The Thin Line Between Threat Intelligence And Doxxing


Doxxing. Although the term has circulated in cybersecurity news for over a decade, Elon Musk gave it universal recognition in December 2022 when he, as the owner and CEO of Twitter, suspended the handle @ElonJet.

Reason? Doxxing.

Jack Sweeney, a 19-year-old freshman at the University of Central Florida, started monitoring and sharing information about Elon Musk’s flight paths in June 2020. The updates were published live on @ElonJet.

Elon Musk reportedly offered Sweeney $5,000 to shut down the Twitter account where he was publishing the information, but Sweeney turned down the offer and requested $50,000 instead.

Musk did not pay. The account (@ElonJet) went on to gain over 300,000 followers and was blocked by Twitter in December 2022, with Musk citing concerns about his personal security.

The fact that Musk’s flight details were drawn from publicly available data triggered a debate on whether Sweeney’s act constitutes doxxing, and a larger question about when open-source intelligence (OSINT) methods and processes can be considered doxxing.

Collecting and sharing cyber threat intelligence is never doxxing, cybersecurity practitioners told The Cyber Express. Where exactly the line between threat intelligence and doxxing falls, however, remains open to interpretation.

Doxxing, Musk, and open source information

Doxxing – short for dropping documents – is the act of compiling and publishing personally identifiable information (PII) about a person, a group of people, or a firm on the internet.

Sweeney’s initial motivation for tracking flights was his hobby, which began with monitoring influential personalities’ jets but expanded as he gained popularity.

At a very young age, his work has brought him unexpected fame and recognition, with a large following on his social media accounts and numerous media articles covering his work.

Reports indicate that Sweeney tracks more than 127 other aircraft, including those used by influential individuals such as Bill Gates, Jeff Bezos, and Donald Trump, several Russian oligarchs, and Vladimir Putin.

He also recognized the potential of transforming his hobby into a business due to the significance of the information he had access to. As part of a deal, he agreed to stop tracking Mark Cuban’s jet in exchange for business advice.

After failed negotiations between Musk and Sweeney, tables turned when Musk acquired Twitter.

The @Elonjet account was restricted in December 2022 and subsequently blocked, along with the personal Twitter handle and other flight tracking accounts operated by Sweeney.

The move was part of a larger wave of Twitter account suspensions in December 2022, and it fuelled conspiracy theories that Musk’s hurried and heated purchase of Twitter had been motivated by a desire to take these accounts down and silence the conversation around them.

Ten journalists, including Keith Olbermann, Steven L. Herman, and CNN’s Donie O’Sullivan, along with reporters from The New York Times, The Washington Post, and The Intercept, had their Twitter accounts suspended by the platform on December 15, 2022.

According to Musk, they were in violation of the doxxing policy, announced a day before the ban. At first, it was believed that the suspensions were permanent, but Musk later clarified that access to the accounts would only be restricted for seven days. Some of the accounts were restored earlier.

Twitter initially offered no explanation for the decision, but later said the ban followed a new rule prohibiting the sharing of real-time flight information about private jets.

All the suspended accounts had one thing in common: they had posted information attributed to the @ElonJet account or links to it. @ElonJet and similar accounts were suspended from Twitter on December 14, 2022, but continued to operate on Facebook, Mastodon, and other social media platforms.

“Any account doxxing real-time location info of anyone will be suspended, as it is a physical safety violation,” Musk tweeted then.

Many of the suspended journalists said they had not violated the rule: some had linked to @ElonJet in their articles or reported on the account, but the account had already been suspended by the time those reports were published.

Mastodon’s Twitter account was also suspended after linking to @ElonJet. Musk ran two Twitter polls asking followers when the accounts should be restored, and in both cases, a majority of users said it should happen immediately.

Following those polls, Musk reinstated several of the accounts, but others remained suspended, and some journalists were told that their accounts would not be restored unless they deleted certain posts, as outlined in the Twitter enforcement policy.

The suspensions received criticism from various organizations and individuals, who claimed that they undermined Musk’s repeated claims of supporting free speech on Twitter. The suspensions were condemned by representatives of several countries and organizations, including the United Nations and the European Union.

EU officials said the actions may have violated the Digital Services Act, which could result in sanctions or even a ban of Twitter in Europe. The Government Accountability Project filed a complaint with the United States Congress regarding the suspensions.

All the while, Musk had been adamantly citing doxxing as the major reason for suspending all these accounts. Where does open source intelligence turn into doxxing? Can threat intelligence be considered doxxing?

OSINT, threat intelligence, and doxxing

Cyberattacks are a significant threat to organizations, and Cyber Threat Intelligence (CTI) is a crucial tool for preventing, detecting, and responding to these attacks.

Details of vulnerabilities and alerts about data breaches and ransomware attacks also fall under threat intelligence. Threat intelligence is not the same as doxxing, although the two share some collection methods, cybersecurity practitioners told The Cyber Express.

“The main difference between threat intelligence and doxxing is the intention and purpose behind the collection of information,” Amit Spitzer, Chief Security Officer at Cato Networks, told The Cyber Express.

“Threat intelligence is focused on identifying potential security risks and protecting against them, while doxxing is often done with malicious intent and can be used to harm.”

CTI can be classified into three types: strategic, tactical, and operational. Each type serves a unique purpose, and integrating them provides a comprehensive understanding of the threats an organization faces.

Strategic CTI is long-term planning that identifies broad trends. It assesses an organization’s overall risk posture and helps formulate strategies to mitigate potential risks.

Tactical CTI covers the tactics, techniques, and procedures (TTPs) adversaries use against organizations like yours, so that defenders can tune detections and controls to identify and mitigate those threats.

Operational CTI provides near-real-time information about specific campaigns and active intrusions. It lets responders follow adversary activity as it unfolds and act quickly to thwart an attack, and it helps organizations understand the motives and capabilities of their adversaries, as well as their likely next steps.

“Threat intelligence is the collection and analysis of information about potential threats to an organisation or individual. This information is typically limited to Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) from threat groups,” explained Brad Freeman, Director of Technology at SenseOn.

“It does not normally extend to personal information about the actors involved in the activity.” All of this involves collecting data about the organization concerned, and sometimes about its competitors. Independent cybersecurity companies gather this data from the clear, deep, and dark web.

“Threat intelligence focuses on attacks more than attackers. And although threat intelligence might reveal personal information about attackers, doxxing is done with the intent to publicize private information,” Paul Bischoff, consumer privacy advocate at Comparitech, told The Cyber Express.

“Part of an organization’s threat intelligence might involve internally digging up information about employees to see who on staff might be vulnerable to doxxing or other attacks, but that info is not publicized.”
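The distinction Freeman and Bischoff draw is practical as well as ethical: a report that is about to leave the organisation should carry the IOCs (infrastructure, hashes) and drop the personal data about employees or suspected actors. The script below is an added example written for this article, not code from The Cyber Express or any firm quoted here. It redacts common PII shapes from a draft report, then extracts IOCs from what remains, with one deliberate exception: an address the analyst has confirmed as adversary-controlled (for instance a phishing sender) is kept, because in that case it is an indicator rather than personal data. The regexes, the `adversary_controlled` allow-list, and the sample report are all constructed for illustration; names are left to the analyst because detecting them reliably needs more than a regex.

```python
"""Separate shareable indicators (IOCs) from personal data (PII) in a draft
threat-intelligence report.

Added example, not code from The Cyber Express or any firm quoted in the
article. The regexes and the sample report are constructed for illustration;
production tooling would use a full IOC extractor and a PII classifier."""
import re
from dataclasses import dataclass

# Network indicators that belong in a shared report (attack infrastructure,
# payload hashes).  Illustrative patterns only.
IOC_PATTERNS = {
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "domain": re.compile(
        r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ru|xyz|top)\b", re.I),
}

# Personal data about people (victims or suspected actors) that should not
# leave the organisation.  Names are deliberately not handled: detecting them
# needs NER, so the analyst still has to read the output before sharing.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(
        r"(?<!\d)(?:\+?1[ .-])?\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}(?!\d)"),
    "home_address": re.compile(
        r"\b\d{1,5}\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)*\s+"
        r"(?:St|Street|Ave|Avenue|Rd|Road|Dr|Drive)\b"),
}


@dataclass
class ScrubResult:
    text: str                       # report with PII replaced by placeholders
    iocs: dict[str, list[str]]      # indicators safe to share, by type
    redacted: dict[str, list[str]]  # personal data removed, by type


def scrub_report(report: str, adversary_controlled=frozenset()) -> ScrubResult:
    """Redact PII from `report`, then extract IOCs from what remains.

    `adversary_controlled` (hypothetical analyst allow-list) holds values that
    look like PII but are attacker infrastructure, e.g. a phishing sender
    address; those stay in the report because they are indicators, not
    personal data about a person.
    """
    redacted = {kind: set() for kind in PII_PATTERNS}
    text = report
    for kind, pattern in PII_PATTERNS.items():
        def _redact(match, kind=kind):
            value = match.group(0)
            if value.lower() in adversary_controlled:
                return value
            redacted[kind].add(value)
            return f"[REDACTED {kind}]"
        text = pattern.sub(_redact, text)

    # IOC extraction runs on the redacted text, so a victim's mail domain
    # does not leak out as a "domain" indicator.
    iocs = {kind: sorted({m.group(0) for m in pattern.finditer(text)})
            for kind, pattern in IOC_PATTERNS.items()}
    return ScrubResult(text=text, iocs=iocs,
                       redacted={k: sorted(v) for k, v in redacted.items()})


# Constructed sample: a draft internal report that mixes attacker
# infrastructure with details about the targeted employee.
SAMPLE_REPORT = """Incident 2023-04: phishing wave against finance staff.
Sender billing@secure-pay.example.net linked to C2 at 203.0.113.45
(update.cdn-sync.example.com). Payload SHA-256:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
Analyst note: targeted user Jane Doe, jane.doe@corp.example.com,
desk phone (212) 555-0142, lives at 12 Elm Street."""


def demo() -> ScrubResult:
    """Scrub the sample, keeping the confirmed phishing sender as an IOC."""
    return scrub_report(
        SAMPLE_REPORT,
        adversary_controlled=frozenset({"billing@secure-pay.example.net"}))


if __name__ == "__main__":
    result = demo()
    print(result.text)
    print("IOCs:", result.iocs)
    print("Removed:", result.redacted)
```

Running `demo()` leaves the C2 address, the two attacker domains and the payload hash in the report while the employee's mailbox, phone number and street address come out as placeholders; without the allow-list the phishing sender is redacted too, and its domain disappears from the IOC list, which is exactly the kind of judgement call the quoted practitioners say has to be made about intent and target rather than by the shape of the data.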

While cybersecurity companies are unanimous that doxxing is harmful, one factor is decisive in determining whether an act of information gathering crosses from threat intelligence into doxxing: the source of the information.

“While the concept of doxxing is decades old, doxxing is still alive and well today — and it can be very dangerous. Once someone’s physical address, job location, phone number, email, or other information is out there, they become an easy target,” read an advisory by cybersecurity company Avast.

The act of doxxing has become simpler than ever in the era of technology. A person can easily search for and find personal information about someone else with just a few clicks.

Typically, this information can be located on various social media platforms, forums, and websites where people voluntarily disclose their personal details.

Doxxing can have serious consequences, including causing victims to go into hiding and face harassment, physical threats, embarrassment, fear, anxiety, and depression. However, the legality of doxxing depends on the laws of the jurisdiction in question.

“It’s usually not a crime to publish already publicly available information about a person. For example, it’s usually not illegal for you to tweet someone’s office phone number that you copied from their website,” said an analysis report by Malwarebytes Labs.

“But it is illegal if you tweet a personal phone number that you stole from a device. In other words, doxxing is generally illegal if the doxer takes the data through illegal activity.”

Take the case of Reddit user Michael Brutsch, who trolled under the online identity violentacrez. He became notorious for his controversial posts, including moderating subreddits devoted to misogyny and to sexualized images of minors.

For a long time, Brutsch successfully kept his real identity secret, but Gawker journalist Adrian Chen was able to dox him by connecting him to violentacrez.

Brutsch’s risky behavior, such as attending Reddit meetups and hosting a podcast with his voice, helped Chen uncover his true identity.

After being doxxed, Brutsch lost his job and faced public shame, compounded by a CNN interview he gave. Little is known about what happened to him afterwards, but his history as a Reddit troll remains easily accessible online. Like the ethics of doxxing, the legal view of it is highly debated and varies by jurisdiction.

Doxxing and threat intelligence: What does the law say?

The legal landscape surrounding doxxing is still developing, and while not every case may be unlawful, it can be considered unethical. Even if individuals are not prosecuted for doxxing, they may still face consequences such as being banned from social media platforms and websites.

“In the United States, the legality of a doxxing attack depends on how the information was obtained and whether the information was public before it was released. It may also depend on the specific circumstances and wider patterns of behavior surrounding the attack,” read an advisory by cybersecurity business ZeroFox.

“If a digital threat actor gains access to the target’s PII through legal means (e.g. using open source intelligence) then it may be legal to publish that information. However, if the threat actor unlawfully gains access to the target’s information, they could be charged under federal anti-hacking laws.”

The source of the information is decisive in judging the legality of a doxxing attempt, US-based law firm Salar Atrizadeh agreed.

“Doxxing is illegal especially if the published information could not be found in the public domain and was illegally obtained by the culprit. It can constitute a violation of state or federal laws if it was intended to threaten, annoy, harass, or intimidate the victim,” explained a blog post by the law firm.

“For example, doxxing a federal government employee (e.g., senator) can be in violation of federal laws. Doxxing can be illegal in some jurisdictions when the victim’s residential address and mobile number are posted on the internet to invite others to blackmail the victim.”

In many cases doxxing is not illegal, mainly because much of the information disclosed is already accessible on the internet. What distinguishes doxxers is that they go to greater lengths to unearth personal data than the average person would. The general consensus in the US is that exposing a famous person’s personal information is not in itself a criminal offense, unless it is used to make threats, commit identity theft, or gain unauthorized access to private email accounts, according to American lawyer David Lindsey.

“According to cyber crimes experts, the line between legal doxxing and criminal doxxing is actually quite clear: any information obtained cannot be used for financial gain, nor can you use the information to impersonate someone,” Lindsey wrote in an explainer.

“And if you accessed the information through illegal means, you’ve committed a crime and all actions that follow are also crimes. Posting personal information, obtained legally, in and of itself is perfectly legal.”

“Doxxing is the act of publicly releasing private or identifying information about someone without their consent. It is often done to harass, intimidate, or harm someone. The information released is likely to include home and work addresses, financial details, and other private information,” noted SenseOn’s Brad Freeman.

“To put it another way, doxxing is the work of an amateur likely against an individual. Threat Intelligence is the work of professionals against a threat group.”




