As an IT security professional you — rightly — assume your corporate infrastructure is under attack. New threats emerge at a steady clip and nefarious actors have both the skill and the incentive to break into networks and steal data.
You also know that stopping all bad actors from breaking into a network is next to impossible, but you can forensically investigate an intrusion to understand who was behind it and take action to prevent further damage. (Also read: Digital Forensics: The Ultimate Guide.)
That's where internet protocol (IP) address intelligence comes in. IP address intelligence plays a critical role in digital forensics, especially when it comes to VPN-based traffic.
What is IP Address Intelligence?
IP address intelligence helps shed light on a particular user's characteristics by providing you with various types of data, such as:
- Geolocation data.
- IP address characteristics.
- Masked or anonymous data.
These data can help you learn important context about a user, such as where they are accessing your network from, whether their identity is masked via a VPN and whether they are a real user at all. This information, in turn, enables you to make strategic decisions to protect your company.
Let's examine each of these types of data more in-depth:
Geolocation (longitude/latitude) data will tell you where traffic is coming from.
This can be useful for flagging suspicious activity — for example, if your company is exclusive to the Northeast, a traffic spike from California may be a red flag. Some countries aren't as vigorous about prosecuting cybercriminals as others, prompting many companies to block traffic that originates from them automatically. (Also read: 10 Strictest Data Privacy Laws By Country in 2022.)
Data about IP characteristics can help you determine:
- How stable an IP address has been.
- Who or what is behind it.
- The number of users to which it has been assigned.
- Whether it is associated with a home, business or data center.
- The company and carrier name associated with it.
All of this provides important context when assessing a breach or making decisions about how to protect your network.
IP address intelligence data helps identify users who attempt to circumvent security restrictions via an anonymous VPN or proxy service.
Anonymous traffic is not necessarily malicious, but such users shouldn’t have access to corporate infrastructure.
How VPN Use Can Compromise Security
So, why shouldn't VPN users have access to corporate infrastructure?
To answer that, we need to examine two different types of VPN user:
- Internal VPN users.
- External VPN users.
Internal VPN Users
Internal VPN users are employees who use a VPN service from within your corporate campus. Employees can use VPNs to circumvent company policies, such as one that bans streaming videos while in the office. In a worst-case scenario, a VPN can be used to exfiltrate internal data outside of the network — an event security tools can’t always detect.
Of course, not all employees download VPNs with shady intentions; some opt for free VPN software to, for example, bypass geographic content restrictions. But these employees still put themselves, and your enterprise, at significant risk. For instance, some free VPN providers hijack residential user IP addresses, intercept traffic entirely or insert malware, which can easily work its way into your corporate network when the employee signs in from home.
That’s why it’s important to understand the characteristics of the VPNs your employees may use.
External VPN Users
External VPN users are those outside your organization — and there are likely more of them than you think.
VPN usage skyrocketed during the pandemic, and it’s likely that customers access your network via a VPN service. Many people subscribe to VPNs as a way to surf the web in complete anonymity, and some to circumvent digital rights management (DRM) restrictions — benefits many VPN providers tout. (Also read: Considering a VPN? Make the Right Choice for Your Needs.)
There are plenty of free and paid residential proxy services, some of which offer no-logging, a worrying feature because it is very friendly towards criminals. Some VPN clients are malware that adds the user's computer to a botnet.
Not all VPN users are bad actors, of course; VPNs and proxies were originally built for security. However, these tools have grown over time and are now used both by organizations to secure their businesses and by commercial VPN providers that promise to let users “remain anonymous” online. Because of that, not all VPNs or proxies should be treated the same, and it's important to stay on top of the VPN market. While simply knowing who provides a user's VPN service won’t protect your network, you can take tangible security steps with that knowledge.
How IP Address Intelligence Can Help You Make Strategic Security Decisions
IP address intelligence will help you craft a set of rules that block, flag or permit traffic under specific circumstances, based on where the traffic originates and whether a VPN is used.
Here are some useful questions to ask yourself about a user once you have data on their IP address:
1. Is the User Using A VPN With No Paper Trail?
Every VPN and proxy is anonymous by nature, but what happens if the user commits a crime?
VPNs that require specific information at the time of registration — such as name, address and valid billing information — will have a paper trail. VPNs that are free, allow for anonymous registration or accept anonymous payment via a prepaid credit card or cryptocurrency may be of concern to some, as there will be no paper trail and thus no way to identify the user in the case they're behind malicious activity.
2. Does the Address Belong to a Hosting Facility?
Addresses that belong to a hosting facility can be suspect because human users are not typically located in a hosting facility. Thus, IP addresses belonging to hosting facilities are obviously proxies.
Outbound traffic that comes from a company adhering to a zero trust security framework will appear as if it is coming from a hosting facility. Some insights gleaned from IP address intelligence can provide the needed context to distinguish between people and bots. (Also read: A Zero Trust Model is Better Than a VPN. Here's Why.)
It's also worth distinguishing traditional hosting facilities from bulletproof hosting facilities. Bulletproof hosting facilities don’t abide by take-down notices — even if they come from law enforcement. It’s probably a good idea to block this traffic.
3. Is The User Corporate or Public?
Corporate users are generally considered harmless. However, with IP address intelligence, you can identify domain names and know if a competitor is attempting to access your network.
Public traffic requires some consideration, but that doesn’t mean it should be blocked automatically. Public traffic means multiple users are proxied from a location allowing public internet access — such as libraries or airports — and, as a result, all users share a single IP address. Again, the context IP address intelligence provides can help you decide when to require additional authentication.
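The rule set that the three questions above (and the earlier geolocation example) describe, as an added example that is not part of the original article: a small policy function over the IP intelligence attributes the article names (geolocation, hosting facility, zero-trust customer egress, bulletproof hosting, VPN paper trail, shared public IP). The attribute names, the sample lookups and the country code "XX" are constructed assumptions, not the output of any real IP intelligence product.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALLOW, STEP_UP, FLAG, BLOCK = "allow", "require-additional-authentication", "flag-for-review", "block"

@dataclass
class IpIntel:
    """Attributes an IP intelligence lookup would return (constructed sample shape)."""
    ip: str
    country: str
    region: str                   # state/province, used for the geolocation check
    connection_type: str          # "residential", "business", "hosting" or "public"
    is_vpn: bool = False
    vpn_has_paper_trail: Optional[bool] = None  # None when no VPN is detected
    bulletproof_host: bool = False
    known_zero_trust_customer: bool = False     # allowlisted customer egress

def decide(intel: IpIntel, expected_regions: set, blocked_countries: set) -> Tuple[str, str]:
    """Return the action and the rule that fired; rules run from most to least severe."""
    if intel.bulletproof_host:
        return BLOCK, "bulletproof hosting ignores take-down notices"
    if intel.country in blocked_countries:
        return BLOCK, f"traffic from blocked country {intel.country}"
    if intel.connection_type == "hosting":
        # hosting IPs are normally proxies or bots, unless they are a customer's zero-trust egress
        if intel.known_zero_trust_customer:
            return ALLOW, "known zero-trust customer egress"
        return FLAG, "hosting facility address, likely proxy or bot"
    if intel.is_vpn and not intel.vpn_has_paper_trail:
        return STEP_UP, "anonymous VPN with no paper trail"
    if intel.connection_type == "public":
        return STEP_UP, "shared public IP (library, airport, etc.)"
    if intel.region not in expected_regions:
        return FLAG, f"unexpected region {intel.region}"
    return ALLOW, "residential or business address in an expected region"

# Constructed sample lookups (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges)
SAMPLE_LOOKUPS: List[IpIntel] = [
    IpIntel("192.0.2.10", "US", "NY", "residential"),
    IpIntel("192.0.2.20", "US", "CA", "residential"),
    IpIntel("192.0.2.30", "US", "MA", "residential", is_vpn=True, vpn_has_paper_trail=False),
    IpIntel("198.51.100.5", "US", "VA", "hosting"),
    IpIntel("198.51.100.6", "US", "VA", "hosting", known_zero_trust_customer=True),
    IpIntel("198.51.100.7", "XX", "??", "hosting", bulletproof_host=True),
    IpIntel("192.0.2.40", "US", "NJ", "public"),
]
NORTHEAST = {"NY", "NJ", "MA", "CT", "PA", "VT", "NH", "ME", "RI"}  # the article's Northeast-only business

def triage(lookups: List[IpIntel]) -> Dict[str, str]:
    # map each IP to its action for the Northeast-only business, which also blocks country "XX"
    return {i.ip: decide(i, NORTHEAST, {"XX"})[0] for i in lookups}
```

Rule order matters: a bulletproof host is blocked before any allowlist is consulted, and a zero-trust customer's hosting-facility egress is allowed before the generic hosting rule would flag it.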
IP Address Intelligence Tips for Business
A large organization might have high levels of security built into its infrastructure to protect against malware, credential stuffing attacks or even internal threats. If that's your situation, you should know whether those protections extend to your internal systems, to users working from home and to legacy systems that might not have the latest protections.
IP address intelligence complements a large organization's security systems by adding deeper insights for proactively reviewing daily activities and retroactively looking into any incidents.
For smaller organizations or those with less security protection, IP address intelligence is the bare minimum to help block malicious activity or allow traffic from safe locations — whether physical or virtual.
In a worst-case scenario, IP address intelligence and logs from your systems would enable law enforcement or investigators to understand what happened, stop an ongoing incident, and prevent it from happening in the future.
For an organization whose customers use a zero-trust framework, IP data will be essential for allowing those customers to access any customer portal and services you create for them.
Security systems will flag their traffic as coming from a hosting facility and potentially label it "invalid traffic" when, in fact, it is your customers. Any organization that uses zero trust should include IP address intelligence to add context and protect the system.
IP address intelligence enables you to ask a series of questions and take informed actions based on your answers. For instance, do free VPN services make you nervous? Would you prefer a paper trail in the case law enforcement needs to be involved? Does your company have traveling employees who access your network from a public place?
If yes, you may want to consider additional authentication steps.