Learn about the Threat Monitoring feature in UpGuard Breach Risk and how it can protect your organization by proactively identifying compromised credentials, exposed sensitive data, and emerging threats tied to your organization.
Overview
Breach Risk Threat Monitoring is a powerful feature that enables organizations to detect and respond to third-party data breaches, brand and reputational threats, data leaks, and identity exposure on the dark web and elsewhere. This guide explains how to effectively use Threat Monitoring to safeguard your organization from emerging cyber threats.
Accessing Threat Monitoring
- Log in to Breach Risk - Navigate to the Breach Risk menu using your UpGuard account credentials.
- Go to the Threat Monitoring Section - Click the 'Threat Monitoring' tab in the main navigation menu. This requires Threat Monitoring to be activated for your organization and the correct permissions to be set on your user account, so contact your UpGuard administrator or support if needed.
Define Your Monitoring Scope
- Keyword Review - During the onboarding flow, you will be shown the currently monitored keywords. By default, your Organization will be configured to monitor your company name and primary domain.
- Keyword addition - Administrators may add new keywords at any stage using the Keywords & Settings button at the top of the Threat Monitoring feed. Within the Keywords page, use the +Add Keyword button to create a new keyword.
- Type - Choose the appropriate keyword type. Below is a description of each keyword type.
- Domain - Look for references to your domains in stolen or leaked datasets, identity breaches affecting your employees or customers, and mentions of your domain in chatter.
- Email address - Look for references to your executives' or VIPs' private email addresses to detect identity breaches or leaked data. Work email addresses are best tracked using the "Domain" keyword type.
- Free text - Look for references to your company name, brand, vendors, or in-use products.
- IP address - Look for references to your IP addresses to detect suspicious mentions of your external attack surface.
- Phone Number - Look for references to your executives' or VIPs' work or personal phone numbers to detect identity breaches or leaked data.
- Service Criticality - Assign a criticality level to each monitored keyword to influence the severity UpGuard assigns to events detected for it. This improves triage and prioritization of detected events and ensures threats against high-priority assets are ranked above those against low-priority ones.
- Review and Confirmation - Once you have defined the keyword type, text, and service criticality, click the Next -> button to trigger a search. UpGuard matches the keyword against its collected results and reports the number of matches found in the prior 12 months. Use this count to avoid keywords that are noisy or return no matches, and to broaden or narrow the keyword accordingly.
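The scope rules above (type-aware keyword matching, the 12-month match count used to spot noisy or empty keywords, and criticality shifting event severity) as a constructed example. This is illustrative code written for this page, not UpGuard's implementation: the keyword types are the five listed above, while the source-to-severity mapping, the sample records, and the function names are assumptions made here.

```python
# Constructed example of keyword-scope matching with criticality-driven severity.
# Illustrative only; not UpGuard's implementation. All sample data is made up.
import re
from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = ["low", "medium", "high", "critical"]
# Assumed base severity per source; the matched keyword's criticality shifts it.
BASE_SEVERITY = {"paste": "medium", "forum": "medium", "news": "low"}
CRITICALITY_SHIFT = {"low": -1, "medium": 0, "high": 1}


@dataclass(frozen=True)
class Keyword:
    kind: str         # domain | email | free_text | ip | phone
    value: str
    criticality: str  # low | medium | high


@dataclass(frozen=True)
class Record:
    seen: date
    source: str
    text: str


def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)


def matches(kw: Keyword, text: str) -> bool:
    """True if the text references the keyword. Boundaries are type-aware, so
    'example.com' matches mailboxes and subdomains but not 'notexample.com',
    and an IP does not match a longer IP that merely starts with its digits."""
    t, v = text.lower(), kw.value.lower()
    if kw.kind == "domain":
        # The domain itself, any subdomain of it, or any mailbox at it.
        pat = r"(?<![\w@.-])(?:[\w.+-]+@)?(?:[\w-]+\.)*" + re.escape(v) + r"(?!\.?[\w-])"
    elif kw.kind == "email":
        pat = r"(?<![\w.+-])" + re.escape(v) + r"(?!\.?[\w-])"
    elif kw.kind == "free_text":
        pat = r"(?<!\w)" + re.escape(v) + r"(?!\w)"
    elif kw.kind == "ip":
        pat = r"(?<![\d.])" + re.escape(v) + r"(?![\d.])"
    elif kw.kind == "phone":
        # Compare digit strings so formatting and a leading country code do not matter.
        want = _digits(v)
        for tok in re.findall(r"\+?\d[\d\s().-]{6,}\d", text):
            got = _digits(tok)
            if len(got) >= 7 and (got.endswith(want) or want.endswith(got)):
                return True
        return False
    else:
        raise ValueError(f"unknown keyword type: {kw.kind}")
    return re.search(pat, t) is not None


def severity(kw: Keyword, rec: Record) -> str:
    base = LEVELS.index(BASE_SEVERITY.get(rec.source, "medium"))
    idx = max(0, min(len(LEVELS) - 1, base + CRITICALITY_SHIFT[kw.criticality]))
    return LEVELS[idx]


def in_window(rec: Record, today: date) -> bool:
    return rec.seen >= today - timedelta(days=365)


def match_counts(keywords, records, today) -> dict:
    """Onboarding-style check: records each keyword would have matched in the
    prior 12 months. Zero suggests the keyword is too narrow; a large count
    suggests it is noisy and should be refined."""
    return {kw.value: sum(1 for r in records if in_window(r, today) and matches(kw, r.text))
            for kw in keywords}


def scan(keywords, records, today) -> list:
    """One open event per (keyword, record) match inside the window, highest severity first."""
    events = []
    for r in records:
        if not in_window(r, today):
            continue
        for kw in keywords:
            if matches(kw, r.text):
                events.append({"keyword": kw.value, "type": kw.kind, "source": r.source,
                               "seen": r.seen.isoformat(), "severity": severity(kw, r)})
    return sorted(events, key=lambda e: -LEVELS.index(e["severity"]))


TODAY = date(2024, 6, 1)  # constructed "now"

KEYWORDS = [
    Keyword("domain", "example.com", "high"),
    Keyword("email", "ceo.private@example.net", "high"),
    Keyword("free_text", "Acme Corp", "low"),
    Keyword("ip", "203.0.113.5", "medium"),
    Keyword("phone", "415-555-0100", "medium"),
]

RECORDS = [  # constructed sample of collected leak and chatter lines
    Record(date(2024, 4, 1), "paste", "combolist: alice@example.com:Summer2023! bob@mail.example.com:hunter2"),
    Record(date(2024, 5, 3), "forum", "selling rdp access to 203.0.113.5, price 300"),
    Record(date(2024, 5, 10), "news", "Acme Corp opens new office"),
    Record(date(2024, 3, 2), "forum", "notexample.com domains for sale"),
    Record(date(2022, 10, 1), "forum", "call +1 (415) 555-0100 for details"),
    Record(date(2024, 1, 15), "paste", "ceo.private@example.net:password123"),
    Record(date(2024, 2, 20), "news", "Acme Corp publishes annual report"),
    Record(date(2024, 5, 20), "forum", "scan results: 203.0.113.50 has open ports"),
]

if __name__ == "__main__":
    for value, n in match_counts(KEYWORDS, RECORDS, TODAY).items():
        print(f"{value}: {n} matches in the prior 12 months")
    for ev in scan(KEYWORDS, RECORDS, TODAY):
        print(ev)
```

With the constructed data the phone keyword reports zero matches (its only hit is older than 12 months) and "Acme Corp" is the noisiest keyword, which is the signal the confirmation step is meant to give before a keyword goes live.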

Review Open Threat Events
- The Open queue displays detected threat events that have yet to be processed. UpGuard recommends an Inbox Zero mindset: triage events as soon as possible to decide the immediate action - mark them for remediation and begin corrective action, dismiss them as a false positive, or mark them for further investigation. See the Event Workflow section below for details on the inbuilt workflow.
- The Open queue has a search filter that lets you focus on events by detected date, matched keyword, severity, threat type, or source, and include or exclude events based on their text.
- Each event is displayed as a separate card to give an at-a-glance overview: the high-level metadata about the threat event and, where relevant, a snippet of the content.
- Quick actions in the top right of the card let you flag the event for investigation, mark it as requiring remediation, or dismiss it (see Event Workflow for details). Click the > or the event title (e.g. Telegram group: 'Mt103wiretransfers') to expand into the full-screen view.
- The expanded threat details view shows more context about the event. The top left-hand side of the Details panel shows consistent metadata about the threat event, whilst the top right-hand side varies by event type and source.
- Buttons along the top of the panel give access to the inbuilt workflow, and comments can be added to an event to support that workflow.
- The bottom half of the screen contains a searchable snippet showing the detected threat's context. Mentions of the matched keyword are highlighted by default; the highlighted search text can be changed as necessary.
- Controls along the bottom of the page allow quick navigation between events.
Event Workflow
- If an event is deemed a false positive, use the Dismiss action to close it without further action. This marks the event as Dismissed and moves it to the Closed queue.
- If the nature of the event is unclear or requires consultation with others to verify its threat level, use the Add to Investigating action. This will update the event status to Investigating and move it to the Investigating queue. By default, the event will be assigned to you, but you can reassign it to the appropriate person, who will receive an email notification.
- If remediation is straightforward and can be resolved quickly, select Address Threat > Close Threat to update the event status to Remediated and move it to the Closed queue.
- If remediation is complex, time-consuming, or requires action from another person, choose Address Threat > Request Remediation. Once the Remediation Request is created, the designated individuals will receive an email notification. After the request is marked as closed, the event status will update to Remediated and move to the Closed queue.
