Doxing is rightfully regarded as a dangerous threat, potentially exposing personal information where it shouldn’t be. But, defenses derived from doxing may strengthen corporate cybersecurity at scale. 

Doxing is the dark side to widespread data dispersal and discovery. Data is leveraged to harm individuals or organizations, often as retaliation for real or perceived slights. As a result, both the Department of Homeland Security (DHS) and the Center for Internet Security (CIS) have issued recommendations around reduced data sharing to limit overall risk.

Here’s how companies can think outside the dox — and may be able to repurpose this aggressive attack avenue as an IT security double agent. Much like the hacker uptake of attacker efforts around zero-day vulnerabilities and advanced email compromise, IT teams can benefit from self-doxing programs designed to discover defensive gaps before attackers can exploit them.

What is Doxing?

Doxing (also spelled doxxing) started in the 1990s long before digital social sharing was commonplace. While online identities were created and cultivated by users, their personal privacy remained sacrosanct. Anonymity was highly valued and generally respected until tensions between skilled users reached a boiling point.

These digital disagreements culminated in the search for documentation that revealed the legal name of key rivals, at which point attackers would “drop docs” into online forums that exposed protected data. Over time, the “drop” disappeared, the “docs” was shortened to “dox” and the term expanded to cover the release of names and addresses to financial data or corporate correspondence  — any data that could potentially embarrass enemies or make the victim look bad.

Potential Doxing Damage

While privacy was paramount in the early days of widespread online activity, social media sharing of personal data is now common.

According to recent data from the New York Times Customer Insight Group, 73% of survey respondents who share a significant amount of information online said they do so “because it helps them connect with others who share their interests.”

Companies are similarly engaged with social media, cites the Digital Marketing Institute. Successful media strategies now rely on businesses sharing relevant information and regularly engaging with their customer base across social media channels.

This creates the ideal opening for doxxers. By combining publicly-available data with basic attack techniques, such as phishing campaigns or credential compromise, malicious actors can uncover massive amounts of supposedly secure data. For consumers, exposed information could lead to identity theft or public shame. Meanwhile, companies face the prospect of large-scale reputation damage or lost revenue if proprietary project briefs or intellectual properties are leaked to the public.

Becoming IT Security’s Double Agent

The intent behind doxing is a threat by nature. Collecting massive amounts of data about a person or group gives threat actors in-depth knowledge of their strengths and weaknesses, making it easier to cause damage.

But the framework is ingenious — in effect, doxing takes the form of aggressive, open-source intelligence gathering that provides an actionable map of potential weak points. By decoupling action from intention, it’s possible to repurpose doxing as a form of infosec attacker reconnaissance, reverse engineering the same tactics as the foundation for improved cybersecurity best practices.

The Self-Doxing Solution

In practice, this self-doxing solution offers four key benefits. First, it encourages attack surface mapping. As enterprises embrace mobile and cloud solutions at scale, attack surfaces rapidly expand. The self-serve nature of many IT services and applications further complicates this situation. Despite best efforts, IT teams often lack the attack surface transparency required to effectively defend emerging endpoints. Dox-driven intelligence gathering can help fill in the blanks by revealing the scale and source of potential data leaks, in turn creating a complete risk roadmap.

Second, it is a blueprint for distributed resource defense. Cloud computing offers groups the ability to scale resources on-demand by removing the need for physical, on-premises hardware. But, this introduces a potential security problem.

Cloud services may not appear as potential weak points when security teams conduct in-house assessments. By taking an information-first approach that prioritizes data output regardless of its location or origin, companies are better able to identify where they’re most at risk.

Third, it adds to improved threat modeling. Attackers aren’t picky — they’ll throw anything they have at corporate networks and use whatever sticks. This creates a challenge for many IT teams using automatic detection frameworks. As alerts pour in, it’s hard to separate the wheat from the chaff. Self-doxing offers the ability to discover available data (both public and supposedly protected) and use this data to capture and correct for the most likely threat vectors used by malicious actors.

Lastly, it creates actionable staff insight. Humans remain the weakest link in the security chain. In most cases, malice isn’t the problem or the intent when someone lets a threat actor in. Instead, employees overshare personal data on corporate platforms by accident or use insecure third-party applications that expose critical company data. In both cases, however, tracking the long tail of these potential compromises is difficult when IT teams start from the side of defenders. By flipping the script — looking for the end results of exposed information rather than trying to follow its path throughout the organization — companies can spot key areas of concern and develop staff training programs against them.

Playing Both Sides

Doxing represents a major risk to individuals and organizations alike. But, the discovery-driven structure of these attacks means enterprises can play both sides. By using dox-like approaches to intelligence gathering across the IT stack, teams can create accurate attack surface maps, improve the defense of distributed resources, enhance threat modeling and deliver actionable staff insight to reduce overall risk.

More from Data Protection

Data Privacy: How the Growing Field of Regulations Impacts Businesses

The proposed rules over artificial intelligence (AI) in the European Union (EU) are a harbinger of things to come. Data privacy laws are becoming more complex and growing in number and relevance. So, businesses that seek to become — and stay — compliant must find a solution that can do more than just respond to current challenges. Take a look at upcoming trends when it comes to data privacy regulations and how to follow them. Today's AI Solutions On April…

Defensive Driving: The Need for EV Cybersecurity Roadmaps

As the U.S. looks to bolster electric vehicle (EV) adoption, a new challenge is on the horizon: cybersecurity. Given the interconnected nature of these vehicles and their reliance on local power grids, they’re not just an alternative option for getting from Point A to Point B. They also offer a new path for network compromise that could put drivers, companies and infrastructure at risk. To help address this issue, the Office of the National Cyber Director (ONCD) recently hosted a…

Why Quantum Computing Capabilities Are Creating Security Vulnerabilities Today

Quantum computing capabilities are already impacting your organization. While data encryption and operational disruption have long troubled Chief Information Security Officers (CISOs), the threat posed by emerging quantum computing capabilities is far more profound and immediate. Indeed, quantum computing poses an existential risk to the classical encryption protocols that enable virtually all digital transactions. Over the next several years, widespread data encryption mechanisms, such as public-key cryptography (PKC), could become vulnerable. Any classically encrypted communication could be wiretapped and is…

How the CCPA is Shaping Other State’s Data Privacy

Privacy laws are nothing new when it comes to modern-day business. However, since the global digitization of data and the sharing economy took off, companies have struggled to keep up with an ever-changing legal landscape while still fulfilling their obligations to protect user data. The challenge is that there is no one-size-fits-all solution regarding data privacy's legal requirements. Depending on the location and jurisdiction, data privacy laws can vary significantly in terms of scope and enforcement. But while the laws…