What is doxing? The term may be unfamiliar to some and all too familiar to others. Doxing is the practice of collecting extensive amounts of personal information about a target and then using that information to embarrass or possibly harm them.

In Hollywood, the word is detested. Criminals made it well-known after using doxing methodologies to access and publicly post nude photographs of celebrities. Most people attach a negative connotation to doxing, since it implies a methodology used by threat actors against individuals and organizations alike. Doxing tactics, however, can also be useful to defenders when testing cloud environments.

What Does Doxing Have to Do With Cloud Security?

The cloud has created an environment where there is no physical place to attack, yet many companies apply the same controls and processes to cloud security as they do to on-premises security. That strategy works in some cases. For example, application penetration testing transfers well from on-premises to cloud environments: applications should be tested before and after deployment to uncover and fix exploitable vulnerabilities, and since many organizations now containerize their applications and host them in the cloud, that testing can take place there as well.

Other forms of on-premises penetration testing, such as network testing, do not carry over to the cloud, because there is no network of the kind a network test expects. A serverless application can be tested in the same way as an on-premises application, but network testing needs IP addresses to target, and a serverless environment does not expose a specific set of them.

So which cloud defense mechanism should be swapped with network testing? Enter attacker reconnaissance, which incorporates a simulation of doxing tactics.

How Can Pen Testers Use Doxing to Secure the Cloud?

To shed more light on this topic, I spoke with X-Force Red’s hacking chief technology officer (CTO) and leading cloud tester, Steve Ocepek.

Question: Steve, thank you for speaking with me today. First, for readers who do not know what the tactic entails, what is doxing?

Ocepek: Doxing is aggressive open-source intelligence gathering about a person to collect personally identifiable information (PII). It may include researching their social media presence, looking at websites and performing open searches — pretty much anything that an external attacker can access to find out information about a target.

Attackers then use that information to publicly embarrass or harm their target. In many cases, doxing can entail the exposure of a target’s personal information, photos, addresses, emails, communication contents and other details online, publicly and without that person’s consent.

Why does doxing have such a negative connotation? Is it because doxing is mainly used by criminals instead of offensive security teams?

Ocepek: Yes. Doxing is an edgy word. To a potential victim, it can imply, “I am going to get you. I will find out the sweet spots and take advantage of them.” Criminals use doxing to inflict harm on individuals, abuse their rights to privacy and, in some cases, extort them. It is typically not associated with anything positive.

So how does doxing relate to cloud security?

Ocepek: Attacker reconnaissance could be the new external penetration test for serverless cloud environments. The service can identify publicly available information and human security flaws that, if used nefariously, can significantly harm a company. Attacker reconnaissance uses the same open-source intelligence sources that attackers use when doxing. It simulates doxing tactics to paint a picture of what attackers can learn about your organization.

Today’s cloud providers are creating their own customized suite of technologies for developers to use to write and run application code hosted on the cloud provider’s infrastructure. Developers have typically not had to worry about being a target of attackers. Their main concerns have been to complete projects on time.

Since many cloud services don’t have a specific set of IP addresses, however, attackers are shifting their focus to the people who have the most significant level of access: the developers who built the applications. Looking at this from an offensive security viewpoint, I do not consider it hard to find out, often through social media, who develops a company’s cloud applications. Through some public forums, I can also see if they are using, for example, Node.js, x libraries and y technology stacks. Attackers could then potentially send them a spear phishing email to get keys into their cloud environment. In that sense, developers are the new targets for cloud-based attacks and from a criminal’s perspective, attacker reconnaissance is a good way to glean information about targeted developers.

So, if the bad guys are using doxing to shame and hurt their targets, the good guys could incorporate those same tactics to protect targets. Offensive security teams should include attacker reconnaissance in their testing programs to see what information they can find about a target and how they can use it. They can then help companies remediate human security mistakes, like preventing employees from posting information on social media, that could be used to compromise their employer.

I am sure you can learn all kinds of things about people and companies by looking on social media alone.

Ocepek: Yes, and when you find the right information, the consequences can be detrimental. When it comes to cloud security, attackers are only one credential set away from compromising a company’s entire environment. From an attacker’s perspective, if they could get a secret key and the user ID of a cloud developer, they could potentially log in as that person. Attackers could then impersonate that developer and, if successful, access every piece of information in their cloud environment and possibly go unnoticed for an indefinite amount of time.

For companies looking to improve their cloud security posture, do you recommend attacker reconnaissance and application testing? Anything else?

Ocepek: When it comes to cloud security, two of the best strategies in my opinion are attacker reconnaissance and application testing. With no specific IP address space, network testing makes no sense. Swap in attacker reconnaissance instead. When some security experts talk about the cloud, they say the same on-premises processes should also be used to protect cloud environments. In some cases, like with Amazon Elastic Compute Cloud (EC2), that strategy works because it’s essentially virtual hardware. The same flaws may exist on a regular Windows box in a data center.

On the cloud front, however, if your team is spinning up a bucket on S3 or using AWS Lambda to run code, there is no server or network. Application testing is still necessary for cloud applications, even those that are serverless, because there is still application logic, deployment processes and other avenues for abuse. Attacker reconnaissance can help uncover vulnerabilities across those avenues.

Learn More About Cloud Security at AWS Re:Inforce

X-Force Red is at the AWS Re:Inforce conference taking place this week. We welcome you to stop by the IBM Security booth (#719) to chat with Steve about top threats and vulnerabilities exposing cloud environments.
