What Is Your IP Address Cybersecurity IQ? The Role of IP Address Data in a Digital World

Author: Jonathan Tomek, CISSP
Date Published: 3 January 2023

Enterprise data breaches have become fodder for headline news. Millions of consumers are put at risk when customer records are stolen, and organizational reputations can be tarnished. On top of the reputational damage, the average cost of a data breach in 2022 was US$4.3 million, an all-time high.1 Now more than ever, security professionals need a thorough understanding of the IP addresses that seek to access their networks. This knowledge can be thought of as one's IP address intelligence quotient (IQ).

Why is it important to have a high IP address IQ? Every security professional knows that it is impossible to stop 100% of attackers from breaching their cyberdefenses. Cybercriminals are well financed, technically astute and highly motivated, so some will inevitably succeed. That does not mean significant financial loss is inescapable. Large sums are lost only when attackers go undetected for extended periods of time, or when the security team fails to grasp the scope and intent of the attackers behind an intrusion.

Discovering a breach helps identify how an attacker accessed the network, but there is also a need to figure out who the attackers are and how many others are working with them to steal data. It is a race against time, and that is where IP IQ comes into play.

Know Your Enemy

Mitigating damage from a cyberattack requires knowing one's enemy, and IP address intelligence data help do exactly that. These data can help determine where attackers are located, sometimes as precisely as a postal code; whether they used a virtual private network (VPN) service, proxy or darknet; the number of mobile advertising IDs (MAIDs) associated with the IP address; the stability of the IP address; and which other IP addresses are associated with the same VPN provider. One caveat a practitioner should keep in mind: an IP address locates the point where traffic exits onto the Internet, so a VPN or proxy user appears at the location of the exit node, not at their own. With these IP data in hand, one can search logs and network traffic for malicious activity, including historical views of when an IP address was attached to a VPN or proxy.

Understand the VPN Market

In today's climate, cybersecurity teams cannot know their enemies without understanding the VPN market. VPN usage spiked during the COVID-19 pandemic, as many employees signed up for free or low-cost VPN services to circumvent regional content restrictions imposed by streaming platforms (e.g., US-based Netflix subscribers can only watch content licensed for US viewers). By definition, those services allow users to enter the VPN from one location (e.g., the United States) and exit from another (e.g., the United Kingdom).

What employees using VPNs may not realize is that some providers offer their services for free so that they can sell or hijack the user's IP address, intercept the user's traffic entirely, or insert malware. Any of these can provide an opening into an enterprise's network when the same device is later used to sign in to corporate systems from home.2

There are thousands of VPN services on the market. Some are undeniably benign, but others offer a slate of features that are friendly to cybercriminals, such as the ability to cover one's tracks through a no-logging policy, the option to pay via cryptocurrency, identity masking, and more. Keeping a network safe from attackers requires a high VPN IQ: a solid understanding of the VPN market and the ability to make decisions based on an enterprise's risk appetite.

Proactively Protect the Network

Fortunately, security professionals can gain access to a wealth of VPN contextual data to help them distinguish between perfectly legitimate providers and those that turn a blind eye to crime. These data include:

  • VPN classification
  • Provider’s name and uniform resource locator (URL)
  • Distinction between a residential proxy, personal VPN and an enterprise service
  • IP address related to a provider
  • Entrance and exit nodes associated with the provider

Understanding these data points can help one proactively protect their network by setting rules around who can and cannot access it.

What feeds one’s IP IQ? There are numerous criteria by which security professionals can analyze these data, including:

  • VPN classification—Is the address classified as a VPN, proxy or darknet exit? Additional attributes can explain more about the providers themselves, such as whether they support fraudster-friendly features: a no-logging policy, free rather than paid service, weak or absent know your customer (KYC) standards, or payment with gift cards.
  • Proxy or darknet—Are IP addresses associated with a proxy or darknet? The presence and type of proxy should dictate how that traffic is handled. For instance, some enterprises prefer to block all traffic in which the end user's true IP address is disguised (i.e., anonymized).
  • VPN provider name/URL—Some VPNs (e.g., VPNLab.net, taken down by law enforcement in January 2022) are known to have been used by criminals to distribute ransomware and other malware and to stage cyberattacks. Knowing the name and URL of the VPN allows one to research the provider and determine whether it meets enterprise standards.
  • Location—Is the VPN provider located in a region known for criminal activity, or in a country that will not extradite cybercriminals? Some organizations opt to block all traffic from a specific location, but that may not be feasible for every enterprise, especially if there is an office in such a region or certain employees log in through a VPN while on the road.
  • Allows anonymity for the user—Nefarious actors want to keep their identities and actions hidden, so VPNs that allow anonymous usage and do not log user activity are favored tools. For some enterprise security teams, allowing anonymous traffic is too much risk to accept, and they should block that traffic.
  • Related provider IP addresses—These are the address ranges associated with a specific provider, allowing blocking at the provider level rather than one IP address at a time.
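The criteria above can be turned into an enforceable policy. What follows is an added example written for this article, not code from the author or from Digital Element, and it assumes a hypothetical enrichment schema (field names such as classification, provider and vpn_history), constructed sample records on documentation address ranges, and constructed login log lines. It enriches each login event, attributes the source address to a provider by netblock so that a block applies to the whole provider, applies one enterprise's risk-appetite policy, and consults the historical VPN association at the time of the event rather than today, downgrading the verdict to review where the address was not attached to the provider when the login happened.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed IP-intelligence records (field names are assumptions for this
# example; commercial feeds use their own schemas). "vpn_history" holds
# (start, end) dates during which the address was an exit node of "provider".
ENRICHMENT = {
    "198.51.100.7": {"classification": "vpn", "provider": "ExampleVPN", "country": "NL",
                     "anonymous": True, "vpn_history": [("2022-10-01", "2023-03-01")]},
    "203.0.113.9": {"classification": "proxy", "provider": "ResiProxyCo", "country": "US",
                    "anonymous": True, "vpn_history": [("2022-01-01", "2022-06-30")]},
    "192.0.2.44": {"classification": "darknet", "provider": None, "country": "XX",
                   "anonymous": True, "vpn_history": []},
}

# Netblocks attributed to each provider (constructed), so that a decision can
# be made for the whole provider rather than one address at a time.
PROVIDER_NETBLOCKS = {
    "ExampleVPN": [ipaddress.ip_network("198.51.100.0/24")],
    "ResiProxyCo": [ipaddress.ip_network("203.0.113.0/25")],
}

# One enterprise's risk appetite expressed as policy. The allow-list models a
# known travelling employee whose VPN exit address must keep working.
POLICY = {
    "block_classifications": {"darknet"},
    "block_anonymous": True,
    "block_providers": {"ExampleVPN"},
    "block_countries": set(),
    "allow_ips": [ipaddress.ip_network("198.51.100.200/32")],
}

LOG_RE = re.compile(r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def provider_for(ip):
    """Attribute an address to a provider through its netblocks."""
    addr = ipaddress.ip_address(ip)
    for provider, nets in PROVIDER_NETBLOCKS.items():
        if any(addr in net for net in nets):
            return provider
    return None


def was_vpn_at(record, when):
    """Historical view: was the address attached to the provider on that day?"""
    day = when.date().isoformat()  # ISO dates compare correctly as strings
    return any(start <= day <= end for start, end in record.get("vpn_history", []))


def decide(ip, when, policy=POLICY, enrichment=ENRICHMENT):
    """Return (verdict, reasons) for a source address under the policy."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in policy["allow_ips"]):
        return "allow", ["explicit allow-list"]
    rec = enrichment.get(ip)
    provider = provider_for(ip) or (rec or {}).get("provider")
    if rec is None and provider is None:
        return "allow", ["not a known VPN, proxy or darknet address"]
    reasons = []
    if rec is not None:
        if rec["classification"] in policy["block_classifications"]:
            reasons.append(f"classification {rec['classification']} is blocked")
        if policy["block_anonymous"] and rec["anonymous"]:
            reasons.append("anonymous traffic is blocked")
        if rec["country"] in policy["block_countries"]:
            reasons.append(f"country {rec['country']} is blocked")
    if provider in policy["block_providers"]:
        reasons.append(f"provider {provider} is blocked")
    if not reasons:
        return "allow", ["no policy match"]
    # Intelligence is time-sensitive: if the address was not attached to the
    # provider when the event happened, a human should look before blocking.
    if rec is not None and rec["vpn_history"] and not was_vpn_at(rec, when):
        return "review", reasons + ["address was not attached to the provider at event time"]
    return "block", reasons


def triage_logs(lines):
    """Parse login events, enrich the source address and apply the policy."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        verdict, reasons = decide(m["src"], when)
        results.append({"user": m["user"], "src": m["src"], "result": m["result"],
                        "verdict": verdict, "reasons": reasons})
    return results


# Constructed login records, not from any real system.
SAMPLE_LOG = [
    "2023-01-02T10:15:00Z login user=alice src=198.51.100.7 result=success",
    "2023-01-02T10:16:00Z login user=bob src=198.51.100.12 result=success",
    "2022-09-05T08:00:00Z login user=carol src=203.0.113.9 result=success",
    "2023-01-02T11:00:00Z login user=dave src=192.0.2.44 result=failure",
    "2023-01-02T11:05:00Z login user=erin src=198.18.0.5 result=success",
    "2023-01-02T11:20:00Z login user=frank src=198.51.100.200 result=success",
]

if __name__ == "__main__":
    for r in triage_logs(SAMPLE_LOG):
        print(f"{r['verdict']:6} {r['user']:6} {r['src']:15} {'; '.join(r['reasons'])}")
```

Two design points matter more than the particular thresholds. First, bob's address has no per-IP record at all, yet it is blocked because the netblock belongs to a blocked provider; this is what provider-level data buys over single-address lookups. Second, carol's address is a proxy exit today, but the history shows it was not one on the day she logged in, so the verdict is review rather than block; acting on a current classification against months-old log entries is a common way to chase the wrong lead.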

Conclusion

Neither IP address data nor insight into the VPN market can, on its own, protect a network from attacks. Multipronged enterprise defenses are still needed to achieve adequate protection. What these data can do is add context to an existing security strategy, provide the ability to understand who breached a network should an attack occur, and supply the insight needed to set policies based on the specific risks an organization faces. With all of this knowledge, one's IP address cybersecurity IQ can be chart-topping.

Endnotes

1 IBM, Cost of a Data Breach Report 2022, USA, 2022
2 Cawley, C.; “This Free VPN Leaked Millions of User Records,” Tech.co, 28 June 2022

Editor’s Note

Hear more about what the author has to say on this topic by listening to the “What Is Your IP Address Cybersecurity IQ? The Role of IP Address Data in a Digital World” episode of the ISACA® Podcast.

Jonathan Tomek, CISSP

Is vice president of research and development with Digital Envoy, parent company of Digital Element. He has expertise in threat intelligence, network forensics, incident handling and malware analysis. Previously, Tomek served as chief executive officer (CEO) of MadX LLC, head of threat intelligence with White Ops and director of threat research with LookingGlass Cyber Solutions, Inc.