How D3 and ZeroFox Enable Proactive Threat Hunting and Automated Brand Protection

One of the great things about SOAR is that it can make powerful tools even more powerful, by integrating them into end-to-end, automated workflows. One such tool is ZeroFox, a full-spectrum threat intelligence and digital risk protection (DRP) platform. ZeroFox is an important technology partner of D3, and we will be teaming up to present a webinar on March 31st. You can register for that webinar here.

D3 has a comprehensive, out-of-the-box integration with ZeroFox that enables 13 commands between the platforms. Some of these commands are used to perform threat intelligence enrichment, which is an invaluable but common SOAR use case. However, there are two more exciting use-cases for our integration with ZeroFox: brand protection and proactive threat hunting.


Brand Protection Use Case

Let’s take a closer look at how brand protection might look in a security environment with D3 and ZeroFox. ZeroFox’s DRP capabilities enable users to monitor threats to their digital assets, such as domains, social media, and apps. This includes dark web activity, fraudulent websites, and trademark abuse.

When ZeroFox detects a possible instance of brand impersonation, such as a fraudulent website made to look like your website, it generates an alert in D3, which triggers a specific brand protection playbook. D3 then strips out elements of the alert, the URL of the fraudulent site, for example, and checks them against integrated threat intelligence sources to get a reputation score. D3 also scans the corporate email system to see if anyone has received emails from that URL, which would indicate a phishing campaign. If the URL is found to be malicious, or phishing emails are detected, D3 will set the incident severity to high.

From here, the D3 user can choose to orchestrate numerous response actions. They can block the URL on the firewall, run a phishing sub-playbook to identify any data exfiltration, and temporarily disable affected users via Active Directory. Through the integration with ZeroFox, a user will be assigned the incident and the URL will be added to a ZeroFox threat feed. Finally, the D3 user can choose to trigger an automated takedown order for the website through ZeroFox.

Because of the extensive integration between the two platforms, the entire investigation and response requires minimal manual steps.


Proactive Threat Hunting

The use-case we’ll focus on in our upcoming webinar is threat hunting. Specifically, how to turn ZeroFox’s high-fidelity threat reports into automated, proactive operations. Cyber Threat Intelligence teams in large organizations have to filter through dozens or hundreds of threat feeds, including detailed intelligence from sources like ZeroFox, so being able to automate the processing of information and the orchestration of tasks is hugely valuable. D3 fills this gap.

When ZeroFox produces a threat report, D3 can ingest it as a Threat Feed, which functions like an event in the platform. Then the report can be run through playbooks for threat hunting to quickly determine if any of the threats are present on the system. For example, D3 can parse a list of malicious IPs and query the SIEM and firewall for potential hits. Or D3 can search the SIEM for file hashes from the report.

However, ZeroFox’s threat reports are much more than lists of IOCs. They include valuable context and recommendations. D3 can preserve these elements by field mapping the text to the notes field when the report is ingested. So analysts can easily reference the recommendations in the report.

Investments in threat intelligence are also hard to quantify in terms of ROI. How do you report on the value of information? ZeroFox and D3 also help solve this problem. For example, a CTI or SOC manager can report that they have ingested X number of feeds, updated the blocklist X times, and ran X threat hunting playbooks. Out of that threat hunting, X IOCs were found to be involved in data exfiltration. D3 can produce these metrics for reporting, which threat intelligence platforms on their own cannot.


Learn More About D3 and ZeroFox

To learn more about D3 and ZeroFox work together to bring threat intelligence to every alert and protect your brand from reputational and financial damage, check out our integration guide here. If you’d like a closer look at the brand protection use case, we have a short video that walks you through it step-by-step.

And don’t forget to register for our webinar with ZeroFox on March 31st, where product experts from both companies will answer your questions and go in-depth on what our joint solution can do for your company.

Social Icon
Walker Banerd

Walker is D3 Security's Director of Content Marketing. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.