By Jonathan Tomek, VP of Research and Development, Digital Envoy
A staggering 96% of UK organisations experienced at least one major cyber-attack over a 12-month period in recent years, with the average data breach costing around $4.5 million. Now, businesses are also facing ongoing challenges relating to building and maintaining IT security levels (47%), a regulatory structure (41%), and reliable ongoing support (41%).
Couple these challenges with an increasing cybersecurity skill shortage, as well as internal staff skill gaps, and it’s easy to see why managed security service providers (MSSPs) are a strong option across all sectors and company sizes.
However, the evolving cybersecurity landscape might shift to placing more responsibility on businesses to protect their own data, as well as their customers. While no specific guidelines have been published, UK and EU GDPR makes data protection a requirement, and with cyber-attacks on the rise, it’s clear that companies have to begin responding accordingly.
Whether you are employing an MSSP or rely on integrated security, IP address intelligence data is key to proactively safeguarding customer and business data by identifying traffic anomalies, and providing insights into malicious activity.
Utilising IP Address Intelligence Data
Each and every device has a unique numerical label that identifies it either on the internet, or on a local network, such as a company network. An IP address is necessary to communicate, send and receive information, or just connect to the web, but what’s important is that IP Address Intelligence Data – which includes geolocation, device type, historical knowledge, and more – is an essential tool in the security arsenal.
The additional insights IP data can provide, such as VPN/proxy data, IP address activity level, IP address stability, home vs business usage, and even how many Mobile Advertising IDs (MAIDs) are connected to one IP address, are integral to understanding and preventing both internal and external threats. This behavioural and contextual data on attack location and type informs threat analysis, which provides the foundation for prevention as businesses can set alerts for specific and suspicious traffic criteria. IP data can also identify credential stuffing attacks through proxy and usage information, as well as information regarding data exfiltration – that is, any kind of unauthorised data transfer – from internal sources.
Lastly, distinguishing between residential and commercial connections helps identify potentially nefarious traffic. Traffic coming from a residential IP address, such as a personal home setup, will be flagged if detected as trying to interact with a commercial system, such as a company’s cloud-based hosting platform. This act singles out threats via IP connection type, in the knowledge that purely commercial systems aren’t meant to be accessed via non-commercial connections.
The rising popularity of VPNs
IP data and VPN usage are inherently interlinked, as VPNs encrypt and disguise online identities. This does not mean VPNs are only used for malevolent purposes; indeed, they have soared in popularity for both consumers and businesses.
Over a third (31%) of internet users worldwide – nearly 1.6 billion – use a VPN for a variety of reasons, from protecting their privacy to circumventing digital rights restrictions, such as accessing Netflix US content from the UK. Meanwhile, businesses have welcomed remote access VPN providers in the age of homeworking: following the pandemic and an increase in flexible working, providing remote access to employees has been essential to maintain services running – in 2020, 88% of companies migrated their staff from office to the home and global VPN usage increased by 27.1%.
However, VPN use of any kind introduces an element of risk. On the consumer side, issues arise when users access free VPN services. Not only do these providers survive by harvesting consumer addresses for resale purposes, but they are also prime targets for attacks: most recently, the PII records of 25 million users were exposed in a free VPN software data breach. When it comes to professional use, VPNs can compromise corporate networks through masked attacks, data harvesting, or spoofing, for example.
Once again, IP address intelligence data can provide a deeper understanding behind traffic to help differentiate the good from the bad. Information such as VPN provider name/URL and type (VPN, proxy, darknet) as well as general settings and features (for example, what kind of traffic does the provider allow, do they log user activity, what kind of IP addresses are related this provider, who is the target audience) can inform decisions when it comes to blocking or allowing VPN connections, and where additional security, such as multi-factor authentication, might be prudent. A no-log VPN, for example, should cause alarm bells as this is more likely to be used by fraudsters.
Investigation and prevention
As sophisticated as security measures and IP data are, hacking tools are constantly evolving. No business or user can be 100% guaranteed that they will prevent every malicious attempt. In this instance, learning as much as you can about the incident is key to mitigating damages as well as building stronger security measures for any subsequent attacks.
The insights and information derived from network traffic can help establish where the activity came from, if a VPN was used, or other IP addresses linked to the VPN service. IP address intelligence data won’t stop criminal cyber activity, but it can provide an additional, valuable layer of protection for in-house teams or MSSPs, and in case of a breach, provide the right kind of information to help track down the culprit and fortify defences for the future.
