ScoutCloud - Account Takeover Prevention

ScoutCloud FAQs

How are domains I add to my watchlist handled in your service?

Assuming you own the domain 'acmeinc.com', we'll monitor for ALL email addresses that match against it (john@acmeinc.com, jane@acmeinc.com, etc.), regardless of the number we find.

What if I need to upgrade at a later date to add more domains/emails/etc?

No problem, you can upgrade at any time. Just contact us at info@wintellisys.com and our accounts team will get you set up.

What if I'm a service provider and want to monitor for credential reuse among my customers?

Many of our large service provider customers are not only interested in monitoring for breaches from within their own organization. They also want to be proactive in detecting fraud and identity theft affecting their customers' accounts, especially when those accounts have been compromised by a botnet or exposed in a third-party breach. Please get in touch at info@wintellisys.com to discuss our API and pricing if this applies to your organization.

What are "personal" email addresses in the watchlist?

Many of us use a personal email address for professional services at work (e.g. Dropbox, LinkedIn, etc.). In the unfortunate situation that one of these services is breached, it is fairly common for attackers to try to reuse the same username/password on other sites (including your company's sites).

Your Gmail, Hotmail, Yahoo, etc. addresses are typically those that should be added to the 'Personal Email Watchlist'. We provide monitoring for a limited number of these non-corporate email addresses for your executive team and other high profile employees.

Personal email addresses are those that do not match any of the domains in your Domain Watchlist. Since we monitor all email addresses associated with the domains in your Domain Watchlist, it is not necessary to add your work emails to the Personal Email Watchlist; we have already got them covered.

Is there a downside to adding my corporate email to the personal email watchlist?

In the case we're already monitoring your corporate domain (e.g. example.com) and you add your work email (john@example.com), you might get two notifications when your email pops up on our radar in a new breach.

If you don't actually have authorization to monitor all of example.com, then adding your work email is a simple way for you to keep tabs on breaches affecting you at work.

How do I verify a domain after adding it to the Domain Watchlist?

Because of the sensitive nature of breach details, we need to ensure that only authorized representatives from a company are able to see ALL records for their particular domain.

We will verify ownership of domains as you add them. Most people ask us to manually verify the domains (which is mentioned below), but there are other automated options available.

After adding a domain to the Domain Watchlist:

  1. Click on "Actions" next to the domain that you entered
  2. Select "Verify"
  3. Use one of the 5 methods to verify the domain.
  4. If you do not have the rights to perform methods 2-5, simply click on the info@wintellisys.com link in step one and we will gladly verify your domain manually.
  5. Only one of the techniques listed as 2-5 is necessary to verify ownership; please do not perform all of them. Perform the action requested and then click on "Verify Now" at the bottom right of the screen. We will automatically verify ownership in the background. If you are not ready to click "Verify Now", close the window, perform the actions, and return to the window when they are complete.

How do you monitor for my assets?

We have a world-class team of intelligence analysts that finds stolen credentials and other assets primarily through human intelligence tradecraft. We acquire hundreds of millions of records every month from dark corners around the world; these records impact individuals and organizations globally. We validate and ingest these records into a central database, then match them against the items in your watchlist. When we find a match, we notify you immediately so you can limit further damage.

What's different about ScoutCloud?

We created ScoutCloud to identify and stop breaches that occur outside of your network. You don't need to install any software; simply tell us which domains you use, your personal email addresses, and any other information you would like us to monitor, and we will inform you when your assets are exposed. We are laser focused on our core competency: cybercrime. We do not spend time in other intelligence domains (such as nation-state or physical security). Because of this, we find artifacts related to cybercrime at a massive scale, mostly from private sources, and the results are immediately useful and specific to our customers.

What types of information can you find?

Here's an example of the type of information we find by scanning for your domain (partial list):

  • Internal and external systems infected with a keylogger that are logging into your servers
  • Corporate computers infected while being used for personal purposes
  • Intellectual property that was stolen and is being advertised in the underground
  • Any compromised credentials (username and password) associated with a domain login
  • Backdoors on your corporate servers used by attackers

Examples of the type of information we find by scanning your personal email addresses (partial list):

  • Compromised credentials from private (you won't read about many of these in the press) and public data breaches
  • Cloud login credentials
  • Personally identifiable information (PII) that is easily associated with your email address

How often should I expect to receive an alert from ScoutCloud?

We load hundreds of new breached databases (mostly from private sources) into our system every month. Each of these databases contains potentially millions of compromised records; in a busy month we can exceed a billion stolen artifacts. Given our rate of collection, it is common for large enterprises to receive a handful of alerts each month. Small companies should expect to receive an alert every few months.

Do you work with law enforcement, ISACs and CERTs?

Given our tradecraft, we run into artifacts that fall outside of our area of focus, and we work with law enforcement in these situations. We also work with in-country CERTs, ISACs and other information sharing communities to reach breach victims. If the victim is a customer, they will receive the breach notice immediately and directly from ScoutCloud. If they are not a customer, our outreach is manual and best effort, and it is subject to the normal time it takes to find the right contact and exchange the information.

Which dates are used to plot points on my timeline?

We track 3 dates for every breach (all are included in the export to CSV):

  • The date of the actual breach
  • The date we acquired the information
  • The date the breach was made known publicly (if it was made public)

The dates we use for the timeline are:

  • For private breaches, the acquisition date (when we acquired the data)
  • For public breaches, the date the breach was made public

What happens if breach data from a private source eventually becomes public?

Since we found the information before it became known publicly, we keep the private marking even after it is made public. This way our customers can see the date the information was available in the underground (the date they were actually exposed) versus the date the public learned about the breach.

How do I act on the information you share with me?

We include remediation advice for the various types of breaches that we find. Remediation advice can be seen in the detailed view of each breach (in the portal). If you have any questions about a breach or need further remediation advice, please feel free to contact our support team at info@wintellisys.com.

How do I get started and get the most out of the system?

Please watch our guided tour and tutorial video for a detailed walkthrough.

In summary, to get the most out of the system:

  • Add all the domains that your company owns to the watchlist (you must own a domain to add it).
  • Add all the personal email addresses of key employees and executives to the Personal Email Watchlist. The owner of the email will receive a verification message. Once the owner of the mailbox clicks the verification button in the message, it will immediately be added to monitoring.
  • Add your contact information to the Notification Preferences so you will receive real-time automated alerts when new information is found.
  • Add the credit card information for any cards that you would like to protect (coming soon)
  • Add the IP address ranges that your company uses (coming soon)

Once these steps have been taken, we will notify you whenever we find your exposed assets. You do not need to log in to the portal to get value from the service; we will contact you as needed.

Why should I trust ScoutCloud with my email address?

All our employees go through background checks and have been in the intelligence community for many years. They are proven, trusted individuals that have built their careers around handling sensitive information appropriately. In addition, we go to great lengths to secure the information that you add to the system:

  • Even though it can often be found in public, we treat any information that you share with us as confidential (TLP:RED).
  • We encrypt all the data in our system, including your watchlist items.
  • We use many operational security techniques (which we do not share publicly) to ensure that your data is safe.

What is the difference between a Private and a Public breach data source?

Private Data Source - We often gain access to stolen information by interacting with criminals on forums that are not available to the general public. Using private forums, data thieves may trade or sell their information on the underground. Private information is typically not available for purchase by legal entities. Information from these sources is typically urgent or critical in nature.

Public Data Source - Public sources include sites that anybody on the Internet can easily visit to download or purchase a list of leaked records. This data includes pastebin links, public leak forums, and direct downloads on file sharing networks.

How is severity determined?

  • Critical Severity - Infected users
  • High Severity - Credential with a plaintext or crackable password
  • Informational - Credential with a password that is not crackable, or credential without a password
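As an added example (not ScoutCloud's own code), the Python script below applies the timeline-date rule from the "Which dates are used" answer and the severity tiers listed above to a CSV in the three-date export shape; the column names, the `source` values and the `password_type` values are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample export. Column names are assumed, not the real header.
SAMPLE_CSV = """\
source,breach_date,acquired_date,public_date,infected_user,password_type
private,2019-03-02,2019-04-15,2019-09-01,no,plaintext
public,2018-11-20,2019-01-10,2019-01-05,no,none
private,2019-05-01,2019-05-03,,yes,hashed_weak
public,2019-02-14,2019-02-20,2019-02-18,no,hashed_strong
"""

def parse_date(s):
    return date.fromisoformat(s) if s else None

def timeline_date(row):
    """Private breaches keep their private marking even after disclosure,
    so they plot at the acquisition date; public breaches plot at the
    date the breach was made public."""
    if row["source"] == "private":
        return parse_date(row["acquired_date"])
    return parse_date(row["public_date"])

def severity(row):
    """Severity tiers as the FAQ lists them. Treating 'hashed_weak' as a
    crackable password is an assumption of this example."""
    if row["infected_user"] == "yes":
        return "Critical"
    if row["password_type"] in ("plaintext", "hashed_weak"):
        return "High"
    return "Informational"

def exposure_gap_days(row):
    """Days the data sat in the underground before public disclosure;
    None when the breach is public-sourced or never went public."""
    pub = parse_date(row["public_date"])
    if row["source"] != "private" or pub is None:
        return None
    return (pub - parse_date(row["acquired_date"])).days

def load_export(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    return [{"timeline": timeline_date(r), "severity": severity(r),
             "gap_days": exposure_gap_days(r), **r} for r in rows]

if __name__ == "__main__":
    for r in sorted(load_export(SAMPLE_CSV), key=lambda r: r["timeline"] or date.min):
        print(r["timeline"], r["severity"], r["gap_days"], r["source"])
```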

What two-factor authentication apps do you support?

We support most common two-factor apps such as Authy, Duo Mobile, Google Authenticator, and Microsoft Authenticator.