400 Security Practitioners Gave These 7 Insights into Their Cybercrime Monitoring

The cybercrime underground is complex and dynamic, and cybercrime threats that emerge from it pose a significant risk to organizations. What organizations know and refer to as the cybercrime underground is changing within the hour. Unfortunately, many organizations underestimate that risk or may believe that cybercrime monitoring and threat detection doesn’t apply to their organization. Even the organizations that do understand the threat it presents are often underprepared with their tools, processes, and expertise to proactively protect their environments.

KELA’s mission is to make the complex world of the cybercrime underground simple and accessible to security teams so that they can leverage intelligence from cybercrime underground sources to keep their organizations safe. In order to better understand how they approach their cybercrime monitoring, we recently surveyed 400 security practitioners to see if they have the tools and training to protect their organization effectively, as well as gain insights into their successes, challenges, and current needs.

Here are seven key insights from our “State of Cybercrime Threat Intelligence 2022” report about the state of cybercrime threat intelligence today.


The most needed capability is training and proficiency in cybercrime investigations

In looking at the responses in our survey, it became obvious that what would be most beneficial to their organization is additional training and proficiency in cybercrime investigations — especially with one of the top challenges being a lack of expertise. Security practitioners are also looking for a way to access the cybercrime underground quickly in a secure and non-attributional manner.


The majority of security practitioners are concerned that their organization’s data will be released or sold on cybercrime forums

Cybercrime threat intelligence starts with awareness of the threat the cybercrime underground presents. The majority of security practitioners (69%) are aware of the threat posed by the cybercriminal underground — and a healthy concern for the threats lurking out there means evaluating and acting on what needs to be changed or updated in their security approach to prevent attacks or breaches from the cybercrime underground.


Many don’t have a way to detect if their data has been released or sold on cybercrime forums

An organization has been breached, and its data exfiltrated and released on the cybercrime underground and other cybercrime sources — and that organization should have a way to find out if their private data is now public. Yet only 38% of security practitioners say they have the tools, processes, and knowledge to detect that information.

However, the remainder doesn’t have approaches in place to detect released data. 32% believe that they’re only somewhat likely to detect it if released, and 30% believe they’re not very likely to detect it at all — leaving nearly one-third of organizations in the dark as to whether their private information is out there or not.


Many have no documented cybercrime threat intelligence policy

Contributing to the inability to detect their information on the cybercrime underground is likely a lack of a documented cybercrime threat intelligence policy in place. In order to properly execute a threat intelligence plan, security teams need to know how to go about conducting threat intelligence, what to look for, remediation actions, rules of engagement, and more. While half (52%) of organizations do have a policy in place, the other half (48%) don’t — leaving cybercrime threat intelligence to chance, or leaving it non-existent.


Less than half of security practitioners believe their current security program is very effective

As the responses told us so far, some security teams are taking threats from the cybercrime underground seriously, have the right tools for monitoring, and have the right processes for intelligence gathering and response. However, it’s a somewhat small number, as only 41% believe their current security program is very effective.

28% believe their cybercrime threat intelligence is only somewhat effective at protecting their organization, and 31% say their approach is not very effective at all. While organizations likely have a number of tools and processes in place to monitor the clear web, many organizations are at great risk by not having the right tools and processes to monitor cybercrime underground sources.


Their biggest challenge is not having an isolated system or browser to use for cybercrime monitoring

The biggest challenge security practitioners face when monitoring the cybercrime underground, is not having system or browser isolation, which can put them at risk if they try to tap into cybercrime sources from their own network. Another challenge they face is a lack of training or expertise among their ranks who can conduct knowledgeable and efficient cybercrime monitoring.


They are not satisfied with their visibility into the cybercrime underground

For half of the respondents, the tools they use today just aren’t giving them the visibility into the cybercrime underground that they desire in order to conduct thorough threat assessments. However, of the 51% who were satisfied with their visibility into the cybercrime underground, they still didn’t have the processes or expertise to leverage that visibility, as 39% were still unable to prevent an attack.


Illuminating the Cybercrime Underground

While many security teams are taking action against the threats posed by the cybercrime underground and other cybercrime sources, many teams lack the access and training to have a robust cybercrime threat intelligence program in place. However, with the right hardware for access, the right tools to collect, analyze, and alert about emerging threats, and the right training on cybercrime investigations, security teams can shed light on the cybercrime underground and reduce its threat going forward.