Threat Intelligence that Works: Offensive vs Defensive Cybersecurity Strategies


What Are You Waiting For?

Congratulations, you’ve contracted with a variety of Threat Intelligence (TI) providers and are now likely receiving more alerts than you can manage. What now? How do you triage this content and, once you do have something to act on, how do you execute an action against it? In most cases, the highest-volume tactical IOCs will be directed to your SOC team for refinement in a SIEM or SOAR platform, which will then feed some form of block list at the firewall. Much of this content is already baked into the perimeter security solutions of higher-end providers. Similarly, CVEs, assuming they are relevant to your assets, will be directed to a vulnerability management team for patch deployment through a similar process. That said, let’s turn our attention to more bespoke, targeted alerts that reflect impending attacks against your team and organization. How do you manage, investigate and then act on these? What will your approach be? What is your posture? Will you lean offensive or defensive? Do you want to disrupt the attack before it occurs, or do you want to secure the perimeter, reinforce your IT security procedures, alert your people to be on guard and monitor the actor’s related activities?
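The routing described above (tactical IOCs to the SOC block list, CVEs to vulnerability management only when they touch something you run, bespoke targeted alerts to analyst review) is easy to state and tedious to do by hand across several feeds. The following is an added example, not code from the original post or from ZeroFox, of a minimal triage router that refangs and de-duplicates indicators across providers, drops indicators the perimeter provider already covers, and checks CVE applicability against an asset inventory. The feed entries, asset names, provider coverage set and CVE identifiers are all constructed placeholders.

```python
"""Added example: a minimal triage router for inbound threat-intelligence alerts.

Queues produced:
  soc_blocklist    - new tactical IOCs for the SOC to refine and block
  already_blocked  - IOCs the perimeter provider already covers (nothing to do)
  vuln_mgmt        - CVEs that affect a product in our inventory
  not_applicable   - CVEs for products we do not run
  targeted_review  - bespoke, targeted alerts that need an analyst
All sample data below is constructed for the example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Common "defanging" conventions used in TI feeds so indicators are not clickable.
DEFANG_PATTERNS = [
    (re.compile(r"hxxp(s?)://", re.IGNORECASE), r"http\1://"),
    (re.compile(r"\[\.\]"), "."),
    (re.compile(r"\(\.\)"), "."),
    (re.compile(r"\[:\]"), ":"),
]


def normalize_ioc(value: str) -> str:
    """Refang and canonicalise an indicator so duplicates across feeds collide."""
    out = value.strip()
    for pattern, repl in DEFANG_PATTERNS:
        out = pattern.sub(repl, out)
    return out.lower()


def cve_matches_assets(affected: List[str], assets: Set[str]) -> bool:
    """A CVE is relevant when any affected product appears in our inventory."""
    return any(product.lower() in assets for product in affected)


def route_alert(alert: dict, assets: Set[str],
                perimeter_covered: Set[str]) -> Tuple[str, str]:
    """Return (queue, dedup_key) for one alert."""
    kind = alert["type"]
    if kind == "ioc":
        ioc = normalize_ioc(alert["value"])
        if ioc in perimeter_covered:
            return ("already_blocked", ioc)
        return ("soc_blocklist", ioc)
    if kind == "cve":
        if cve_matches_assets(alert["affected"], assets):
            return ("vuln_mgmt", alert["id"])
        return ("not_applicable", alert["id"])
    if kind == "targeted":
        return ("targeted_review", alert["summary"])
    return ("unknown", repr(alert))


def triage(alerts: List[dict], assets: Set[str],
           perimeter_covered: Set[str]) -> Dict[str, List[str]]:
    """Route every alert, dropping exact duplicates that arrive from several providers."""
    queues: Dict[str, List[str]] = defaultdict(list)
    seen: Set[Tuple[str, str]] = set()
    for alert in alerts:
        queue, key = route_alert(alert, assets, perimeter_covered)
        if (queue, key) in seen:
            continue  # same indicator/CVE already queued from another feed
        seen.add((queue, key))
        queues[queue].append(key)
    return dict(queues)


# Constructed sample data. 198.51.100.0/24 is a documentation range (TEST-NET-2);
# the CVE ids are placeholders, not real identifiers.
SAMPLE_ASSETS = {"apache httpd 2.4", "openssl 3.0"}
SAMPLE_PERIMETER = {"198.51.100.7"}  # already on the firewall provider's list
SAMPLE_ALERTS = [
    {"provider": "feedA", "type": "ioc", "value": "hxxp://evil-example[.]test/payload"},
    {"provider": "feedB", "type": "ioc", "value": "http://EVIL-example.test/payload"},
    {"provider": "feedA", "type": "ioc", "value": "198.51.100.7"},
    {"provider": "feedB", "type": "cve", "id": "CVE-0000-0001", "affected": ["Apache httpd 2.4"]},
    {"provider": "feedB", "type": "cve", "id": "CVE-0000-0002", "affected": ["Some Other CMS 9"]},
    {"provider": "feedC", "type": "targeted",
     "summary": "actor chatter naming our brand as a phishing target"},
]

if __name__ == "__main__":
    for queue, items in triage(SAMPLE_ALERTS, SAMPLE_ASSETS, SAMPLE_PERIMETER).items():
        print(f"{queue}: {items}")
```

The two feed entries for the same URL collapse into one SOC item because `normalize_ioc` refangs and lowercases before comparison; without that step the SOC sees the same indicator twice, which is exactly the alert volume the paragraph complains about. The `already_blocked` queue is kept rather than silently discarded so you can measure how much of a paid feed your perimeter provider already covers.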

Offensive vs Defensive Cybersecurity Strategies: Do You Have to Choose?

Given truly preemptive intelligence, offensive and defensive cybersecurity strategies do not need to be mutually exclusive. In fact, each approach presents different opportunities to gain exceptional insight, bolster your security posture and change the paradigm most organizations assume: the adage that “it is not if, but when, an attack will occur” simply casts you as a helpless victim. Why wait to become the next front-page headline, saddled with multi-million-dollar remediation and, incidentally, looking for a new job?

Given the nature of external threat intelligence (preemptive indicators of attack outside your secure perimeter) and threat actor engagement, there are many potential approaches. A thorough understanding of the threat vector and broad access to the threat actors targeting the organization are critical components of an offensive engagement.

Offensive Threat Intelligence Strategies

If the decision is made to preemptively disrupt an attack, a variety of considerations need to be weighed. From an operational security perspective, how well positioned is the team? What is their skill set, and are they prepared for any backlash that may follow? To that end, a multi-layered VPN/proxied approach will create some level of obfuscation. If malware is involved, sandboxing and quarantine/isolation should always be considered.

Depending on the use case, the best approach may be to engage a third-party team that can support the effort. This could be as simple as redirecting efforts, deploying and maintaining honeypots, and/or sinkholing an intruder. Or it could get very complex, with monitoring, surveillance and infiltration techniques being planned and executed.

When considering espionage- and counter-espionage-style activities, geographical considerations, international law and engagement with law enforcement agencies (LEA) may also be advised. Even the basic question of whether your organization is willing to prosecute a threat actor, if they can be brought to justice, is worth answering up front. Some organizations simply don’t want the publicity, regardless of the outcome.

I would be remiss if we did not touch on the idea of “hacking back”, or, more appropriately, hitting first. Many relish the idea of hitting a threat actor group with a taste of their own medicine. However, I do want to caution that, although I have seen some interesting disruptions, outside of major botnet takedowns, which are highly coordinated multi-LEA engagements, taking a swing at the hornet’s nest almost always has a negative impact, and the blowback from such activities can be severe. Further, from an ethical perspective, you must determine what side you want to be on. It is always my recommendation that you follow all legal guidance and engage LEA if there is any question. That caveat stated, we are here to help.

ZeroFox’s Offensive Approach to Threat Intelligence

The ZeroFox disruption team tackles a wide range of approaches with its global reach and capability. From takedown services to malware reverse engineering, and from actor engagement and attribution to more extensive covert activities, our team has the experience to consult with yours, assess the risk/reward and assist in deploying the best strategic and tactical approach to achieving the desired outcome. Our objective is to extend the reach of your security operations team. With a highly skilled and experienced operative team that resides within the underground economy, we create a level of insulation for your organization and deliver a unique advanced service experience for our clients.

Partnering with hundreds of hosts, registrars and external platforms, ZeroFox works through a Global Disruption Network to ensure attacker infrastructure is dismantled, addressing active threats and preventing future attacks.

So, let’s summarize. A significant part of a truly effective threat intelligence approach is defining the playbooks and action plans that will be enacted operationally. Deciding how you wish to action threat intelligence will, and should, be a multi-disciplinary effort. Offensive and defensive approaches can be launched in parallel. Engaging a third-party operational threat intelligence team for actor engagement is always recommended, for a variety of strong reasons. Finally, ZeroFox, with its unique disruption capabilities and its wide range of automated and human intelligence products and services, is your primary partner in this effort. Let’s shift your security posture in a meaningful way, enable your team to be as effective as possible and give you control over your security destiny.
