Takedown vs. Disruption: Defining the ZeroFox Difference

5 minute read

In this digital-first world, organizations must realize that their customers operate in a contested environment where cybercriminals have equal access to your customers, employees and digital assets. Threat actors can easily impersonate your organization or your executives to spoof your site, siphon revenues, erode customer loyalty and trust, phish your employees and steal your data. A new approach to security is needed to combat this new breed of public threats centered around protection, intelligence and disruption. This solution requires more than another device in the defense stack or another data source for security operations to analyze. Due to the enormous scale and ever-changing nature of the public attack surface, actionability is critical – it’s not enough to alert on threats, security teams must take action to thwart them.

This post will take a closer look at that actionability and the specific differences between individual takedowns and a comprehensive disruption approach. When sourcing a partner or solution to complete your security stack, it’s essential to know the difference between the two so you can ensure you are receiving the most comprehensive protection and intelligence solution.  

What is a Takedown?

Takedowns involve rapid identification and automated removal of malicious sites and content across the public attack surface, instilling visibility over the entire process. A takedown typically includes social media account and post-remediation, content removal, or domain removal and continuous monitoring. Continuous monitoring is an essential element that is often overlooked. This allows your security team the ability to spot malicious activity proactively, such as catching domains that jump hosting providers. The ZeroFox strategy is to take down and ensure the risk “stays down,” so to speak.

We believe this is such an essential element that we have taken measures to continue to expand solutions in this space. The ROI and related benefits to an organization are innumerable. Save time and reduce the cost of remediation by eliminating manual processes and leveraging streamlined, in-house takedown automation. 

The ZeroFox team has an additional edge to this strategy as well. Positioned as a trusted network partner, ZeroFox has established processes with networks. We know what makes these networks tick, and data is everything; macro trends enable their specific teams to improve and use our data to adjust processes. Every policy violation is handled by a different team, with different incentives and motivations. Being seen as a trusted partner enables our team to submit 50k+ pieces of content for removal each week. We continuously pursue partnerships with networks to benefit our customers and our processes.

“My colleague who predominantly handles the fake account takedowns was spending 3 hours per day on this task, before knowing the true breadth of fake accounts. And while we have so much more coverage now, she is now only spending 30 to 45 minutes on this. ZeroFox is a big-time saver in terms of overseeing the alerts and managing the takedown process.”

Risk Governance Manger, Financial Services

What is Disruption?

Adversary disruption dismantles an attacker’s entire infrastructure, often referred to as the kill chain. If takedowns were compared to whack-a-mole risk reduction tactics, disruption could be compared to complete risk destruction. ZeroFox has inherently evolved our takedown measures to mirror that of a complete disruption model. Disruption should encompass all security efforts in order to remove the offending content and disrupt malicious activity entirely. 

An effective and comprehensive disruption strategy should:

  • Identify using integrated attack campaign correlation;
  • Remediate using unlimited universal takedowns; and,
  • Dismantle adversary infrastructure.

However, it’s important to note that both takedown and disruption involve pushing a resolution through the networks themselves. These networks have felt the same impacts of the unprecedented spikes in cyber attacks over the past year, and they are just as overwhelmed as most security teams are. This has had a negative effect on network ability to monitor and address malicious activity. Even when they are alerted to the risk proactively, sheer volume alone makes it challenging to manage risks in the turnaround demanded. 

Furthermore, these networks are typically massive companies with separate teams for each type of infraction with very different missions. Simply put, security teams must do more to gain traction with overwhelmed networks, navigate within a network’s teams and serve as the glue to ensure everyone is on the same page.

“We can’t give any oxygen to these fake accounts. We have to find and take them down immediately because they threaten our customers. ZeroFox helps us do that.”

Global Marketing Manager, Financial Services

Thinking Bigger: The Value of Disruption Over Takedowns

Organizations can level up takedown strategies by moving into a complete disruption strategy. The benefits to the disruption strategy encompass all that takedowns have to offer with the added element of thinking bigger picture and executing with this in mind. The value of disruption can be broken down into three main drivers with the tactics necessary to execute:

Time and Cost requires:

  • Automated tools as well as 24×7 report submissions by trained, specialized staff
  • Initial research and vetting, submission, and an average of six follow-ups and correspondence with the network before resolution
  • Budget to stand up in-house or outsource to a qualified provider

Data Correlation requires:

  • Access to integrated data sources, proprietary research and decades of data to enable correlations used to disrupt attack infrastructure
  • Leveraging large amounts of data (ZeroFox makes correlations using more than one million disruption actions per year) to understand trends, make continuous process improvements, and influence network behavior

Expertise and Specialization requires:

  • Resources to stay abreast of new networks and learn how they work
  • Ability to pinpoint new contacts and administrators who have the time and resources to remove malicious content
  • Standing up new processes for new networks through continuous training
  • Creation of network profiles with tips and tricks from an insider perspective

The goal here is to reduce time to act on critical threats. This can include the removal of fraudulent accounts, websites and posts, and dismantling attacker infrastructure entirely to thwart future attacks. 

Next Steps

Aside from the clear cost benefits, automating your remediation processes frees your security team of the arduous process of manually remediating a threat. It’s impossible for a security practitioner to manually search for new threats emerging on public platforms, like social media and websites. On top of that, correlating individual threats to address the entire kill chain requires significant time and effort. By using ZeroFox’s team of experts and proven methods, you’ll get that time back – freeing your resources to focus on other security efforts. 

Download our free infographic, “Disrupting the Digital Cyber Kill Chain,” to understand how to build a comprehensive protection, intelligence and disruption solution at every stage of the modern cyber kill chain.

See ZeroFox in action