Tips & Tricks — Reduce Risk, Avoid Fraud Losses, and Increase Your Team’s Efficiency through Flashpoint’s Alerting Capabilities
By Matt Howell
A key component of leveraging intelligence from illicit communities is the ability to proactively monitor and uncover relevant threat-actor conversations and compromised data. Accessing this information in a timely manner can make all the difference for security teams seeking to reduce risk, avoid fraud losses, and save time while increasing their efficiency.
As we work with security teams to address these challenges, a number of capabilities are available to match teams’ requirements and risk profiles. In this Tips & Tricks guide, I’ll walk through our Alerting Dashboards and how they are being actively used to identify key terms that need calibration, where teams need to broaden their scope, and how to concentrate on the most relevant data sources for your use cases.
To provide brief background on these alerting capabilities, Flashpoint offers multiple alerting solutions, including Automated Alerting, Curated Alerting, Industry Alerting, and Data Exposure Alerting. These options provide coverage across a broad range of illicit communities, chat service platforms, open source datasets, public-facing infrastructure, and other datasets within Flashpoint collections.
- Automated Alerting
- Matches conversations from illicit online communities with a client’s areas of concern, and automatically provides these matches directly to the user.
- Curated Alerting
- A service that curates alerts for relevance and adds context as necessary, creating an easily consumable intelligence alerting experience. These alert patterns are designed and implemented in collaboration with our Customer Success team and curated by our multilingual Tactical Threat Monitoring (TTM) team to reduce false positives, prioritize actionable alerts, and save time for end users.
- Industry Alerting
- Provides customers with tactical information derived from conversations in illicit online communities, scoped to their respective industry. The patterns and alerts are designed, maintained, and curated by the TTM team and delivered to end users, providing actionable information at the industry level for sectors including Financial Services, Retail, Healthcare, and more.
- Data Exposure Alerting
- Identifies customer and company data, source code, or vulnerable systems within open source datasets and public-facing infrastructure in order to prevent actors from leveraging exposed data for illicit activity.
To support our end users for alerting on this key information, Flashpoint has an Alerting Overview Dashboard within the Flashpoint Intelligence Platform Alerting panel. The metrics on the dashboard can help identify terms that need calibration, either to broaden their scope if they are not bringing in the signal you’re looking for or to concentrate on the most relevant data sources for your use cases.
- Step 1: Navigate to the Alerting Overview Dashboard by clicking on the Alerting bell and selecting “Overview”.
- Image #1: Navigation panel for accessing the Alerting Overview Dashboard
- Step 2: The Dashboard display contains insights into the terms in your profile. Below is an example image from a “Test Customer” account, showing the total number of posts Flashpoint has scanned, how many active keywords the account has, and how many hits Flashpoint has matched for those terms. There is also a histogram showing which data sources the hits came from on which days, along with panels identifying the terms that hit most frequently versus the terms that are generating little to no results.
- Image #2: Overview Dashboard example highlighting results over the last 30 days
- Step 3: Use the dashboard insights to identify terms whose scope might need to be broadened to bring in more results, or narrowed to bring in fewer results and reduce false positives. Simply click on a term in the “most active” or “no hits” list to open the modal window and edit the term.
- Step 4: Click on a data set in the histogram to drill into that data source’s results on a given day. If certain data sets are more signal-rich than others, you can calibrate your terms to selectively match on the most signal-rich data sources.
- Image #3: An example of the before and after where a set of terms was recalibrated to reduce noise coming from the Boards data set
We’re really excited about the insights our users are gaining, along with the additional capabilities that let them be proactive in their approach. These options are available to support you and your use cases, for teams large and small. For more information on our alerting capabilities, visit https://www.flashpoint-intel.com/alerting/.