A multinational corporation received reports that specific systems had been breached. However, specific evidence was not available, and the information that was available was vague at best. The corporation operates in a number of high-profile areas and faces multiple potential threat actors.
The client took a multi-faceted approach to dealing with this issue. One component was an investigation into whether the targeted systems were being discussed by threat actors across various mediums. There was also a suspicion that access to the targeted systems may be available for purchase.
Uncovering information online is akin to finding needles in needle-stacks. Forums can easily be spun up for private discussion, and a variety of messaging platforms can be used. Data can be hidden in websites in various ways known only to the initiated. This is one reason why the majority of “threat intelligence” is nothing of the sort.
Budgets for investigations such as these are limited, so any work undertaken had to be targeted and cost-effective.