惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Martin Fowler
Martin Fowler
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Troy Hunt's Blog
Latest news
Latest news
Vercel News
Vercel News
S
SegmentFault 最新的问题
V
Vulnerabilities – Threatpost
博客园 - Franky
P
Privacy International News Feed
A
Arctic Wolf
T
The Blog of Author Tim Ferriss
S
Schneier on Security
T
The Exploit Database - CXSecurity.com
P
Palo Alto Networks Blog
T
Tor Project blog
Jina AI
Jina AI
GbyAI
GbyAI
The Hacker News
The Hacker News
博客园 - 叶小钗
Google DeepMind News
Google DeepMind News
T
Threatpost
C
CERT Recently Published Vulnerability Notes
P
Proofpoint News Feed
Scott Helme
Scott Helme
WordPress大学
WordPress大学
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Microsoft Azure Blog
Microsoft Azure Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
博客园 - 司徒正美
A
About on SuperTechFans
Recorded Future
Recorded Future
爱范儿
爱范儿
L
LangChain Blog
V
V2EX
C
Cybersecurity and Infrastructure Security Agency CISA
The Cloudflare Blog
阮一峰的网络日志
阮一峰的网络日志
K
Kaspersky official blog
Webroot Blog
Webroot Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
D
DataBreaches.Net
宝玉的分享
宝玉的分享
Google Online Security Blog
Google Online Security Blog
C
Cisco Blogs
L
Lohrmann on Cybersecurity
Help Net Security
Help Net Security
AWS News Blog
AWS News Blog
M
MIT News - Artificial intelligence
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
G
GRAHAM CLULEY

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
Melting the deep and dark web myth and why we hate the phrase
Intel 471 · 2019-09-11 · via Intel 471 Blog

By Michael DeBolt, VP of Intelligence of Intel 471.

istockphoto 511382812 170667a 245x300

It's not deep. It's not dark. It's not the ominous underside of an iceberg.

The deep and dark web, or simply the “underground,” as we like to call it at Intel 471, is an organized ecosystem of products, services and goods consisting of real life suppliers and consumers who can be mapped, tracked, understood and exposed.

As an industry, we do ourselves a disservice by often mystifying and overhyping otherwise straightforward concepts, such as the “deep and dark web” for the pursuit of catchy sales pitches or taglines. At first glance, this may seem harmless and nitpicky, but the reality is this sensationalization of the underground causes confusion and disorientation, putting our industry at risk of not being able to fully understand and exploit it for intelligence purposes.

So let’s cut through the jargon and look at four essential characteristics of the underground.

The cybercrime underground is...

Accessible

The popular iceberg metaphor often (and overly) used to illustrate the vastness of the deep and dark web is...., well, flat-out wrong. As Recorded Future correctly points out, the deep and dark web actually is a small fraction of the entire web and it’s not as dark and mysterious as we are led to believe.

So, instead of hyping the “clear, deep and dark” buzzwords, we simply break down the different areas of the web in terms of accessibility and the barrier of entry needed to collect and exploit for intelligence purposes.

Open sources

These resources are any content openly indexed by conventional search engines and publicly accessible via conventional means. In other words, you don’t need specialized software or authorization to access it. Think about open-source news articles, public social media posts and open directories.

Closed sources

This is any nonindexed content gated from public view. Access to closed sources depends on the sensitivity of the underlying content and the privilege needed. Some closed sources require standard username and password access, while others require specialized software and vouches by trusted members of the community. We refer to closed sources where cybercriminals operate as simply the “underground,” which consists of forums, marketplaces, instant messaging platforms, private social media groups and more.

Organized

The “deep and dark web” myth would have you believe it is random and chaotic, but that is not so. In fact, the underground is an organized ecosystem of interdependent suppliers, vendors, consumers, facilitators and active participants. Suppliers offer speciality products and services to prop up the cybercriminal marketplace (i.e., malware, infrastructure and more). These actors use carefully constructed public relations and advertising campaigns to promote their offerings. Any successful supplier worth their weight will carry a positive trackable reputation, while fakers and scammers are identified quickly. These observable aspects of the underground let us lower the noise so we can laser focus our intelligence collection efforts on high-value actors.

pasted image 0 10 300x169

Finite

Unlike the popular belief perpetuated by the “deep and dark web” myth, the underground is a finite space that can be mapped and explained. It consists of hundreds of closed sources, such as forums, marketplaces and instant messaging platforms, where real humans plan attacks, share ideas and do business exchanging data and information. Sure, there are millions of actor handles and indicators in the underground, but only a finite number actually are perpetrating and enabling the majority of cybercriminal activity. Our job as intelligence professionals is to understand how the underground is organized so we can locate, prioritize and collect from the sources and actors that matter.

Exposable

The underground is organized, finite and propped up by real people with natural human instincts and motivations. Our job is to understand these motivations — whether it be financial gain, political cause, or personal fame — and exploit them for intelligence purposes using a combination of automated collection and human engagement. Automation is useful to help sift through and bubble up content. But because we are dealing with the nuances of human behavior in vetted, closed sources, relying solely on a fully automated collection capability will only surface a fraction of intelligence available in the underground. Skilled, native-speaking researchers and sensitive, well-placed sources must be used to gain, maintain and elevate access to top-tier actors to elicit valuable information that only can be obtained through human-to-human interaction.

Don’t believe the hype

As our CEO Mark Arena previously outlined in detail, the cybercriminal underground is available for us as intelligence professionals to map and exploit proactively. Actors operating in this environment are not wearing black hoodies or Guy Fawkes masks. These are real people who have natural tendencies, motivations, reputations and brands, who can be categorized and tiered according to their reputation, history and background. When we intimately understand their business models, processes, enablers and pain points, we are ready to take action to counter the threat proactively.