Success Story Archives - Flare | Cyber Threat Intel | Digital Risk Protection
Attackers Shouldn't Have the Information Advantage
Feed last updated: Wed, 16 Apr 2025 14:06:59 +0000

German MSSP Accelerates Ability to Provide Real-Time Identity Intelligence in Line with DORA, NIS2, and IT Security Act 2.0
https://flare.io/learn/resources/german-mssp-accelerates-ability-to-provide-real-time-identity-intelligence-in-line-with-dora-nis2-and-it-security-act-2-0/
Published: Fri, 28 Feb 2025 15:04:43 +0000

The post German MSSP Accelerates Ability to Provide Real-Time Identity Intelligence in Line with DORA, NIS2, and IT Security Act 2.0 appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

The Customer
  • German MSSP serving clients that provide essential services across financial services, energy, healthcare, manufacturing, and the consumer packaged goods industries
  • Services include continuous threat exposure management (CTEM), external attack surface management (EASM), vulnerability management, real-time dark web monitoring, penetration testing, and code audit

“With all the European Union and German data protection laws, customers want to have comprehensive coverage and understanding about their external threat exposures. Implementing automated identity intelligence monitoring made sense for our team and our customers.”

– CTO, German MSSP

Ensuring Oversight in Line with Policy

The European Union (EU) has led the charge on data protection and cybersecurity regulation. In 2018, the General Data Protection Regulation (GDPR) created broad extraterritorial jurisdictional requirements that sought to protect EU citizens, wherever they live, and people residing in the EU, regardless of citizenship status. In 2022, the European Commission updated its Directive on Security of Network and Information Systems (NIS2) and required Member States to enact implementing laws to standardize compliance across the EU in 2024. Adding to this onslaught of regulations, the European Parliament’s Digital Operational Resilience Act (DORA), specific to financial services, went into effect on January 17, 2025.

Across these different regulatory compliance requirements, proactive threat detection and risk management is a fundamental commonality. For example, DORA defines “threat-led penetration testing” as a framework that mimics the tactics, techniques, and procedures (TTPs) of real threat actors, informed by threat intelligence. Meanwhile, NIS2 requires organizations to provide incident reports based on a threat’s severity, including a final report, due within a month of submitting the notification, that states the type of threat or root cause that triggered the incident.

As organizations across the EU work to implement the appropriate controls, many have found that their previous processes for threat intelligence collection and dark web monitoring lacked the comprehensive intelligence and efficiency needed.

Challenge: Time-Consuming Manual Processes Created Inefficiencies

As a Germany-based MSSP, our customer works with organizations across multiple highly regulated industries that fall within the definition of critical infrastructure, such as financial services, energy, healthcare, and manufacturing. These customers need to comply with EU-wide data laws as well as Germany’s IT Security Act 2.0, which expanded the third-party audit requirements for these customers. Because of these compliance requirements, customers across the German market are very conscious about data privacy and collection.

Most customers’ leaked or stolen credentials would be found in clear web leaks, dark web forums, or illicit Telegram channels. However, the MSSP struggled with time-consuming, resource-intensive manual processes that limited their data scraping to twice per year, with each run taking 1-2 days to complete. The organization found maintaining a current list of Tor addresses, Telegram channels, and dark web forums overwhelming, as these continuously change. The security researchers would need to reinvestigate multiple resources before engaging in an actual investigation, meaning the MSSP struggled to gain real-time threat actor insights.

To provide the proactive monitoring customers wanted and needed, this customer sought out an identity intelligence solution. 

Implementation: Near-Instant Added Visibility

After seeing the Flare solution in action, the MSSP signed up for the free trial, which provided unlimited access to the platform, including complete workflow capability. After the easy onboarding process, our customer achieved near-instant benefits by swiftly finding numerous previously unknown threats, including identification of compromised devices.

While the MSSP had access to a large number of dark web sources prior to Flare, it could now engage in real-time monitoring. During the demo phase, the organization gained insights that provided significant benefits, including:

  • Monitoring typosquatting domains
  • Identifying domains registered for deploying targeted phishing attacks against customers
  • Confirming data source accuracy

The MSSP’s penetration testing teams dramatically accelerated their information gathering by using Flare’s automation capability and substantial data feeds, enabling them to conduct more sophisticated penetration testing engagements. In true pentester fashion, the customer has shared its past resources with Flare, which have contributed to improvements in the Flare platform. This customer’s offensive security expertise has fostered a fantastic partnership for both organizations!

Ultimately, this customer chose Flare because of the ease-of-use and straightforward pricing model that offered greater value, as competitors’ packages cost more per identifier.

“Of course the onboarding process was really simple. We appreciated that everything we set up in the free trial and demo transferred over to production so we could get right into identity intelligence monitoring. In some other demo experiences we lost everything from the demo and had to start over.”

– CTO, German MSSP

Benefits: Scaling Business, Generating Revenue, and Elevating Security Posture

After setting up the demo environment, our customer was able to transfer all workflows and data from their free trial account to their subscriber account, simplifying the onboarding process. With Flare, this MSSP is able to automate clear & dark web monitoring as well as structure the unstructured data. Because Flare is a comprehensive API-first platform, the organization was able to build custom tools and solutions around it, even during the trial phase. As they expanded these capabilities, they leveraged Flare’s AI features to help them make rapid, informed decisions based on large data volumes.

As a Flare customer, the MSSP monitors its own domains and trademarks, upleveling its own security program.

Recently, the Flare platform sent a low-priority alert identifying an open bucket with a file name containing its company name. In the customer’s investigation:

  1. They found the alert had identified a company logo image shared with external identities.
  2. As the organization explored further, it identified another misconfigured S3 bucket containing sensitive data from a new supplier. 
  3. The company reported the issue to the supplier and the supplier’s IT team closed the bucket by the end of the day. 

Although the S3 bucket had only been exposed for 2 days, Flare’s real-time monitoring enabled the rapid response that protected the sensitive data. The supplier is also now a happy customer of the MSSP after seeing the value the MSSP brings by wielding the Flare platform.

By integrating Flare into their services, our customer scaled its business, even having customers on an internal waiting list for the new identity intelligence offering that included dark web monitoring. By using Flare to eliminate manual information-gathering processes, the MSSP’s security analysts can focus on reviewing alerts. The MSSP now provides a zero-false-positives managed EASM service to a wider range of customers and offers a standalone dark web monitoring product focused on smaller companies and government institutions.

Looking Ahead

In the future, the MSSP seeks to expand its offerings by focusing on the health and critical infrastructure sectors. The new EU mandates require organizations to provide prompt incident notifications. However, these regulated organizations often struggle to find and retain qualified personnel with specialized sector experience. To meet these needs, our customer plans to leverage Flare’s capabilities with their threat intelligence platform to integrate more automated tasks while escalating critical events to their internal pentest and cyber defense experts.

Swedish Digital Solutions Provider Saves About 600 Hours Per Year with Threat Exposure Management and Executive Reporting
https://flare.io/learn/resources/swedish-co-saves-about-600-hours-per-year-with-threat-exposure-management-and-executive-reporting/
Published: Wed, 23 Oct 2024 21:31:01 +0000

The Customer
  • European software and services company working with clients mainly in the public sector
  • About 250 employees 
  • Build digital solutions with the company’s software

“Stealer logs have been the [sources] where we have seen the most actionable intelligence regarding leaked credentials.”

– CISO, Swedish Software & Services Company

Whether employees work remotely or on a corporate wireless network, user credentials are more valuable than ever. To obtain these credentials, threat actors increasingly deploy infostealer malware, a malicious program that collects and packages up data from the victim’s machine, including:

  • Browsers
  • Session cookies
  • Browser history
  • Host data
  • Screenshots from the victim’s screen
  • Crypto wallets

Threat actors then sell the stolen data on the dark web or in illicit Telegram channels. When researching 50 companies whose data breaches were publicly available, Flare found that: 

  • 90% had previous corporate credentials leaked in a stealer log
  • 78% had corporate credentials leaked in a stealer log within the six months before or after the identified breach

For software companies, these breaches and the associated credential theft pose several risks:

  • Intellectual property theft or modification: Malicious actors targeting software companies can either steal source code or compromise source code stored in development environments. 
  • Customer data theft: Malicious actors can steal customer data, like payment details, credentials used to access customer portals, or customer contact information to use for spear phishing campaigns. 
  • Reputation: Compromised software or customer records undermine the brand’s digital reputation, which can lead to customer churn.

With the rising threat of infostealer malware, our customer sought to gain insight into leaked credentials and infected devices that could impact their security, especially mentions of senior leadership. By also monitoring the dark web and illicit Telegram channels, the security team hoped to understand whether the organization was targeted by hacktivist groups in Europe, which have been targeting commercial organizations.

Challenge: Manual Intelligence Gathering was Costly and Inefficient

In response to these risks, the software company sought to operationalize threat intelligence as part of its cybersecurity and digital risk management strategies. Unfortunately, the manual processes made gathering intelligence time-consuming and cost-prohibitive. The security team’s processes involved:

  • Vendor-supplied documents
  • Google alerts to monitor clear web chatter
  • Limited, ad-hoc dark web monitoring 

The security team spent more time looking for information than acting on the threat intelligence. As our customer began researching threat exposure management technologies, the team knew they needed a solution that would:

  • Quickly and easily integrate into their environment
  • Provide trustworthy insights and actionable suggestions
  • Enable faster and more effective responses

Implementation: Comprehensive and Smooth Free Trial to Proof of Concept Process

The software organization leveraged Flare’s free trial to test the platform’s value. Within a week, the customer had a working version of the Flare platform and began to realize value using the indexed data. During this time, the organization identified previous breaches and took appropriate actions quickly. Flare gave them near-immediate insight into the sources, including:

  • A combo list dating back to 2014, with credentials that had already been rotated
  • Stealer logs, which yielded the most actionable intelligence on leaked credentials

Our customer moved from the free trial to the proof of concept (POC) in roughly a month. During the POC, multiple members of the security team evaluated how the Flare platform adapted to their organization’s needs.

Although this organization was in discussions with another vendor, they chose Flare because the platform offered:

  • More data sources which further reduced manual monitoring
  • Transparency into sources for insight into threat monitoring scope
  • Reporting that included email notification which reduced the time spent checking the platform

The security team was able to save time immediately with Flare’s actionable, prioritized alerts and clear threat intelligence scope.

“We’re saving about 20-30 hours per month with threat exposure management and executive reporting. The biggest difference is how great we feel knowing that if our threat level would increase then we would be quickly informed about it and able to take proactive action.”

– CISO, Swedish Software & Services Company

Benefit: Saves 20-30 Hours Per Month with Confidence in Responding to Threats

Flare’s onboarding process and intuitive user interface enabled our customer to gain confidence in the alerts and their actionability within 1-2 months. Once they gained access to the platform, they rapidly:

  • Leveraged feedback on indicators to identify necessary tuning
  • Identified trends in the large dataset to evaluate data’s importance
  • Removed data sources from monitoring to improve alert fidelity

Since the client onboarded six months ago, the security team now:

  • Saves 20-30 hours per month with threat exposure management and executive reporting
  • Has confidence in their ability to identify changes to their threat level
  • Clearly understands the threat landscape to make data-driven, educated decisions about security investments

In the next 6-12 months, our customer plans to expand the team’s use of the platform so that they can extend the value further.

Manufacturing Company Manages External Risks After Ransomware Attack, Saving Up to 500 Hours Per Year
https://flare.io/manufacturing-co-manages-external-risks-after-ransomware-attack-saving-up-to-500-hours-per-year/
Published: Tue, 05 Mar 2024 16:30:50 +0000

The Customer
  • The manufacturing company provides one-on-one, customized, quality engine repair & overhaul services for the Rolls-Royce Model 250 Series of engines & accessories
  • In operation for 35 years

“After a ransomware attack, Flare was the last piece of the puzzle of boosting our cybersecurity approach. Instead of manually scouring the dark web and other sources for hours, I can save up to 500 hours per year and have peace of mind with this Threat Exposure Management solution.”

– President and General Manager, Manufacturing Company

For many companies, dark web monitoring remains a time-consuming manual process that requires a specialized skill set. Security analysts need to know how to access the dark web, hide in illicit forums, read foreign languages (and threat actor jargon), and study criminal groups’ patterns. 

Meanwhile, many threat intelligence feeds connect users to incomplete databases of leaked information, providing little context around the data. Without this context, security teams have no way to effectively use it, leaving it disconnected from the rest of their cybersecurity technology stack. 

As attackers move from traditional dark web forums on Tor to newer technologies like illicit Telegram channels, their communications become even more decentralized. In response, organizations seek solutions that give them a single source of contextualized dark web monitoring data that integrates with their cybersecurity monitoring and ticketing tools.

In addition, the number of ransomware attacks has skyrocketed in the last few years, with data extortion ransomware attacks increasing at an annualized rate of more than 112% in 2023. In our research, we observed that threat actors attacked the Manufacturing, Information Technology, and Professional Services industries the most in 2023.

To monitor illicit sources and stay vigilant for information stolen from a past attack, and to exercise ransomware readiness for the future, our customer implemented Flare into their cybersecurity program.

Challenge: Emotionally and Resource-Exhausting Manual Dark Web Monitoring After Ransomware Attack

Our customer knew that its security program needed to include dark web monitoring. The organization has a two-fold mission: protecting data and maintaining repair operations. Like many companies in the aerospace and manufacturing verticals, their technology stack includes traditional IT alongside technologies with human-machine interfaces for their engine and machine shops.

Unfortunately, threat actors conducted a ransomware attack, which this manufacturing organization quickly contained, but there was the possibility that the ransomware group had exfiltrated sensitive information. The President-General Manager spent hours manually scouring the dark web and other relevant sources looking for leaked files stolen in the attack, both as a response to the incident and as part of ransomware readiness for any future risks. Manually searching the dark web also carries the risk of stumbling onto malicious sites and disturbing content.

The manual process included looking into the following sources, sometimes until 3:00-5:00 AM:

  • Ransomware websites
  • Dark web chatter 
  • News events
  • Educational resources from cyber practitioners across online communities and YouTube

[Image: Screenshot of LockBit’s ransomware blog with posts of their ransomware victims’ stolen information] Caption: Ransomware group LockBit’s website shares ransomware victims’ stolen information.

Implementation: Smooth Transition from Free Trial to Onboarding

The manufacturing company’s President-General Manager found Flare’s Threat Exposure Management (TEM) solution through an educational video on dark web monitoring and immediately signed up for the free trial. He described the transition to using Flare and integrating it with the rest of their cybersecurity program as “very easy.” In addition, the user interface is straightforward to navigate.

“You’re telling me what I was doing alone manually for hours, you can do it for me automatically?! Now instead of dealing with all my security machines I just look at one feed of my related content with Flare. I kick back and relax, not worry as much, and spend time on other pressing items.”

– President and General Manager, Manufacturing Company

Benefits: Up to 500 Hours Saved per Year 

With Flare, our customer’s security team:

  • Saves 5-10 hours of research per week (and thus up to about 500 hours per year) by automating the research process
  • Consolidates research into a single feed of related events, eliminating the need to manage various security machines
  • Reduces stress related to feeling defenseless and overwhelmed 
  • Spends more time focused on other critical security tasks

With Flare’s easy-to-use interface, our customer was able to rapidly transition from manual processes to automated monitoring, enabling a more efficient, informed, and proactive security program. 

National Grocery Chain Protects Against Account Takeovers
https://flare.io/learn/resources/how-flares-dark-web-monitoring-protected-a-grocery-chains-reputation/
Published: Thu, 05 Oct 2023 19:07:14 +0000

The Customer
  • Over $15B in revenue each year
  • Almost 100,000 employees
  • Offers a popular online grocery retail platform, a loyalty program, and pharmacy services

“Before Flare we struggled to catch up to threat actors causing damage after finding customers’ leaked credentials. With Flare’s Threat Exposure Management (TEM) platform we’re staying on top of stolen accounts with automated monitoring and preventing fraud from happening in the first place.”

– CTI Director, National Grocery Chain

Manually monitoring for stolen credentials is incredibly time-consuming and ineffective. Months can go by before security teams detect leaked information. Threat actors can also publish and then remove information between searches, adding another layer of difficulty in tracking it down. This time lag creates an advantage for cybercriminals.

With Flare’s automated Threat Exposure Management solution, the grocery chain simplified tracking down stolen credentials from their loyalty program eCommerce platform. This shifted their cyber strategy from reactive to proactive: from addressing account takeovers to flagging stolen accounts and addressing the issue before threat actors could abuse the stolen credentials. 

By monitoring high-risk external threats with Flare, the national grocery chain not only monitored and stopped those threats, but also accelerated their mitigation efforts.

Challenge: Threat Actors Target Loyalty Programs

The grocery chain’s security team investigated threat actors targeting accounts on its online grocery retail platform for account takeovers. Malicious actors publish threats, hacks, and stolen data across hundreds of illicit sources, which makes manual monitoring too time-consuming. Threat actors often target loyalty program accounts, common in the retail, hospitality, and travel industries, because:

  • They typically do not have 2FA/MFA
  • They are not perceived as accounts that need a lot of protection like a banking account, even if they include payment information 

The customer’s security team searched for solutions that would reduce account takeovers and protect the brand reputation while increasing customer retention and loyalty.

Benefits: Security Team Secures Stolen Accounts Before Threat Actors Abuse Them

With Flare, the grocery chain regained their customers’ trust by drastically decreasing account takeovers. The security team could find stolen accounts and secure them before threat actors gained access through credential stuffing.

By searching Flare’s database of billions of compromised credentials, the customer’s security team conducted their searches in one place instead of combing through hundreds of illicit sources.

Their adapted mitigation strategy with Flare has significantly reduced account takeovers and fraud. 

Want to learn more about preventing fraud before it happens? Sign up for our free trial.

MSSP Upgrades Threat Exposure Monitoring for Multinational Pharmaceutical Company
https://flare.io/learn/resources/exposure-monitoring-for-a-large-pharmaceutical-company-a-flare-success-story/
Published: Thu, 10 Aug 2023 20:13:00 +0000

“Even in the initial proof of concept for our pharmaceutical customer, we increased visibility of scale with several escalated alerts and gained knowledge of systems that showed significant risk.”

– MSSP

Challenge: Multinational Pharmaceutical Company Needs Holistic View of their Exposure

A multinational pharmaceutical company had an information security program that lacked a comprehensive view of their exposure on the clear & dark web. Their goal was to get a better understanding of how an exposure monitoring solution can provide value and security to enforce the organization’s control objectives, as well as how clear & dark web monitoring can provide ongoing visibility into the organization’s data security objectives. They reached out to our customer, an MSSP, which partnered with Flare for the engagement.

To help meet this goal and better understand the unique needs of the organization, the MSSP’s team used Flare to conduct an exposure monitoring proof of value. This proof of value included a feature demonstration and a high-level assessment of the organization’s external exposure. When the customer uncovered results indicative of risk using the Flare platform, they used that data to improve monitoring for similar types of risk on a continuous basis.

With interesting results in hand, the MSSP put on their red-teaming hats to analyze findings as an adversary would to illustrate potential impact and recommendations to resolve or mitigate the risk.

Implementation: MSSP Offers Comprehensive Proof of Value to Client

The Secure Coders team conducted the following efforts.

[Table image: columns for phase, duration, and description of the work Secure Coders did for their pharmaceutical client in understanding their threat exposure.]

The table below outlines the process employed by Secure Coders to identify, enrich, prioritize, and remediate threats.

[Table image: columns for Exposure Monitoring Process and Description for the four steps Secure Coders took to identify, enrich, prioritize, and remediate threats.]

Using its expertise and the Flare platform, the MSSP made the following capabilities available.

  • Criminal underground monitoring
    • Access Brokers – Provide actionable intelligence that saves time spent detecting and remediating attacks or compromised systems for sale on dark web marketplaces.
    • Forum Chatter – Classify and report on conversations occurring on dark web communication channels relating to brand, product, and operations.
  • Intellectual property monitoring
    • Publicly Posted Source Code – Review publicly available source code posted by entities both internal and external to the organization. Source code is analyzed and reported on by experienced software developers.
    • Public Dumps – Review content posted on channels such as Pastebin that pertains to the organization’s brand.
    • Public Forum Disclosures – Monitor public forums for discussions that disclose sensitive internal information.
  • Monitor external attack surface
    • Monitor GitHub for Source Code and Secrets Leakage – Monitor online code repositories for accidentally leaked information. Run custom regexes and queries across public code repositories such as GitHub, Bitbucket, and GitLab.
    • Detect Technical Data Leakage – Detect mistakes and secrets about the organization’s environment being committed to repositories and alert the security team on accidental commits.
    • Identify Misconfigured Servers – Enable real-time notification of misconfigured S3 storage, Shodan-indexed hosts, and other cloud data exposures that could put the organization at risk.
    • Monitor Anonymous Sharing Websites – Monitor password dumps, sensitive technical data, and PII posted on Pastebin and other anonymous sharing sites (bin sites).
  • Preventing Account Takeover
    • Real-time Credential Monitoring – Collect leaked credentials from the dark, deep, and clear web so they can be acted on the minute they are discovered, before they are abused.
    • Automated Workforce Account Monitoring – Integrate credential dump feeds with the organization’s existing processes.
  • Brand Protection
    • Drug Marketplace Monitoring – Continuously monitor product and service postings on dark web marketplaces relating to product sales and counterfeiting.
    • Dump Monitoring – Monitor advertised dumps pertaining to the organization’s business.
  • Detecting Phishing Attacks
    • Subdomain Monitoring – Identify phishing domain names and SSL certificates and detect the registration of new domain names similar to the organization’s domains.
  • Preventing Financial Fraud
    • Workforce Protection – Search a directory of financial fraud victims, based on leaks on the dark, deep, and clear web as well as on identities for sale on illicit markets. Enable the organization to check whether members of their workforce have been victims of fraud, while ensuring information privacy protection.

Benefit: Escalated Alerts from Exposure Monitoring Provide Valuable Knowledge on Significant Risk

Through the proof of value, we were able to demonstrate the benefits and value of implementing an exposure monitoring solution. With Flare, our customer successfully increased visibility of the organization’s external exposure on the clear & dark web. The following were delivered through the course of the proof of value:

  • 1,590 Flare identifiers were created
  • Monitor External Attack Surface report with 1 escalated alert
  • Intellectual Property report with 9 escalated alerts
  • Leaked Credential report with 1 escalated alert
  • Monitor External Attack Surface report with 6 escalated alerts
  • Preventing Financial Fraud report with 5 escalated alerts

Several of the escalated alerts resulted in the organization gaining knowledge of a system that presented significant risk. The MSSP’s customer requested a follow-on engagement for an advanced persistent threat (APT) style pentest targeting the system, which was performed by the MSSP, utilizing their team of experts, heavily leveraging the Flare system.

The post MSSP Upgrades Threat Exposure Monitoring for Multinational Pharmaceutical Company appeared first on Flare | Cyber Threat Intel | Digital Risk Protection.

E-Commerce Giant Radically Simplifies GitHub Leak Monitoring
https://flare.io/learn/resources/north-american-e-commerce-giant-radically-simplifies-github-monitoring/
Fri, 07 Jul 2023 16:22:32 +0000
The Customer
  • E-commerce
  • Multinational
  • Fortune 100 Company

The Challenges

“It was impossible before to keep track of all developer actions happening in GitHub for distributed multinational developer teams, but with Flare we know for sure that we’re monitoring everything accurately, automatically, and consistently.“

– CTI Analyst

GitHub Leaks

Code hosting platforms like GitHub are invaluable as developers collaborate from distributed locations. About 84% of Fortune 100 companies use GitHub. 

GitHub hosts public repositories (repos) that are accessible to anyone online. Organizations can use public repositories for open-source projects and individual developers can share their own projects and skills. On the other hand, private repositories host code for internal projects. 

Threat actors can steal information by sneaking into private repositories or by finding private repositories that were accidentally made public. A report found that there are roughly two million corporate secrets that are publicly accessible on GitHub. This private information includes login credentials, certificates, and API keys. 

As teams collaborate across distributed teams and remote workers, the potential for sensitive information leaking on clear web platforms such as GitHub can increase dramatically. Our customer, a Fortune 100 company, sought out Flare to monitor sensitive information on their GitHub repositories.

Challenge: Too Difficult to Manually Monitor Developers’ GitHub Work Across Distributed Teams

It was impossible for the multinational e-commerce company’s security team to manually keep track of all the different domains (across multiple countries) and to link each developer to each public asset. 

The security team wanted to gather data on commits, leaked secrets, and email addresses. 

Benefit: Automate Asset Tracking Relations in GitHub

By tracking the relations between GitHub repositories, users, domains, and emails (shown in the diagram below), Flare enables this security team to understand any issue related to leaked GitHub secrets without cumbersome manual searches.

Through Flare, the CTI team can now easily view:

  • All the GitHub repositories in which a sensitive domain asset is mentioned and identify the GitHub users and emails committing into it 
  • All the GitHub repositories in which the emails from the organization are committing publicly and order them by number of commits and leaked secrets 
  • All the GitHub repositories in which specific monitored actors are committing publicly and identify those containing leaked secrets 

With Flare in place, the public GitHub event feed is monitored continuously, a document is created for every monitored commit, and the relationships between the different assets and collaborators are mapped. 

This allows for the creation of API endpoints that enable exploration of the gathered data, such as listing GitHub repositories with mentions of sensitive domains, listing repositories with commits from a specific domain, or listing email addresses associated with commits in a monitored repository. By implementing this solution, the client stays on top of potential security breaches and keeps sensitive information secure.
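The pipeline described above (event feed, one document per commit, relations between repositories, users, domains and emails, and the three queries listed) can be sketched as follows. This is an added example, not Flare’s implementation: the events are constructed in the shape of GitHub’s public Events API, the per-commit patch text is embedded directly because a real monitor would fetch each diff from the API, and examplecorp.com, jdoe-dev and the secret patterns are assumptions. The third repository shows the case the bank story later mentions, an API key leaked in a file that never names the organization’s domain, which is caught by a regex plus entropy check rather than by a domain match.

```python
"""Public GitHub event-feed monitor: one record per commit, relations
repo <-> author email <-> monitored domain <-> leaked secret, plus the three
queries from the case study. Added example, not Flare's code. EVENTS mimics
GitHub's public Events API (PushEvent); the 'patch' text is constructed too,
since a real monitor fetches each commit's diff separately."""
import math
import re
from collections import defaultdict

MONITORED_DOMAINS = {"examplecorp.com"}   # assumed organization domain
MONITORED_ACTORS = {"jdoe-dev"}           # assumed GitHub users of interest

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic assignment: paired with an entropy check so placeholders stay quiet.
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"),
}

# Constructed events: two commits carry real-looking secrets, one a placeholder.
EVENTS = [
    {"type": "PushEvent", "actor": {"login": "jdoe-dev"}, "repo": {"name": "jdoe-dev/infra-scripts"},
     "payload": {"commits": [{"sha": "a1b2c3d", "author": {"email": "jane.doe@examplecorp.com"},
                              "message": "add deploy helper",
                              "patch": "+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n+host = vpn.examplecorp.com\n"}]}},
    {"type": "PushEvent", "actor": {"login": "octo-fan"}, "repo": {"name": "octo-fan/dotfiles"},
     "payload": {"commits": [{"sha": "d4e5f6a", "author": {"email": "octo@personal.example"},
                              "message": "vim config", "patch": "+set number\n+password = changeme_changeme\n"}]}},
    {"type": "PushEvent", "actor": {"login": "bsmith"}, "repo": {"name": "bsmith/side-project"},
     "payload": {"commits": [{"sha": "0f1e2d3", "author": {"email": "bob.smith@examplecorp.com"},
                              "message": "wire up client",   # org key, file never names the org domain
                              "patch": "+api_key = \"x7Gq2Lp9VzR4kT0nBsY8aW3cJe\"\n"},
                             {"sha": "4c5b6a7", "author": {"email": "bob.smith@examplecorp.com"},
                              "message": "readme", "patch": "+# side project\n"}]}},
    {"type": "WatchEvent", "actor": {"login": "someone"}, "repo": {"name": "x/y"}, "payload": {}},
]

def shannon_entropy(s):
    """Bits per character; random tokens score well above dictionary words."""
    freq = {c: s.count(c) / len(s) for c in set(s)}
    return -sum(p * math.log2(p) for p in freq.values())

def find_secrets(text, min_entropy=3.5):
    """Regex hits redacted to a prefix; the generic pattern also needs high entropy."""
    hits = []
    for kind, rx in SECRET_PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "generic_assignment" and shannon_entropy(value) < min_entropy:
                continue
            hits.append((kind, value[:6] + "..."))
    return hits

def build_index(events, monitored_domains=MONITORED_DOMAINS):
    """Per repo: committer emails with counts, pushing actors, monitored domains
    mentioned in commit text, and redacted secrets."""
    domain_rx = {d: re.compile(r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(d) + r"\b")
                 for d in monitored_domains}
    repos = defaultdict(lambda: {"emails": defaultdict(int), "actors": set(),
                                 "domains_mentioned": set(), "secrets": []})
    for ev in events:
        if ev.get("type") != "PushEvent":
            continue
        rec = repos[ev["repo"]["name"]]
        rec["actors"].add(ev["actor"]["login"])
        for c in ev["payload"].get("commits", []):
            rec["emails"][c["author"]["email"].lower()] += 1
            text = c.get("patch", "") + "\n" + c.get("message", "")
            rec["domains_mentioned"].update(d for d, rx in domain_rx.items() if rx.search(text))
            rec["secrets"].extend({"commit": c["sha"], "kind": k, "value": v} for k, v in find_secrets(text))
    return repos

def repos_mentioning_domain(index, domain):
    """Repos whose commits mention a sensitive domain, with the emails committing there."""
    return {r: sorted(rec["emails"]) for r, rec in index.items() if domain in rec["domains_mentioned"]}

def repos_by_org_email(index, email_domain):
    """(repo, commits, secrets) for repos with commits from org addresses, busiest first."""
    rows = [(r, sum(k for e, k in rec["emails"].items() if e.endswith("@" + email_domain)), len(rec["secrets"]))
            for r, rec in index.items()]
    return sorted((row for row in rows if row[1]), key=lambda t: (-t[1], -t[2]))

def actor_repos_with_secrets(index, actors=MONITORED_ACTORS):
    """Repos a monitored actor pushes to that contain leaked secrets."""
    return {r: rec["secrets"] for r, rec in index.items() if rec["actors"] & actors and rec["secrets"]}

if __name__ == "__main__":
    idx = build_index(EVENTS)
    for query in (repos_mentioning_domain(idx, "examplecorp.com"),
                  repos_by_org_email(idx, "examplecorp.com"), actor_repos_with_secrets(idx)):
        print(query)
```

Two design points matter for noise: secrets are stored redacted (a monitoring index should never become a second copy of the leak), and the generic assignment pattern only fires when the value looks random, which is what keeps `password = changeme_changeme` out of the alert queue while still catching a real key in a file with no other tie to the organization.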

Since starting Flare, the security team has caught numerous API key and code leaks. With the comprehensiveness of Flare’s GitHub monitoring, this security team is confident in securing these clear web leaks.

Learn more about source code leak monitoring with our free trial.

Top Private Equity Firm Prevents Possible Breach of Portfolio Company
https://flare.io/learn/resources/investment-firm-success-story-prevent-a-portfolio-company-breach/
Fri, 18 Feb 2022 11:12:00 +0000
The Customer
  • Portfolio of companies across multiple industries including financial services, technology, healthcare, consumer goods, and more
  • Over $8 billion in assets

“We very likely narrowly avoided a catastrophic network intrusion for our portfolio company. The ROI on Flare’s monitoring is massive, as a strong cybersecurity posture is extremely important throughout the venture cycle.”

– Security Team Director, Private Equity Firm

Threat actors can cause major breaches with initial access obtained through the Genesis Market, a clear-web market that sold access to infected computers, offering buyers the credentials and cookies belonging to the infected devices’ owners. Threat actors can then use social engineering techniques to elevate their level of access, sometimes all the way up to source code. (Genesis Market was taken down in an international law enforcement operation in April 2023, after this story was published; the infostealer-driven model it relied on did not disappear with it.) 

Cybercriminals continue to innovate their methods of attack, and a single stolen string of text or cookie can lead to millions of dollars in costs and potential ransomware attacks. Security teams can become overwhelmed by the sheer amount of information they need to analyze in order to respond to threats. 

A relatively small piece of stolen sensitive information can cause a massive data breach, which would be disastrous for the future valuation or M&A activities of the private equity firm’s portfolio companies.

Challenge: Private Equity Firm’s External Attack Surface Includes Portfolio Companies

For a private equity firm, the external attack surface extends to include all of its portfolio companies. If the evaluation process for an M&A turns up an infected device, this could greatly affect the valuation of the company and the ROI for the private equity firm.

With Flare, this private equity firm prevented a potentially catastrophic network intrusion for one of its portfolio companies. The Flare platform alerted the organization’s security team about an infected device for sale on the Genesis Market that contained cookies for a webmail server located inside the company internal network among other banking and payment application credentials.

“We reduced risk greatly by finding and mitigating a serious threat that could have impacted future valuation or M&A activities.”

– Private Equity Firm

Benefit: Red Teamer Finds Infected Device Before Threat Actors Do

Due to the very specific subdomain shown in the Genesis listing (webmail.companyname.com), the private equity firm’s red team analyst had a high level of confidence that the infected computer belonged to an employee of the portfolio company. 

Following approval from the portfolio company, the security team obtained access to the credential for sale. This provided access to the corporate mailbox of the employee, including:

  • a huge amount of attachments
  • personal information
  • other documents that could easily be leveraged by a malicious actor

Both the investment firm and their portfolio company agreed that this infected computer access, sold on Genesis Market for about $100, could have had disastrous consequences for the firm.
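The triage the red team analyst performed above, matching a bot listing’s saved logins and cookies against the portfolio company’s domains and judging how bad each one is, can be expressed as a small script. This is an added example, not Flare’s or the firm’s code. The listing is constructed (it does not reproduce the real Genesis listing format), companyname.com is the placeholder domain used in the story, and the service classes and scores are assumptions. It also covers the check a practitioner wants before acting: a host that merely contains the brand string is flagged for verification, not remediation.

```python
"""Triage of a bot-market listing against an organization's domains: which
saved logins and cookies belong to corporate systems, how bad each one is,
and what to do first. Added example; not Flare's or the firm's code. The
listing below is constructed (it is not the real Genesis listing format) and
companyname.com is the placeholder domain used in the story."""
from urllib.parse import urlsplit

MONITORED_DOMAINS = {"companyname.com"}   # assumed portfolio-company domain

# Constructed listing: the infected user's saved logins and cookies, by site.
BOT_LISTING = {
    "bot_id": "constructed-0001", "price_usd": 100, "os": "Windows 10",
    "resources": [
        {"url": "https://webmail.companyname.com/owa/", "login": "j.smith", "has_cookie": True},
        {"url": "https://vpn.companyname.com/", "login": "j.smith", "has_cookie": False},
        {"url": "https://www.paypal.example/signin", "login": "jsmith@personal.example", "has_cookie": True},
        {"url": "https://netflix.example/", "login": "jsmith@personal.example", "has_cookie": True},
        {"url": "https://companyname-careers.example/", "login": "", "has_cookie": True},
    ],
}

# Host-name hints for what a corporate resource is, checked in this order.
SERVICE_CLASSES = [
    ("remote_access", ("vpn", "sso", "okta", "citrix", "rdp", "remote")),
    ("email", ("webmail", "mail", "owa", "outlook", "exchange")),
    ("code", ("git", "jira", "confluence", "jenkins")),
]
CRITICALITY = {"remote_access": 100, "email": 90, "code": 80, "other_corporate": 50, "personal": 10}


def classify_host(host, monitored=MONITORED_DOMAINS):
    """Return (confidence, service_class). An apex or subdomain match is high
    confidence; a brand string inside an unrelated domain is only low."""
    host = host.lower()
    for d in monitored:
        if host == d or host.endswith("." + d):
            labels = host[: -len(d)].strip(".").split(".") if host != d else []
            for cls, words in SERVICE_CLASSES:
                if any(w in lab for lab in labels for w in words):
                    return "high", cls
            return "high", "other_corporate"
    if any(d.split(".")[0] in host for d in monitored):
        return "low", "other_corporate"
    return "none", "personal"


def triage_listing(listing, monitored=MONITORED_DOMAINS):
    """Score every resource that touches a monitored brand, worst first."""
    findings = []
    for res in listing["resources"]:
        host = urlsplit(res["url"]).hostname or ""
        confidence, cls = classify_host(host, monitored)
        if confidence == "none":
            continue
        score = CRITICALITY[cls]
        if res.get("has_cookie"):
            score += 20   # a live session cookie can sidestep the password and MFA entirely
        findings.append({"host": host, "login": res.get("login", ""), "class": cls,
                         "confidence": confidence, "cookie": bool(res.get("has_cookie")), "score": score})
    return sorted(findings, key=lambda f: -f["score"])


def remediation_plan(findings, bot_id):
    """Concrete, de-duplicated actions in priority order."""
    plan = []

    def add(action):
        if action not in plan:
            plan.append(action)

    for f in findings:
        if f["confidence"] != "high":
            add(f"verify: {f['host']} only resembles a monitored brand; confirm ownership before acting")
            continue
        if f["cookie"]:
            add(f"revoke all sessions for {f['login']} on {f['host']} (stolen cookie is a live session)")
        add(f"force password reset and MFA re-enrolment for {f['login']} on {f['host']}")
        if f["class"] in ("remote_access", "email"):
            add(f"locate and isolate the infected endpoint behind bot {bot_id}")
    return plan


if __name__ == "__main__":
    found = triage_listing(BOT_LISTING)
    for f in found:
        print(f"{f['score']:>3} {f['confidence']:<5} {f['class']:<15} {f['host']}")
    for step in remediation_plan(found, BOT_LISTING["bot_id"]):
        print("-", step)
```

The ordering reflects what a stolen browser profile actually gives an attacker: a live webmail cookie ranks above a VPN password because it needs no MFA prompt at all, and rotating the password alone does not close it, which is why session revocation is the first action in the plan.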

Major Bank Streamlines Technical Leaks Monitoring and Significantly Cuts Incident Response Costs
https://flare.io/learn/resources/large-north-american-bank-streamlines-sensitive-data-leaks-monitoring-cutting-incident-response-costs-by-95/
Wed, 13 Oct 2021 16:29:00 +0000

“When a previous employee posted sensitive information, with Flare’s alert we sprang into action and contained the incident in 30 minutes.”

– CISO, Leading Bank

The Customer

Employee errors can lead to leaked credentials, API keys, personally identifiable information (PII), and intellectual property. While there is no malicious intent behind these risks, they can cause just as much damage as a cyberattack and require active mitigation efforts. 

When private repositories are accidentally made public, or threat actors infiltrate repositories that should be restricted, threat actors can steal sensitive information such as login credentials, certificates, and API keys on the clear web. 

The number of different data sources to monitor simultaneously, and the speed at which new data is posted online, pose an enormous challenge to resource-constrained security teams. In addition, the reliability of data collection and monitoring, and the accuracy of the internal alerting system, are key to effective risk management.

The raw data needs to be contextualized to be able to rapidly assess how critical it is. Noise reduction is key since the amount of information collected makes mere collection and aggregation insufficient.

The security team of a major bank struggled to effectively and consistently monitor clear web leaks from human error such as from GitHub. When the security team did find leaks, this would cause a war room response that took hours to resolve because of the lack of visibility into the leak.

Challenge: Increasing Clear Web Surfaces to Monitor

The security team of a leading bank knew they should be closely monitoring GitHub and other shared repositories, but this was often skipped because of the content’s complexity. Periodically, a security analyst would manually run searches on GitHub based on high-level queries. The number of results was overwhelming, and identifying potential leaks took an enormous time investment.

Security analysts or their peers on other teams found multiple data leaks, which would lead to full-blown incident response operations. Generally, this involved a task force of six people including analysts, managers, and directors assembled in a war room for six to seven hours trying to make sense of the data leak by:

  • Finding its source
  • Identifying potential impacts
  • Rotating credentials and API keys
  • Contacting additional current and former employees

The bank’s CISO was also personally involved in each incident, as the threat level was always unknown at the beginning of the incident. 

Implementation: Flare Cuts Out Noise Unlike Other Solutions

“Other solutions would present us with thousands of potential leaks which were impossible to work with. Flare was the only one that could successfully filter and prioritize leaks.”

– CTI Director, Leading Bank

The security team tested multiple solutions to improve their monitoring and response capabilities, but the level of noise and false positives made many tools an additional burden for the team. 

Flare was the only solution that combined state-of-the-art data collection with robust noise reduction and prioritized alerts, giving the team the context needed to classify each data leak’s criticality level instantly, without hundreds of hours of work. 

The security team was onboarded in a few hours and took advantage of their newfound bandwidth to optimize downstream processes of incident response.

Benefit: Significantly Cut Incident Response Costs

With the combination of Flare and newly built processes, the CTI team now operationalizes and proactively responds to technical data leaks. There’s no more war room required, and the CISO is informed in weekly briefings of any remediation actions that took place, and does not have to be actively involved unless the leak is immediately classified as very high risk. 

Handling an Incident in 30 Minutes with Flare

Flare detected sensitive data that had been posted by a previous employee. The security team promptly identified and notified the former employee’s manager, who contacted the individual in question, asking to remove the content. Less than 30 minutes after the Flare alert, the sensitive information was removed from GitHub and the security team contained the incident.

Flare enables the bank to target harder to detect, complex data leaks that would be difficult to find even for domain experts (for example, an API key leak in a code file in which the organization’s domain name isn’t present). This increases the number of findings while reducing unnecessary noise.

Managed Security Service Provider Unlocks New Revenue Streams
https://flare.io/learn/resources/north-american-security-service-provider-unlocks-new-revenue-streams-and-reduces-dark-web-investigation-time-by-10x/
Thu, 07 Oct 2021 16:09:06 +0000

“What used to take about 1,500 hours to complete can now be done in 1 week.”

– Senior Security Specialist, North American MSSP

The Customer

  • Provides services to organizations in North America, Europe, and Australia  
  • Supports organizations in a variety of sectors including Energy, Healthcare, Local, State and Federal Government, Manufacturing, Retail, Technology, and more

Many managed security service providers (MSSP) are looking for ways to expand the variety of services that they can offer to their clients. One potential service that MSSPs can provide is the ability to monitor the dark web. However, MSSPs face two main challenges:

  1. Dark Web Monitoring Requires Additional Knowledge

There is a lack of experience in the cybersecurity space when it comes to dark web monitoring. The security professionals in the space don’t always have strong enough knowledge of the cybercriminal underground to keep up with the pace at which new dark web sources pop up. 

  2. Dark Web Monitoring Takes Time

MSSP employees who do have dark web monitoring experience face the time required as an additional challenge. It takes an extended period to manually create accounts (which often get banned), pay fees in Bitcoin to access some sites, and work with the broken or outdated search functions of others. These and various other hurdles make the economics of offering this service to customers hard to justify.

Challenge: Competing Platforms Weren’t Offering Actionable Information

A senior pen tester with the MSSP had been trying out competing products for six months without finding much actionable information. It took only a few days of monitoring with Flare for him to realize the value Flare could bring to his company. Within a two-week free trial with Flare, the pen tester uncovered high-fidelity, actionable findings on behalf of his client.

“After 6 months of trying out competitors without finding much actionable information, a 2 week trial with Flare is all I needed to find actionable intelligence for my client.”

– Director, North American MSSP

Benefit: Cover More of the Dark Web in Less Time

The senior pen tester was not only saving time with Flare compared to manual monitoring or with other solutions, but was also covering more of the relevant sections of the dark web.

“Flare allows me to empower junior analysts to do dark web investigations that were previously impossible, hence liberating bandwidth.”

– Senior Security Specialist, North American MSSP

In addition, Flare’s ease of use now allows him to delegate the initial dark web data discovery to junior team members with close to no dark web experience. Having more staff able to support dark web investigation assignments allows the security team to offer dark web assessments and monitoring to a growing number of customers, which in turn generates more revenue for the firm.

Want to learn more about how Flare could help generate more revenue for your organization? Sign up for our free trial here.

Leading Bank Responds Swiftly to Prevent Potential Major Breaches
https://flare.io/learn/resources/how-a-bank-monitors-the-dark-web/
Mon, 02 Nov 2020 14:16:00 +0000
The Customer
  • Over 7 million customers in North America
  • Over $250B in assets
  • ~50,000 employees

“Thanks to Flare’s intelligence, we efficiently contained a threat actor who discovered two vulnerabilities in our MFA setup. We were able to act quickly and prevent a potential serious incident.”

– CISO, Leading Bank

Challenge: Need to Stop Fraud but Overwhelmed by Data Volume and Manual Reporting Process

The security team of the major bank wanted to better understand and prevent day-to-day cyber fraud, gain clearer insight into critical threats, mitigate them immediately, and make better use of the security team’s time and resources.

Day-to-Day Fraud

The security team needed to identify sources of day-to-day fraud that went unnoticed for too long. Unfortunately, they were only able to build intelligence on a limited subset of cases. A large number of threat actors stole small amounts in each fraud, which generated too much noise for the security team to handle on their own.

Coverage, Time, and Resources

The security team wanted to perform CTI activities without missing any critical information, correlating intelligence found on multiple platforms. The team struggled to handle the data volume it collected from various sources, which could reach hundreds of thousands of web pages per week. It was also unable to link the activities of malicious actors across multiple platforms or to draw an accurate picture of external threats. 

Manual Reporting Process

Compared with other data sources such as IOC feeds, which can be directly integrated within their threat intelligence platform, the manual investigation of just a couple of websites could use up significant resources. The security team knew that monitoring events on dark web platforms was critical in getting additional actionable intelligence reporting. Even though it was already monitoring multiple websites, keeping track of ongoing activity was challenging, mostly because it relied on manual work. The process had to be handled while working with incident response teams, focusing on specific breaches and analyzing threats.

The security team sought out Flare to:

  • Enhance dark web monitoring, and expand its coverage through automation
  • Gain a comprehensive view of external threats on both the clear & dark web

Benefit: React Faster than Ever Before to External Threats

“Flare enables us to react quickly when threats are publicized. It helps us protect our brand and financial resources from data breaches.”

– CISO, Leading Bank

Analysts onboarded onto Flare in a few hours, and the adoption required no integration. They were able to set up custom alerts in minutes and didn’t have to share any internal or confidential information from customers to receive prioritized actionable alerts to monitor their external threats. The identifier-based alert system delivers notifications in real-time on potential threats. 

Below are the ways the security team enhanced their capabilities with Flare.

Reduce Cyber Threats to Prevent Day-to-Day Fraud

Flare identifies:

  • System vulnerabilities exploited by threat actors
  • Customer accounts at risk of fraud
  • Employee and customer credentials that may be used for account takeover
  • Accidental data leaks resulting from human error

With actionable intelligence analyzed from billions of data points, the CTI team optimizes their resources to the most critical issues, reducing the time to detect a security compromise from days to minutes. 

Increase Coverage, Include Relevant Location-Specific Sources

Flare monitors an extensive number of illicit forums and markets on the clear & dark web and Telegram. The security team could not cover this manually on their own. With extensive coverage of certain location-based sources, the security team understands the local criminal underground well. 

Provide Insights into Potential Threats

The ability to correlate data from all cybercrime sources gives the security team deeper insights into the detected threats. The CTI team could track malicious actors’ communication and activities across different platforms, even when they used different usernames to hide their actions. This provides the security team with an improved prioritization process of the most critical external risks. 

Decrease Mean Time to Identify (MTTI) Response Time

The security team gained instant visibility and round-the-clock notifications of threats. The mean time to identify security issues plummeted from days to minutes. 

Preventing a Possibly Costly Breach from an Exploited Bug

When a threat actor published an ad selling a method to bypass the security questions used to validate a client’s identity when logging in to the online banking platform, Flare alerted the security team immediately.

The security team identified and fixed the vulnerability exploited by the threat actor to gain access to customers’ accounts. 

Three days later, the same threat actor posted an updated ad with a new working method.

Flare once again alerted the security team, which launched a second round of review to identify and fix the new bug. 

Afterwards, the threat actor removed the ad, and the security team confirmed they fixed the bug.

Through actionable intelligence with Flare, security teams stay ahead of threats, react quickly, and protect their assets better.

Flare enables the security team to be aware of ongoing activities concerning them in illicit communities, establishing a safety net of instant, relevant notifications that the team can rely on, through an automated process that is simple to use.

As a result of automated continuous monitoring of its external threats, the security team identifies and remediates (potential) threats in real time, resulting in boosting their security posture and slashing overall cyber risk. 

Are you interested in learning more about automated actionable intelligence? Check out our free trial.
