Cybersixgill is a tool that allows you to monitor your organization's exposure to cyber criminals and threats by what I would call scraping Dark Web and underground hacker forum sites.
It's not on-premises. It's a service that's offered by Cybersixgill.
I'm a cyber threat intelligence analyst. This is what I do. The scope of Cybersixgill is about 20 percent of my job. For me, personally, and the organization, there has been immense benefit because it has given me early detection of imminent attacks, but not just against my organization. We have also been able to help other organizations, based on the attacks that are being launched against our vertical, meaning companies and organizations that fit our profile.
It also enables us to do advanced analysis, such as threat-actor profiling. Being able to do advanced threat-actor network analysis allows us to take a higher view of an imminent attack and possible exploitation of vulnerabilities. That's helpful because it informs us about what's about to be exploited—what these criminals are looking for, what the threat-actor might be exploiting against the vertical itself.
In addition, it has reduced our security workload. I was a one-man shop for the first two years. It's hard to put a number on it, as I would have to gain access to the sources and translate the forum. I would have to create a scraper, myself. I would estimate it saves me up to 20 hours a week. They have a good thing going.
One of the most valuable features is the ability to be alerted to any possible imminent attack, or mention of your organization by a possible attacker.
It is also of the highest importance that it runs on a collection of Deep Web, Dark Web, and closed sources. This tool is a must for any organization that has a large footprint. The solution’s approach of using limited open source intelligence and focusing, instead, on the Deep Web and Dark Web is what seals the deal. That is why I like them. I have other tools that I can aggregate all the open source intelligence from. I value Cybersixgill because it provides access to things that no one else does. And the tool is configured to do this in a way that provides advanced analysis. That is one of the main values that it provides. They are not just aggregating open source news and feeds, they're actually gaining access to real intelligence.
The size and scope of the solution's collection are pretty impressive. I am impressed with the ease through which the tool allows you to track threat actors who are likely to target you, on a variety of underground forums which are closed. These are sources that would require a solid effort to infiltrate. The automatic translation of any exchange within the platform makes it the most expedient solution for automated threat intelligence and chatter monitoring.
Cybersixgill has also enabled us to access sources which we have not seen anywhere else. They have access to closed forums that I don't want to mention, but that access is important because it's not available anywhere else.
They're a newer company, so they're working on their UI a lot. Sometimes the UI is a little glitchy. They're working on different things and making efforts, so that's totally forgivable.
But regarding their scraping abilities, things could be solidified. There are definitely improvements that could be made on the specificity for setting certain queries.
Step-by-step videos would be useful, instead of a book of instructions, because they're a new tool. They're now getting to the point where video training would be useful, or even live training. More digestible video instructions or opportunities for training, so that you actually learn hands-on, would help.
I have been using Cybersixgill Investigative Portal for a year and a half.
It's very stable.
Scalability is not really applicable. The only integration that I've found has been with my Anomali Threat Intelligence Platform. I'm not even sure that you would want it to scale.
They could improve, perhaps, some SIEM ingestion and the ability to integrate with other tools carefully. But this is a different tool and that's why I like it. It's not solely a technical intelligence tool. You're essentially spying on exchanges. Perhaps some level of implementation with other security solutions, or some level of automation with other security solutions would be helpful.
We're leveraging it to provide value to the incident response team, to the governance and compliance team, to the access management team, and to the vulnerability assessment team. We're leveraging it for a lot. As for expanding our usage of it, we're planning on trying to find ways to automate some of the inter-group alerting and use of the tool.
Their technical support was responsive, but they have not achieved a solution yet for the problem that I was having. The issue is that I was having goes beyond just tech support.
Before Cybersixgill, I would use open source tools and my own access to Dark Web forums. I would use GitHub tools and my own investigation on Dark Web forums, and it would take an enormous amount of time. Once I found this solution, I saw that I can do it all within one platform, easily.
The initial setup was straightforward. You just upload the IPs, the domains, and the keywords that you want them to look out for, the ones that are indicative of mentions of your organization, and you're ready to go.
Setting up recurring queries and tracking of threat actors can only happen once you see who's going after you, but the initial setup of the tool can be done within hours.
In our company there are two of us who use the solution, both of us in threat intelligence.
I've seen an incredible return on the investment, in the form of time-savings and extremely valuable alerting on infrastructure attacks against us, alerts that I would not have seen if it wasn't for them.
There is also value in our ability to help other organizations that are not as fortunate as we are, organizations that are in our vertical. That has actually put our organization in an extremely good light.
In addition to the reputational, time-savings, and security advantages, there is a cultural advantage, in a way. This is important and is possibly something that we would not think about. It is difficult for large organizations to have patching and addressing of vulnerabilities in an expedited way, when they're dealing with multiple IT departments. But when the threat intelligence team is able to provide the exact time and way in which something is going to be exploited, based on screenshots of forums that detail the targeting, and based on real-life examples of how they do it—the kind of intelligence that we're able to generate because of Sixgill access—it makes patching and addressing of vulnerabilities a lot faster, because it makes them real.
The pricing given to us is excellent.
I looked at Recorded Future. The main difference is that Cybersixgill is doing one thing, and one thing extremely well, and that is access to Dark Web forums.
Recorded Future was too bloated. It had a lot of additional information that was open source. I don't need that. I get that from other places. I needed something that did one thing and that did it extremely well, and that is access to Dark Web, hard-to-find places, and alerting on infrastructure attacks when mentioned in those places. Recorded Future tries to do the job of two tools. I like the fact that Cybersixgill keeps it separate.
And Cybersixgill was incredibly more affordable than them.
Overall, it was better on several levels:
My advice is make sure you schedule a walk-through, and then get it.
I have been very vocal about how much this tool has helped. I'm a big proponent of it. When I talk to people and collaborate with people in other organizations and they say, "Oh my God, how did you know that?" I'll tell them I knew because of this tool. Others don't do it as well as these people do. This tool does it better than anybody else, because they have focused on one very specific thing and they do it well. Their level of infiltration of these closed forums, and the backend engineering that they've provided, are better than any other solution.
In terms of conducting deep and complex investigations it would depend on how you define those terms. We don't just do threat-actor tracking. Sometimes we're tracking infrastructure and this is not the tool to do that. This is more of an alerting tool. But within the realms and the scope of what Sixgill was created for, you can actually create some pretty advanced tracking queries and alerting. The altering is invaluable.
For example, by setting queries to track exfiltration of ransomware gangs that employed the double ransom technique, it can exfiltrate the names of any companies that are being ransomed, before they hit the news. That allows me to cross-reference with our third parties and to tell my CSO that a third party is being compromised. I can tell him that before it even hits the news, and that we need to go into protection mode and assume that there might be potential impact to our organization, based on their compromise and the exfiltration of that data.
