How do you proceed with DarkWeb monitoring? Do you monitor it yourself or have you commissioned a service provider?
I have used self-monitoring tools; however, using CrowdStrike Recon with managed services actually produces meaningful and actionable results.
We use several free monitoring tools, such as Have I Been Pwned, Google Alerts, Tinfoleak, etc., because we don't have the extra budget and only have 350 people to track. When I worked for Fortune 500 companies, we invested in cybersecurity firms with specialized services, tools, and people to actively monitor us.
I often see folks buying Dark Web monitoring services because it sounds like a good thing to do. But having done it for a few years now, I should have defined clear goals and objectives upfront to drive the types of services and resources I need to acquire. You want to monitor your critical assets or your 3rd party vendors, or your domain and websites? Why? Improving your response time? Etc.
A couple of things to consider. It’s likely Dark Web Monitoring is prohibited by corporate policy, and it’s probably best to get a 3rd party firm to do this for you – as if you don’t know what you’re doing it’s likely you will end up in a dangerous place in the Dark Web – which we really no longer call the dark web, as it’s referred to as “hidden services”. There is no real search engine for hidden services, so you really do need to know where to look for relevant information so you can develop an intelligence product. Ingesting the various criminal forums found in hidden services and then keyword searching it requires an investment in tools (custom scrapers), storage and processing, and manual analysis. It’s like looking for a needle with your name on it in a factory which produces needles. Many of the most active cyber-criminal forums require evidence of cyber-criminal activities before access will be granted. Access requires cybercriminal credentials, usually from someone with “rep” in the cybercriminal world, and of course several BTC wallets for purchases from the underground forums which can’t be traced back to a law enforcement or a corporate entity. If you have no training in online covert operations, it’s likely your success in gaining access to the hidden services forums will be minimal. You could be subject to retaliation as well – doxed and targeted by cyber-criminal enforcers.
Unfortunately, initial access brokers and other cyber-criminal crews have moved away from the dark web/hidden services and are operating on Telegram channels, which have all the safeguards above in place, including a need to be invited by an admin into the channel. Many CTI firms have established a presence in these channels and forums (as well as law enforcement) to look for information relevant to their customers. Using a 3rd party for dark web monitoring is likely the safest and most economical way of gaining access to this information.
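The reply above describes the "needle in a needle factory" problem: once forum or channel posts have been ingested (by a vendor feed or your own scrapers), the hard part is keyword matching that surfaces only posts naming your assets. The script below is an added example, not code from any poster or vendor in this thread; it assumes a hypothetical watch-list of domains and brand keywords and runs over a small constructed batch of post-like records. It normalizes common "defanged" spellings (`example[.]com`, `example(.)com`, `example dot com`) before matching, uses word-boundary-aware domain matching so that `notexample.com` is not a false positive, and flags posts that look like a leaked `email : password` pair for priority triage.

```python
import re

# Hypothetical watch-list: assets the defender wants to be alerted on.
# These names are constructed for the example, not from the thread.
WATCHED_DOMAINS = {"example.com", "vendor-example.net"}
WATCHED_KEYWORDS = {"examplecorp"}

# Constructed sample of ingested posts, as a feed or scraper might deliver them.
SAMPLE_POSTS = [
    {"id": 1, "source": "forum-a",
     "text": "Selling VPN access to example[.]com network, 2FA bypassed"},
    {"id": 2, "source": "channel-b",
     "text": "fresh combolist 50k lines, mostly gmail"},
    {"id": 3, "source": "forum-a",
     "text": "Dump: admin@vendor-example(.)net : hunter2"},
    {"id": 4, "source": "channel-b",
     "text": "looking for ExampleCorp employees insider"},
]

# Common defanging styles that would otherwise defeat a naive substring search.
DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\s+dot\s+", re.IGNORECASE)

# Loose "email : password" shape; only used to raise priority, not to validate.
CREDENTIAL_RE = re.compile(r"([\w.+-]+@[\w.-]+)\s*:\s*\S+")


def normalize(text):
    """Lower-case the post and collapse defanged dots back to real dots."""
    return DEFANG_RE.sub(".", text).lower()


def domain_pattern(domain):
    # Allow a leading subdomain (mail.example.com) but not a glued prefix
    # (notexample.com); forbid trailing label characters (example.common).
    return re.compile(r"(?<![a-z0-9-])" + re.escape(domain) + r"(?![a-z0-9-])")


def match_post(post):
    """Return a sorted list of (hit_type, value) tuples for one post."""
    text = normalize(post["text"])
    hits = []
    for domain in WATCHED_DOMAINS:
        if domain_pattern(domain).search(text):
            hits.append(("domain", domain))
    for keyword in WATCHED_KEYWORDS:
        if keyword in text:
            hits.append(("keyword", keyword))
    # Only treat a credential-looking pair as a hit if it belongs to a watched domain.
    for m in CREDENTIAL_RE.finditer(text):
        email = m.group(1)
        if any(email.endswith("@" + d) or email.endswith("." + d) for d in WATCHED_DOMAINS):
            hits.append(("credential", email))
    return sorted(hits)


def triage(posts):
    """Keep only posts with at least one hit; credential hits sort first."""
    alerts = []
    for post in posts:
        hits = match_post(post)
        if hits:
            alerts.append({"id": post["id"], "source": post["source"],
                           "priority": "high" if any(h[0] == "credential" for h in hits) else "normal",
                           "hits": hits})
    alerts.sort(key=lambda a: (a["priority"] != "high", a["id"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_POSTS):
        print(alert)
```

The value of the example is in what it drops as much as what it keeps: the generic combolist advert (post 2) produces no alert, while the leaked credential for a watched domain (post 3) is pushed to the top of the queue. In practice the watch-list would also carry executive names and product names, and every alert still needs the manual analysis the reply above calls out.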
We've commissioned two service providers and participate in an ISAC which has some amount of sharing of what they find. We leverage free feeds as well. We do not engage directly.