5 Things You Should Know About ZeroFox’s Global Disruption Network

7 minute read

Phishing, data stealing, and impersonation attacks targeting your brands, executives, and external digital assets are nothing new in the cybersecurity space. The term “phishing” can be traced back to the mid-90s, when threat actors would impersonate AOL admins to deceive and defraud users of their login credentials. This was a simple, yet effective tactic in a burgeoning world of digital connectivity.

These days, not much has seemingly changed. Threat actors still target unsuspecting users via phony accounts and malicious links. However, the scale and maturity of modern attack campaigns have evolved light years beyond the days of dial-up internet. Today’s adversaries employ highly sophisticated tactics and leverage complex attack infrastructure to maximize the reach of their campaigns and potentially impact hundreds of thousands of victims. For example, a typical phishing or spear-phishing campaign may utilize multiple fake accounts, dozens of impersonating domains and subdomains, massive volumes of fraudulent emails and SMS messages, link shorteners, botnets, etc. 

Behind many of these campaigns is a well-organized underground economy with the resources and infrastructure in place to facilitate new attack strategies leveraging tools including phishing kits, malware, and stolen data that is disseminated across the deep and dark web. And this activity shows no signs of slowing down. 

According to the ZeroFox Q2 2022 Quarterly Threat Landscape Report, “Social engineering remained one of the most frequently reported intrusion tactics in Q2, and this will almost certainly remain the case for the foreseeable future. As long as campaigns prove effective and highly cost-efficient, threat actors have little incentive to change tactics. Threat actors successfully targeted employees, customers, and members of the public with phishing emails, smishing, and vishing.”

Ways to disrupt digital adversaries 

In order to fight back against this ever-evolving threat, security teams must evolve as well. Traditionally, the best way to stop a phishing campaign is through an effective takedown strategy (ie. the removal of malicious or violating content) that works to remove the phishing domains and impersonating social accounts that promote them. Takedowns, while still a critical component of external threat remediation, present their own set of challenges and limitations such as complex and costly processes across use cases, exposure gaps to threats during the time while a takedown is processing, the volume of attacks outpacing provider response (which is often backlogged), and others.

ZeroFox, while considered a market leader of managed takedown service providers, has long recognized that relying solely on takedowns isn’t enough to effectively thwart today’s most advanced attack campaigns. When it comes to remediation, takedowns are only part of the comprehensive ZeroFox Adversary Disruption solution. Another component is the Global Disruption Network (GDN), ZeroFox’s collective of customers and third-party network providers that work together to share attack indicators and execute quick blocking actions on malicious sites and content. The result is a unique, community-driven approach that not only removes external threats, but disrupts attack campaigns at key points across the killchain.    

Let’s examine the five most important things you should know about the ZeroFox Global Disruption Network.

1. The Global Disruption Network augments the traditional takedown process

First and foremost, the Global Disruption Network is not a replacement solution for pursuing takedowns via traditional means. Reporting an identified violating threat to a host, registrar or social network provider is still a necessary and highly critical step in the remediation process. However, ZeroFox goes beyond reporting the threat to a single network provider. For each qualified threat submitted for takedown, ZeroFox automatically correlates and distributes attack indicators to GDN partner providers for review via both email and/or direct API integration. 

The GDN is made up of a collective of service and web infrastructure providers (ISPs, Telcos, CDNs, DNs, Cloud, etc.), web hosts and registrars, web and threat intelligence security outfits, industry block lists, and link redirect services; all of which can take disruption actions correlated to the threat type and intelligence provided. This sharing of indicators helps to augment takedowns by increasing the likelihood of a potentially successful remediation action (ie. blocking user access) beyond the scope of a single executed takedown.

For example, let’s say the ZeroFox Platform has alerted your security team to a phishing domain threat targeting your brand. After the ZeroFox OnWatch Alert team validates and reviews the threat, it is submitted for takedown with the domain host and registrar. Meanwhile, indicators of the threat (such as the source, URL, fully qualified domain name, IPv4 address, threat type, etc.) are packaged up and automatically distributed to the GDN for review. From there, top web and browser risk organizations will receive evidence of a security risk (in this case a phishing domain) and block users from accessing the domain from various web browsers, devices, services, and applications.

2. The GDN reduces threat exposure gaps

One of the biggest challenges with relying solely on traditional takedowns can be the time it takes for a network provider to respond. All providers are different, and depending on a variety of factors outside of your control (such as review process requirements, increasing volume of requests, content moderation infrastructure, etc.) it can take days or even weeks for the successful removal of an offending site or account. During the time of processing, the threat is still actively targeting your customers, employees and/or corporate assets. This period of time is known as the “threat exposure gap” and begins from the moment a takedown is requested and lasts until the content is removed. 

The GDN takes an active role in reducing this gap by working fast to block user access at various levels. After indicators of the threat are shared amongst the community, GDN partners can potentially take quick blocking actions (sometimes in minutes) at various levels of infrastructure and points of access, thus rendering critical points of the attack campaign useless. This can range from an ISP blocking their users’ connection attempts to websites and content where malicious files are present to link redirect services simply removing redirect links used in phishing emails or on social media posts.  

3. The GDN takes a proactive approach

Another challenge when relying on takedowns alone is the fact that it’s inherently a reactive defense mechanism – a threat is detected, a takedown request is made and processed, and the content is removed. Modern threat actors have prepared for this and have built sophisticated, multi-channel attack campaigns that enable them to quickly scale and spread malicious sites and content across various channels. This means security organizations often find themselves stuck in a game of “whack-a-mole.” When one malicious domain is removed, more soon emerge. It’s almost impossible for these reactive remediation efforts to keep up with the volume of attacks being pushed out by well-resourced adversaries.

ZeroFox has recognized the need for defensive efforts that not only work to expediently remove detected threats, but to proactively thwart entire attack campaigns at scale. By taking quick actions to block various vector paths exploited by a threat actor’s attack infrastructure, the GDN proactively prevents threats from reaching subsequent targets and hinders the effectiveness of an attacker’s entire campaign.    

4. The GDN benefits everyone in the cybersecurity community

The Global Disruption Network is a mutually shared benefit among ZeroFox’s customer-base, partners and the cybersecurity community at large. Today’s threat actors are well-organized and thrive off an underground community that shares resources, plans attack tactics and disseminates information. In order to combat this, it takes a similar type of community effort of organizations committed to fighting the adversary.  

ZeroFox leverages collective intelligence by aggregating and distributing thousands of attack indicators correlated across customer alerts to a diverse set of partner providers and security organizations. This allows ZeroFox to simultaneously increase the effectiveness of disruption efforts for all its users (including those who may also be targeted in an attack campaign) while raising awareness of emerging threats across the wider cybersecurity community.

5. The GDN is continuously improving

Just as adversaries evolve and adapt their malicious attack tactics, ZeroFox evolves its disruption efforts to combat and defend against them. This Global Disruption Network is a constantly evolving initiative that is continuously adding new partners, new direct integrations and sharing more threat indicators with each passing day. This innovation extends to product enhancements as well. Customers are now immediately notified in the ZeroFox Platform when some disruption actions occur on their submitted threat (such as a blocking event). The future is bright for this initiative, and ZeroFox aims to make the Global Disruption Network bigger and more impactful in the fight against modern adversaries.

Go beyond takedowns with ZeroFox

It’s important to have a well-rounded remediation strategy in place that extends beyond just takedowns. The Global Disruption Network gives you a leg up on modern adversaries, and uses the power of a like-minded community to enhance disruption efforts, neutralize attack campaigns and safeguard your customers and employees. 

Learn more about the ZeroFox Global Disruption Network and Adversary Disruption.

See ZeroFox in action