Every organization faces two kinds of cyber threats daily—“known” and “unknown” ones. Known threats are those that security experts have discovered, often published in blogs and major news outfits with accompanying indicators of compromise (IoCs). Unknown threats, meanwhile, are those that remain hidden to victims and researchers. IoCs for these have yet to be identified and disclosed.
One way to detect unknown threats is to use known IoCs as a starting point, a process known as blacklist enrichment. Enterprises may find it useful to dig deeper into their existing blacklists to uncover an attacker's wider digital footprint, using a harmful or downright malicious IP address as the input. This post shows how to do that with the aid of a reverse IP/DNS database.
To illustrate, we obtained a list of the 20 most recent malicious IP address additions (as of 30 September 2020) to the AbuseIPDB database, which include:
IP Address | Number of Citations for Malicious Activity |
---|---|
158[.]69[.]110[.]31 | 8,870 |
141[.]98[.]9[.]165 | 3,038 |
222[.]186[.]30[.]112 | 3,036 |
91[.]204[.]248[.]42 | 2,311 |
106[.]12[.]92[.]246 | 2,264 |
180[.]76[.]186[.]109 | 1,253 |
147[.]135[.]135[.]111 | 1,133 |
171[.]34[.]78[.]119 | 467 |
116[.]233[.]19[.]80 | 454 |
106[.]13[.]177[.]53 | 444 |
209[.]97[.]166[.]234 | 139 |
119[.]28[.]223[.]229 | 48 |
59[.]42[.]39[.]125 | 27 |
113[.]173[.]192[.]117 | 2 |
123[.]27[.]89[.]50 | 2 |
180[.]120[.]211[.]191 | 2 |
206[.]189[.]72[.]161 | 2 |
141[.]98[.]9[.]166 | 1 |
156[.]199[.]196[.]137 | 1 |
222[.]138[.]49[.]79 | 1 |
Initial analysis of the IP addresses cited for violations revealed the following:
The top three reasons for malicious citations were hacking (18 IP addresses), File Transfer Protocol (FTP) brute force (17 IP addresses), and brute force (16 IP addresses).
While IP-level blocking could protect organizations from the threats that a malicious IP address such as 209[.]97[.]166[.]234 can bring, it may not be sufficient or optimal. An alternative or complementary approach is to seek out and block the domains or subdomains connected to malicious IP addresses, though only after confirming that they are indeed harmful.
Our reverse IP/DNS database, for instance, showed that 209[.]97[.]166[.]234 resolved to the following domains and subdomains at some point in time:
Users can check these entities using a threat intelligence platform or publicly available threat databases to see if any related domains or subdomains may require blacklisting. From the list above, for example, we found that appleidmanage[.]ddns[.]net was dubbed malicious on VirusTotal.
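As an added example (not code from the post or from WhoisXML API), the following Python sketch pivots from a defanged blocklist in the table format above to the hostnames in a constructed passive-DNS snapshot, then separates hostnames with a malicious verdict from those that still need analyst review. All hostnames other than appleidmanage.ddns.net, and all verdicts, are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed input in the page's defanged table format (only a few of the 20 rows).
BLOCKLIST_TABLE = """IP Address | Number of Citations for Malicious Activity |
---|---|
158[.]69[.]110[.]31 | 8,870 |
209[.]97[.]166[.]234 | 139 |
141[.]98[.]9[.]166 | 1 |"""

# Hypothetical reverse-IP/passive-DNS snapshot as (ip, hostname) pairs. The ddns.net
# hostname is the one named in the post; the others are placeholders.
PDNS_RECORDS = [
    ("209.97.166.234", "appleidmanage.ddns.net"),
    ("209.97.166.234", "shared-host.example-hosting.invalid"),
    ("158.69.110.31", "mail.example.invalid"),
]

# Constructed verdicts standing in for a threat-intelligence lookup such as VirusTotal.
TI_VERDICTS = {"appleidmanage.ddns.net": "malicious"}

def parse_blocklist(table: str) -> dict:
    """Map each valid IP in the table to its citation count, skipping header rows."""
    rows = {}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2:
            continue
        try:  # refang 1[.]2[.]3[.]4 and validate it before it is used as a pivot
            ip = str(ipaddress.ip_address(cells[0].replace("[.]", ".")))
        except ValueError:
            continue  # header, separator or malformed row
        rows[ip] = int(cells[1].replace(",", ""))
    return rows

def reverse_ip_index(records) -> dict:
    """Group passive-DNS hostnames by IP so each blocked address can be pivoted."""
    index = defaultdict(list)
    for ip, host in records:
        index[ip].append(host)
    return index

def expand_blocklist(blocklist: dict, index: dict, verdicts: dict):
    """Pivot blocked IPs to hostnames: malicious verdicts are confirmed, the rest
    (possibly unrelated sites on a shared IP) are queued for analyst review."""
    confirmed, review = set(), set()
    for ip in blocklist:
        for host in index.get(ip, []):
            (confirmed if verdicts.get(host) == "malicious" else review).add(host)
    return sorted(confirmed), sorted(review)
```

Hostnames in the review list are not blocked automatically: a shared hosting IP can front many unrelated sites, which is why the post insists on confirming each one first.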
Organizations that rely only on known IoCs, blocking access to and from them, might miss an opportunity to bolster their cybersecurity. Subjecting malicious IP addresses to further checks against a reverse IP/DNS database makes it possible to identify dangerous properties that may represent as yet unknown threats.