What is Doxing?

The term itself originates from the phrase “dropping docs” and was later shortened to “docs” and then “dox”. As the original term suggests, doxing is when someone collects and then shares information about another person or organization.

There are numerous reasons someone might dox someone else or be the victim of doxing. It could be for revenge or a personal grudge, a disgruntled ex-employee might target their previous employer, for example. In 2014, Sony was the victim of a doxing attack backed by, experts believe, the North Korean government after they released a film which made fun of their leader. Other motivations include harassment and cyber-bullying, vigilante justice (for example, exposing neo-Nazi’s), and doxing for financial gain. 

Organizational doxing is on the rise and can be immensely damaging, exposing company secrets and customer data, or more directly exposing executives to new levels of threats.

Doxing Strategies and Goals

Traditionally doxing started with an online argument escalating to one person digging out information on their adversary and sharing it online. More recently though, doxing has become more of a cultural tool with hackers taking down people or groups with opposing ideologies. When it comes to organizations, threat actors have been known to both target an organizations reputation and to use information gained through a doxing attack to leverage financial reward.

For example, in one scenario an employee at a bank was blackmailed after a doxing attack into using his position in the bank to steal over $100,000 from customers for his blackmailers. 

The fallout is generally reputational with the victim suffering from online abuse such as death threats to them and their family in lieu of the new information shared. However, on occasion, the fallout can be significantly worse. There have been examples of mobs dishing out physical vigilante justice after a person's information, such as an address, was shared online.

There are numerous ways you can be identified online. By following ‘breadcrumbs’ of information a dedicated doxxer can assemble an accurate picture of a person - even if they were using an alias. The kind of details they might look for include, full name, current address, email address, phone number etc. Additionally, some doxxers might buy information from data brokers.

IP/ ISP Dox

There are various methods that can be used to locate your IP address, which is linked to your location. With just your IP address a doxxer could then use social engineering tactics against your Internet Service Provider (ISP) to discover the information they have on file such as:

• Your full name

• Email address

• Phone number

• ISP account number

• Date of birth

• Exact physical address

• Social security number

This requires the doxxer to go through a dedicated process, which may not even work, however, it’s just one strategy they can employ, and even if they are unable to gather further information through a gullible ISP worker they still have the first parts of the puzzle - your IP address and a rough location.

Doxing with Social Media

If your social media accounts are public then anyone can view them. Often things a threat actor can find out include your location, place of work, your friends, your photos, some of your likes and dislikes, places you’ve been, names of family members, names of pets, names of schools you attended, and more.

With this kind of information, they can then find out even more about you, or even discover the answer to your security questions helping them break into other accounts such as your online banking.

As such it’s recommended to keep your social media profiles private, and if you use multiple online forums to use a different name and password for each to help prevent doxxers from compiling information from across multiple online forums and social media sites. 

Data Gathered through Brokers

Data brokers on the internet collect information from publicly available sources and then sell the data for profit. Generally speaking, they sell this data to advertisers - if you’ve ever found yourself randomly receiving emails from companies you’ve never heard of before, this is why. However, for a doxxer it could be an easy way to start building a detailed profile of their target.

How Might Doxing be Used Against Your Organization?

For organizations to be successful with their media strategies they necessarily need to share relevant information and regularly engage with their customers through social media channels. This provides a substantial opportunity for doxxers.

By combining publicly-available data with basic attack techniques, such as phishing campaigns or credential stuffing, malicious actors can uncover large quantities of supposedly secure data. For consumers, exposed information could lead to identity theft or public shame. Meanwhile, companies face the prospect of large-scale reputation damage or lost revenue if proprietary project briefs or intellectual properties are leaked to the public.

Additionally, doxing can be used as an incentive to expedite the resolution of ransomware attacks. This is where the cyber attacker threatens to release documents or information to the public should their target not pay the ransomware fee promptly. This adds to already serious financial implications.

How Can you Prevent Doxing?

Unfortunately, it's nearly impossible to completely remove personally-identifying information from the internet, especially parts which are part of public records. Still, there are some tips to reduce your attack surface.

Keep your profiles private 

People and organizations do have a lot of say as to what gets published on the internet. Make sure to practice general data privacy best practices.

• Avoid posting identifying information

• Keep all social media settings at the most private level, and don't accept friend requests from people you don't know

• Change the settings on Office and your phone's photo app so personal info isn't embedded in those files

• Use a "burner" email address for signing up for accounts when possible.

• Set the ‘whois’ records on any domains you own to private

• Ask Google to remove personally available information about you, and request the same from data broker sites

Implement Safe Browsing Measures

These steps are good internet hygiene in any case, but can also prevent a breach that can lead to your info being exposed to a potential doxxer:

• Use a VPN, especially when using insecure public Wi-Fi networks

• Switch to a secure email system with built-in encryption

• Vary your usernames and passwords

Self-Doxing

Humans remain the weakest link in the security chain. In most cases, malice isn’t the problem or the intent when someone lets a threat actor in. Instead, employees overshare personal data on corporate platforms by accident or use insecure third-party applications. In both cases, however, following the breach and identifying the potential compromises is difficult when IT teams start from the side of defenders. 

By flipping the script and looking at your organization from the view of potential doxxer it becomes easier for IT and security teams to spot key areas of weakness. They can then develop strategies and staff training programs to protect against them.

Final Words

Doxing represents a growing threat to organizations and individuals. However, by self-doxing with security intelligence gathering strategies, security teams can create accurate attack surface maps. With this intelligence, they can then enhance threat modelling and deliver actionable insights to staff to reduce overall risks.

Using OSINT software like Signal you can learn about potential threats as or before they occur, learn about potential exploits targeting your organization, and self-dox to help identify weaknesses and shore-up defences.

People are increasingly aware of how their data is accessed and used, whether this is the security of their private conversations, their online browsing history, or even Personal Identifiable Information (PII). With this increase in consciousness for data privacy, chat applications have had to promise better encryption and anonymity if they are to compete.

As such, over the last few years new chat apps, with a primary USP of better privacy have hit the market. This includes the likes of Telegram and Discord. The anonymity and data security offered by these apps have quickly made them popular with both legitimate users and criminals. On Telegram, you don’t have to look too hard to uncover conversations around the sale of illicit goods, examples of extremist views and hate speech, the trading of PII, and more. It’s also worth noting that many marketplaces and forums on the dark web also have chat groups on Telegram.

Many of the groups and channels on apps like Telegram are open to the public, allowing users to easily reach a large potential market relatively risk-free. Not all groups though are open to the public making it substantially harder for security professionals and law enforcement to monitor these channels successfully.  

However, with a tool like Signal, you can view and monitor data from many of these closed communities and hard to access groups easily and efficiently.

About Telegram

Telegram is a messaging app that was launched in 2013. It focuses on supplying a fast, free and above all, secure messaging service. The chat app has end-to-end encryption and several other features which add to it’s perceived security. These features include “secret chats” which store data locally, a timer on messages to self-destruct after a specified time, notifications of screenshots, and messages in secret chats can’t be forwarded. Their main USP is to provide a service where data is protected from thirds parties, including any curious government or security agencies.

Unlike other chat apps, Telegram promotes itself as providing its users with full anonymity, including the ability to set up a unique username and make your phone number to private. It’s because of these security features as well as the offered anonymity that the application quickly became a popular choice for criminal communications.

How Can You Leverage Data from Telegram for OSINT?

There are various channels and groups on the Telegram app in which illicit and criminal activity is discussed or undertaken. This ranges from the sale of illegal goods, stolen data, to planning physical attacks on an organization or individual.

For example, on the group “Carders” on Telegram, a group which has over 5,000 members you can find stolen credit card details including full numbers and CVV codes. This chat group is linked to an online shop getbette.biz (which was taken down in early 2020). Most of the conversations in this group revolve around some form of financial fraud, whether that’s leaked card details or the sale of PII.

On other Telegram groups, you can find details for hacked personal accounts like Netflix, Disney Plus, Amazon Prime etc. These logins might be sold for a variety of reasons, such as credential stuffing, or for personal use.

It’s not just dealing in illegally obtained data though. Telegram is used for a broad variety of purposes. A particularly popular one is the sale of drugs. Narcotic Express DE is one such group. With close to 1,000 members, this German group is a closed group which focuses on the purchasing, sale and distribution of drugs. 

Closed groups cannot be found in a search within the app or in the dedicated Telegram search engine, instead, you have to be invited and sent a link by another user in the group. In addition, users can only see posts, not post themselves into the group.

Other examples of leveraging Telegram as a data source include monitoring for:

• Hate speech and death threats,

• Hacking services for sale,

• Exploit kits,

• Data breaches,

• Hate groups.

Using Telegram as an OSINT Source

As outlined above, are plenty of conversations of interest that happen through the Telegram app and its various groups. These groups can offer insight into criminal activity and better enable organizations to protect their assets and staff from emerging threats. For example, you might find information on a recent data breach through the app. Having this early knowledge of the breach is essential for mitigating costs.

However, as with any potential data source, it’s not a case of simply downloading the app. Efficiently scanning and monitoring the platform for potentially relevant or information of interest requires the right tools.

First, groups like Narcotic Express DE are closed groups, meaning locating and gaining access to them is a challenge in itself. Secondly, with features such as message self-destruct constant surveillance is necessary. These challenges mean time and resource need to be devoted to this specific channel, time and resource that might be better spent elsewhere.

Using an OSINT tool gives users the ability to access and utilize hard to reach data sources like Telegram. Data from Telegram is gathered by our data provider Webhose, who scrape the publicly available data from both open and harder to access closed groups continuously. Signal users can set up searches with Boolean logic, selecting Telegram as one of the data source options available. 

Ransomware is a form of malware which is installed on a victims device or devices with the main objective of seizing and/or locking away sensitive data. As the name suggests in order for a victim to regain access to their data and systems they need to pay a ransom. More often than not, the two options a victim is presented with when they succumb to a ransomware attack is to either rebuild their systems from scratch and potentially have the attacker leak the data online - or pay up.

As such, it’s unsurprising that, in our increasingly digital age with more and more data on the cloud, that the number of attacks and the success of ransomware attacks is on the rise. Approximately 58% of ransomware victims paid in 2020, compared to 39% in 2017.

Ransoms for these kinds of attacks range from a few hundred dollars to thousands or even millions of dollars payable in cryptocurrency such as Bitcoin. In return for the payout, the attackers will release a decryption key allowing the organization to return to business. Certain industries, such as government organizations and hospitals are more susceptible to ransomware attacks due to the nature of the work that they do often being time-sensitive. For example, a ransomware attack crippled a hospital in Germany, leading directly to one patient’s death.  

There are numerous strategies that ransomware attackers employ to gain access to a victims database. One of the most common though is through social engineering tactics, such as phishing emails. Cybercriminals can make these emails look exactly like trustworthy emails from official sources, tricking victims into downloading compromised software onto their device. 

Because of the nature of social engineering tactics, and the evolving cyber threat landscape no organization can ever be fully secure from malware threats. Below we outline 12 of the biggest ransomware attacks that occurred in 2020.

12 Ransomware Attacks that Happened in 2020

1. ISS World 

Estimated cost: $74 million 

In February of 2020 ISS world, a Denmark based company went down due to a ransomware attack. Thousands of employees were left without access to their systems and emails. This cost them an estimated $74 million which includes regaining control of the affected IT systems and re-launching critical business systems. 

2. Cognizant

Estimated cost: $50 million

A ransomware attack on the organization Cognizant in April of 2020 is said to have cost the company over $50 million, potentially as much as $70 million, including legal and consultation costs and data recovery costs, along with the financial loss reflected in their second-quarter earning in 2020.

3. Sopra Steria 

Estimated cost: $50 million

The company Sopra Steria revealed that they were hit by hackers using a new version of the Ryuk ransomware in October.

They estimate that the fallout, including dealing with the various systems that went out of action, is likely to have a gross negative impact on operating margin of between €40 million and €50 million.

4. Redcar and Cleveland Council 

Estimated cost: $14 million

Redcar and Cleveland Council in the UK suffered an attack on their systems in February of 2020 costing the council an estimated $14 million.  The ransomware attack is said to have disrupted the company’s network, tablets, computers, and mobile devices for 3 full weeks. The council announced that in March, that it could take months for a full recovery and estimated the overall costs to be between $14 - $21 million.

5. Software AG

Estimated cost: $20 million

Software AG is the second-largest software vendor in Germany. They were reportedly hit with the Clop ransomware in an attack in October of 2020. The company disclosed that the ransomware attack disrupted a part of its internal network but didn’t affect customer services. The cybercriminal group responsible demanded a $23 million ransom.

7. Travelex

Estimated cost: $2.3 million

It was reported that Travelex the money exchange firm was hit with a file-encrypting malware attack which shut down its internal networks, website and apps for several weeks. Reportedly Travelex paid a ransom of $2.3 million in BTC to the dark actors to regain access to their data and restore services.

8. University of California San Francisco (UCSF)

Estimated cost: $1.14 million

UCSF was targeted by a malware attack which encrypted servers used by the school of medicine impacting students in June of 2020. The ransomware was prevented from travelling to the core UCSF network and causing more damage. The authorities negotiated with the cybercriminals and UCSF ended up paying approximately $1.14 million in ransom of the $3 million demanded. 

9. Shirbit Insurance 

Estimated cost: $1million

After a cyberattack on the Israeli Insurance provider Shirbit in December of 2020 the attackers demanded roughly $1 million in Bitcoin. In order to pressure the company into paying they demanded immediate payment or an increase in the ransom cost, doubling after 24 hours. Additionally, to show they weren’t empty threats they dumped the first 300 records online, again threatening to dump additional records every 24 hours until they received payment.

10. Communications and Power industries 

Estimated cost: $500,000

California-based Communications & Power Industries (CPI) makes components for military devices and equipment, like radar, missile seekers and electronic warfare technology. The company counts the U.S. Department of Defense and its advanced research unit DARPA as customers. Reportedly, CPI paid $500,000 to obtain the decryption key to unlock their servers and return services.

11. Grubman Shire Meiselas & Sacks 

Estimated cost: $365,000

Grubman Shire Meiselas & Sacks is a law firm that specializes in law for those in the media and entertainment industry. Their clients consist of a range of A-list celebrities and, with such high profile individuals on the line, the stakes for them were extremely high. They were targeted and files encrypted by REvil ransomware. The firm agreed to pay an estimated $365,000, however, the attackers started demanding more afterwards and the company has since kept quiet on what it has or is willing to pay.

12. Tillamook County 

Estimated cost: $300,000

Tillamook county in the US was attacked by cyber attackers in January. The attack interrupted their email network, phone systems and website. After exhausting alternative options, they estimated the costs to restore service would cost well over $1 million and take several years and opted instead to pay the $300,000 ransom. 

Keeping your data and organization secure

1. Never click on suspicious links or any links attached in unsolicited emails. 

2. Back up systems and data continuously. Create a separate data-backup in an external hard drive that is not connected to your computer, so that you don’t have to pay the ransom if a ransomware attack happens.

3. Never disclose personal information over the phone or over email. 

4. Educate employees of cybersecurity best practices and social engineering tactics that may be used against them.

5. Limit employee access to sensitive data to reduce attack surfaces.

OSINT Tools and Mitigating Costly Ransomware Attacks

Early warning of data beaches through OSINT tools can help you predict and prevent cyber attacks as well as enable organizations to take mitigating actions faster. While open-source intelligence tools can’t prevent ransomware, they can help organizations reduce the risks and potential damages. 

OSINT tools can be used by organizations to monitor their supply chains, allowing them to learn of potential disruptions in real-time and enabling them to implement contingency plans fast. 

Additionally, organizations can use tools like Signal to monitor for ransomware and malware currently being used. This can help security teams determine emerging threats being used against other organizations in their industry to better inform ongoing cybersecurity best practices.

Ultimately, by using OSINT to monitor darknet forums and market places security professionals are able to learn about the newest strategies being employed, the most recent weaknesses being exploited, and the most current software being utilized. Armed with this knowledge they are much more able to develop effective countermeasures as well as actively prevent ransomware infection.

Dark web marketplaces are online marketplaces where people can buy and sell illicit goods and services under the protection of the anonymity of the dark web. The goods and services on offer range from leaked credit card details, exploit kits and hackers for hire, to advertisements for hitmen services.

Because of the range of goods and services found for sale, as well as the conversations that occur around these sales, dark web marketplaces can be immensely valuable sources of data on criminal activity. As such, they are normally under intense scrutiny from law enforcement and security professionals alike.

5 Dark Web Marketplaces

People have been organizing illicit trades via the internet since the 1970s. Those early examples though were through closed networks and the actual exchanges of money and goods generally had to take place in person. With the advent of crypto-currencies, it became not only possible to complete trades online without leaving a money trail, but easy. As such, the trading of illegal goods online has become more commonplace and vast dark web marketplaces have been created. 

The very first of these marketplaces to pair the darknet with Bitcoin was the Silk Road. Silk Road was created by Ross Ulbricht in February 2011. Over the next two years, the Silk Road set the standard for darknet marketplaces. By the time it was shut down in October 2013, and Ross Ulbricht arrested, the site had traded an estimated $183 million worth of goods and services.  

ToRReZ

ToRReZ Market is a wallet-less market; which means you only send funds when making an order. The market currently supports four cryptocurrencies: Bitcoin, Monero, Litecoin, and Zcash. Both physical goods such as drugs, and digital goods such as software and credit cards, are sold on ToRReZ Market.

Tor2door

Tor2door is a darknet marketplace that launched in June 2020. The market is built from scratch and has a unique design. Tor2door claims that security and usability are its main priorities. This market is one of the easiest to use and is very simple for inexperienced dark-net users.

Hydra

Hydra is the largest marketplace in the darknet and most popular darknet marketplace in the Russian-speaking sphere. According to the Project news outlet, it is responsible for 64.7 billion rubles ($1 billion) in sales through its 5,000 shops between 2016 and 2019. Although a wide range of illicit goods and services are sold, the site also has a few rules, which are perhaps one of the reasons for its longevity and success. These rules include no fentanyl, no weapons, no sale of hitmen services, viruses, or porn.

Versus Project

Established in 2019, Versus quickly gained a reputation for a user-friendly UI and intuitive search options. It has gained a lot of users and become a popular marketplace due to its focus on security. Buyers can purchase a range of digital goods and services which include illicit drugs, software and malware, and services related to fraud. The marketplace has over 8,400 listings and 500 vendors who communicate in English and accept Bitcoin for transactions.

White House Marketplace (WHM)

White House Market is a dark web marketplace that enforces the use of PGP (Pretty Good Privacy) encryption to just browse the site. The site goes into detail about its security on the About page and explains that it does not store Monero private keys on their servers, which can ease the mind of its users. Although White House Market is a smaller marketplace than the others on this list, it is possible that its ultra-security features and simple, easy-to-use UI will quickly attract more vendors.

Other markets include Icarus market, Dark0de Reborn, Canada HQ, Monopoly Market, and more.

How to Keep Track of Evolving Darknet Marketplaces

There are various active dark web marketplaces. According to Webhose, one of our data providers, there are approximately 20 active leading dark web marketplaces and there are dozens of smaller additional marketplaces. 

Gaining access and monitoring these darknet marketplaces comes with a unique set of challenges. Firstly, they generally have short lifespans. This could be for a variety of reasons, for example, law enforcement might close them down, or perhaps to help avoid this fate they frequently change their domain address. It could even be because the admin implemented an exit scam, which is what happened with Empire Market, where the admin team is estimated to have made off with some $30 million worth of Bitcoin in August 2020. 

Because of this short lifespan, security professionals need to constantly be on the lookout for the next big marketplace. However, because of the illicit nature of the dark web, many websites don’t want to be found, as such there is no easy way to navigate the dark web. Each website can be thought of as an independent silo. Darknet websites rarely, if ever, link to one another. To find the forums and marketplaces where the important and relevant is you will need to know what you’re looking for and how to look for it.  

Finally, once the relevant sites have been located and access gained, there is still the serious challenge of monitoring the dark website to effectively gather usable intelligence. Doing this manually requires vast amounts of resources, however, you also can’t simply scrape the website as such activity can quickly get you banned from a site. 

This is where Open Source Intelligence (OSINT) tools like Signal come in.

The Role of OSINT tools when Monitoring the Dark Web

OSINT tools allow security professionals to effectively and efficiently monitor the surface deep, and dark web. Using Signal you can create targeted searches with Boolean logic, and then run the results through intelligent filters powered by our advanced AI. This process can be automated with real-time SMS and email alerting. 

This reduces the need for skilled professionals to spend all their time manually monitoring the entirety of the web and assessing the associated risks. Additionally, it reduces the inherent risk of accessing criminal forums and marketplaces. Instead, security professionals get hyper-relevant alerts that can quickly be assessed and acted on without ever actually having to go onto the dark web or painstakingly gaining access to marketplaces.

This approach is vastly more time-efficient and allows you to put your web monitoring on auto-pilot, reducing costs while simultaneously increasing efficacy. As cyber-criminals embrace new technologies it’s becoming increasingly necessary for security professionals to do the same in order to stay ahead.

Increase the scope of your monitoring ability and the overall amount of hyper-relevant intelligence at your fingertips. Gather actionable intel in realtime.

There are numerous threats that could evolve to seriously impact an organization, from natural disasters, to acts of terror, to targeted attacks on executives. Currently though, tensions around the US election are high on both ends of the political spectrum. There has been an increase in polarization of political views and even militarization of the public in recent months, and many Signal customers have expressed concern.

For many American’s this is seen as the most important election of their lives so far. Fears of voter fraud and voter suppression are rife, which is reflected by an unprecedented number of early votes being cast with more than 90 million votes already cast a week before the election, more than two-thirds of all the votes cast in 2016.

This, paired with a deadly pandemic and a summer of protests, many of which became violent, and one can see the potential for civil unrest around a contentious presidency. To mitigate this risk organizations need relevant intelligence as events unfold to ensure they take the necessary precautions to protect their employees and assets.

As such, we have created advanced tools to enable Organizations to be alerted as early as possible to issues and current events, such as the Election, where the possible fallout could have an impact on their employees and assets.

Monitoring Election Threats in Real-Time Using Signal OSINT

Using Signal security teams can learn of events as they are happening or even before they happen, allowing effective response plans to be enacted, effectively neutralising potential threats. 

To do this users can create custom searches using Boolean Logic to filter intel from key web sources such as social media, the open web, and the dark web. Intel from these sources often acts as an early indicator alerting Signal customer to potential issues in real-time. The data can also be reviewed by our emotional analysis solution for increased data analysis efficiency.

Signal has real-time SMS and email alerting for high-risk threats so that companies can maximise available response time. Once alerted to potential risks the security team can form a final judgement on the threat level and decide whether action needs to be taken.

Final Words on Threat Monitoring with Signal

Threat monitoring isn’t just for events such as a contentious election. COVID-19, earthquakes, storms and other extreme weather events, and even threats of violence against specific executives, can all affect an organization. Signal OSINT software enables security teams to scan a vast number of surface, deep, and dark web channels and sources to gain real-time data on a broad array of emerging threats. 

Anonymous social media forums like 4chan or dark web forums are often where threat actors go to communicate and organize. And social media is often where you can learn of current events as they unfold. So whether it’s customer data for sale online, or an active shooter situation in-store, security teams armed with OSINT can quickly assess and respond appropriately to mitigate risks and damages.

Only when an organisation has a complete picture that incorporates the variety of potential risks and has invested in specific responses and contingency plans can it adapt as needed to mitigate the impact of extreme events.

An emergency incident can happen at any time, often with very little warning. If an organization wants to prepare an effective response to an evolving threat landscape and better protect both their assets and employees they need to have efficient mitigation and response measures in place. 

Data and intelligence form a pivotal role in emergency management. They allow security and event management teams to discover threats and accurately assess the associated risk levels. With this knowledge, they can enact an appropriate response to remove employees from harm’s way and prevent potential damages to the organization.

Data Performs a Vital Role in Emergency Management 

Some of the ways data and intelligence gathered using Signal OSINT can be used include:

• Better Situational Awareness. Save time and lives by rounding out your situational awareness with commentary, photos and videos posted online by the public and media.

• Misinformation Management. Catch and manage the spread of misinformation in real-time before it spreads to the public and puts lives at risk, wasting precious time and resource.

• Improved Agency Collaboration. Get a better view of what other agencies are doing during an emergency to ensure you allocate people effectively.

• Geo-targeted Risk Assessment. Keep an eye on areas of interest, such as near a location of an event you’re hosting, and watch for disruptions such as extreme weather or terrorist threats near your offices.

Threats, Hazards, and Risks.

There are three main types of threats and hazards. First, natural hazards. This includes extreme weather such as hurricanes, earthquakes, and wildfires. These can cause extensive disruptions to a business. Such events are often seasonal and organizations should monitor for them during high risk months. 

Secondly, technological hazards. These include power outages and infrastructure failures. For example, your business might be affected by your internet provider going down temporarily, or transport links might be disrupted meaning employees are unable to get to work. 

And thirdly, man-made hazards. These include cyber-attacks and data breaches, terrorist threats or threats against assets or executives. These can happen at any time, however, often you can find indications on data sources such as darknet forums before the event.

The Importance of Assessing Risks Appropriately

The more data and information you have the more accurately you can assess the risk level of an emerging threat. For example, you might use Signal to set up real-time alerts on an evolving threat like spreading wildfires. This allows you to continually reassess and determine in a timely manner when or if you need to take action to ensure your staff are removed from harms way. However, there is a fine balance between under and over protection. 

The Risk of Over-protection

Over-protection is when you initiate responses either too early or too extreme. Erring on the side of caution is always a good idea when it come to protecting employees, however, it can be costly and inefficient. 

Over-protection is often caused by the following:

• Personal interpretation of the threat level.

• Not having enough data to form an accurate assessment.

• Not having enough alert levels to allow a staged escalation of measures appropriate for the evolving risk level.

The Risk of Under-protection

Just as with over-protection, under-protection will inhibit the effectiveness of your emergency management response. This can place employees unnecessarily in harms way and means you will be unable to appropriately respond to a threat. The end result of under-protection is invariably higher than necessary associated costs.

To prevent under-protection there are several things that an organization can do:

• Provide clear guidance on risk levels of certain threats and make the response increase easy to implement.

• Continually assess and reassess the evolving threat landscape and update your alert level guidance accordingly.

Other Emergency Risk Management Considerations

We have already mentioned alert levels a couple of times in this article. This is because having clear guidelines and properly gradated alert levels will allow you to respond effectively and efficiently to crises. 

Additionally, your employees should be aware of your response plans, especially to common threats. For example, if your officers are located in an earthquake prone area, have regular earthquake drills. 

Finally, should an emergency happen you need an efficient way to communicate the danger to your employees and instigate the appropriate response.

Signal and Emergency Management

Signal provides hyper-relevant intelligence on evolving threats as or even before they happen. This allows security teams to maximize warning times and enact mitigating measures.

Immediately, this means better protection for staff. This also has additional longer term upsides. For example, it might allow a security team to detect negative sentiment around the brand which allows them to identify and monitor potential threat actors and prevent a threat from evolving. Or, it could allow for a team to have early detection of a data breach, which according to IBM could save an organisation over $600,000. 

High profile executives and VIPs are more likely to receive threats of violence, be at the centre of negative online noise, and to be the target for both cyber and physical attacks. This, when paired with their busy schedules (which often involve travel), makes staying ahead of potential threats a particular challenge for their security teams. 

Attackers have a variety of reasons and goals for targeting executives and VIPs. It could be anything ranging from a reaction to company layoffs, to kidnapping for ransom. Whatever the reason though, security teams need to be able to spot the threats, understand the motives, and implement an effective response in a timely fashion.

In this article, we take a look at 6 key ways Signal OSINT is used today by customers to advance protection measures for high profile executives.

How Can Signal OSINT Improve your Executive Security?

Discover private information published online

There are several reasons that an individual might publish private information online. Often, it is in anger or as some form of revenge. The kind of information that has been found published online includes: names, email addresses and logins, physical address, details about an executives families, passport details, medical information, credit card and bank details, and SSN’s.

Having such information leaks opens up an executive to a wide range of potential threats. As a security professional, it is vital to know if and when there is a data breach so that the threat can be neutralized. The longer data is available online the more risk there is. For example, if card details are discovered online the bank can be contacted and the card cancelled.

Read: Detecting and Mitigating the Risks of Data Breaches 

Identify direct threats

Sometimes threat actors are more direct in the way they threaten executives. This could, for example, be a direct threat of violence through an email, instant messaging service or public forum like social media. While the majority of such threats come from so-called “keyboard warriors” there are some which will require further attention and action. 

For example, discussions might be uncovered on the dark web forum with details of a planned attack on an executive. With the prior knowledge of the attack action can be taken to reduce the associated risks.

One way to differentiate between someone that is simply venting their anger on a public forum and someone who genuinely might take action is to look for repetition of negative sentiment.

Emotional analysis

Emotional analysis gives data extra context which allows it to be better understood enabling a more effective and accurate response to the potential risks. 

It also allows you to differentiate between when a negative comment is simply that, a negative comment, or when it needs more serious attention, for example, it’s evolving into a physical threat.

Read: When Does Negative Sentiment Become a Threat? 

Misinformation is spreading about an executive

The spread of disinformation is problematic on a number of levels. For example, throughout COVID-19 misinformation has been spread regarding the virus, it’s root causes and best prevention practices. This has harmed efforts to curtail and control it. Another recent example is the role of misinformation in the 2016 US election. 

There are numerous reasons that individuals and organizations spread misinformation, it could be part of a phishing campaign or an international political assault, for example. Whatever the reason the results are almost always harmful. When an individual spreads misinformation around a CEO or other executive there are real ramifications for brand and reputation which need to be managed.

To combat misinformation organizations need to be equipped with the right tools and understand both what they’re looking for, and the reasons for spreading misinformation.

Disruptive events are planned which could prove a threat to executives.

Events such as protests planned at or near an office or manufacturing location could present logistical problems and delays as well as potentially devolve into riots which would represent a physical threat. Having intelligence on the events and any salient information regarding individuals or groups looking to create trouble will allow you to take appropriate precautionary measures and prevent a threat from escalating.

Travel risks

All travel comes with some inherent risk. However, it is more pronounced for executives who are at increased risk due to the regularity of their travel and high profile.

Additionally, events like extreme weather or terrorist action may make a destination unsafe. As such, having an OSINT solution such as Signal offering an early warning of any particular dangers will enable you to plan alternative routes and otherwise avoid high risk scenarios.

Read: 4 Aspects of Effective Executive Travel Risk Management 

Early warnings with real-time data

Using Signal you can create customized alerts filtered via specific keywords, phrases or even locations. We also have a built-in translation tool so that data can be searched across languages and automatically translated into your default language.

Additionally, you can run alerts through our emotional analysis tool to determine how much of a threat any particular alert is. Finally, get our optional Sapphire bolt-on and utilise our skilled data analysts to further refine your results. 

This approach allows your leave your intelligence gathering on autopilot and not only effectively reduce costs but vastly increase the scope of your monitoring ability and the overall amount of hyper-relevant intelligence at your fingertips. All of this allows you to gather actionable intel in realtime.

Find out more about Executive Protect with Signal…

There are good reasons why the fictional characters like Varys (Game of Thrones) are so influential in their respective worlds. The more information you have the more you can tailor and optimise strategies for your preferred outcome. However, whereas Varys has to contend with political scheming, assassination attempts and dragons, the modern (and real) world has a much broader plethora of potential attack vectors, many of which were unimaginable just 20 years ago.

Thankfully for security professionals, the broadening net of threats exists in a symbiotic relationship with intelligence sources and security tools. What this means is that while, yes, there are now more threats to contend with, there are also more solutions and tools. For example, artificial intelligence (AI) enables Centaur approaches that far exceed human or machine only results. 

In this article, we take a look at how Open Source Intelligence (OSINT) can be and is being used to arm security teams with the ability to gather and analyse vast quantities of data and then enact effective plans to mitigate damage and even prevent threats. 

What is OSINT?

OSINT, as the name suggests, is data gathered from all publicly (openly) available data sources. These data sources could be anything from government records or archives, online discussion forums, blogs, social media posts, or the comments on those posts. 

OSINT allows you to collect data from all of those sources at once, and because of the sheer amount of information that is shared and discussed continuously on every fathomable topic, it is an incredibly powerful tool. There are billions of historical records and millions more being posted every day. You can use OSINT to identify physical threat made against your organization or executives, discover data breaches, uncover terrorist plots and even get breaking news as it is happening.

In many situations, expert data analysts with OSINT tools can identify malicious actors and discover relationships, information which can be used to enhance a privacy and security plan.

How Organizations use OSINT

The need for organizations to employ OSINT as part of their corporate security processes is becoming increasingly more evident. Interestingly though the use of OSINT has been neither formalised nor widely adopted. It often takes a particular scenario to unfold before they even consider it. 

A common example is a data breach. According to the Ponemon Institute’s 2018 Cost of a Data Breach Study, the average amount of time for a company to detect a data breach was 197 days. More often than not, the organization was not the first to know either. Utilising OSINT allows you to learn of data breaches as soon as discussions begin online, for example, the hacker offers up your data for sale.

This is just one way in which OSINT is used by businesses. The use of intelligence is immensely versatile. You can detect physical threats to assets or staff, determine travel risks, discover brand hazards, secure your social media channels and cybersecurity and more.

Despite the versatility of applications for OSINT tools it still often takes a worst-case scenario for an organization to decide to finally employ OSINT solutions.  

Applications of OSINT as Cyber Intelligence

Most people freely share a large amount of data about themselves. In fact, in this day and age, it’s hard not to share your data. For example, almost everyone has a phone number, this phone number is likely connected with your name, address, date of birth, and email address. It might even be linked with your broadband connection and subsequently your IP address. 

As an example, in 2019 T-mobile had a significant data breach. Thankfully, it appears they spotted and responded quickly, but not before some 1 million records were exposed. They were able to mitigate the damage but not prevent it. Other companies have historically been less quick to respond such as TerraCom and YourTel America who had to pay out $3.5 million USD collectively in damages in 2015 after their data breaches. Organizations also need to remember how everyday activities expose other forms of data such as shopping habits through credit card usage and location through fitness apps. 

Intelligence isn’t just important for detecting breaches or hacks. It is also vital if organizations want to protect their staff from physical threats or from being exploited via phishing scams. For example, a company’s employees will likely all have social media accounts such as a LinkedIn account which details their roles and responsibilities. This information can be paired with information from other social profiles or information shared online and can, when used properly, become valuable intelligence on how an organization runs, who’s responsible for what, and even who a malicious actor should target.

Because of the various methods that security teams can use intelligence to protect a businesses interests having a dedicated team, armed with powerful OSINT tools like Signal, could save them from serious reputational and financial damages.

Examples of threats that Signal OSINT can detect and help protect against

• Counterfeit or stolen property listed online - for example, counterfeit drugs.

• Employee conduct, threats and harassment on social media.

• Frustrated, angry or threatening customer correspondence.

• Merger, acquisition & organizational partnership discussions - this could be important for ensuring smooth operation of the supply chain, for example.

• Sensitive information publicly disclosed – accidentally or intentionally.

• Inaccurate, harmful or out of date information.

• Presence of fake websites, fake invoices or scams targeting customers, staff or the organization - for example, a phishing website made to look like a banking institutes website and designed to encourage users to enter their password combination. 

• Credentials from data breach & compromised accounts belonging the organization.

• Unsavoury relationships, membership or pending court action related to the organization.

The Results of Employing Powerful OSINT Tools

Experienced hackers and cybercriminals will understand the public nature of the channels and as such are likely to attempt to avoid actions that expose their intentions. However, OSINT doesn’t stop at the surface web, tools like Signal can give analysts and security teams access to data from sources such as the dark and deep web and even private dark web forums as well as more obscure surface websites. 

The purpose of OSINT research is to provide teams with a thorough foundation of knowledge. Teams can subsequently use these insights to develop actionable plans to either prevent a threat from fully emerging, or minimise the damages of a current or recent attack.

One of the key issues that security teams and analysts face is the sheer amount of noise which might surround their brand. Invariably much of this noise is irrelevant to their purposes, however, some of it will be bad. This is why Signal assists with advanced filters applying boolean logic as well as features such as our emotional analysis tool.

A supply chain risk can vary broadly, from volatile global politics to natural disasters, from terrorism to DDoS attacks or data breaches. A disruption anywhere along the supply chain could have serious ramifications for business continuity potentially costing an organisation millions. Additionally, the size and scale of operations means that there are often numerous vulnerabilities. 

Open Source Intelligence (OSINT) is an invaluable tool for both security teams and supply chain managers. It allows them to gain oversight over often vast and complex supply chains, monitor risks and threats, and gather real-time data that is essential for coordinating an effective response. 

Many supply chain risks and threats are in association with fears around break downs within logistics operations or supplier disruptions. Additional concerns also relate to financial and legal exposures, uneven market demand for product, mounting competition, and natural disasters.

Protecting Business Continuity from Supply Chain Risks

Even as product complexity expands supply chains continue to stretch into developing countries where labour and natural resources are plenty, but the infrastructure is undeveloped or insufficient. Meanwhile, advanced planning and sourcing practices which aim to maximize efficiency and minimize costs, stretch operations to a point of fragility. 

Any disruption can result in organizations and consumers worldwide feeling the impact via loss of suppliers, delayed or destroyed goods, product release delays, and ultimately, customer dissatisfaction and brand damage.

To mitigate the damage of potential threats, both physical and cyber, specific resources need to be designated with the goal of maintaining business continuity in the face of disruptions. One of the most essential resources for security teams and supply chain managers alike is relevant insights and intelligence to assist in assessing potential supply pitfalls. 

Key Supply Chain Disruptions to Monitor with OSINT

Traffic

Even something as seemingly mundane as traffic can cause havoc with supply chain management as supply chains are heavily reliant on good transportation networks. Security professionals and supply chain managers need to know fast if key transportation networks are endangered.

For example, if a freight hub such as Hong Kong International Airport which sees nearly 3.7 million tons of freight through its gates each year were to encounter a serious disruption the ramifications would be far reaching. It’s not just physical disruptions though that teams need to monitor as cyber attacks can have equally far-reaching consequences.

Weather

It’s hard to predict where and when a tornado, hurricane, severe thunderstorm, or debilitating snowstorm will hit. However, in certain parts of the world such as Southeast Asia, these severe weather events occur more seasonally. 

For example, in 2015, the top 4 typhoon events in Southeast Asia caused an aggregate of over $33.5B in damages, more than 138 days of recovery time, and impacted nearly 7,000 supplier sites. In response to the increased risk of extreme weather events organizations must confront the complexity of their operations and improve visibility to go beyond just their immediate vendors. 

Only when an organisation has a complete picture that incorporates the variety of potential risks and has invested in specific responses and contingency plans can it adapt as needed to mitigate the impact of extreme weather events and maintain strength in the marketplace.

Mergers and acquisitions

A single organisation may work with hundreds of independent suppliers from all over the globe. It’s important to have clear oversight of their operational capabilities as well as retaining an awareness of how global events such as extreme weather or in this scenario a merger or acquisition might affect their output. 

What organisations cannot do is assume the best case scenario. Like other threats mentioned in this article, this supply chain risk is exacerbated by the scope of the operation. A single delayed part, for example, could bring assembly lines to a halt causing a build-up of undelivered orders ultimately resulting in dissatisfied customers and a long-term loss of revenue. 

With potentially hundreds of suppliers and thousands of parts it’s not practical to maintain frequent communications with every single supplier, nor is it possible to manually oversee the entirety of the supply chain. 

Fire and the Unexpected Physical Disruptions

While some events can be predicted and planned against, others can’t. A fire in a warehouse for example. Or as we have seen recently COVID-19 which has caused havoc across supply lines with factories either temporarily shutting down or reducing the scale of their operations with limited workforces.

Such unexpected crises can have a big impact causing costly delays. Organisations need up to date and real-time information on all their respective suppliers if they are to react fast and mitigate the potential financial impact of these supply chain risks.

Cyber Threats

There are multiple threat vectors that cyber attackers could target. And as operations get more complex and they focus increasingly on utilising technology for increased efficiency, these vulnerabilities become progressively more concerning. Attacks could take the form of anything from customer data breach, to leaked information pertaining to sensitive company data or even as in the case of Maersk, a rogue malware completely taking down an organisations IT systems.

Related: Securing the Supply Chain: The Role of OSINT in Logistics

Conclusion

New demands and pressures are constantly stretching supply chains and forcing supply chain managers and security teams to adapt. The stakes are high and security is a critical factor. Major concerns such as an unstable global economy, aggressive market competition, extreme weather conditions, demand volatility, and production failures place revenue growth, reputation and overall business operations at great risk. 

Understanding the nature of potential vulnerabilities and keeping current on disturbances that can impact processes can help teams better handle and mitigate problems related to global supplier concerns, brand protection, and financial risks.

Open Source Intelligence monitoring solutions like Signal enables teams to gain a clear oversight of the entirety of their logistical operations. This means they have details of potential disruptions or cyber-attacks before, or as, they are happening, allowing security teams and supply chain managers to implement their contingency plans in a timely fashion and prevent unnecessary financial losses.

Supply chain operations can be vast and while globalisation and digital technologies are making the world a smaller place in many ways, they are simultaneously increasing the number of potential vulnerabilities that security teams and supply chain managers need to monitor. Current threats to the logistics sector range from piracy, which has been experiencing a resurgence in recent years, to terrorism, to DDoS attacks, malware or data breaches.

The range of potential threats is exacerbated by the particular vulnerabilities of the supply chain and the sheer size and scope of the operations involved. For example, around 90% of the entirety of global trade flows through only 39 bottleneck regions. An effective attack on any of these 39 traffic heavy logistics hubs would have far-reaching and knock-on consequences impacting billions of dollars worth of trade. 

One example is the Hong Kong - Shenzhen freight cluster where nearly 15% of both container and air freight traffic moves through. Additionally, there is a selection of geographic chokepoints such as the Panama Canal or the Strait of Malacca where a successful attack could effectively halt a vast amount of freight.

If this wasn’t enough digitisation has increased the number of threat vectors that logistics companies need to consider. This increase in vulnerability needs to be addressed with effective security measures such as real-time data collected through Open Source Intelligence (OSINT) software.

How Can Transport and Logistics Companies Secure their Supply Chains?

Ensuring secure passage 

One of the key concerns, and one of the oldest, that logistics and transport companies have to contend with are the tangible and physical security threats; terrorism and piracy being the obvious examples. Organisations need real-time information to carefully and continuously assess the threat level, implications, and risks surrounding these physical security concerns.

Using these analyses organisations can then determine strategies to mitigate these threats as well as determine contingency plans for worst-case scenarios. They will need to be able to adapt and respond quickly to events as risk levels change. Supply chain managers across all industries will need to take into account higher transport costs, longer travel times, and potential problems meeting schedules when alternative transport routes are used

Fundamentally these risk management strategies hinge on having all of the information available on emerging and current threats. To be able to respond in a timely fashion it is absolutely necessary for supply chain managers and security teams to have the most up to date data. Being caught unawares could have far-reaching and even devastating consequences. And in some cases, business models based on time-critical deliveries may be squeezed out of the market. 

Keeping cyber space safe 

Cyber security is a secondary consideration for many logistics and transport companies. However, it is a security concern that should be receiving increasing levels of attention as “cyber criminals are evolving their tradecraft with new innovations and increasingly automating their attacks”, according to the 2020 Global Threat Intelligence Report (GTIR) by NTT Ltd. 

You only have to look back to 2017 for a clear example of what can happen should a logistics operator be caught unaware by malware. In this scenario the shipping giant Maersk had their IT systems taken out by a vicious malware called NotPetya. With roughly one container shipping into port every 15 minutes you can imagine the logistical nightmare that ensued as the company was forced to turn to manual processes to keep things moving. It was estimated that the delayed operations, lost revenue, and the process of completely rebuilding their IT systems cost Maersk upwards of $300 million.

NotPetya, developed by the Russian military, was targeting businesses in Ukraine – but the malware quickly got out of hand. Soon it was spreading around the world, taking down networks and causing billions of dollars in damage and lost revenue. Meaning, in this scenario, Maersk was simply collateral damage.

Despite this, according to The State of Logistics Technology Report 2019 by EFT, “the logistics industry is still not seeing security as a primary part of business operations” even with clear examples of what can happen. In this report, researchers surveyed more than 500 industry professionals with questions relating to cybersecurity and found: 

• Only 35% of solutions/service providers have a Chief Information Security Officer (CISO) in place;

• Only 43% of shipping companies have a CISO;

• Only 21% of logistics companies believe they even need a CISO.

Transportation is already heavily reliant on Information Communication Technology (ICT), and virtual threats are growing in frequency and complexity. For this reason, cyber threats are an increasingly worrisome problem across multiple industries. Additionally, for transportation and logistics cyber attacks as part of an attack designed to induce physical damage is an additional attack vector of increasing commonality.

OSINT Software for a More Secure Future

Some organisations operate with hundreds of individual suppliers. Disruption to any of these suppliers anywhere along the supply chain could have costly ramifications. Maersk is just one example of this, operations weren’t returned to normal for nearly two weeks, and even with employees across the company going above and beyond to maintain operational efficiencies, losses for customers and themselves quickly climbed into the millions.

Security investments provide a payback not only in terms of loss prevention but also by enhancing supply chain performance. When it comes to security and supply chain management, it’s especially important to look at future scenarios and manage security proactively. Reacting to crisis situations is not enough. Companies have to find the right combination of preventive and reactive measures to achieve the optimal level of supply chain security. 

Executives should keep an eye on so-called wildcard events too. That means looking at the possible financial impact, the relative vulnerability of their business model and their company’s ability to react to low-probability, high-impact events. 

How Signal is Already Helping Secure Logistics Supply Chains

Signal Open Source Intelligence software allows you to gather hyper-relevant real-time data giving users a clear oversight of their often vast supply chain operations. 

This means they will have details of potential disruptions or cyber-attacks before, or as, they are happening allowing them to implement their contingency plans in a timely fashion and prevent unnecessary financial losses.