Is Monitoring Telegram for Dark Web Data Worth It?

A new place for threat actors

When considering the need to look for client data, credentials, OSINT data, and more, the next place threat actors are operating and interfacing with others is Telegram. Threat actors are drawn to Telegram due to several factors. Telegram offers several enticing features, including end‑to‑end encryption, the ability to create groups with invite approval capabilities, ease of website navigation to find illicit channels, and offers more anonymity than other platforms such as WhatsApp.

The data itself on Telegram is raw, unprocessed, and sometimes no longer relevant. It may be worth it for an individual to search for their own data, but what about MSPs that would be monitoring for not just their own employees’ data, but their entire client base? What if there was a tool that scanned thousands of illicit Telegram channels for client-specific data? Is there demand for this type of thing?

Risk management is everyone’s responsibility

For the data found in Telegram to be useful, it must be pulled into a service that presents the risk data to the affected end user automatically, not through more IT effort or more IT subscription costs. Furthermore, it would need to be able to filter to show only data for valid, active accounts. If alerts include data for company accounts that no longer exist, the dataset is perceived to be filled with noise and loses efficacy.

If credential and information exposure is going to be actionable, it cannot be a process that resides solely in IT. It must be distributed and shown to the relevant personnel with adequate filtering to only show relevant information. Without filtering, we have seen client managers become overwhelmed by the data and believe there was nothing that could possibly be done about the data on the dark web.

If the company uses a platform that does not integrate dark web data in a way that directly presents it in an actionable way to the affected end users, then the system is ineffective and inferior. I cannot express strongly enough why every organization needs to have a highly competent CISO or CTO deeply involved in their operations or the organization will likely be using ineffective technologies or using the technology that they have in ineffective ways. That is like lighting money on fire. It wastes the organization’s hard currency as well as inventory (employee time).

These kinds of datasets must be delivered to the end users in a targeted, specific fashion coupled with curated, standardized ways to deliver actionable guidance to the end users. Information security risk management (ISRM) is EVERYONE’s responsibility.

Is it worth it to chase this data?

In regard to chasing data on Telegram that may or may not be relevant anymore, is it worth the time investment? Without tools to automatically pull data into a platform like the company cyber awareness platform or the company password manager, is digging through the unfiltered data worth your time? What is the return on security investment (ROSI)?

If secure configuration management is done properly, the compromised credentials are irrelevant. Either the threat actors cannot get into the system from where they are at, or there is another form or multiple forms of multifactor authentication (MFA) or two-factor authentication (TFA). MFA/TFA is an additional layer of security used to verify a user’s identity before they can access a resource.

Different MFA methods are:

  • Something you are (fingerprint, facial verification, biometrics)
  • Somewhere you are (physical location)
  • Something you know (a password or memorized PIN)
  • Something you have (smartphone or physical key, such as a Yubikey)

Conditional access and authentication monitoring are important and effective. Putting in systems that provide a higher level of security, such as automatic password rotation or the use of self-destruct temporary passwords, is a better use of time than chasing uncorrelated data.

Business executives are inundated with the noise of adding more and more software subscriptions and fees into the technology stack. IT personnel have a tendency to keep adding more tools. Typically, organizations only identify correct human and cost-effective strategies when they have a designated brain surgeon. This person is the master security architect for the organization. Anyone less than a CISO or CTO would not be qualified to fill that role. It is imperative that the person who identifies the technical solution includes a full workflow for how the human desired outcomes will be achieved as well. Without that, technology solutions are rarely successful.

QPC CISO recommendations

The credential management system that QPC offers to clients handles compromised credentials well using the correct workflow. The vault knows the contents of the current password for an account. It combines that with AI lookups from dark web data. That data is presented directly to the end user to action. If there is some password that was compromised 3 years ago, but that is not the password in effect now, why alert the end user? The remediation steps have already been completed by changing the password and enforcing MFA.

The limitation here is that if all staff have not been adhering to the company training on credential management, then the end user’s current password for an account is unknown to the AI inspection mechanism. The result is that the end user would never be notified if the credential is currently compromised. This is another reason why it is imperative that a qualified CISO be the individual driving change, setting policy, and be given the authority to mandate adherence to policy across an entire organization including holding personnel managers accountable. Note that this is not an IT support function and is not appropriate for IT managers or IT directors to do. This is an executive function.

Credential manager product admins are able to generate reports and get live data on statistics for follow-up with intransigent users who need to take action. Generally, this is not required when the staff and managers are trained properly. End user compliance with ISRM is an HR enforcement item, not IT. It is all about the tone and culture that the personnel managers set.

The cyber awareness platform which QPC offers to clients also presents this kind of data to end users and managers directly and follows the correct workflow. Dark web data findings trigger user‑specific training events and reduce risk to the company through additional end user remediation and policy acceptance. Both efforts drive behavioral change and accountability.

Other tools and services that could be used for open-source intelligence gathering are expensive, complicated to use, and require extensive training to be useful. Having a tool that only checked Telegram would only solve a small subsection of the problem for a limited time while Telegram is popular.

Better alternatives

QPC Security handles business email compromises as part of our converged NOC/SOC offering to clients that has been in place since 2009. QPC has also handled the compromise of an entire IT credentialing system database. Monitoring dark web data would not have been of value in either scenario UNLESS the data was fully integrated as an AI data feed into the source system that had the authoritative data. Only then does the operator know that the data in the hands of the threat actors is correlated with the currently in effect password. Without this in place, the burden rate for chasing this data down is too high and the security protections in place are effective. It is more worthwhile to put effort into secure configuration management which just outright excludes threat actors whether they know the password or not.

Management interfaces for devices such as firewall IPs and privileged access workstations (PAWs) should be tightly restricted already. Some workflows provide a dedicated, hardened, restricted system for accounting, banking, and finance functions. There are times when a finance person will have the equivalent of a PAW. These are called compensating controls. In terms of risk management, it is a lot simpler to convince the finance team to use secure PAWs compared to being concerned about an uncorrelated dark web data feed. The costs are lower and the ROSI is higher.

Auditing vendor remote access has higher value than chasing dark web data. There is a long list of things that are higher value than dark web data UNLESS the dark web data can be delivered directly into the end user facing platform which provides them direct self-service intel and training.

Dark web data, how to use it, and how it integrates into viable workflows is an extremely complex subject that is typically only able to be navigated by the brain surgeons of the technology space which are CISOs and CTOs.

What if I still have questions?

For questions/concerns, contact us today at 262-553-6510 or by visiting