Monitoring individual threat actors is a critical aspect of cyber threat intelligence, requiring a system akin to a real-world intelligence watchlist.
While our watchlist is simpler than those used by intelligence agencies or cybersecurity firms, the underlying principles are identical.
Based on my experience, threat actors typically fall into three categories:
- Those building a long-term reputation, using a consistent username across multiple forums to maintain their brand, as their business thrives on recognition.
- Those operating multiple handles and accounts, but whose activities remain consistent across them.
- Those using a new handle for each crime or sale, prioritizing profit over fame, making them harder to track.
In this module, we will develop a monitoring system to continuously track user activity such as posts, comments, or both at set intervals. While we won’t yet cross-reference activity across other forums, all threat actor data is exportable as a JSON string, enabling manual cross-referencing with other platforms.
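As an added illustration of the watchlist design described above (this is example code written for this page, not the module's own implementation), the block below keeps one entry per forum handle, polls a fetcher at a set interval, reports only activity not seen in earlier polls, and exports everything as a JSON string. The `SampleFetcher`, `SAMPLE_FEED` records, the `forum.example` name and the `Watchlist` API are all assumptions made for the example; a real forum scraper would be plugged in as the fetcher callable, and the records are constructed, not captured from any forum.

```python
"""Added example: a minimal threat-actor watchlist poller with JSON export.

Assumed interface: a fetcher is any callable taking a handle and returning a
list of activity dicts with keys id, kind ("post" or "comment"), text, ts.
"""
import json
import time
from dataclasses import dataclass, field, asdict
from typing import Callable, Dict, List, Set

Activity = Dict[str, object]
Fetcher = Callable[[str], List[Activity]]

# Which activity kinds each tracking mode accepts.
TRACK_KINDS = {"posts": {"post"}, "comments": {"comment"}, "both": {"post", "comment"}}


@dataclass
class WatchlistEntry:
    handle: str
    forum: str
    category: str                 # "reputation", "multi-handle" or "throwaway"
    track: str = "both"           # "posts", "comments" or "both"
    seen_ids: Set[str] = field(default_factory=set)
    history: List[Activity] = field(default_factory=list)


class Watchlist:
    def __init__(self, fetcher: Fetcher):
        self.fetcher = fetcher
        self.entries: Dict[str, WatchlistEntry] = {}

    def add(self, handle: str, forum: str, category: str, track: str = "both") -> None:
        if track not in TRACK_KINDS:
            raise ValueError(f"unknown track mode {track!r}")
        self.entries[f"{forum}:{handle}"] = WatchlistEntry(handle, forum, category, track)

    def poll_once(self) -> Dict[str, List[Activity]]:
        """Fetch every tracked handle once; return only activity not seen before."""
        new_by_key: Dict[str, List[Activity]] = {}
        for key, entry in self.entries.items():
            fresh = []
            for item in self.fetcher(entry.handle):
                if item["kind"] not in TRACK_KINDS[entry.track]:
                    continue                      # not a kind this entry tracks
                if item["id"] in entry.seen_ids:
                    continue                      # already reported in an earlier poll
                entry.seen_ids.add(item["id"])
                entry.history.append(item)
                fresh.append(item)
            new_by_key[key] = fresh
        return new_by_key

    def run(self, interval_s: float, rounds: int, on_new=print) -> None:
        """Poll at a fixed interval for a bounded number of rounds."""
        for _ in range(rounds):
            for key, items in self.poll_once().items():
                for item in items:
                    on_new(key, item)
            time.sleep(interval_s)

    def export_dict(self) -> Dict[str, dict]:
        # asdict() keeps seen_ids as a set, which json cannot encode; sort it into a list.
        return {k: {**asdict(e), "seen_ids": sorted(e.seen_ids)} for k, e in self.entries.items()}

    def export_json(self) -> str:
        return json.dumps(self.export_dict(), indent=2, sort_keys=True)


class SampleFetcher:
    """Constructed stand-in for a scraper: each call reveals one more item per handle,
    simulating new activity appearing between polls."""
    def __init__(self, feed: Dict[str, List[Activity]]):
        self.feed = feed
        self.calls: Dict[str, int] = {}

    def __call__(self, handle: str) -> List[Activity]:
        n = self.calls.get(handle, 0) + 1
        self.calls[handle] = n
        return self.feed.get(handle, [])[:n]


# Constructed sample records (not real forum data).
SAMPLE_FEED = {
    "sample_vendor": [
        {"id": "p1", "kind": "post", "text": "constructed post one", "ts": 1700000000},
        {"id": "c1", "kind": "comment", "text": "constructed comment", "ts": 1700000600},
        {"id": "p2", "kind": "post", "text": "constructed post two", "ts": 1700001200},
    ],
}


def demo_watchlist() -> Watchlist:
    """Watchlist over the constructed feed, tracking posts only for one handle."""
    wl = Watchlist(SampleFetcher(SAMPLE_FEED))
    wl.add("sample_vendor", "forum.example", "reputation", track="posts")
    return wl


if __name__ == "__main__":
    wl = demo_watchlist()
    wl.run(interval_s=0.1, rounds=3)   # prints each new post as it appears
    print(wl.export_json())
```

Deduplicating on the forum's own activity id is what makes the interval polling cheap: every poll refetches the handle's recent activity, but only items whose id has not been recorded are reported or appended to `history`, so the export grows with real activity rather than with the number of polls.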
Cross-referencing poses challenges, as tracking a target using the same username across platforms like darkforums.st, x.com, and instagram.com may require a legal warrant for simultaneous monitoring.
Although platforms cannot fully prevent determined researchers from scraping their data, they can pursue legal action. To avoid potential fines, I strongly advise against cross-platform monitoring without proper authorization.