This process is also used by cybercriminals intent on using personal and corporate data to commit cyberattacks, including phishing and business email compromise (BEC). By turning doxxing on its head, an IT team can use the process of self-doxxing to help mitigate cyberattacks and ensure security hygiene is maintained.

What is doxxing? 

Doxxing was led by the Anonymous movement to punish enemies and is a process by which personal data, such as name, address, phone number and more are located and then posted online for all to see. The tactic goes back to the early days of the internet where hackers would post a rival’s information in “docs” which eventually became known as “dox.” Hence, doxxing someone. Doxxing is often associated with harassment and used by internet users to reveal the people behind illegal or extremist groups. Reddit, for example, allows the use of pseudonymous account profiles and the platform can be used to promote extremist views, including misogyny. Doxxing has been used to out Reddit users for such extremist views. Last year, a site known as HK Leaks revealed the details of Hong Kong pro-democracy activists.

Doxxing examples

Back in 2015, Bruce Schneier predicted “companies can be doxed, too,” and pointed to the doxxing of Sony back in 2014, whereby the details of unreleased films were exposed to the world. The New York Times recently described doxxing as a form of online vigilantism when it described the use of doxxing techniques in revealing the true identities of Nazi supporters. The problem with doxxing, as described by The New York Times, is that it sometimes goes wrong and reveals innocent people or is used by authorities to clamp down on protesters. But it is not the ethics of doxxing that are being discussed here. Doxxing places people and organizations at risk of cyberattacks and scams.

Doxxing at the edge of cyber risk

Data is the ultimate goal of the doxxer because data opens up the door to identity theft, blackmail and other scams that rely on data intelligence. This intelligence is known as open-source intelligence (OSINT). OSINT is a process by which user information is tracked, like a series of breadcrumbs, and then used to pull together a picture of a person. The cybersecurity industry puts OSINT techniques to good use by discovering assets on the corporate network and across the surface web into the darknet. The intelligence gathered can then be used to ensure vulnerabilities and security gaps are closed. In the case of scammers, once the big picture of an individual is established, this form of dark OSINT can use it for gains, typically financial, but also as a means to potentially harass a victim.

What is self-doxxing?

The adage, “knowledge is power” is a bell that rings loudly in the practice of cybersecurity risk mitigation. Self-doxxing uses the same techniques that fraudsters use to scam and harass by revealing what data is available on a given individual (or asset).  Because these data are on publicly accessible sites, it only takes time, some readily available tools (such as a search engine or reverse cell phone lookup) and tenacity to locate information. Self-doxxing is analogous to OSINT but related directly to personal data and asset use.

Why use self-doxxing in an organization?

Any organization can use self-doxxing to make employees’ security-aware and to minimize cyber risk. There are five key benefits to using a self-doxxing program at an organization.

Dox for good, one: Know your attack surface

The drive to remote work brought about by the COVID-19 pandemic has created a massive attack surface. This surface includes the use of personal devices for access to corporate resources. Conversely, it also includes the use of corporate passwords for personal account use. The 2020 Secure Consumer Cyber Report found that one-fifth of consumers were using work email or passwords to log in to consumer websites or to use applications including food delivery apps and online shopping sites.  Self-doxxing can ensure that a full view of all associated apps and devices and related login credentials is known. It can also be used to enforce security hygiene policies.

Dox for good, two: Reduce business scams

Scams such as business email compromise (BEC) cost businesses, on average, $75,000 per year. To enact a BEC scam, a fraudster needs to have company details including knowledge of C-level executives, how company payment processes work and other data such as email addresses.  Self-doxxing gives a business the intelligence to know where gaps in business process protection occur and where a scammer may find crucial company business data that can feed the scam.

Dox for good, three: Data for an extended vulnerability assessment

The use of expanded networks, personal devices and multiple cloud apps means that vulnerabilities can be difficult to locate. Having visibility of all the potential endpoints and users within a corporate network can be helped by using a self-doxxing program.  The data generated using the program can be used to feed into a vulnerability assessment.

Dox for good, four: Policy enforcement intelligence

Doxxing by fraudsters and scammers is successful because people tend to overshare personal details on social media and other online services. In the corporate world, employees can also overshare personal data on corporate apps, such as Slack. Sometimes, this can extend to sensitive job-related data or even user credentials.  Using a self-doxxing program allows an organization to have sight of where employees have shared data and helps to train employees on the dangers of oversharing.

Dox for good, five: Data-driven security

By taking a data-driven approach to security using doxxing techniques, an organization can ensure it has a full view of where data is shared and available. Using doxx-generated intelligence, a security team can identify any weak spots in their data policies. These weaknesses can have both security and privacy implications and can help ensure that regulatory compliance is adhered to. Doxxing is a double-edged sword. On the one hand, it can be used for harmful means. But doxxing can be applied to help mitigate attacks that are data-dependent. Whilst the human being continues to be a fault line for attack by fraudsters, knowing where personal data exists can help to close off that intelligence to cybercriminals.  

Sources: 

Doxing as an attack, Bruce Schneier blog How ‘Doxxing’ became a mainstream tool in the Culture Wars, New York Times Doxxed and hacked In Hong Kong, BBC World Service Broadcast 2020 Secure Consumer Cyber Report, Ivanti  Business email compromises (BEC) cost companies an average of $75,000, Cyberscout