monitoring-darkweb-sources

# Monitoring Dark Web Sources ## When to Use Use this skill when: - Establishing continuous monitoring for organizational domain names, executive names, and product brands on dark web forums - Investigating a reported data breach claim found on a ransomware leak site or paste site - Enriching an incident investigation with context about stolen credentials or planned attacks **Do not use** this skill without proper operational security measures — dark web browsing without isolation exposes analyst infrastructure to adversary counter-intelligence. ## Prerequisites - Commercial dark web monitoring service (Recorded Future, Flashpoint, Intel 471, or Cybersixgill) - Isolated operational environment: Whonix OS or Tails OS running in a VM with no persistent storage - Keyword watchlist: organization domain, key executive names, product names, IP ranges, known credentials - Legal guidance confirming passive monitoring is authorized in your jurisdiction ## Workflow ### Step 1: Establish Keyword Monitoring via Commercial Services Configure dark web monitoring keywords in your CTI platform (e.g., Recorded Future Exposure module): - Domain variations: `company.com`, `@company.com`, `company[dot]com` - Executive names: CEO, CISO, CFO full names - Product/brand names - Internal codenames or project names (if suspected breach scope is broad) - Known email domains for credential monitoring Most commercial services (Flashpoint, Intel 471, Cybersixgill) crawl forums like XSS, Exploit[....