As we watch the tragedy unfold in Ukraine, security professionals are all too aware that Russia has built a massive cyber warfare arsenal and has been willing to use it against its perceived adversaries.
In early March, the Federal Cybersecurity and Infrastructure Security Agency (CISA) told USA Today, "While there are no specific, credible security threats to the US, we encourage all organizations — regardless of size — take steps now to improve their cybersecurity and safeguard their critical assets."
The threat of cyberattack is real and constant. I've been following the DDoS attacks and BGP hijacking against civil infrastructure, but it's difficult to know precisely what's going on with both propaganda obscuring the details and with the network traffic being nearly invisible, especially as Ukraine's Internet is local to Russia.
Still, it's wise to take CISA's alert to heart and follow its advice to "be prepared, enhance your organization's security posture, and increase organizational vigilance." You'll be glad to know that US banks are already gearing up for the possibility of cyberattacks.
What should you look out for? The worst cyberattacks are extremely methodical and surgical, which means they can be difficult to stop. Beefing up security, therefore, requires a combination of forensic efforts and proactive mitigation. IP context can help with both.
Deploying Enhanced Forensic Efforts and Capabilities
Shoring up security requires a good deal of forensics. Let's say a nefarious actor steals the keys to a kingdom. That theft has occurred, and nothing can be done to unsteal them. But we have a copy of the keys, and we know which keys can now be used by untrustworthy people. Until we can successfully change all of the locks, we must investigate all people who are attempting to use those keys. This is the forensic nature of security.
Knowing the who, what, when, where, and how of a cyberattack is the first step in mitigating its impact and preventing further damage, and it's just as important as preemptive blocking. Besides, as all security professionals know, it's really hard to block everything.
At present, the industry knows about quite a number of "stolen keys," which means we know malicious actors are attempting to use them. We also know which locks to change. This, by the way, is precisely why CISO recommends organizations patch all systems, prioritizing known exploited vulnerabilities, and implement multifactor authentication.
Forensics requires context: Where did this user come from? Are they masking their location via a proxy or a VPN? Is the traffic coming from a business, hosting provider, or residential IP address? IP data can provide the context needed to conduct your forensics. It also can help you proactively block attacks.
Using IP Data to Help Proactively Block Attacks
An IP address, at a moment in time, has a set of characteristics — geolocation, home vs. business usage, and whether it is proxied, masked, or circumvented in any way.
Think of the IP address as a funnel. Let's say a user is accessing your infrastructure and you want to know whether it's legitimate traffic. As mentioned above, IP data can tell you where it originated, whether users are residential or business, and whether they're coming from a VPN. Let's say you discover that it's an IP address from within the US but it's tied to a VPN provider of Russian origin. This is a crucial and enlightening insight that leads you to ask: What other IP addresses are tied to that provider?
This IP data allows you to pivot off on one factual piece of information to identify potentially 10,000 other IP addresses that are related and see whether any of them are attempting to access your infrastructure. To put it another way, context allows you to identify the common thread between these thousands of little funnels, figure out what the big funnel is, and investigate or block it as required.
Examining the Context of VPN Services
Let's consider the implications of VPN data in making decisions regarding who can and cannot access your network. As a security professional, you probably want to make a lot of policy decisions based on the attributes of the VPN provider itself.
For instance, is the provider located in Russia? Is it free? Many professionals are wary of free services because they know the users themselves are the product in such scenarios. This is a particular concern for organizations with remote employees who use personal routers to sign into the corporate VPN. Do the employees also use a VPN to bypass internal security protections so they can access Netflix? A VPN can serve as a conduit for attacks that make their way out of your infrastructure.
If the VPN is a paid service, does the provider allow customers to pay via anonymous cryptocurrencies? Does it promise no activity logging, a feature that makes it an attractive option to bad actors?
The more you know about a VPN and its inner workings, the more you can make smart decisions as to which traffic to flag or block. When applying it with other IP data, you can decide when to flag traffic for additional authentication — or block it all together.
In fact, the more background stories you can piece together about the users who hit your infrastructure, the more you can protect your organization's data and systems from all attackers, regardless of where they're from or their motives.