Module 4 of 4
100% completeModule 4
Dark Web Monitoring & CTI Platforms in Operational Use
What Dark Web Monitoring Actually Is (vs the Marketing Version)
Security vendors sell dark web monitoring as a near-magical capability — continuous scanning of criminal forums, paste sites, and ransomware leak portals to alert organizations when their data appears. The reality is more nuanced: dark web monitoring is genuinely valuable but produces mostly noise unless the team knows what to do with the findings.
The actual workflow: automated monitoring services scan dark web forums, Telegram channels, paste sites, and ransomware leak sites. When a finding matches your keywords (company name, email domain, executive names, IP ranges), an alert is generated. That alert then needs human analysis to determine: is this real, is this current, and does it require action?
Most Dark Web Alerts Are Historical
The majority of dark web monitoring hits are credentials from breaches that happened 1-5 years ago and have been circulating through paste sites and carding forums since. This does not make them irrelevant — compromised credentials are compromised credentials regardless of when the breach happened — but it means the response is password reset and monitoring, not incident response. Reserve immediate escalation for findings that indicate current reconnaissance, active credential testing, or recent company-specific data that was not previously known to be exposed.
Categories of Dark Web Findings and What Each Requires
| Finding Type | What It Means | Response Workflow |
|---|---|---|
| Employee credentials (email + password) on paste site | Employee's credentials were exposed in a third-party breach — they likely reused the password | Force password reset for affected accounts. Check authentication logs for successful logins with these credentials. Enable MFA if not already required |
| Credentials from a breach combo list (millions of entries) | Older, widely distributed breach data — low specificity, high volume | Check if any credentials match current active directory. Reset matched accounts. Do not treat as targeted attack |
| Company-specific internal data (internal hostnames, IP ranges, non-public project names) | Data originates from inside the organization — indicates either a breach, an employee posting publicly, or a prior compromise | Treat as active incident — escalate immediately. Determine origin. Could be current compromise or historical |
| Ransomware group claiming your organization on their leak site | Either actual ransomware compromise underway or a bluff/extortion attempt | Critical escalation — immediately check for ransomware indicators (encrypted files, C2 activity, unusual lateral movement). Do not pay before verifying the claim |
| Your public IP ranges being discussed as targets | Pre-attack reconnaissance — threat actor is evaluating your infrastructure | Inform vulnerability management. Accelerate patching on internet-exposed systems. Increase monitoring on those IPs |
| Executive names combined with personal details (doxxing) | Social engineering preparation or targeted attack precursor | Notify affected executives. Increase monitoring on executive accounts and systems. Potential Business Email Compromise setup |
Credential Exposure Response — The Operational Workflow
Step 1: Triage and Validate the Finding
splunk-spl
# Credential finding from dark web monitoring service:
# Alert: "employee@company.com:password123" found on paste site
# Step 1: Is this credential currently active in Active Directory?
# Query your AD connector or HR system:
| lookup active_users email AS "employee@company.com" OUTPUT
username, department, last_login, account_status, mfa_enabled
# Step 2: Has this credential been used recently?
# Check authentication logs for successful and failed logins:
index=auth
| where username="employee_username" OR email="employee@company.com"
| where _time > relative_time(now(), "-30d")
| stats count, values(src_ip), values(country) by result, _time
| sort -_time
# Step 3: Are there any successful logins from unexpected locations?
index=auth
| where username="employee_username" AND result="success"
| where _time > relative_time(now(), "-30d")
| lookup user_baseline.csv username OUTPUT known_countries
| where NOT country IN (known_countries)
| table _time, src_ip, country, result
# Step 4: Is this password the current active directory password?
# (DO NOT test by attempting login — this may trigger lockout or alerting)
# Instead: check password last changed date vs breach date
# If password was changed after the breach date: risk is lower
# If password was changed before the breach date or never changed: immediate reset requiredStep 2: Scope the Exposure
splunk-spl
# Check if same password was used on other systems (password reuse detection)
# This requires having a mechanism to check hashed passwords — varies by environment
# Check for any VPN or remote access using this account:
index=vpn OR index=remote_access
| where username="employee_username"
| where _time > relative_time(now(), "-90d")
| stats count, values(src_ip), values(country) by result
| sort -_time
# Check for mail forwarding rules (common attacker persistence mechanism after
# gaining access via compromised credentials):
# Query Office 365 / Exchange audit logs:
index=o365 Operation IN ("Set-Mailbox", "New-InboxRule", "Set-InboxRule")
| where UserId="employee@company.com"
| where _time > relative_time(now(), "-90d")
| table _time, Operation, Parameters
# Check for suspicious mail access from unknown clients:
index=o365 Operation="MailItemsAccessed"
| where UserId="employee@company.com"
| where ClientAppId != "known_client_ids"
| where _time > relative_time(now(), "-30d")
| table _time, ClientIPAddress, ClientAppId, MailboxOwnerUPNThreat Intelligence Platforms — What They Do and When You Need One
A Threat Intelligence Platform (TIP) is a system that ingests threat intelligence from multiple sources, normalizes it into a common format, deduplicates and ages out stale indicators, and provides an API for other security tools to query. The question is not whether to use threat intelligence — it is whether to manage it with a TIP or build the same functionality manually in the SIEM.
| Capability | SIEM Lookup Tables (No TIP) | Dedicated TIP |
|---|---|---|
| IOC ingestion | Manual import of CSV feeds — requires scripting and scheduling | Automated ingestion from dozens of sources via STIX/TAXII and native connectors |
| IOC deduplication | Manual — same IP from multiple feeds creates duplicate suppression entries | Automatic — platform deduplicates, scores, and ages out indicators across sources |
| IOC confidence scoring | Manual — all IOCs treated equally regardless of source quality | Automated confidence scoring based on source reliability, recency, and corroboration |
| Threat actor profiles | Manual documentation — not linked to IOCs | Structured actor profiles linked to techniques, campaigns, and indicators |
| IOC sharing | Manual export and sharing | Automated STIX/TAXII sharing with sector partners and ISACs |
| API for SOAR/SIEM enrichment | SIEM lookup tables queried at search time | Real-time API enrichment — always current, not limited by lookup table update frequency |
When a TIP Is Worth the Investment
- Your SOC processes more than 50 alert investigations per day and enrichment time is a bottleneck — a TIP with SIEM API integration automates what analysts do manually
- You consume more than 3-4 threat intelligence feeds and managing them in lookup tables is becoming maintenance burden
- You participate in sector ISAC threat sharing and need to both receive and contribute structured intelligence
- You have a dedicated CTI analyst whose job includes maintaining threat actor profiles and campaign tracking — they need a platform built for that workflow
- Your organization has compliance requirements around threat intelligence retention and provenance
The SIEM-First Approach for Smaller Teams
Organizations with one or two CTI analysts and fewer than 5 threat intelligence feeds do not need a dedicated TIP. A well-maintained SIEM lookup table architecture — IOC feeds imported daily, enriched with source metadata, queried via API by SOAR playbooks — provides most TIP functionality at lower cost and complexity. Invest in TIP after you have outgrown what lookup tables can do, not before.
Integrating CTI Into Daily SOC Operations
CTI that sits in a separate platform and is only consulted during major incidents is CTI as compliance — it exists to say you have it, not to improve security outcomes. Operational CTI integration means every alert, every hunt, and every vulnerability finding is automatically enriched with the best available context before a human makes a decision.
The Operational CTI Stack
| Tool | Role | Integration Point |
|---|---|---|
| Threat Intel Feeds (commercial + open source) | Raw IOC data: IPs, domains, hashes, CVE exploit status | Imported to SIEM lookup tables and/or TIP daily |
| TIP (optional) | Normalization, deduplication, scoring, actor profiles | Provides enrichment API to SOAR and SIEM |
| SOAR Platform | Automated enrichment at alert creation — adds CTI context before analyst sees alert | Queries TIP or SIEM lookup tables for every alert indicator |
| SIEM | Stores all logs, runs detection rules, surfaces correlated alerts | Receives enriched alerts from SOAR, runs CTI-informed detection rules |
| Threat Hunting Platform or SIEM Advanced Search | Hunt execution — queries logs with CTI-informed hypotheses | Uses same CTI data as detection rules, applied proactively not reactively |
| Vulnerability Scanner | Identifies CVEs on assets | CVE findings enriched with CTI data (EPSS, KEV status) before prioritization |
The Weekly CTI Review — What a CTI Analyst Does Every Week
- Review new intelligence reports from subscribed feeds — identify any techniques or actors that match your threat model
- Update threat actor profiles with new campaigns, techniques, and indicators
- Audit IOC feed quality: check the percentage of IOCs from each feed that resulted in true positive alerts in the past 30 days. Drop feeds with less than 1% actionability
- Review vulnerability scan results enriched with CTI — escalate any KEV findings that have not been remediated
- Brief the detection engineering team on new attacker techniques that need detection coverage
- Prepare a weekly intelligence summary for security leadership: active campaigns relevant to your sector, new exploitation of specific vulnerabilities, notable threat actor activity
Course Complete
You have completed Threat Intel Operations. You now understand how threat hunters build and execute hypothesis-driven hunts, how CTI transforms vulnerability management from CVSS scores into actual risk decisions, how to reduce false positives using intelligence-enhanced detection rules, and how dark web monitoring and threat intelligence platforms work in daily SOC operations. These are the skills that distinguish a CTI practitioner from a SOC analyst who reads threat reports — the difference is in how intelligence translates into operational decisions every day.
Previous Module
Course Complete