How IP Address Intelligence Can Protect Your Business Network
As an IT security professional, you – rightly – assume that your corporate infrastructure is under attack. New threats are emerging at a steady pace and nefarious actors have both the skill and the incentive to break into networks and steal data.
You also know that it’s nearly impossible to keep all bad actors out of a network; but you can investigate forensically to figure out who was behind an intrusion and take action to prevent further damage. (Also read: Digital Forensics: The Ultimate Guide.)
This is where the intelligence of the IP (Internet Protocol) address comes in. IP address intelligence plays a vital role in digital forensics, especially when dealing with VPN-based traffic.
What is IP Address Intelligence?
IP address intelligence helps shed light on the characteristics of a particular user by providing you with different types of data, such as:
- Geolocation data.
- Characteristics of the IP address.
- Masked or anonymous data.
This data can help you learn a user’s important context, such as where they’re accessing your network from, whether their identity is masked through a VPN, and whether they’re even a user. This information, in turn, enables you to make strategic decisions to protect your business.
Let’s take a closer look at each of these data types:
Geolocation data (longitude/latitude) will tell you where the traffic is coming from.
This can be useful for reporting suspicious activity. For example, if your business is exclusive to the Northeast, a spike in traffic from California might be a red flag. Some countries are not as vigorous as others in prosecuting cybercriminals, prompting many companies to automatically block traffic from them. (Also read: 10 strongest data privacy laws by country in 2022.)
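As an added illustration of the geolocation check just described (this is example code, not code from the original article), the following Python snippet runs a region check over a few constructed access-log lines. The `GEO_BY_NETWORK` table is a stand-in for a real geolocation database, the log format and addresses are made up, and the expected-region set and the spike threshold are assumed policy values.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed stand-in for a geolocation database: network -> region code.
# A real deployment would query a GeoIP-style provider instead of this table.
GEO_BY_NETWORK = {
    ipaddress.ip_network("203.0.113.0/24"): "US-NY",
    ipaddress.ip_network("198.51.100.0/24"): "US-MA",
    ipaddress.ip_network("192.0.2.0/24"): "US-CA",
}

# Constructed access-log lines: timestamp, client IP, method, path, status.
# One malformed line is included to show that the parser skips it.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 203.0.113.10 GET /login 200
2024-03-01T09:00:05Z 198.51.100.7 GET /portal 200
2024-03-01T09:01:12Z 203.0.113.11 POST /login 302
2024-03-01T09:02:40Z 192.0.2.5 POST /login 401
2024-03-01T09:02:41Z 192.0.2.6 POST /login 401
2024-03-01T09:02:43Z 192.0.2.7 POST /login 401
2024-03-01T09:02:44Z 192.0.2.8 POST /login 401
this line is not a log record
2024-03-01T09:03:00Z 203.0.113.12 GET /portal 200
2024-03-01T10:15:00Z 192.0.2.9 GET /portal 200
"""


def lookup_region(ip_str):
    """Map an IP address to a region code via the constructed table."""
    ip = ipaddress.ip_address(ip_str)
    for network, region in GEO_BY_NETWORK.items():
        if ip in network:
            return region
    return "UNKNOWN"


def parse_log(text):
    """Yield (hour_bucket, ip, status) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, _method, _path, status = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            ipaddress.ip_address(ip)  # validates the address field
        except ValueError:
            continue
        yield when.replace(minute=0, second=0), ip, status


def region_counts_per_hour(text):
    """Count requests per region inside each one-hour bucket."""
    counts = defaultdict(Counter)
    for hour, ip, _status in parse_log(text):
        counts[hour][lookup_region(ip)] += 1
    return counts


def find_region_spikes(text, expected_regions, threshold):
    """Return [(hour_iso, region, count)] for regions outside the expected set
    whose hourly request count reaches the threshold."""
    spikes = []
    for hour, counter in sorted(region_counts_per_hour(text).items()):
        for region, n in counter.items():
            if region not in expected_regions and n >= threshold:
                spikes.append((hour.isoformat(), region, n))
    return spikes


if __name__ == "__main__":
    # A business that only serves the Northeast: New York and Massachusetts are expected.
    for hour, region, n in find_region_spikes(SAMPLE_LOG, {"US-NY", "US-MA"}, 3):
        print(f"{hour}: {n} requests from unexpected region {region}")
```

The threshold keeps a single stray visitor from triggering a report; only a burst from an unexpected region in the same hour is surfaced, which is the "spike" the paragraph above refers to.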
IP characteristics data can help you determine:
- The stability of an IP address.
- Who or what is behind it.
- The number of users it has been assigned to.
- Whether it is associated with a home, business or data center.
- The company and name of the carrier associated with it.
All of this provides important context when assessing a breach or making decisions about how to protect your network.
IP address intelligence data helps identify users attempting to circumvent security restrictions through an anonymous VPN or proxy service.
Anonymous traffic is not necessarily malicious, but these users should not have access to corporate infrastructure.
How Using VPN Can Compromise Security
So, why shouldn’t VPN users have access to corporate infrastructure?
To answer this, we need to look at two different types of VPN users:
- Internal VPN users.
- External VPN users.
Internal VPN users
Internal VPN users are employees who use a VPN service from your company’s campus. Employees can use VPNs to circumvent company policies, such as one that prohibits streaming video in the office. In the worst case, a VPN can be used to exfiltrate internal data outside the network, an event that security tools cannot always detect.
Of course, not all employees download VPNs with shady intentions; some opt for free VPN software to, for example, bypass geographic content restrictions. But these employees still put themselves, and your business, at significant risk. For example, some free VPN providers hijack residential users’ IP addresses, intercept traffic entirely, or insert malware, which can easily find its way into your corporate network when the employee logs in from home.
That’s why it’s important to understand the characteristics of the VPN services your employees may be using.
External VPN users
External VPN users refer to those outside of your organization – and there are probably more than you think.
VPN usage has skyrocketed during the pandemic, and customers are likely to access your network through a VPN service. Many people subscribe to VPNs to surf the web anonymously, and some to circumvent digital rights management (DRM) restrictions, which benefits many VPN providers. (Also read: Considering a VPN? Make the right choice for your needs.)
There are many free and paid residential proxy services, some of which keep no logs at all, a worrying feature because it is very criminal-friendly. Some VPNs are outright malware that add the user’s computer to a botnet.
Not all VPN users are bad actors, of course; VPNs and proxies were originally designed for security. However, these tools have developed over time and are now used by organizations to secure their business and by commercial VPN providers to let subscribers “stay anonymous” online. For this reason, not all VPNs or proxies should be treated equally, and it is important to stay on top of the VPN market. Although simply knowing who is providing a user’s VPN service won’t protect your network, you can take tangible security measures with this knowledge.
How IP address intelligence can help you make strategic security decisions
IP address intelligence will help you come up with a set of rules, such as blocking, reporting, or allowing access in specific circumstances, based on where the traffic is coming from and whether or not a VPN is in use.
Here are some useful questions to ask yourself about a user once you have data on their IP address:
1. Is the user using a VPN that leaves no paper trail?
Every VPN and proxy is anonymous by nature, but what if the user commits a crime?
VPNs that require specific information at the time of registration, such as name, address, and valid billing information, will have a paper trail. Free VPNs, VPNs that allow anonymous registration, or VPNs that accept anonymous payment via prepaid credit card or cryptocurrency may be of concern to some, as there will be no paper trail and therefore no way to identify the user should they turn out to be the source of malicious activity.
2. Does the address belong to a host?
Addresses belonging to a hosting facility can be suspicious because human users are not usually found in a hosting facility. IP addresses belonging to hosting providers are therefore very likely to be proxies.
Outgoing traffic from a company adhering to a Zero Trust security framework will appear as if it is coming from a hosting facility. Some insights gained from IP address intelligence can provide the context needed to distinguish between people and bots. (Also read: A Zero Trust model is better than a VPN. Here’s why.)
It is also worth distinguishing between traditional hosting facilities and bulletproof hosting facilities. Bulletproof hosting facilities do not honor takedown notices, even if they come from law enforcement. It’s probably a good idea to block this traffic.
3. Is the user corporate or public?
Corporate users are generally considered harmless. However, with IP address intelligence, you can identify domain names and know if a competitor is trying to access your network.
Public traffic requires some consideration, but that doesn’t mean it should be blocked automatically. Public traffic means that multiple users are proxied from a location that allows public Internet access – such as libraries or airports – and therefore all users share a single IP address. Again, IP address contextual intelligence can help you decide when to require additional authentication.
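To show how the three questions above turn into concrete rules, here is an added Python example that is not part of the original article. The `IPIntel` record mimics the kind of attributes an IP intelligence lookup returns (location type, VPN/proxy flag, whether the VPN keeps a registration paper trail, a bulletproof-hosting flag, the organisation’s domain); the field names, the `Policy` settings and the sample lookups are all constructed for this example rather than taken from any real product. It also covers the zero-trust customer case discussed later in the article, where legitimate customer traffic appears to come from a hosting facility and must not be blocked by the hosting rule.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class IPIntel:
    """One IP-intelligence lookup result. Field names are constructed for this example."""
    ip: str
    location_type: str                  # "residential", "business", "datacenter" or "public"
    country: str
    is_vpn_or_proxy: bool = False
    vpn_has_paper_trail: bool = False   # registration/billing identity was collected
    bulletproof_hosting: bool = False
    org_domain: Optional[str] = None


@dataclass
class Policy:
    """Assumed policy inputs: countries to block, competitor domains to report,
    and domains of zero-trust customers whose egress looks like a datacenter."""
    blocked_countries: Set[str] = field(default_factory=set)
    competitor_domains: Set[str] = field(default_factory=set)
    customer_egress_domains: Set[str] = field(default_factory=set)


# Higher number wins when several rules fire for one address.
SEVERITY = {"allow": 0, "report": 1, "step_up": 2, "block": 3}


def evaluate(intel: IPIntel, policy: Policy) -> Tuple[str, List[str]]:
    """Apply the article's questions to one lookup; return (action, reasons)."""
    findings: List[Tuple[str, str]] = []

    if intel.bulletproof_hosting:
        findings.append(("block", "bulletproof hosting: provider ignores takedown notices"))
    if intel.country in policy.blocked_countries:
        findings.append(("block", f"country {intel.country} is on the block list"))

    # Question 1: anonymous VPN/proxy with no paper trail vs. one with registration data.
    if intel.is_vpn_or_proxy:
        if intel.vpn_has_paper_trail:
            findings.append(("report", "VPN/proxy with registration paper trail"))
        else:
            findings.append(("block", "anonymous VPN/proxy with no paper trail"))

    # Question 2: datacenter addresses are usually proxies or bots, unless they are
    # the known egress of a zero-trust customer.
    if intel.location_type == "datacenter":
        if intel.org_domain in policy.customer_egress_domains:
            findings.append(("allow", "known zero-trust customer egress"))
        else:
            findings.append(("report", "datacenter address: likely proxy or bot, not a person"))

    # Question 3: shared public locations get additional authentication; competitor
    # corporate addresses are flagged for review.
    if intel.location_type == "public":
        findings.append(("step_up", "shared public IP (library, airport): require extra authentication"))
    if intel.org_domain in policy.competitor_domains:
        findings.append(("report", f"corporate address belongs to competitor {intel.org_domain}"))

    if not findings:
        findings.append(("allow", "residential or business address with no risk signals"))

    action = max(findings, key=lambda f: SEVERITY[f[0]])[0]
    return action, [reason for _, reason in findings]


def triage(lookups, policy: Policy):
    """Map each IP to the action the policy selects for it."""
    return {intel.ip: evaluate(intel, policy)[0] for intel in lookups}


# Constructed sample lookups covering each rule above.
SAMPLE_LOOKUPS = [
    IPIntel("203.0.113.10", "residential", "US"),
    IPIntel("198.51.100.20", "datacenter", "US", is_vpn_or_proxy=True),
    IPIntel("198.51.100.21", "datacenter", "US", is_vpn_or_proxy=True, vpn_has_paper_trail=True),
    IPIntel("192.0.2.30", "datacenter", "US", org_domain="customer.example"),
    IPIntel("192.0.2.40", "public", "US"),
    IPIntel("192.0.2.50", "datacenter", "XX", bulletproof_hosting=True),
    IPIntel("192.0.2.60", "business", "US", org_domain="rival.example"),
]

SAMPLE_POLICY = Policy(
    competitor_domains={"rival.example"},
    customer_egress_domains={"customer.example"},
)


if __name__ == "__main__":
    for intel in SAMPLE_LOOKUPS:
        action, reasons = evaluate(intel, SAMPLE_POLICY)
        print(f"{intel.ip:15} {action:8} {'; '.join(reasons)}")
```

Every rule records its reason rather than returning early, so an analyst reviewing a blocked or stepped-up session sees all the signals that fired, and the customer-egress allowlist is checked before the generic datacenter rule so zero-trust customers are not mislabelled as invalid traffic.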
IP Address Intelligence Tips for Business
A large organization may have high levels of security built into its infrastructure to provide protection against malware, credential stuffing attacks, or even insider threats. If this describes your organization, you need to know whether these protections also cover your internal systems, home users, and legacy systems that may not have the latest protections.
IP address intelligence complements a large organization’s security systems by adding deeper insights to proactively examine day-to-day activities and retroactively review any incidents.
For small businesses or those with less security protection, IP address intelligence is the bare minimum to help block malicious activity or allow traffic from safe locations, whether physical or virtual.
In the worst case, information about IP addresses combined with your system logs would allow law enforcement or investigators to figure out what happened, stop an incident in progress, and prevent it from happening again in the future.
Zero Trust Organizations
If your customers operate under a zero-trust framework, IP data will be essential for them to access any customer portals and services you create for them.
Security systems will flag their traffic as coming from a hosting facility and potentially label it as “invalid traffic” when in fact it is your customers. Any organization that uses zero trust must include IP address intelligence to add context to protect the system.
IP address intelligence allows you to ask a series of questions and take informed action based on your answers. For example, do free VPN services make you nervous? Do you prefer a paper trail in case law enforcement needs to be involved? Does your company have traveling employees who access your network from a public location?
If so, you may consider additional authentication steps.