Flare Executive and VIP Monitoring
The following documentation will help your team to understand the best way to build Identifiers that allow you to monitor for threat exposures impacting senior executives and other VIPs affiliated with your organization.
Oftentimes when an identifier is created for an entire organization’s domain, it can be easy to miss certain emails that are related to higher-priority accounts such as a CEO, CFO, COO or CTO. Additionally, senior executives often have several email addresses (personal, other business affiliations, or otherwise) that are valuable to monitor. To fix this, we recommend creating an Identifier for an executive’s exact credential and setting an alert on it. This can be done by choosing an Email Identifier and setting an Alert to your preferred method of communication. To reduce noise, it is recommended that you only select the Leaked Credentials and Infected Device categories.
Threat Actors, Trolls, and Com Kids are notorious for an activity known as doxing. Doxing is the practice of taking all the personal information about an individual, along with personal information about their family members, and posting it on a website for everyone to see. A dox can be malicious and create potential physical threats to an individual and their family members.
To help monitor for potential dox information, you can add your personal information to Flare, which we can then monitor for on popular doxing sources. You can use the Keyword or Query Identifier and enter any of the following information:
- Address
- Social Insurance Number
- Family Member Names
- Social Media Account Handles or URLs
- BIN Numbers
- If using a query, it is imperative to add quotation marks around your query in this instance. For example, "1234567" for a SIN or "143 Fun Street".
- If configuring PII as an identifier in the Flare platform is a privacy concern, you can use partial information. For example, the last few digits of a social security number or a portion of an address.
- When using partial information, you can reduce noise by using a query that also includes a first and last name, for example "first last name" AND "fun street".
Searching for just a name across various sources can sometimes yield broad or unrelated results, particularly if the name is common. To better identify relevant events, such as potential threats or violent mentions directed at you, consider combining your name with specific keywords. Using a query identifier can help structure these searches effectively. Below are examples of query types you can use:
- Direct Violence or Threats
  - "FIRST name LAST name" AND "COMPANY_NAME" AND ("murder" OR "attack" OR "shoot" OR "stab" OR "hurt")
- Weapons or Tools of Violence
  - "FIRST LAST" AND "COMPANY_NAME" AND ("Gun" OR "Knife" OR "Bomb" OR "Explosive" OR "Bullet")
- Aggressive Phrasing or Ideation
  - "FIRST LAST" AND "COMPANY_NAME" AND ("die" OR "death" OR "terminate" OR "end life")
- Mental States or Indicators
  - "FIRST LAST" AND "COMPANY_NAME" AND ("revenge" OR "payback" OR "retaliate")
- Online Behavior Indicators
  - "FIRST LAST" AND "COMPANY_NAME" AND ("dox" OR "swat" OR "manifesto" OR "kidnap")
- Communication Cues
  - "FIRST LAST" AND "COMPANY_NAME" AND ("You’re dead" OR "Coming for you" OR "Next victim")
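The following is an added example, not Flare's own code: it renders queries in the quoted AND/OR form shown above and dry-runs them against a few constructed posts to show how the partial-PII and name-plus-keyword combinations cut noise compared with a name-only search. The name "Jane Doe", the company "Example Corp", the sample posts and the simple case-insensitive phrase matching are all assumptions for illustration; Flare's search engine may match differently.

```python
# Added example: builds query strings in the page's quoted AND/OR form and
# dry-runs them locally. Matching is a plain case-insensitive phrase search
# (an assumption), so a short term like "dox" would also hit "paradox".

def quote(phrase):
    """Wrap a phrase in straight double quotes, dropping embedded quotes."""
    cleaned = phrase.replace('"', "").replace("\u201c", "").replace("\u201d", "").strip()
    if not cleaned:
        raise ValueError("empty phrase")
    return f'"{cleaned}"'

def render(groups):
    """groups: list of AND-ed groups; each group is a list of OR-ed phrases."""
    parts = []
    for group in groups:
        quoted = [quote(p) for p in group]
        parts.append(quoted[0] if len(quoted) == 1 else "(" + " OR ".join(quoted) + ")")
    return " AND ".join(parts)

def hits(groups, text):
    """True when every AND group has at least one phrase present in text."""
    lowered = text.lower()
    return all(any(p.strip().lower() in lowered for p in g) for g in groups)

# Constructed sample posts (not real data).
POSTS = [
    "Jane Doe wins regional baking contest",
    "dox drop: Jane Doe, Example Corp, lives at 143 Fun Street",
    "Jane Doe of Example Corp announces quarterly results",
    "moving sale this weekend on fun street",
]

# Hypothetical executive profile expressed as AND-ed groups of OR-ed phrases.
NAME_ONLY = [["Jane Doe"]]
PARTIAL_PII = [["Jane Doe"], ["fun street"]]
ONLINE_BEHAVIOR = [["Jane Doe"], ["Example Corp"], ["dox", "swat", "manifesto", "kidnap"]]

def matching_posts(groups):
    """Return the constructed posts that satisfy the query."""
    return [p for p in POSTS if hits(groups, p)]

if __name__ == "__main__":
    for label, q in [("name only", NAME_ONLY), ("partial PII", PARTIAL_PII),
                     ("online behavior", ONLINE_BEHAVIOR)]:
        print(f"{label}: {render(q)} -> {len(matching_posts(q))} match(es)")
```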
When configuring identifiers for executive and VIP protection, consider emerging sources categories in addition to Flare’s primary exposure categories. The Flare research and collection teams are constantly adding certain datasets and sources previously not covered by the Flare platform, addressing visibility gaps, and enhancing data coverage. See here for more information.