By Jonathan Tomek, VP of Research and Development, Digital Envoy
Cyber security professionals were never worry-free; there are simply too many nefarious players who have much to gain by hacking into corporate networks and systems to steal an organization’s valuables or harm its reputation. 2021 was a particularly heinous year, with a record number of ransomware attacks and high-profile breaches like the SolarWinds debacle. We ended the year with the discovery of a vulnerability in Log4j, and the realization that it could bring down the entire Internet.
Role of IP-Based Data and Security
Cyber security professionals are keen to access and deploy every available tool to help them secure their networks. IP address-based data by itself won’t provide security, but it offers a level of context that will enhance virtually every security strategy in place today.
Behind every IP address is a set of characteristics or context that is crucial for security professionals. IP address-based data lets them know where that traffic originates, and whether it is proxied, masked, or circumvented in some way, shape, or form.
IP address data can also fuel traffic and threat analytics, enabling security professionals to understand where attacks originate and what nefarious traffic looks like. They can use that insight to set rules and alerts for traffic that meets specific criteria, as discussed below.
Some IP address-based datasets include additional insights, such as the history and velocity of an IP address (i.e. the number of times its assignment has changed) and the number of observation points and devices associated with it.
Below are some of the security use cases for IP address-based data.
Web Application Firewall (WAF)
Location data will always offer value from a web application firewall (WAF) security perspective because cloud providers don’t want traffic from specific areas known for fraudulent activity. They want the ability to handle and manage traffic from suspect regions, and there are a variety of reasons for this.
For instance, some countries don’t restrict hacking or break-ins of computer systems located outside of their borders. Russia is a primary example of a country that allows attacks on any country other than its own. In fact, Russia will not extradite a hacker who has attempted to, or successfully, break into any other country’s systems.
IP address location data allows administrators to flag traffic by location of origin, and process it according to a set of internal rules, such as invoking multifactor authentication steps.
VPN usage is increasing worldwide, reaching $31 billion in 2021, with the potential of exceeding $90 billion by 2027. That growth is being driven at the household level by consumers who view VPNs as a way to keep their browsing habits safe from prying eyes. Meanwhile, corporate VPN usage is up due to the hybrid work models and remote work that grew out of the pandemic.
The increased adoption of residential proxies, combined with the increased use of commercial VPNs, is a worrying trend for security professionals, but more on that later. What’s important here is the context of the IP addresses that access corporate systems.
IP address-based data can help security professionals identify proxied traffic, as well as provide rich insights that they can leverage to detect potential criminal activity, including connection type, log-in location, and infected systems. Credential-stuffing attacks that use compromised user credentials to log into systems are becoming more sophisticated by leveraging VPNs or proxies to avoid being put on an IP address block list.
I must admit, IoT devices concern me the most these days, especially when we consider them in the context of remote work. Internet-connected devices are plentiful, inexpensive, and easy to connect to a home WiFi router. Most consumers don’t even update their home routers, and still fewer look for the most recent security updates for their smart plugs, web cameras, coffee makers, or televisions.
Some manufacturers are unable to release security patches, as they’ve gone out of business or were acquired and have sunsetted their products. This is what we like to call low-hanging fruit, which is why malicious actors target these devices so frequently.
This introduces a huge vulnerability for the work computer that shares that home network. Malware can enter a home through a mobile phone or smart TV, and wend its way to the work laptop and ultimately a corporate network. There are over 45 billion IoT devices in the world today, all of which can threaten a network.
IP address-based data can help mitigate this threat in a few ways. Security teams can use it to ensure that traffic comes from the same location as their employees’ homes. It can inform the security team if a malicious actor is trying to break in from another location. If an attacker attempts to use a VPN to log in from an area near the employee, this could still be flagged, as the VPN exit may be in another city or state to which the employee has never been.
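As an added example (not code from the article or from Digital Envoy), here is a Python sketch of the rule set described above: a constructed IP-context table stands in for a commercial feed, and each login is checked for a suspect origin country, proxied or VPN traffic, and a mismatch with the employee's usual location, yielding allow, step-up MFA, or block. The address ranges, rule lists and employee records are all invented for illustration.

```python
import ipaddress

# Constructed IP-context table standing in for a commercial IP-data feed.
# Only documentation ranges are used; the attributes are made up.
IP_CONTEXT = {
    ipaddress.ip_network("203.0.113.0/24"): {"country": "US", "region": "IL", "proxy": None},
    ipaddress.ip_network("198.51.100.0/24"): {"country": "US", "region": "TX", "proxy": "vpn"},
    ipaddress.ip_network("192.0.2.0/24"): {"country": "RU", "region": None, "proxy": None},
}

# Hypothetical internal rules: countries the WAF treats as suspect, and the
# country/region each employee normally works from.
SUSPECT_COUNTRIES = {"RU"}
EMPLOYEE_HOME = {"alice": ("US", "IL"), "bob": ("US", "TX")}

UNKNOWN = {"country": None, "region": None, "proxy": None}


def lookup(ip: str) -> dict:
    """Return the context record for an IP, or UNKNOWN when no range matches."""
    addr = ipaddress.ip_address(ip)
    for net, ctx in IP_CONTEXT.items():
        if addr in net:
            return ctx
    return UNKNOWN


def evaluate_login(user: str, ip: str) -> tuple[str, list[str]]:
    """Apply the rules to one login attempt.

    Returns ('allow' | 'mfa' | 'block', reasons). Suspect-country traffic is
    blocked outright; proxied traffic, an unknown source, or a location that
    differs from the employee's usual one triggers a multifactor step.
    """
    ctx = lookup(ip)
    reasons = []
    if ctx["country"] in SUSPECT_COUNTRIES:
        return "block", ["origin country on suspect list"]
    if ctx["country"] is None:
        reasons.append("no context for source IP")
    if ctx["proxy"]:
        reasons.append(f"traffic is proxied ({ctx['proxy']})")
    home = EMPLOYEE_HOME.get(user)
    if home and (ctx["country"], ctx["region"]) != home:
        reasons.append(
            f"login location {ctx['country']}/{ctx['region']} differs from usual {home[0]}/{home[1]}"
        )
    return ("mfa" if reasons else "allow"), reasons
```

Note that bob logging in through the VPN range is still flagged even though its exit sits in his home region, which is the point made above about VPN exits near the employee.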
Cyber threats grow more sophisticated by the day. By understanding the context of legitimate traffic — e.g. traffic that originates where employees, customers, and business partners are located — security professionals can take steps to protect their networks, flag problematic traffic, and gain additional insights into the threats they face.
About the Author
Jonathan Tomek, VP of Research and Development, Digital Envoy is a seasoned threat intelligence researcher with a background in network forensics, incident handling, malware analysis, and many other technical skills.
Jonathan served in the United States Marine Corps. He worked at multiple threat intelligence companies and built their threat capabilities to include identifying tactics, techniques, and procedures of malicious actors. He led several technical cybercrime and espionage teams in their initiative to enhance technical efficiency in malware analysis, malicious actor tracking, and tool development.
He is a co-founder of THOTCON, a world-renowned hacking and security conference hosted in Chicago. As a researcher and leader, he has spoken at many security conferences around the world. He has won or placed in multiple national hacking competitions, including DEFCON CTF.