Thinking Outside the Dox: What IT Security Can Learn From Doxing

October 6, 2020
| |
4 min read

Doxing is rightfully regarded as a dangerous threat, potentially exposing personal information where it shouldn’t be. But, defenses derived from doxing may strengthen corporate cybersecurity at scale. 

Doxing is the dark side to widespread data dispersal and discovery. Data is leveraged to harm individuals or organizations, often as retaliation for real or perceived slights. As a result, both the Department of Homeland Security (DHS) and the Center for Internet Security (CIS) have issued recommendations around reduced data sharing to limit overall risk.

Here’s how companies can think outside the dox — and may be able to repurpose this aggressive attack avenue as an IT security double agent. Much like the hacker uptake of attacker efforts around zero-day vulnerabilities and advanced email compromise, IT teams can benefit from self-doxing programs designed to discover defensive gaps before attackers can exploit them.

What is Doxing?

Doxing (also spelled doxxing) started in the 1990s long before digital social sharing was commonplace. While online identities were created and cultivated by users, their personal privacy remained sacrosanct. Anonymity was highly valued and generally respected until tensions between skilled users reached a boiling point.

These digital disagreements culminated in the search for documentation that revealed the legal name of key rivals, at which point attackers would “drop docs” into online forums that exposed protected data. Over time, the “drop” disappeared, the “docs” was shortened to “dox” and the term expanded to cover the release of names and addresses to financial data or corporate correspondence  — any data that could potentially embarrass enemies or make the victim look bad.

Potential Doxing Damage

While privacy was paramount in the early days of widespread online activity, social media sharing of personal data is now common.

According to recent data from the New York Times Customer Insight Group, 73% of survey respondents who share a significant amount of information online said they do so “because it helps them connect with others who share their interests.”

Companies are similarly engaged with social media, cites the Digital Marketing Institute. Successful media strategies now rely on businesses sharing relevant information and regularly engaging with their customer base across social media channels.

This creates the ideal opening for doxxers. By combining publicly-available data with basic attack techniques, such as phishing campaigns or credential compromise, malicious actors can uncover massive amounts of supposedly secure data. For consumers, exposed information could lead to identity theft or public shame. Meanwhile, companies face the prospect of large-scale reputation damage or lost revenue if proprietary project briefs or intellectual properties are leaked to the public.

Becoming IT Security’s Double Agent

The intent behind doxing is a threat by nature. Collecting massive amounts of data about a person or group gives threat actors in-depth knowledge of their strengths and weaknesses, making it easier to cause damage.

But the framework is ingenious — in effect, doxing takes the form of aggressive, open-source intelligence gathering that provides an actionable map of potential weak points. By decoupling action from intention, it’s possible to repurpose doxing as a form of infosec attacker reconnaissance, reverse engineering the same tactics as the foundation for improved cybersecurity best practices.

The Self-Doxing Solution

In practice, this self-doxing solution offers four key benefits. First, it encourages attack surface mapping. As enterprises embrace mobile and cloud solutions at scale, attack surfaces rapidly expand. The self-serve nature of many IT services and applications further complicates this situation. Despite best efforts, IT teams often lack the attack surface transparency required to effectively defend emerging endpoints. Dox-driven intelligence gathering can help fill in the blanks by revealing the scale and source of potential data leaks, in turn creating a complete risk roadmap.

Second, it is a blueprint for distributed resource defense. Cloud computing offers groups the ability to scale resources on-demand by removing the need for physical, on-premises hardware. But, this introduces a potential security problem.

Cloud services may not appear as potential weak points when security teams conduct in-house assessments. By taking an information-first approach that prioritizes data output regardless of its location or origin, companies are better able to identify where they’re most at risk.

Third, it adds to improved threat modeling. Attackers aren’t picky — they’ll throw anything they have at corporate networks and use whatever sticks. This creates a challenge for many IT teams using automatic detection frameworks. As alerts pour in, it’s hard to separate the wheat from the chaff. Self-doxing offers the ability to discover available data (both public and supposedly protected) and use this data to capture and correct for the most likely threat vectors used by malicious actors.

Lastly, it creates actionable staff insight. Humans remain the weakest link in the security chain. In most cases, malice isn’t the problem or the intent when someone lets a threat actor in. Instead, employees overshare personal data on corporate platforms by accident or use insecure third-party applications that expose critical company data. In both cases, however, tracking the long tail of these potential compromises is difficult when IT teams start from the side of defenders. By flipping the script — looking for the end results of exposed information rather than trying to follow its path throughout the organization — companies can spot key areas of concern and develop staff training programs against them.

Playing Both Sides

Doxing represents a major risk to individuals and organizations alike. But, the discovery-driven structure of these attacks means enterprises can play both sides. By using dox-like approaches to intelligence gathering across the IT stack, teams can create accurate attack surface maps, improve the defense of distributed resources, enhance threat modeling and deliver actionable staff insight to reduce overall risk.

Douglas Bonderud
Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and innovation. In addition to working for...
read more