As we watch the tragedy in Ukraine unfold, security professionals are well aware that Russia has built a massive cyber warfare arsenal and has been willing to use it against its perceived adversaries.
In early March, the federal Cybersecurity and Infrastructure Security Agency (CISA) told USA Today: “While there are no specific and credible security threats to the US, we encourage all organizations, regardless of size, to take action now to improve their cyber security and safeguard their critical assets.”
The threat of a cyber attack is real and constant. I have been following the DDoS attacks and BGP hijacks against civilian infrastructure, but it’s hard to know precisely what’s happening amid detail-obscuring propaganda and nearly invisible network traffic, especially since Ukraine’s internet is local to Russia.
Still, it is wise to take the CISA alert to heart and follow its advice to “be prepared, improve your organization’s security posture, and increase organizational vigilance.” You’ll be glad to know that US banks are already preparing for the possibility of cyber attacks.
What should you take into account? The worst cyber attacks are extremely methodical and surgical, which means they can be difficult to stop. Therefore, hardening security requires a combination of forensic efforts and proactive mitigation. IP context data can help with both.
Implementing enhanced forensic capabilities
Hardening security requires a great deal of forensic analysis. Let’s say a nefarious actor steals the keys to the kingdom. That theft has already occurred and nothing can be done to recover the keys. But we have a copy of them and we know which keys can now be used by untrusted people. Until we can successfully change all the locks, we need to investigate everyone trying to use those keys. This is the forensic nature of security.
Knowing the who, what, when, where and how of a cyber attack is the first step in mitigating its impact and preventing further damage, and it is just as important as preventive blocking. Also, as all security professionals know, it is very difficult to block everything.
Currently, the industry is aware of a large number of “stolen keys”, which means we know that malicious actors are trying to use them. We also know which locks to change. This, by the way, is precisely why CISA recommends that organizations patch all systems, prioritize known exploited vulnerabilities, and implement multi-factor authentication.
Forensic analysis requires context: Where did this user come from? Are they masking their location through a proxy or VPN? Is the traffic coming from a business, a hosting provider, or a residential IP address? IP data can provide the context needed to perform your forensic analyses. It can also help you proactively block attacks.
Using IP data to help proactively block attacks
An IP address, at any given time, has a set of characteristics: geolocation, residential or business use, and whether it is behind a proxy, masked, or otherwise anonymized in some way.
Think of the IP address as a funnel. Let’s say a user is accessing your infrastructure and you want to know whether it’s legitimate traffic. As mentioned above, IP data can tell you where the traffic originated, whether the user is residential or business, and whether it came through a VPN. Let’s say you find out that it’s a US IP address, but it’s tied to a Russian-based VPN provider. This is a crucial and illuminating insight that leads you to ask: What other IP addresses are tied to that provider?
This IP data allows you to rely on factual information to identify potentially 10,000 other IP addresses that are related and see if any of them are trying to access your infrastructure. To put it another way, context allows you to identify the common thread among these thousands of little funnels, figure out which one is the big funnel, and investigate or block it as needed.
Examining the Context of VPN Services
Let’s consider the implications of VPN data when making decisions about who can and cannot access your network. As a security professional, you probably want to make many policy decisions based on the attributes of the VPN provider itself.
For example, is the provider located in Russia? Is it free? Many professionals are wary of free services because they know that the users themselves are the product in such scenarios. This is a particular concern for organizations with remote employees who use personal routers to log into the corporate VPN. Do employees also use a VPN to bypass internal security protections so they can access Netflix? A VPN can serve as a conduit for attacks that reach into your infrastructure from outside.
If the VPN is a paid service, does the provider allow customers to pay using anonymous cryptocurrencies? Does it promise no activity logging, a feature that makes it an attractive option for bad actors?
The more you know about a VPN and its inner workings, the smarter your decisions about which traffic to flag or block can be. By combining VPN attributes with other IP data, you can decide when to flag traffic for additional authentication and when to block it altogether.
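To make the three ideas above concrete (enriching a source address with context, pivoting from one VPN egress to every other address tied to the same provider, and turning provider attributes into a flag-or-block decision), here is an added example in Python. It is not code from the original article or from any IP-intelligence vendor; every prefix, provider name and attribute in the lookup tables is constructed for illustration, and the risk weights are an assumption chosen for this example. A real deployment would replace the tables with a commercial IP-context feed.

```python
"""Added example: a small IP-context triage engine. All data is constructed."""
import ipaddress
import re
from typing import Optional

# Constructed VPN-provider attributes (hypothetical provider names).
VPN_PROVIDERS = {
    "freetunnel-example": {"country": "RU", "free": True,
                           "anonymous_payment": False, "no_logging": True},
    "paidshield-example": {"country": "CH", "free": False,
                           "anonymous_payment": True, "no_logging": False},
    "corpvpn-example":    {"country": "US", "free": False,
                           "anonymous_payment": False, "no_logging": False},
}

# Constructed per-prefix context: country of the address, usage type, and the
# VPN provider it is tied to (None when it is not a known VPN egress).
IP_CONTEXT = [
    ("198.51.100.0/26",   {"country": "US", "usage": "hosting",     "vpn": "freetunnel-example"}),
    ("203.0.113.128/25",  {"country": "NL", "usage": "hosting",     "vpn": "freetunnel-example"}),
    ("203.0.113.0/25",    {"country": "DE", "usage": "hosting",     "vpn": "paidshield-example"}),
    ("192.0.2.0/24",      {"country": "US", "usage": "business",    "vpn": "corpvpn-example"}),
    ("100.64.0.0/16",     {"country": "US", "usage": "residential", "vpn": None}),
]
NETWORKS = [(ipaddress.ip_network(p), ctx) for p, ctx in IP_CONTEXT]

# Assumed weights: the provider's jurisdiction counts double in this example.
WEIGHTS = {"provider-in-ru": 2, "free-service": 1, "anonymous-payment": 1,
           "no-logging": 1, "hosting-ip": 1}


def enrich(ip: str) -> Optional[dict]:
    """Return the context record for an address, or None when nothing is known."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed token in a log line
        return None
    for net, ctx in NETWORKS:
        if addr in net:
            return dict(ctx)
    return None


def related_prefixes(provider: str) -> list:
    """Pivot from one VPN egress to every prefix tied to the same provider."""
    return [str(net) for net, ctx in NETWORKS if ctx["vpn"] == provider]


def risk_flags(ctx: dict) -> list:
    """Translate usage type and provider attributes into named risk flags."""
    flags = []
    if ctx["usage"] == "hosting":
        flags.append("hosting-ip")
    prov = VPN_PROVIDERS.get(ctx["vpn"] or "")
    if prov:
        if prov["country"] == "RU":
            flags.append("provider-in-ru")
        if prov["free"]:
            flags.append("free-service")
        if prov["anonymous_payment"]:
            flags.append("anonymous-payment")
        if prov["no_logging"]:
            flags.append("no-logging")
    return flags


def decide(ip: str):
    """Return (decision, flags): 'allow', 'step_up' (extra auth) or 'block'."""
    ctx = enrich(ip)
    if ctx is None:
        return "step_up", ["unknown-ip"]   # no context: ask for more proof
    flags = risk_flags(ctx)
    score = sum(WEIGHTS[f] for f in flags)
    if score >= 3:
        return "block", flags
    if score >= 1:
        return "step_up", flags
    return "allow", flags


# Constructed access-log lines (common log format); the source IP is the first token.
SAMPLE_LOG = """\
198.51.100.5 - - [01/Mar/2022:10:00:01 +0000] "POST /login HTTP/1.1" 401 -
203.0.113.7 - - [01/Mar/2022:10:00:02 +0000] "POST /login HTTP/1.1" 200 -
192.0.2.10 - - [01/Mar/2022:10:00:03 +0000] "GET /dashboard HTTP/1.1" 200 -
100.64.1.1 - - [01/Mar/2022:10:00:04 +0000] "GET / HTTP/1.1" 200 -
203.0.113.130 - - [01/Mar/2022:10:00:05 +0000] "POST /login HTTP/1.1" 401 -
"""


def triage_log(text: str) -> dict:
    """Map every distinct source IP in the log to its decision."""
    results = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)", line)
        if m and m.group(1) not in results:
            results[m.group(1)] = decide(m.group(1))[0]
    return results


if __name__ == "__main__":
    for ip, verdict in triage_log(SAMPLE_LOG).items():
        print(ip, verdict, decide(ip)[1])
    print("pivot:", related_prefixes("freetunnel-example"))
```

The funnel idea from the text is the `related_prefixes` call: once one address is tied to a risky provider, the same table yields every other prefix that provider uses, so the whole provider can be investigated or blocked rather than one address at a time. The score thresholds are the knobs a team would tune; the point is that the decision is driven by attributes of the provider (jurisdiction, free tier, anonymous payment, no logging) rather than by the address alone.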
In fact, the more backstory you can collect about the users attacking your infrastructure, the better you can protect your organization’s data and systems from all attackers, whatever their origin or motives.