Playbook

Finding and tracking bad actors (without becoming one)

Defensive telemetry, OSINT guardrails, and when to call in specialists.


Hunting should expose attacker behavior, not create legal risk. Use defensible telemetry and open-source intelligence under strict ethics and laws.

This playbook shows how we, and the contractors and partners who work with us, hunt safely: what data to collect, how to run OSINT without crossing legal or ethical lines, and the specific triggers for escalating to specialists or law enforcement.

Scope, legality, and ethics (start here)

  • No hacking back: do not access, alter, or degrade systems you do not own or have explicit written authorization to test.
  • Minimize personal data: collect only what you need to defend; apply retention limits and access controls.
  • Document authority: who approved the hunt, what assets are in scope, and which tools/sources are allowed.
  • Deconflict with privacy, legal, and HR: agree on rules for handling employee or customer identifiers before you start.

Defensive telemetry that pays off

You cannot track adversaries you cannot see. Focus on high-signal, low-drama data you already control.

  • Identity first: sign-in logs, token issuance, device posture, conditional access decisions, and admin actions.
  • Email/SaaS: OAuth grants, inbox rule changes, external forwarding, app consent prompts, and unusual download bursts.
  • Web & API: authorization failures broken down by tenant and object, 4xx/5xx outliers, session anomalies (country hops, user-agent drift within one session).
  • Endpoint: process and network telemetry for browsers and identity brokers (the components that hold tokens and cookies); indicators of script injection and session-cookie theft.
  • CI/CD: runner provenance, artifact signing/verification events, and pushes to protected branches.
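The identity and email signals above are only useful once they are turned into hunt rules. The following is an added example, not code from the original playbook: three small rules run over constructed JSON-lines audit events. The log schema (field names such as `event`, `session`, `ua`, `scopes`) is an assumption; real sign-in and mailbox audit logs use vendor-specific formats that you would map into this shape first.

```python
"""Hunt rules over constructed identity and email log lines.

Added example, not part of the original playbook. The one-JSON-object-per-line
format and its field names are assumptions; map your vendor's sign-in and
mailbox audit schema into this shape before using the rules.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). Alice shows a country hop, a
# risky OAuth consent and then an external forwarding rule; Bob's session
# token is reused by a script with a different user agent; Carol is benign.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "event": "signin", "user": "alice", "session": "s1", "country": "DE", "ua": "Chrome/124 Windows"}
{"ts": "2024-05-01T08:20:00Z", "event": "signin", "user": "alice", "session": "s2", "country": "NG", "ua": "Chrome/124 Windows"}
{"ts": "2024-05-01T08:25:00Z", "event": "oauth_consent", "user": "alice", "app": "Mail Sync Pro", "scopes": ["Mail.ReadWrite", "offline_access"]}
{"ts": "2024-05-01T09:10:00Z", "event": "inbox_rule", "user": "alice", "action": "forward", "target": "drop@example.net", "external": true}
{"ts": "2024-05-01T09:00:00Z", "event": "signin", "user": "bob", "session": "s3", "country": "US", "ua": "Firefox/125 macOS"}
{"ts": "2024-05-01T09:05:00Z", "event": "api_call", "user": "bob", "session": "s3", "ua": "python-requests/2.31"}
{"ts": "2024-05-02T09:00:00Z", "event": "signin", "user": "carol", "session": "s4", "country": "US", "ua": "Safari/17 iOS"}
{"ts": "2024-05-02T11:00:00Z", "event": "signin", "user": "carol", "session": "s5", "country": "CA", "ua": "Safari/17 iOS"}
"""

HOP_WINDOW = timedelta(minutes=60)      # two countries inside this window is a hop
CHAIN_WINDOW = timedelta(hours=24)      # consent followed by external forward
RISKY_SCOPES = {"Mail.ReadWrite", "Mail.Read", "Files.ReadWrite.All"}  # assumed list


def parse(log_text):
    """Parse JSON lines, convert timestamps, and sort chronologically."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def country_hops(events):
    """Same user signs in from two different countries within HOP_WINDOW."""
    last = {}
    hits = []
    for e in events:
        if e["event"] != "signin":
            continue
        prev = last.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= HOP_WINDOW:
            hits.append((e["user"], prev["country"], e["country"]))
        last[e["user"]] = e
    return hits


def ua_drift(events):
    """One session id presents more than one user agent (token replayed elsewhere)."""
    seen = defaultdict(set)
    for e in events:
        if "session" in e and "ua" in e:
            seen[e["session"]].add(e["ua"])
    return sorted(s for s, uas in seen.items() if len(uas) > 1)


def consent_then_forward(events):
    """Risky OAuth consent followed by an external forwarding rule within CHAIN_WINDOW."""
    consents = defaultdict(list)
    hits = []
    for e in events:
        if e["event"] == "oauth_consent" and RISKY_SCOPES & set(e.get("scopes", [])):
            consents[e["user"]].append(e)
        elif e["event"] == "inbox_rule" and e.get("external") and e.get("action") == "forward":
            for c in consents[e["user"]]:
                if timedelta(0) <= e["ts"] - c["ts"] <= CHAIN_WINDOW:
                    hits.append((e["user"], c["app"], e["target"]))
                    break
    return hits


def run_hunt(log_text=SAMPLE_LOG):
    """Run all rules and return their hits keyed by rule name."""
    events = parse(log_text)
    return {
        "country_hops": country_hops(events),
        "ua_drift": ua_drift(events),
        "consent_then_forward": consent_then_forward(events),
    }


if __name__ == "__main__":
    for rule, hits in run_hunt().items():
        print(rule, hits)
```

Each rule returns the minimum needed to act (user, the two countries, the app, the forwarding target) rather than the full event, which keeps the output aligned with the data-minimization rule above. Carol's two-hour gap between countries is deliberately below the threshold; tune HOP_WINDOW against your own travel baseline rather than copying this value.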

OSINT guardrails (look, don’t touch)

  • Passive collection only: search engines, public repos, breach corpora obtained through lawful providers, WHOIS, passive DNS, open forums.
  • No pretexting or infiltration without counsel: avoid sockpuppet engagement, DMs, or joining private groups.
  • Respect platform TOS and sanctions lists; do not pay or materially support criminal services.
  • Record sources and timestamps; preserve copies with hashes for chain-of-custody.

Method: link indicators without overreach

  1. Start from your own evidence: domains, IPs, hashes, wallets, usernames observed in your logs.
  2. Pivot passively: map infrastructure overlaps (registrars, name servers, TLS certs, repo handles) without contacting the actor.
  3. Cluster, don’t attribute: label with neutral tags like “Cluster A (invoice edits)” until multiple signals align.
  4. Close the loop: build detections and blocks tied to the cluster (domains, fingerprints, behavior).
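The four steps above (start from your own evidence, pivot passively, cluster with neutral labels, close the loop with controls) fit in one small routine. This is an added example, not the playbook's own tooling: the seed indicators, the enrichment records and the list of "noisy" attributes are constructed, and in practice the enrichment would come from passive DNS, WHOIS history and certificate transparency queries you run yourself, never from touching the actor's infrastructure.

```python
"""Passive infrastructure pivoting with neutral cluster labels.

Added example, not from the original playbook. SEEDS, ENRICHMENT and NOISY
are constructed for illustration. Linking is by shared attributes only;
attributes that many unrelated sites share (big hosting providers, popular
registrars) are excluded so that a cluster never rests on a coincidence.
"""
from collections import defaultdict
from itertools import combinations

# Constructed: indicators observed in our own logs (step 1).
SEEDS = ["invoice-pay.example", "secure-login.example",
         "cdn-assets.example", "partner-docs.example"]

# Constructed passive enrichment (step 2): registrar, name server,
# TLS certificate fingerprint and resolved IP per indicator.
ENRICHMENT = {
    "invoice-pay.example":  {"registrar": "RegA", "ns": "ns1.cheapdns.example", "cert": "sha256:aaaa", "ip": "203.0.113.10"},
    "secure-login.example": {"registrar": "RegA", "ns": "ns1.cheapdns.example", "cert": "sha256:bbbb", "ip": "203.0.113.11"},
    "cdn-assets.example":   {"registrar": "RegB", "ns": "ns1.bigcloud.example", "cert": "sha256:cccc", "ip": "198.51.100.7"},
    "partner-docs.example": {"registrar": "RegC", "ns": "ns1.bigcloud.example", "cert": "sha256:aaaa", "ip": "198.51.100.8"},
}

# Attributes too common to count as a link (assumed list; build yours from frequency data).
NOISY = {("ns", "ns1.bigcloud.example"), ("registrar", "RegB")}


def overlaps(a, b, enrichment):
    """Attributes two indicators share, ignoring NOISY ones."""
    shared = []
    for key, val in enrichment[a].items():
        if enrichment[b].get(key) == val and (key, val) not in NOISY:
            shared.append((key, val))
    return shared


def cluster(seeds, enrichment, min_overlap=1):
    """Union-find over seeds; join two when they share >= min_overlap attributes.

    Returns (labeled clusters, links) where links records why each join
    happened, so the cluster can be defended or unwound later (step 3).
    """
    parent = {s: s for s in seeds}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    links = []
    for a, b in combinations(seeds, 2):
        shared = overlaps(a, b, enrichment)
        if len(shared) >= min_overlap:
            links.append((a, b, shared))
            parent[find(a)] = find(b)

    groups = defaultdict(list)
    for s in seeds:
        groups[find(s)].append(s)
    # Neutral labels in order of first appearance: Cluster A, Cluster B, ...
    labeled = {}
    ordered = sorted(groups.values(), key=lambda members: seeds.index(members[0]))
    for i, members in enumerate(ordered):
        labeled["Cluster " + chr(ord("A") + i)] = sorted(members)
    return labeled, links


def blocklist(labeled, enrichment, label):
    """Control-ready artifacts for one cluster (step 4): domains, certs, IPs."""
    members = labeled[label]
    return {
        "domains": members,
        "certs": sorted({enrichment[m]["cert"] for m in members}),
        "ips": sorted({enrichment[m]["ip"] for m in members}),
    }


if __name__ == "__main__":
    labeled, links = cluster(SEEDS, ENRICHMENT)
    print(labeled)
    for a, b, shared in links:
        print(f"{a} <-> {b}: {shared}")
    print(blocklist(labeled, ENRICHMENT, "Cluster A"))
```

With the default threshold of one shared attribute, the two sites on the same cheap registrar and name server join, and partner-docs.example joins them through the reused certificate fingerprint; cdn-assets.example stays alone because its only overlap is a big-provider name server that is on the noisy list. Raising min_overlap to 2 drops the single-certificate link, which is the knob to turn when a cluster starts to feel like a narrative rather than evidence. Certificate fingerprints are themselves noisy on shared CDNs, so add those to NOISY as you learn them.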

Handling sensitive data and evidence

  • Tag evidence with case IDs, collection method, and hash; avoid copying more personal data than needed.
  • Store in a restricted workspace with audit logging; set automatic retention and review gates.
  • Separate analysis notes from raw artifacts; keep a timeline of actions and decisions.
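The evidence-handling rules above and the chain-of-custody point in the OSINT guardrails (record sources and timestamps, preserve copies with hashes) come down to one manifest that every collected artifact passes through. The following is an added example, not the playbook's own tooling: the artifact contents, case id and 90-day retention default are constructed, and the JSON-lines manifest layout is an assumption chosen so the record can be diffed and audited later.

```python
"""Evidence manifest with hashes, sources, collection method and review dates.

Added example, not from the original playbook. Artifact bytes, the case id
and DEFAULT_RETENTION are constructed; the manifest fields are an assumption.
The manifest lives in the restricted, audit-logged workspace; raw artifacts
are stored separately and re-hashed against it before anyone relies on them.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

DEFAULT_RETENTION = timedelta(days=90)   # assumed default; set from your policy


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def add_artifact(manifest, case_id, source, method, content, collected_at,
                 retention=DEFAULT_RETENTION, note=""):
    """Append one record for raw bytes exactly as collected; return the record."""
    record = {
        "case_id": case_id,
        "artifact_id": f"{case_id}-{len(manifest) + 1:04d}",
        "source": source,                 # where it came from: URL, feed, log query
        "method": method,                 # passive collection method used
        "collected_at": collected_at.isoformat(),
        "sha256": sha256_hex(content),
        "size": len(content),
        "review_after": (collected_at + retention).isoformat(),  # retention gate
        "note": note,                     # factual only; analysis notes live elsewhere
    }
    manifest.append(record)
    return record


def verify(manifest, store):
    """Re-hash stored bytes; return artifact ids that are missing or altered."""
    bad = []
    for r in manifest:
        data = store.get(r["artifact_id"])
        if data is None or sha256_hex(data) != r["sha256"]:
            bad.append(r["artifact_id"])
    return bad


def due_for_review(manifest, now_iso):
    """Artifact ids whose retention gate has passed at the given ISO-8601 time."""
    now = datetime.fromisoformat(now_iso)
    return [r["artifact_id"] for r in manifest
            if datetime.fromisoformat(r["review_after"]) <= now]


def to_jsonl(manifest):
    """Stable one-record-per-line serialization for the audit-logged workspace."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in manifest)


def demo():
    """Build a two-artifact manifest from constructed bytes (stand-ins for a
    web-archive snapshot and a passive DNS export)."""
    manifest, store = [], {}
    t0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    page = b"<html>invoice-pay.example landing page (archive snapshot)</html>"
    pdns = b"invoice-pay.example,A,203.0.113.10,2024-04-28\n"
    r1 = add_artifact(manifest, "CASE-0042", "web archive snapshot of invoice-pay.example",
                      "passive:web-archive", page, t0)
    r2 = add_artifact(manifest, "CASE-0042", "passive DNS export", "passive:pdns",
                      pdns, t0 + timedelta(minutes=5))
    store[r1["artifact_id"]] = page
    store[r2["artifact_id"]] = pdns
    return manifest, store


if __name__ == "__main__":
    manifest, store = demo()
    print(to_jsonl(manifest))
    print("mismatches:", verify(manifest, store))
    print("due for review:", due_for_review(manifest, "2024-07-30T12:00:00+00:00"))
```

The hash is taken over the bytes as collected, before any normalization, so later analysis copies can be compared back to the original. Keep analysis notes out of the record: the `note` field is for facts about collection (which query, which archive), and opinions about the actor belong in the separate timeline the playbook calls for.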

When to call in specialists (and who)

  • Active intrusion with material risk: bring in incident response immediately (24/7 containment, forensics, negotiation support).
  • Cross-border criminal activity or extortion: counsel coordinates with law enforcement; share only necessary indicators.
  • Financial fraud in motion: notify banks and payment providers through established channels to freeze flows.
  • Attribution needs beyond OSINT: specialized intelligence vendors can enrich clusters lawfully and at a depth passive collection cannot reach.

Metrics leaders can track

  • Time-to-detect (TTD): Median time from first malicious action to first alert.
  • Time-to-contain (TTC): Median time to revoke access, block IOCs, and stop loss.
  • IOC coverage: Percent of clusters with active detections/blocks across email, web, API, and identity.
  • False-positive rate: Noise level of hunt rules; tune for actionability.

Common anti-patterns that create risk

  • Engaging adversaries directly under a false identity without counsel or approvals.
  • Acquiring illegal datasets or paying forums for access, creating legal and ethical exposure.
  • Attributing too early; locking onto a narrative that biases detection and response.
  • Collecting broad personal data with no plan to protect or purge it.

What to do this week

  1. Publish hunt rules: what’s allowed, who approves, and retention defaults for collected data.
  2. Enable high-signal identity and email logs; verify you can see OAuth grants, inbox rules, and session anomalies.
  3. Stand up an OSINT notebook template that records sources, timestamps, and hashes by default.
  4. Pre-negotiate IR retainer and law-enforcement contact paths with counsel.
  5. Create a simple blocklist/policy update routine so new indicators land in controls within hours.

The safest hunt is disciplined and boring: collect the right telemetry, enrich it passively, and act quickly inside your span of control. When the trail leaves your fence line, bring in specialists. That’s how you track bad actors—without becoming one.