
Fight Back Against External Threats With Adversary Disruption


As we enter a new year, new threats continue to emerge and expand across the public attack surface. Threat actors are ramping up phishing attacks and online impersonations, and are adapting and evolving their tactics to exploit security weaknesses, infiltrate protected systems and steal valuable user data. The illegal trade in stolen user and corporate data harvested from breaches and data leak exposures is big business – and business is booming. According to ZeroFox’s Evolving Cyber Threat Landscape for Q3, 2021, “cybercriminal underground networks endured a quarter rife with data leak advertisements, sale of cybercrime tools, and more groups operating ransomware data leak and digital extortion websites – including the discovery of the Colossus ransomware through ZeroFox research efforts.”

Modern cyber attacks do not exist in a vacuum. Today’s threat actors build sophisticated, multi-layered attack campaigns that leverage many vectors to maximize reach and impact, potentially reaching hundreds of thousands of victims. They utilize complex infrastructures made up of multiple elements such as ISPs, DNS, hosting and cloud providers, link shorteners, CDNs, etc., that all work together to target, exploit and defraud your executives, brands, and customers.

Traditionally, submitting requests for takedowns with the relevant provider has been one of the only real weapons security teams have had to leverage against these types of cyber attacks. “Takedowns” refer to the removal of domains/sites, social media accounts, posts or content that violates applicable law, infringes intellectual property rights or otherwise violates the provider’s terms, rules or policies. 

Removal of malicious or impersonating content is a critical component of the threat remediation process (ZeroFox has been a leading provider of takedown services for years); however, on its own it simply isn’t enough. Relying strictly on traditional takedowns presents many challenges and limitations when facing today’s sophisticated attack campaigns.

Challenges and Limitations of Traditional Takedowns

  • Takedowns Can Be Complex and Costly – While traditional takedowns are crucial, they come with their own issues, such as disparate and complex processes across the various provider networks. Without the right platform for automating and managing takedown processes, security teams may be left spending inordinate amounts of budget and resources on outsourcing takedowns or managing them internally.
  • Slow Provider Response – Providers are often backlogged with managing the ever-increasing volume of takedown requests, which slows their response. As a result, it can take a long time (i.e., days to weeks) to successfully remove a malicious website or threatening piece of content.
  • Threat Exposure Gaps Persist – While a takedown is being processed, victims (such as executives and customers) are left exposed to threats and fraudulent content like phishing sites and impersonations. Traditional takedowns can sometimes take weeks to prosecute, and do not factor in an interim solution for reducing these threat exposure gaps.
  • Volume of Attacks Outpaces Provider Response – The scale and speed of external cyber attacks make it hard for security response teams to keep pace. Like a game of “whack-a-mole,” when one threat is removed, another appears. Adversaries often deploy attack tactics with takedowns in mind, building their infrastructures to withstand counter-measures and launch new attacks at a rapid pace.
  • Attack Infrastructure Is Left Intact – Traditional takedowns are effective at removing an imminent threat; however, they fail to disable the core infrastructure used to launch and facilitate attacks, encouraging repeat attempts in the future.

Solution: Disrupt and Dismantle Adversary Attack Campaigns

Security teams need to go above and beyond traditional takedown processes to block and dismantle adversary attacks at the source, and limit the adversary’s ability to quickly pivot onto other targets. Adversary Disruption is a comprehensive approach to remediation that not only removes identified threats, but renders the threat actors’ entire weaponized infrastructure (i.e., the killchain) moot, thus preventing subsequent cyber attacks across vectors.

As we’ve written previously, an effective and comprehensive disruption strategy should include the following key elements: identifying threats using integrated attack campaign correlation, remediating threats using unlimited takedowns, and dismantling adversary infrastructure. With that in mind, how does adversary disruption work in a real-world scenario?

Consider a typical phishing campaign. These often revolve around an impersonating phishing website, which may combine stolen branding, deceptive URL structures and a false sense of urgency (such as prompting a password reset) to defraud users, steal private information or distribute malware. These malicious domains don’t work in isolation. Threat actors often make use of various digital channels to increase the reach and scope of their attack campaigns. Common methods include impersonating social media accounts, rogue mobile applications, email, messaging services, etc.

Traditional takedowns work on an individual, case-by-case basis. Security teams typically set up alerts and automation to identify these threats as they’re deployed, then work directly with the providers to remove the content. Behind the scenes, however, threat actors deploy many pieces of attack infrastructure to stand up these threats and launch attacks at wide scale. This can include multiple phishing domains, social media profiles, phishing kits, mobile applications and bot accounts.

[Figure: Example attack infrastructure at a glance, showing the difference between a standard takedown and adversary disruption]

Because traditional takedowns leave this infrastructure intact, organizations and their customers are often left vulnerable to subsequent attacks. Adversary Disruption works by going directly to the network providers to block access to the various pieces of attack infrastructure across the killchain, effectively disabling it and preventing further attacks.

For example, an Internet Service Provider (ISP) can take swift action to block a malicious IP, rendering all active attack content associated with it useless from that point on. Disruption actions go further still, including reporting to common security block lists (such as Google Safe Browsing) and feeding malicious indicators into endpoint security blocklists.
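The mechanism described above, campaign correlation followed by infrastructure-level blocking, as an added defender-side example (this is illustrative code written for this page, not ZeroFox platform code). It takes a set of validated phishing alerts, clusters them into campaigns by the infrastructure they share (hosting IP or phishing-kit fingerprint), and produces a per-campaign plan: the per-domain takedowns a traditional process would file, the IP blocks to request from each hosting provider (keyed by ASN), and the indicators to push to block lists. All domains, IPs, ASNs and kit fingerprints are constructed sample data, and the `Alert` fields are assumptions about what a validated alert carries.

```python
"""Campaign correlation and infrastructure-level blocking (illustrative example).

The alerts below are constructed sample data: `.test` domains, RFC 5737
documentation IP ranges and made-up ASN / kit identifiers.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One validated alert and the infrastructure behind it (assumed field set)."""
    domain: str     # the impersonating phishing domain
    ip: str         # resolved hosting IP
    asn: str        # hosting provider ASN, i.e. who must act on an IP block
    kit_hash: str   # fingerprint of the phishing kit served (constructed)


SAMPLE_ALERTS = [
    Alert("login-examplebank-verify.test", "203.0.113.10", "AS64500", "kit-a"),
    Alert("examplebank-secure-reset.test", "203.0.113.10", "AS64500", "kit-a"),
    Alert("examplebank.support-portal.test", "203.0.113.11", "AS64500", "kit-a"),
    Alert("unrelated-brand-promo.test", "198.51.100.7", "AS64501", "kit-b"),
]


def _find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def correlate_campaigns(alerts):
    """Cluster alerts into campaigns.

    Two alerts belong to the same campaign when they share a hosting IP or the
    same phishing-kit fingerprint; sharing is transitive, so union-find is used.
    Returns a list of campaigns (lists of Alert), largest campaign first.
    """
    parent = {a.domain: a.domain for a in alerts}

    def union(x, y):
        rx, ry = _find(parent, x), _find(parent, y)
        if rx != ry:
            parent[ry] = rx

    # Index every domain by each indicator it exhibits, then link all domains
    # that exhibit the same indicator.
    by_indicator = defaultdict(list)
    for a in alerts:
        by_indicator[("ip", a.ip)].append(a.domain)
        by_indicator[("kit", a.kit_hash)].append(a.domain)
    for domains in by_indicator.values():
        for d in domains[1:]:
            union(domains[0], d)

    groups = defaultdict(list)
    for a in alerts:
        groups[_find(parent, a.domain)].append(a)
    campaigns = [sorted(g, key=lambda a: a.domain) for g in groups.values()]
    return sorted(campaigns, key=lambda g: (-len(g), g[0].domain))


def disruption_plan(campaign):
    """Build the remediation actions for one campaign.

    `takedowns` is what a traditional, per-domain process files.
    `ip_blocks` is the infrastructure-level action: the IPs to block, grouped
    by the provider (ASN) that has to act. `blocklist` is every indicator to
    distribute to browser / endpoint block lists while takedowns are pending.
    """
    takedowns = sorted(a.domain for a in campaign)
    blocks = defaultdict(set)
    for a in campaign:
        blocks[a.asn].add(a.ip)
    blocklist = sorted({a.domain for a in campaign} | {a.ip for a in campaign})
    return {
        "takedowns": takedowns,
        "ip_blocks": {asn: sorted(ips) for asn, ips in sorted(blocks.items())},
        "blocklist": blocklist,
    }


def domains_neutralized_by_block(campaign, ip):
    """Campaign domains that become unreachable once one hosting IP is blocked."""
    return sorted(a.domain for a in campaign if a.ip == ip)


if __name__ == "__main__":
    for n, campaign in enumerate(correlate_campaigns(SAMPLE_ALERTS), start=1):
        plan = disruption_plan(campaign)
        print(f"campaign {n}: {len(plan['takedowns'])} takedown(s), "
              f"IP blocks by provider: {plan['ip_blocks']}")
        for asn, ips in plan["ip_blocks"].items():
            for ip in ips:
                hit = domains_neutralized_by_block(campaign, ip)
                print(f"  block {ip} via {asn} -> neutralizes {len(hit)} domain(s)")
```

The point the sample data makes is the one the text makes: the first two domains share one hosting IP, and the third shares only the kit fingerprint, so a single takedown request neutralizes one domain, one IP block request to the provider neutralizes two, and the correlated campaign as a whole is covered by two block requests to the same provider. In practice the indicator set would be broader (registrar, name servers, CDN account, mobile app signing key), but the clustering and the provider-keyed plan stay the same.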

Advantages of Adversary Disruption

  • Speed Time to Disruption – Because remediation isn’t solely dependent on takedown provider response times, organizations can significantly shorten the time to disruption of attack campaigns through actions such as blocking critical infrastructure across the killchain.
  • Proactively Thwart Attacks – By disrupting and disabling attacker infrastructure, subsequent threats like malicious posts, phishing domains, and impersonations become inconsequential. And by blocking the vector paths, attacks are proactively prevented from reaching their targets.
  • Close Threat Exposure Gaps – Adversary Disruption provides an effective interim solution to close the exposure gaps that exist during the time it takes to pursue and prosecute site and content takedowns.

The ZeroFox Approach to Adversary Disruption

So how can we disrupt attacks at the scale and speed needed to keep pace with sophisticated attack campaigns? ZeroFox leverages a combination of its Global Disruption Network (GDN) and scalable takedown automation to quickly block active and emerging threats.

[Figure: ZeroFox's Adversary Disruption Dashboard]

The Disruption Dashboard provides clear visibility over all disruption actions taken for every validated alert in the ZeroFox Platform.

The Global Disruption Network carries out hundreds of thousands of proactive disruption actions weekly, drawing on the collective intelligence of network providers, partners and a diverse base of customers. By pivoting on attack indicators collected across thousands of validated threats, and automatically distributing them to hundreds of third-party providers (such as ISPs, telcos, CDNs, DNS registrars, deny lists, endpoint security platforms, etc.), ZeroFox can quickly block access to harmful attack infrastructure, rendering the malicious content deployed in attack campaigns useless while takedowns are being processed.

Additionally, ZeroFox Adversary Disruption can block and remediate threats in minutes rather than hours or days, saving security teams valuable time and resources and reducing the window of exposure. Combine these disruption actions with automated takedown processes managed by ZeroFox expert analysts and operational playbooks for hundreds of networks, and organizations can more effectively scale remediation efforts across all of their most critical business assets.

Conclusion

Adversary Disruption should be a key component of your external threat remediation strategy. By leveraging a combination of automated takedown processes and a Global Disruption Network, ZeroFox can help you take swift action to remove fraud and disrupt external cyberattacks at the source — once and for all.

Want to learn more about Adversary Disruption? Check out our press release.
