DE.CM-4 / DE.DP-4 NIST Cybersecurity Framework v1.1

Do you monitor the dark web / criminal forums for organisation mentions, employee data, or for-sale access?

Description

What this control does

Dark web and criminal forum monitoring involves continuous or periodic surveillance of hidden marketplaces, paste sites, data breach forums, and underground communities where stolen credentials, corporate data, and network access are traded. Organizations deploy specialized threat intelligence tools, engage managed service providers, or subscribe to breach notification services that scan for mentions of company domains, employee email addresses, executive names, leaked credentials, and advertisements for initial access to corporate networks. This control provides early warning of credential compromise, planned attacks, or data exfiltration before attackers exploit the information or sell access to additional threat actors.

Control objective

What auditing this proves

Demonstrate that the organization actively monitors dark web sources and criminal forums for exposure of organizational assets, employee credentials, and unauthorized access offerings, with documented alerting and response processes.

Associated risks

Risks this control addresses

  • Stolen employee credentials sold on criminal forums are used for initial access before the organization detects the compromise
  • Corporate data exfiltrated from undetected breaches is traded or leaked publicly, causing reputational and regulatory harm
  • Initial access brokers advertise and sell network access to ransomware operators before defenders can remediate vulnerabilities
  • Executive or privileged user credentials exposed in third-party breaches are reused against corporate systems
  • Source code, intellectual property, or customer databases appear on paste sites or leak forums without organizational awareness
  • Threat actors discuss planned attacks, vulnerabilities, or reconnaissance findings in underground communities without organizational visibility
  • Impersonation domains or phishing infrastructure targeting the organization goes undetected until active campaigns launch

Testing procedure

How an auditor verifies this control

  1. Request documentation of the dark web monitoring solution, service provider contract, or internal capability used to scan underground sources
  2. Review the scope configuration to verify monitored keywords include company name variations, primary domains, executive names, and critical brand identifiers
  3. Examine evidence that employee email addresses and corporate domain patterns are included in credential exposure monitoring
  4. Obtain examples of alerts or reports generated by the monitoring service from the past 90 days showing actual findings
  5. Verify that monitoring frequency and sources cover major criminal forums, paste sites, data breach marketplaces, and Telegram channels relevant to the industry
  6. Review the incident response procedure or playbook that defines actions when dark web exposure is detected, including credential reset and threat hunting triggers
  7. Interview the security team to confirm how alerts are triaged, who receives notifications, and typical response timelines
  8. Select two documented dark web findings from the past year and trace them through investigation, containment, and remediation activities to closure
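The matching and alert-routing logic that the description and testing steps 2, 3 and 6 describe, as an added example (not code from the control page or from any monitoring product): findings from a feed are deduplicated, checked against a monitoring scope of domains, brand keywords, executive names and look-alike domains, and mapped to the response action a playbook would trigger. Every organisation name, domain, person, finding and playbook text below is a constructed placeholder.

```python
"""Evaluate constructed dark web / breach feed findings against a monitoring scope.

Added example; scope, findings and playbook actions are constructed placeholders.
"""
import hashlib
import re
from dataclasses import dataclass, field

EMAIL_RE = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[a-z]{2,})", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b((?:[\w-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
ACCESS_TERMS = ("access", "vpn", "rdp", "citrix", "webshell")
# Common digit/letter substitutions seen in look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Response action per finding category (constructed playbook mapping, step 6).
PLAYBOOK = {
    "credential-exposure": "force password reset, revoke sessions, review auth logs for the account",
    "access-offering": "open threat hunt for initial access; review remote-access and perimeter logs",
    "impersonation-domain": "request takedown; block domain at mail and web gateways",
    "executive-mention": "notify executive and awareness lead; raise phishing vigilance",
}

# Monitoring scope (steps 2 and 3) -- constructed values, not a real organisation.
SCOPE = {
    "domains": {"example-corp.com", "examplecorp.co.uk"},
    "brand_keywords": {"example corp", "examplecorp", "example-corp"},
    "executives": {"Jane Doe", "John Roe"},
}

# Constructed sample findings, shaped like records a monitoring feed might return.
SAMPLE_FINDINGS = [
    {"id": "f-001", "source": "breach-forum", "text": "combo list: jdoe@Example-Corp.com:Summer2024! (40k lines)"},
    {"id": "f-002", "source": "paste-site", "text": "Selling VPN access to examplecorp network, 2000 hosts"},
    {"id": "f-003", "source": "telegram", "text": "Jane Doe CEO profile scrape with phone numbers"},
    {"id": "f-004", "source": "breach-forum", "text": "unrelated dump from othercompany.net"},
    {"id": "f-005", "source": "paste-site", "text": "Selling VPN access to examplecorp network, 2000 hosts"},
    {"id": "f-006", "source": "paste-site", "text": "new login page at examp1e-corp.com/secure"},
]


@dataclass
class Alert:
    finding_id: str
    source: str
    category: str
    indicators: list = field(default_factory=list)

    @property
    def action(self) -> str:
        return PLAYBOOK[self.category]


def _normalise_domain(domain: str) -> str:
    """Lower-case, undo common homoglyph swaps and drop hyphens for look-alike comparison."""
    return domain.lower().translate(HOMOGLYPHS).replace("-", "")


def _in_scope(domain: str, scope: dict) -> bool:
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in scope["domains"])


def classify(text: str, scope: dict):
    """Return (category, indicators) for one finding, or (None, []) if out of scope."""
    lowered = text.lower()
    # 1. Employee credentials: an email address at a monitored domain.
    emails = [m.group(0).lower() for m in EMAIL_RE.finditer(text) if _in_scope(m.group(1), scope)]
    if emails:
        return "credential-exposure", emails
    # 2. Look-alike domains: not in scope, but equal to a monitored domain after normalisation.
    monitored_norm = {_normalise_domain(s) for s in scope["domains"]}
    lookalikes = [m.group(1) for m in DOMAIN_RE.finditer(text)
                  if not _in_scope(m.group(1), scope) and _normalise_domain(m.group(1)) in monitored_norm]
    if lookalikes:
        return "impersonation-domain", lookalikes
    # 3. Access offerings that name the brand.
    brand_hits = [k for k in scope["brand_keywords"] if k in lowered]
    if brand_hits and any(t in lowered for t in ACCESS_TERMS):
        return "access-offering", brand_hits
    # 4. Executive names.
    execs = [e for e in scope["executives"] if e.lower() in lowered]
    if execs:
        return "executive-mention", execs
    return None, []


def evaluate(findings, scope=SCOPE):
    """Deduplicate findings by normalised text and emit one Alert per in-scope finding."""
    seen, alerts = set(), []
    for f in findings:
        key = hashlib.sha256(" ".join(f["text"].lower().split()).encode()).hexdigest()
        if key in seen:
            continue
        seen.add(key)
        category, indicators = classify(f["text"], scope)
        if category:
            alerts.append(Alert(f["id"], f["source"], category, indicators))
    return alerts


def scope_gaps(scope):
    """Flag scope elements an auditor would expect under steps 2 and 3 that are missing."""
    return [k for k in ("domains", "brand_keywords", "executives") if not scope.get(k)]


if __name__ == "__main__":
    for a in evaluate(SAMPLE_FINDINGS):
        print(f"{a.finding_id} [{a.source}] {a.category}: {a.indicators} -> {a.action}")
```

Run as-is, the script raises four alerts (credential exposure, access offering, executive mention, look-alike domain), drops the duplicate paste and ignores the unrelated dump. The category order in `classify` is deliberate: a leaked employee credential outranks everything else because it is the finding with the shortest window before misuse, so it is the one that must reach the credential-reset path first.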

Evidence required

Configuration exports or service portal screenshots showing monitored keywords, domains, and email patterns; alert logs or reports from the monitoring platform covering the past 90 days; documented incident response procedures specific to dark web findings; case records or tickets showing investigation and remediation of at least two actual detections; service agreement or capability description for the monitoring solution.

Pass criteria

The organization demonstrates active dark web monitoring with documented scope covering organizational identifiers and employee credentials, produces recent alert evidence, and maintains a defined response process with evidence of actual execution when exposures are detected.