What does “Outside the Firewall” Mean to Nisos

by | Oct 13, 2021 | Blog

You have heard us say that Nisos is an expert at identifying risk and disrupting adversaries “outside the firewall.” Since we say it regularly, it’s probably worthwhile to make sure you know what “outside the firewall” means to Nisos, our partners, our clients, and you.

“Outside the Firewall” is a commonly-used cybersecurity term that describes a monitoring process that takes place outside of an organization’s local area network. In Nisos’ case, it also includes an investigative capability that uses OSINT (Open Source Intelligence) to attribute and unmask threat actors.

The monitoring process is commonly used by cyber threat intelligence teams to identify and alert on attempts that disrupt confidentiality, integrity, and availability of enterprise data systems. However, Nisos applies the data collection and analysis models more broadly outside the firewall to disrupt adversaries in attacks related to physical security, fraud, trust and safety, brand reputation, disinformation, cybersecurity, supply chain risk, and M&A diligence.

To stop adversaries, you not only need to identify what they are doing, you must also be able to accurately identify the individuals responsible. And, ideally, you want to be able to accomplish the unmasking and attribution without expending excessive resources or budgets..

Many capabilities exist for information technology and security functions “inside the firewall” on local area networks. Enterprises invest large sums of money to protect an organization’s people and assets within the perimeter. However, they often struggle when a security event takes place beyond the perimeter. Let’s take a look at some things that need to be considered “outside the firewall.”

Data Variety and Availability

It’s important to have an understanding of data that can be collected outside an organization’s firewall. Nisos is passionate about data.  We often debate strategies to better collect, aggregate, normalize, visualize, extract, transform, load, and most importantly, analyze data. 


Before we discuss the challenges faced outside the perimeter, it’s important to understand the types of data Nisos aggregates allowing us to solve difficult intelligence problems. The following graphic illustrates some of the sources of data we use in our work:

Nisos Data Collection Chart

Intelligence and Technical Capabilities

Nisos’ capabilities outside the firewall allow us to answer important intelligence questions. These capabilities include:

  • Open source intelligence research and attribution: Qualitative and quantitative collection and analysis of public, non-classified sources to deliver contextual intelligence.
  • Technical Signature Analysis: Adversarial-minded investigation of raw technical data, including off-network connection and context for on-network telemetry.
  • Threat Actor Engagement: Leveraging personas and infrastructure, Nisos engages in native language interactions on social media, open, and dark web forums. We are able to provide our clients with detailed insights about specific threats.

Brand Reputation, Executive Protection, M&A Diligence, and Third Party Risk Management

To disrupt adversaries “outside the firewall”, we use broad-based collection strategies to pool social media content and PII. We then search for keywords associated with the brand, key personnel, persons of interest, the company, or company products. We also query and automate critical external datasets, like internet activity, fraudulent domain creations, breach data, mobile signals data, and dark web content to determine security risk.


Platforms are populated with misinformation and disinformation that can impact a company’s brand and reputation. Nisos uses tools and data to watch, alert, analyze information, and identify disinformation campaigns and inauthentic behavior.

Trust, Safety, and Fraud

Malicious actors regularly target external-facing platforms, business applications, operations, and employees for e-crime, fraud, and abuse. Fraud consists of actors using a platform to defraud the company. Abuse consists of actors using a platform (potentially even as a paying customer) to defraud others. These activities generally start outside an enterprise’s perimeter in a closed channel, like Telegram or a sub-Reddit forum. After engagement with an actor, we collect information on protocols and tokens being used, as well as the brokering of information that can harm the client.


“External threat hunting” delivers alerts on activity impacting the confidentiality, integrity, and availability of enterprise data systems. Nisos goes “outside the firewall” to combat threats including social engineering exploits, ransomware attacks, phishing attacks, domain hijacking, DDoS attacks, click fraud, and account takeover. By gaining insight into attacker command and control infrastructure, we are able to gather context, enrich indicators of compromise, and  enable a more robust defense to attacks on network infrastructure and applications.

Adversary Research and Attribution

Attributing threat actors can be a resource-intensive process. In some cases, the ends do not justify the means. In other instances, attribution and unmasking are necessary to stop a threat, engage with an actor, or pursue legal remedy. Attribution doesn’t have to be resource-intensive and can often be solved quickly and efficiently by engaging experts.

Nisos specializes in providing attribution and actionability. Our advanced adversary research relies on sophisticated tradecraft to ensure accuracy. Our ability to attribute and unmask bad actors, and to do so in a manner that is unseen by the adversary, is often a critical component of resolving threats.