This chapter covers dark web monitoring and threat feeds, two critical components of proactive threat intelligence in the Security Operations domain. For the CS0-003 exam, understanding how to collect, analyze, and apply threat data from the dark web and commercial feeds is essential for detecting emerging threats before they impact your organization. Approximately 10-15% of exam questions touch on threat intelligence sources, including dark web monitoring, with an emphasis on distinguishing between different feed types and their practical applications.
Jump to a section
Imagine a massive underground bazaar that can only be accessed through a secret tunnel system. The entrance to this tunnel is not visible from any main street; you need special directions (Tor browser) and a unique map (onion URL) to find it. Once inside, vendors sell goods and services, but they don't display their real names or storefronts; instead, each stall has a random code and transactions are conducted using untraceable tokens (cryptocurrency). A 'dark web monitoring' service is like hiring a trusted agent who knows how to navigate this bazaar. This agent doesn't buy anything but walks through the aisles, noting which stalls are selling stolen credit card numbers, corporate credentials, or exploit kits. The agent records the stall's code, the price, and any mentions of specific companies. Every day, the agent reports back with a list of new threats relevant to your organization. Just as the agent cannot shut down the bazaar, monitoring services cannot remove illegal content—they can only alert you to what's for sale so you can take defensive actions like rotating credentials or patching vulnerabilities.
What is Dark Web Monitoring?
The dark web is a portion of the internet that is intentionally hidden and accessible only through specialized software like Tor (The Onion Router). Unlike the surface web (indexed by search engines) or the deep web (password-protected pages, databases), the dark web is anonymized and often used for illicit activities. Dark web monitoring refers to the automated or manual process of scanning dark web forums, marketplaces, paste sites, and chat channels for mentions of an organization's data—such as employee credentials, intellectual property, or customer information.
For CS0-003, you need to know that dark web monitoring is a form of threat intelligence collection (Tactical and Operational). It provides early warning of data breaches, credential leaks, and planned attacks. Monitoring can be performed by in-house tools or third-party services that have established access to dark web sources.
How Dark Web Monitoring Works
Accessing the Dark Web: Monitoring services use the Tor network to access .onion sites. Tor routes traffic through multiple relays, encrypting at each layer, to anonymize the user. The monitoring service must maintain a presence on these sites without revealing its identity.
Data Collection: Automated crawlers or human analysts visit known dark web marketplaces (e.g., AlphaBay, Dream Market) and forums (e.g., Dread). They search for keywords related to the client organization: domain names, email addresses, IP ranges, product names, or specific data samples (e.g., hashed passwords).
Parsing and Correlation: Collected data is parsed to extract relevant information. For example, if a paste contains "john.doe@company.com:password123", the service extracts the email and password, hashes the password (if plaintext), and checks it against known breach databases. The service then correlates the finding with the client's asset inventory.
Alerting: When a match is found, the service generates an alert. Alerts are categorized by severity: critical (active credential pairs for privileged accounts), high (credential pairs for regular users), medium (mention of company name in a hacking forum), low (discussion of technology similar to company's stack).
Reporting: Regular reports summarize findings, trends, and recommendations. Some services provide a dashboard with real-time alerts.
Key Components and Defaults
Tor Browser: Version 10+ is commonly used. Circuit timeout default is 10 minutes; new circuit for every site is recommended.
Onion URLs: Typically 56-character alphanumeric strings (e.g., http://3g2upl4pq6kufc4m.onion).
Search Terms: Monitoring services allow Boolean queries. Common operators: AND, OR, NOT, wildcard (*).
Alert Thresholds: Most services allow setting a minimum severity level to reduce noise. Default is often 'medium'.
Retention Policy: Dark web data is ephemeral; marketplaces may disappear quickly. Services typically retain findings for 30-90 days.
What is a Threat Feed?
A threat feed (or threat intelligence feed) is a continuous stream of data about known or potential threats. Feeds provide indicators of compromise (IOCs) such as IP addresses, domain names, URLs, file hashes, and email addresses. They are used to automate detection and blocking in security tools like SIEMs, firewalls, and endpoint protection.
Threat feeds are categorized by source: - Open-source feeds: Free, publicly available (e.g., AlienVault OTX, PhishTank). - Commercial feeds: Paid, curated by security vendors (e.g., Recorded Future, FireEye iSIGHT). - ISAC feeds: Industry-specific, shared among members (e.g., FS-ISAC for financial services). - Government feeds: From agencies like CISA (AIS) or NCSC.
How Threat Feeds Work Internally
Collection: Feeds aggregate IOCs from multiple sources: honeypots, sandbox analysis, dark web monitoring, human intelligence, and partner sharing.
Validation: IOCs are validated to reduce false positives. For example, an IP address may be confirmed as a C2 server by correlating with multiple sensors.
Enrichment: Context is added: geolocation, ASN, threat actor group, malware family, confidence score (0-100).
Distribution: Feeds are delivered via APIs, STIX/TAXII, RSS, or email. Common formats: STIX 2.1 (structured threat information expression), TAXII 2.1 (trusted automated exchange of indicator information), CSV, JSON.
Consumption: Security tools ingest the feed. For example, a SIEM can create correlation rules that trigger when a log event matches a feed IOC. A firewall can block outbound traffic to known C2 IPs.
Configuration and Verification
Example: Configuring a threat feed in a SIEM (Splunk)
# Add threat feed as a lookup table
| inputlookup threat_feed.csv
| eval threat_type="malicious_ip"
| outputlookup threat_feed_lookup.csvVerification commands:
# Check if a feed is properly ingested in Splunk
| search index=threat_feed | stats count by source
# Test a known IOC (e.g., from a feed sample)
| where ip="5.5.5.5" | table ip, confidence, threat_typeExample: Blocking with pfSense
# Download feed and apply to alias
fetch -o /tmp/blocklist.txt https://feeds.example.com/ip_blocklist.txt
# Create alias in pfSense GUI: Firewall > Aliases > Import
# Apply rule: Block outbound to aliasInteraction with Related Technologies
SIEM: Feeds are used to create correlation rules. For example, a rule that alerts when a user logs in from an IP in the threat feed.
SOAR: Playbooks can automatically quarantine endpoints or block IPs when a feed IOC is matched.
Endpoint Detection and Response (EDR): Feeds can be used to hunt for file hashes or process behaviors.
Threat Intelligence Platform (TIP): Centralizes multiple feeds, deduplicates, and enriches before distribution.
RFCs and Standards
STIX 2.1: RFC 9063 (structured threat information expression).
TAXII 2.1: RFC 9064 (trusted automated exchange of indicator information).
CybOX: Cyber Observable Expression (used in STIX).
Default Values and Timers
Feed update interval: Typically 1-24 hours. Commercial feeds may update every 5-15 minutes.
IOC expiration: Many feeds include a 'valid_from' and 'valid_until' timestamp. Default expiration is 30 days.
Confidence threshold: Default 50 (out of 100) for actionable alerts.
Exam-Relevant Details
Tor vs. VPN: Tor is not a VPN; it's an onion-routing network. VPNs encrypt traffic to a single server; Tor encrypts in layers through multiple relays.
Dark web vs. deep web: The deep web includes all non-indexed content (e.g., email inboxes). The dark web is a subset of the deep web that requires special software.
Threat feed types: Open-source (free, less reliable), commercial (paid, curated), ISAC (industry-specific).
STIX/TAXII: Know that STIX defines the format of threat data, and TAXII is the transport protocol.
Identify Monitoring Objectives
Define what data to monitor: employee email domains, privileged account names, intellectual property keywords, or customer data patterns. This step determines the search terms and scope. For example, a financial institution might monitor for 'SWIFT code' or 'credit card dumps'. Objectives should align with the organization's risk profile. The monitoring service will use these to configure crawlers. Without clear objectives, the service may produce excessive noise or miss critical alerts.
Configure Dark Web Access
Set up Tor browser or use a third-party service's pre-configured access. If using in-house tools, ensure the Tor circuit is fresh for each session to avoid correlation. Use SOCKS5 proxy (127.0.0.1:9050) for applications. The monitoring system must authenticate to .onion sites if they require registration. Some forums use CAPTCHAs that require manual solving. Automated tools may use headless browsers like Selenium with Tor.
Deploy Crawlers and Parsers
Deploy automated crawlers to visit target sites at regular intervals (e.g., every 6 hours). Crawlers must respect robots.txt (if present) and avoid aggressive scraping that could get the IP banned. Parsers extract text and metadata from HTML, JSON, or plaintext. Use regular expressions to extract email addresses, hashes, or phone numbers. For example, regex for email: [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}. Parsed data is stored in a database for correlation.
Correlate with Asset Inventory
Match extracted data against the organization's asset inventory. For example, if a credential pair is found, check if the email domain matches the company's domain. If the password hash matches a known hash from Active Directory, the alert is escalated. Correlation reduces false positives. The inventory should include employee emails, service accounts, and system identifiers. This step often uses fuzzy matching to account for variations (e.g., 'company.com' vs 'company.co').
Generate and Escalate Alerts
When a match is found, generate an alert with severity based on the sensitivity of the exposed data. Critical alerts (e.g., admin credentials) trigger immediate notification via SMS or email to the security team. Lower severity alerts may be batched in a daily report. The alert should include the source URL, the exposed data snippet, and recommended actions (e.g., force password reset). Escalation procedures should be predefined in the incident response plan.
Integrate with Threat Feeds
Extract IOCs from dark web findings (e.g., IP addresses of C2 servers advertised in forums) and feed them into the organization's threat intelligence platform. This converts dark web monitoring into actionable threat feeds. For example, if a dark web seller offers a remote access Trojan (RAT) that communicates with a specific IP, that IP should be added to blocklists. The integration can be automated via API or STIX/TAXII.
Scenario 1: Financial Institution Monitoring for Credential Leaks
A large bank with 50,000 employees subscribes to a commercial dark web monitoring service. The bank provides its email domains (bank.com, bank.co.uk) and keywords like 'SWIFT', 'ACH', and 'internal network'. The service crawls dark web marketplaces and paste sites daily. One day, it finds a paste containing 200 email-password pairs from bank.com. The passwords are hashed with MD5. The service correlates the hashes with the bank's Active Directory using a rainbow table and finds 15 matches for low-privilege accounts. The bank initiates a forced password reset for those 15 users and audits their recent activity. No breach is found, but the proactive measure prevents potential account takeover. The bank uses the extracted IPs of the paste site as IOCs in its SIEM to block any traffic from those IPs.
Scenario 2: Technology Company Monitoring for Intellectual Property
A tech startup with proprietary source code monitors for mentions of its product name 'DataVault' on dark web forums. The monitoring service finds a post on a hacking forum where a user claims to have stolen 'DataVault source code' and offers it for sale. The service alerts the startup, which then works with law enforcement to take down the listing. The startup also reviews its access logs to identify how the code was exfiltrated—an employee's credentials were phished. The startup implements multi-factor authentication and endpoint detection. Without dark web monitoring, the startup might not have known about the breach until the code appeared on public repositories.
Scenario 3: Healthcare Organization Using ISAC Threat Feeds
A hospital network subscribes to the Health-ISAC threat feed, which provides IOCs specific to healthcare threats. The feed includes IP addresses of ransomware C2 servers targeting hospitals. The hospital's firewall automatically blocks outbound traffic to these IPs. One day, an endpoint tries to connect to a blocked IP; the alert is triggered, and the endpoint is quarantined. The hospital's security team finds that the user clicked a phishing email. The threat feed prevented the ransomware from establishing a C2 channel. The hospital also contributes its own IOCs to the ISAC, sharing information about the phishing campaign with other members.
Common Misconfiguration: Setting the confidence threshold too low (e.g., 10) results in excessive false positives, overwhelming the SOC. Conversely, setting it too high (e.g., 90) may miss valid threats. A balanced threshold of 50-70 is recommended initially, then tuned based on experience.
The CS0-003 exam tests dark web monitoring and threat feeds primarily under Domain 1.0 (Security Operations), Objective 1.1: 'Given a scenario, apply the appropriate threat intelligence source.' The exam expects you to differentiate between open-source, commercial, and ISAC feeds, and to know when to use dark web monitoring.
Most Common Wrong Answers: 1. 'Dark web monitoring can remove stolen data from marketplaces.' This is false; monitoring is passive. Only law enforcement can take down sites. 2. 'Threat feeds always provide 100% accurate IOCs.' Feeds have false positives; validation is necessary. 3. 'Tor is a VPN.' Tor is an onion-routing network, not a VPN. VPNs use a single encrypted tunnel. 4. 'Dark web and deep web are the same.' The deep web includes all non-indexed content; the dark web is a small, encrypted subset.
Specific Numbers and Terms:
Tor uses port 9050 for SOCKS5 proxy by default.
STIX 2.1 and TAXII 2.1 are the current standards.
Common confidence scores are 0-100; 50 is often the default threshold.
The phrase 'Tactical, Operational, Strategic' intelligence levels appear in exam questions.
Edge Cases:
What if a threat feed includes IPs that are also used by legitimate services (e.g., cloud providers)? The exam expects you to know that context (like geolocation and hostname) is needed to avoid blocking legitimate traffic.
What if a dark web monitoring alert is a false positive? The correct action is to investigate and then adjust search terms or whitelist the source if it's benign.
Elimination Strategy: When a question asks about the best source for a specific threat, consider the following:
If the threat is targeted at a specific industry, ISAC feed is best.
If the threat is a known malware variant, commercial feed with enrichment is best.
If the threat involves leaked credentials, dark web monitoring is best.
If budget is a concern, open-source feeds are acceptable but with caveats about reliability.
Exam Tip: Memorize the acronyms STIX, TAXII, and CybOX. Know that STIX is the format, TAXII is the transport, and CybOX is the observable syntax used within STIX.
Dark web monitoring is passive detection, not active removal.
Threat feeds provide IOCs that can be consumed by SIEMs, firewalls, and EDR tools.
STIX is the format for threat intelligence; TAXII is the transport protocol.
Tor uses port 9050 for SOCKS5 proxy by default.
Confidence scores range from 0-100; default threshold is often 50.
ISAC feeds are industry-specific and often free for members.
Dark web monitoring requires clear objectives and search terms to be effective.
These come up on the exam all the time. Here's how to tell them apart.
Open-Source Threat Feeds
Free to use, no subscription cost
Higher false positive rate (up to 30%)
Less timely updates (daily or weekly)
Minimal context (IP, domain only)
Examples: AlienVault OTX, PhishTank
Commercial Threat Feeds
Paid subscription, often expensive
Lower false positive rate (<5%)
Frequent updates (every 5-15 minutes)
Rich context: threat actor, malware family, geolocation
Examples: Recorded Future, FireEye iSIGHT
Mistake
Dark web monitoring can prevent data from being sold.
Correct
Dark web monitoring is passive; it only detects and alerts. It cannot remove content from dark web marketplaces. Only law enforcement actions can potentially remove listings.
Mistake
All threat feeds are equally reliable.
Correct
Open-source feeds have higher false positive rates (up to 30%) due to less curation. Commercial feeds invest in validation and enrichment, achieving false positive rates below 5%.
Mistake
Tor is the same as a VPN.
Correct
Tor routes traffic through multiple relays with layered encryption, while a VPN encrypts traffic to a single server. Tor is slower but provides stronger anonymity. VPNs do not provide access to .onion sites.
Mistake
The deep web and dark web are the same.
Correct
The deep web includes all content not indexed by search engines (e.g., email, databases). The dark web is a small portion of the deep web that requires special software like Tor to access.
Mistake
Threat feeds should be used without validation.
Correct
IOCs from feeds may be outdated or incorrect. Always validate by checking timestamps, confidence scores, and correlating with other sources before taking action.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The deep web includes all content not indexed by search engines, such as private databases, email inboxes, and paywalled sites. The dark web is a small subset of the deep web that requires special software like Tor to access. The dark web is often associated with anonymity and illicit activities.
First, obtain the feed in a supported format (e.g., CSV, STIX). In Splunk, you can import it as a lookup table and create correlation rules. For example, use `| inputlookup threat_feed.csv` to load the data, then write a search that alerts when a source IP matches an IOC in the lookup.
The default SOCKS5 proxy port for Tor is 9050. Applications like browsers can be configured to use 127.0.0.1:9050 to route traffic through Tor.
Not directly. Dark web monitoring can detect discussions about zero-day exploits or advertisements for exploit kits, but it cannot detect unknown vulnerabilities in your systems. It provides early warning of potential threats.
STIX (Structured Threat Information Expression) is a language for describing threat intelligence, including IOCs, campaigns, and threat actors. TAXII (Trusted Automated Exchange of Indicator Information) is a protocol for exchanging STIX data over HTTPS. STIX defines the 'what', TAXII defines the 'how'.
It depends on the feed. Commercial feeds may update every 5-15 minutes, while open-source feeds may update daily. For critical infrastructure, frequent updates are recommended. The update interval should be documented in the feed's service level agreement.
An ISAC (Information Sharing and Analysis Center) is a sector-specific organization that facilitates sharing of threat intelligence among its members. For example, FS-ISAC serves the financial sector. Members submit IOCs and receive curated feeds relevant to their industry.
You've just covered Dark Web Monitoring and Threat Feeds — now see how well it sticks with free CS0-003 practice questions. Full explanations included, no account needed.
Done with this chapter?