Zero trust architecture and IP data
Recent and current events have influenced the future of cybersecurity architecture. As remote work has grown, so has the exposure of organizations’ assets. But remote work isn’t the only factor at play.
Organizations are also combating an increase in fraud, ransomware, and other malicious activity. Especially since 2020, cybersecurity professionals have been dealing with more alerts and with more sophisticated, organized cyber criminals.
Now, more than ever before, organizations from Medtech to Fintech, Edtech to governments, are embracing a zero-trust architecture to ensure compliance with security protocols. Rather than assuming that in-network devices belong to legitimate users, zero-trust architecture treats every device, network, and connection within an organization’s infrastructure as potentially compromised.
The natural result of robust zero-trust measures is that IT and security teams can be overrun by alerts, spending large amounts of time manually checking possible threats. Meanwhile, Ransomware-as-a-Service (RaaS) and Access-as-a-Service are growing at unprecedented rates.
Getting the same quality data as IPinfo with an in-house team is actually quite difficult. That’s why we chose IPinfo. - Fraud Intelligence Team, Nethone
The question then is this: How can cybersecurity organizations gain the visibility they need at scale?
IoCs: The role of IP data in zero trust architecture
IP address data is only increasing in importance for cybersecurity professionals. As an Indicator of Compromise (IoC), an IP address can be enriched with contextual datasets that surface information not visible from the address alone. Here are several IoCs derived from IP data.
Geolocation
IPinfo’s geolocation dataset provides the country, region, city, latitude/longitude, postal code, and more for each IP address. In addition to helping flag suspicious activity or logins, these details also provide a basis for mitigating DDoS attacks. For instance, geolocation can be used to establish where the machines instigating the attack are located.
GreyNoise, a log management solution, uses these datasets to support efficient threat analysis and detection:
- IP to Geolocation
- ASN data
- IP Ranges
- Hosted Domains
“IPinfo is absolutely essential to our business. The data is rock solid, the API is dead simple, and the price is unbeatable. I constantly recommend it to all of my friends in the industry.” - Andrew Morris, Founder & CEO, GreyNoise Intelligence
IP and Domain reputation
IP data also contributes to risk analysis, threat intelligence, and efficient incident response. Since an organization’s compromised networks, servers, or other endpoints can be used as part of botnets, phishing campaigns, DDoS attacks, and other spamming platforms, IP and domain reputation provides a critical IoC.
Additionally, if outward-facing servers appear on a blocklist, a compromise is likely. That’s why using IP address data and domain reputation data to monitor the reputation of entities interacting with company assets is so important. For instance, if a company’s IP or domain details appear on sites like Pastebin.com, its network may have been compromised.
Host.io is a tool that gathers DNS details, scraped website content, outbound links, backlinks, and other hosting details for any domain. Analysts can use this information to identify co-hosted domains and to monitor top-level website details and DNS records. Here's a helpful resource for more details about API endpoints within Host.io.
Masked identities
As remote work increased, especially in 2020, over 50 percent of organizations increased their VPN capacity. The result was major disruptions to network security practices. From a zero-trust security perspective, increased VPN usage and remote work have complicated identity verification and threat detection.
Then in 2021, Apple released iCloud Private Relay. In the following months, IPinfo noticed a significant uptick in Apple Private Relay (APR) adoption, as represented by the graph below.
We’ve also released some research on masked IPs, including the most commonly used VPNs. Read more here.
Suffice it to say, VPNs, proxies, Tor usage, and other masked IPs have complicated identity verification not just for cybersecurity organizations but also for advertising agencies, financial institutions, and more.
IPinfo’s VPN detection data is currently being used by many of these organizations to pinpoint fraudulent IPs within website traffic. Using IPinfo’s Privacy Detection data, Adcash developed a proprietary solution to separate human activities from non-human entities to eliminate fraud.
There are just a few other providers that actually serve VPN detection data, but those are completely incorrect based on what I tested and compared. It’s just not true what they’re offering. We tested MaxMind - another data source - but only IPinfo actually had accurate data. - Yonko Tsonev, Head of IT at Adcash
Within organizations, VPNs provide encrypted tunnels into the network, making them well suited to remote work. However, relying primarily on VPN-protected devices or inline web filtering lets users reach network segments and subnets without any further filtering inside the network. All in all, VPNs can lead to a more permissive security architecture.
VPNs can also introduce more unnecessary threats to organizations. Over the years, there have been many VPN breaches, including Pulse Secure, SuperVPN, Gecko VPN, and Chat VPN in 2021. Plus, back in 2018, NordVPN - a trustworthy VPN - experienced a breach where their servers and private key were exposed and open to decryption.
Almost every single fraud method involves some form of VPN. It’s a crucial parameter to detect when someone is about to commit a crime. - Marcin Zubrycki, Senior Product Manager of Fraud Intelligence Team, Nethone
If VPNs are a necessary part of your corporate cybersecurity architecture, Privacy Detection data and IP Geolocation can help organizations detect patterns and build context for risk analysis within a zero-trust architecture.
But for companies that don’t use organizational VPNs, IPinfo’s datasets help detect potential threats and malicious actors.
Additionally, our geo-aware feature within the Privacy Detection dataset allows users to gather further context for APR (Apple Private Relay) users.
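As an added illustration (not IPinfo's code or API), the following Python combines the two signals this page describes, geolocation and privacy detection, into a single zero-trust login decision: anonymising networks are denied; masked or datacenter IPs, a new country, and impossible travel between two logins trigger step-up authentication; and an Apple Private Relay login from a country the user normally logs in from is allowed. The lookup records are constructed, and their field names (country, loc, privacy.vpn/proxy/tor/relay/hosting) are assumptions about the record shape.

```python
import math
from datetime import datetime

# Constructed lookup table standing in for a geolocation + privacy-detection query.
# The record shape (country, loc as "lat,lon", privacy.vpn/proxy/tor/relay/hosting)
# is this example's assumption; map your provider's real response fields onto it.
LOOKUPS = {
    "203.0.113.7":  {"country": "US", "loc": "30.2672,-97.7431",
                     "privacy": {"vpn": False, "proxy": False, "tor": False, "relay": False, "hosting": False}},
    "198.51.100.9": {"country": "DE", "loc": "50.1109,8.6821",
                     "privacy": {"vpn": True, "proxy": False, "tor": False, "relay": False, "hosting": True}},
    "192.0.2.44":   {"country": "US", "loc": "30.2672,-97.7431",
                     "privacy": {"vpn": False, "proxy": False, "tor": False, "relay": True, "hosting": False}},
    "192.0.2.99":   {"country": "NL", "loc": "52.3676,4.9041",
                     "privacy": {"vpn": False, "proxy": False, "tor": True, "relay": False, "hosting": False}},
}

MAX_PLAUSIBLE_KMH = 900.0  # faster than this between two logins counts as impossible travel


def km_between(loc_a, loc_b):
    """Great-circle (haversine) distance in km between two "lat,lon" strings."""
    la1, lo1 = (math.radians(float(v)) for v in loc_a.split(","))
    la2, lo2 = (math.radians(float(v)) for v in loc_b.split(","))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def evaluate_login(ip, when_iso, baseline_countries, last_login=None):
    """Return ('allow' | 'step_up' | 'deny', reasons) for one login. when_iso is an ISO-8601
    timestamp; last_login is an optional (ip, iso_timestamp) of the user's previous login."""
    rec = LOOKUPS.get(ip)
    if rec is None:
        return "step_up", ["no IP context available"]  # unknown is never implicitly trusted
    p, reasons = rec["privacy"], []
    if p["tor"] or p["proxy"]:
        return "deny", ["anonymising network (tor/proxy)"]
    if p["vpn"] or p["hosting"]:
        reasons.append("masked or datacenter IP")
    if rec["country"] not in baseline_countries:
        reasons.append(f"new country {rec['country']}")
    if last_login is not None and last_login[0] in LOOKUPS:
        hours = (datetime.fromisoformat(when_iso) - datetime.fromisoformat(last_login[1])).total_seconds() / 3600
        dist = km_between(LOOKUPS[last_login[0]]["loc"], rec["loc"])
        if hours > 0 and dist / hours > MAX_PLAUSIBLE_KMH:
            reasons.append(f"impossible travel: {dist:.0f} km in {hours:.1f} h")
    # A relay such as Apple Private Relay hides the exact location but not the country,
    # so a relay login from a baseline country adds no reason and is allowed.
    return ("step_up" if reasons else "allow"), reasons
```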
Accurate insights for reliable zero-trust use cases
IPinfo supports zero-trust security by prioritizing accurate IP address data. Since IP data changes constantly, we update our database every 24 hours. The result is IP address data that is reliable enough to support zero-trust security, fraud prevention, and more.
Discover how IPinfo can help support cybersecurity organizations! Connect with a data expert today.