How Bulk IP Geolocation Helps Cybersecurity Pros
Despite the clampdown on obtaining personally identifiable information (PII) without user consent due notably to the implementation of strict privacy regulations, or maybe because of it, bulk IP geolocation data has become useful in tracking down cybercriminals.
Bulk IP geolocation data from providers like this one can’t readily reveal their owners but can serve as a good jumpoff point for cyber investigations. This post will show how.
Bulk IP Geolocation Uses in Cybersecurity
Bulk IP geolocation data has several cybersecurity applications. With its help, cybersecurity pros can use IP geo as part of other data sources to identify potential intruders who may have found a way into their corporate network. They can compare suspicious remote users’ IP addresses with those of frequent users’ on record to identify mismatches.
Bulk IP information can also help pinpoint the source of a cyber attack or an indication of it. It provides clues that can lead to perpetrator identification. And just as cybersecurity teams could use it to confirm suspicions, bulk IP geolocation data can also help combat online fraud. Confirming customer identities by comparing their current with usual locations is doable with its aid, too.
Bulk IP geolocation data can also help cybersecurity investigators identify trends to determine likely sources of threats for monitoring.
Many threat intelligence sources (e.g., AbuseIPDB and Feodo Tracker) regularly publish lists of malicious IP addresses to protect individuals and organizations from cyber attacks. We obtained one such list to demonstrate how cybersecurity specialists can use bulk IP geolocation data to jumpstart or further investigations.
Bulk IP Geolocation at Work
We got the Feodo Tracker Botnet Command-and-Control (C2) IP Blocklist for 28 March 2021, which contained 96 malicious IP addresses. Subjecting it to a bulk IP geolocation lookup gave us the countries, regions, cities, latitude and longitude coordinates, postal codes, and time zones where the addresses hailed from. The query also gave the IP addresses’ Internet service providers (ISPs), domains, and Autonomous System (AS) details.
Given the bulk IP geolocation results, we know that:
- Chart 1 shows the top 12 country origins of the IP addresses. As shown, a majority pointed to U.S. locations. The remaining 23 IP addresses were distributed across 18 other countries—two each from the Czech Republic, India, Poland, Taiwan, and Thailand and one each from Australia, Cameroon, Colombia, Ecuador, Hong Kong, Iran, Italy, Mauritania, New Zealand, Pakistan, Singapore, Slovakia, and Spain.
Chart 1: A majority of the botnet C2 IP addresses point to locations in the U.S.
- Chart 2 shows the top 12 ISPs responsible for the malicious IP addresses. As shown, the highest number of IP addresses (5) are under OVH SAS’s management. The remaining 61 IP addresses were distributed across the same number of ISPs.
Chart 2: Charter Communications and Telekomunikasi Indonesia (PT) managed four malicious IP addresses each. DigitalOcean, LLC and Host Europe GmbH owned three each, while another three didn’t disclose their ISPs. 1&1 IONOS SE, Amazon Technologies Inc., Chunghwa Telecom Co. Ltd., NetInformatik, SpectraIP B.V., and Tencent Cloud Computing accounted for two of the bad IP addresses each.
When monitoring for suspicious IP addresses, cybersecurity pros can use the data shown by Chart 1 & Chart 2 as a guide for prioritizing alerts from solutions like security information and event management (SIEM) platforms.
And if any of the IP addresses attempts to breach an organization’s network, the ISP information could prove useful when seeking takedown-related assistance.
As this post showed, bulk IP geolocation data can support cybersecurity in that it provides context to either get the cyber investigation ball rolling or moving forward.