Security Experts:

Connect with us

Hi, what are you looking for?



Using an Attacker’s ‘Shadow’ to Your Advantage

Digital Shadows

Digital Shadows

With more than three billion individuals interacting across social media, mobile and cloud services, digital footprints are increasing. The age of digital business has, for the most part, been a positive thing. It has increased the ease and speed of communication at the same time as reducing the cost. However, some of this information can be inadvertently exposed and may be used maliciously.

A ‘digital shadow’ is a subset of a digital footprint and consists of exposed personal, technical or organizational information that is often highly confidential, sensitive or proprietary. Adversaries can exploit these digital shadows to reveal weak points in an organization and launch targeted attacks.

This is not necessarily a bad thing, though. Some digital shadows can prove advantageous to your organization; the digital shadows of your attackers.

The adversary also casts a shadow similar to that of private and public corporations. These ‘shadows’ can be used to better understand the threat you face. This includes attacker patterns, motives, attempted threat vectors, and activities. Armed with this enhanced understanding, organizations are better able to assess and align their security postures.

The chief aim of cyber criminals is to make money. The anonymity offered by the ‘dark web’ creates a safe-haven for these actors. By observing what is being sold on online marketplaces, you can gain a better understanding of the latest tools being used and which vulnerabilities are being exploited. You can then use this information to better position your security defenses.

You need not penetrate the dark web in order to exploit the shadows of adversaries, however. Hacktivist activity, for example, more typically uses social media such as Twitter and Facebook, and sharing sites such as Pastebin.

Hacktivists tend to be more visible and easy to track because a primary motivation is to be heard and cause disruption and embarrassment. Their activity can be broken down into three main parts:

1. Indication and warning – Social media is a useful tool for monitoring for hacktivist operational announcements. The use of operational hashtags, which are prevalent, aids this process. Groups will invariably provide operation names and specify target lists. If a hacking group name you on a target list, you are going to want to know.

2. Evidence of attack – You can also monitor for claims of defacements, DDoS attacks and breaches. This may occur on social media, often Twitter, but also on code-sharing sites such as Pastebin. Getting there first can help to reduce the reputational impact on your organization. But it also helps from a historical view; understanding what tactics, techniques and procedures (TTPs) have used in the past help you to gauge how to best prioritize defense spending.

3. Significant activity – Organizations can monitor social media and news sources for significant activity. While more mature organizations may use Activity Based Intelligence (ABI) to draw this information out, this approach need not be that complex. This approach may simply include observing arrests, reference to new techniques, declaration of links to other groups or actors.

The dark web can be a useful place to find out about the latest TTPs of cyber criminals, but do not underestimate the power of social media and sharing sites. These can provide a valuable insight into the activities, motivations and TTPs of attackers. Simply put, those who possess an understanding of these will be in a stronger position to defend themselves.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...