additional feature named active exposure validation, which we detail below that does actively validate.

Using publicly-available data, like DNS records, WHOIS data, and SSL certificates, Cyberint’s Attack Surface Management module is able to map out an organization’s external attack surface. All discovered assets are checked for common security issues. The categories of assets detected are: IP addresses, domains, subdomains, cloud storage, and organizations (i.e. trademarked brands). 

These are the types of security issues we identify: 

1. Certificate Authority issues 
2. Compromised Credentials 
3. Email Security issues 
4. Exploitable Ports 
5. Exposed Cloud Storage 
6. Exposed Web Interfaces 
7. Hijackable Subdomains 
8. Mail Servers In Blocklist 
9. SSL/TLS issues 

About Active Exposure Validation (AEV): Cyberint’s AEV capability goes beyond typical CVE detection to actively test for exploitability. AEV also performs other automated tests to uncover common security issues in your organization’s digital assets that fall outside the scope of a vulnerability database. Alerts are issued in real time so you can quickly identify and remediate your most urgent risks. AEV enables the crucial validation step to be tackled in the CTEM framework.

Yes, as our platform is multi-tenant, we can set up an Attack Surface Management (ASM) instance for each brand and monitor the brands separately. 

Yes. All alerts can be automatically sent to SIEM/SOAR platforms to trigger automated playbooks. We have an API that can integrate our information into existing SIEM/SOAR solutions and corelate with information from other intelligence platforms. We also integrate with Splunk, Azure AD, AWS, JIRA, OKTA, Qradar, XSOAR out of the box.  

We know also have a Threat Intelligence Platform that combines and prioritizes different threat intel feeds and sends to SIEM/SOAR solutions to remediate.

Each source is crawled and scraped according to the allowed policies on it. For example, if a dark web forum is monitored for suspicious scraping activity, we will make sure we collect information at a pace that does not raise any suspicion. We try to keep each source up to date with no longer than a week between each scraping (often much much more). 

We have automated translation mechanisms in place and our the Cyberint team speaks over 22 languages fluently, including Russian, Arabic, English, Chinese, Japanese, Filipino languages like Tagalog, Ilocano and Ilonggo and more. 

Our sources team is constantly looking for and adding more sources. Every request is examined by the team and we are more than happy to add additional sources that can provide value to our customers. The turn-around time for adding a source is relatively short (1-4 weeks usually). 

Check Point has a very experienced research team that tracks global threat events and releases periodic research reports. Every major global event that occurs is covered by the Cyberint/Check Point research team. – For example, we have published report on: Scattered Spider, The Russian – Ukraine war, the Log4shell vulnerability, specific Ransomware groups tracking and more. 

Our research team can create reports on any desired subject, using “investigation hours”. Each customer can purchase these hours and each research is priced based on the number of hours required to complete it. The subjects vary between VIP exposure reports, industry related threats, Incident response, Deep investigations and more