Network Defense is Hard
Being a network defender is a difficult job. Quality IP reputation feeds cost a lot of money, so it is tempting to take a shortcut and apply publicly available block lists to your firewalls to simplify your life. While this works for some, it is not the best strategy for every business, especially those that cannot afford a false positive. Aggressive blocking might work for some, but a simple list of IP addresses lacks the context needed for granular, accurate blocking. Unfortunately, there are no shortcuts when you are a defender.
Context is Everything
Before diving into the meat of the article, I want to talk a bit about Spur's data. People tend to refer to us as the VPN or proxy company, or our data gets conflated with threat intelligence. VPNs and proxies are definitely one major component of what we offer, but more simply put: we offer contextual information. We make no direct claims about something being good or bad. We just want to help others put what they see into perspective. For some, our precision geo information provides a lens into geo-fraud. For others, our IP behaviors help label the OPSEC profile of APT actors. Our data is meant to augment what you already see so you and your team can make the most informed decisions possible.
Context in Reputation Feeds
Most IP reputation and "threat intelligence" products categorize an entire IP address by the narrow slice of activity the product observes on the internet. This does not mean the product is wrong, but it does mean it can miss the bigger picture.
For instance, two IP addresses attempt to exploit a CVE against a honeypot controlled by a researcher. Both addresses are labeled as performing this activity. One of them belongs to a Comcast subscriber with a limited number of devices behind it. The other belongs to a Motel 6 in Hollins, VA with an estimated 25 devices. Without additional context, blocking both addresses may be overly aggressive. If a single individual launched the exploit attempt from each IP, it is likely that all activity coming from the Comcast subscriber is suspect, but there are 24 potentially benign devices behind the Motel 6 address.
Without knowing more about the IP address, you may be tempted to block it based on the activity alone. But how long is that block good for? Should you keep blocking the same IP for a day, a week, or a month? Is the address just a proxy or VPN exit being leveraged by a bad actor? Is it a public network? Separately, is the activity the result of a compromised router that will remain malicious regardless of how many users sit behind it? There are a lot of questions to answer before you can make an informed decision.
CINS Army List
The example above is actually a real example from the CINS Army List. The details I am going to dive into are specific to the 8/25 CINS feed; however, we had similar results with a half dozen other free reputation lists. All of these lists serve a purpose and can provide some detail when an organization cannot afford more. We are just going to highlight some potential pitfalls in relying on these types of lists.
If you take a look at the SSID table, you can see several public WiFi networks whose names include the term "hotel". Additionally, there are a lot of devices on those networks. Depending on how you use the list, you could block real customers, clients, or employees.
Further analysis shows that 14% of the IPs in this list belong to mobile network providers. Since reputation lists are gathered with a narrow view of the activity these IPs perform, it is hard to tell what percentage of the traffic is malicious versus legitimate. With hundreds of users behind a mobile gateway, the malicious share of the traffic is likely small.
Less notable, but many commercial VPN services are also included. Previously, one of our partners, GreyNoise, noticed malicious activity from Mullvad VPN. Such services allow anyone with bitcoin to use their infrastructure without logging, so it is hard to tell which traffic is legitimate. Simply blocking all VPN exit points is a common use case we encounter among our own customers.
AWM_PROXY being the top residential proxy detected in the feed also makes sense. As noted by Krebs, AWM sources its proxy IPs from the TDSS botnet. These addresses could be listed because they are infected with TDSS or because of the activity AWM's proxy customers are performing. Without more information from the reputation provider, it is hard to tell why an IP was included.
Free and available block lists can definitely serve a purpose. However, adding context helps you see the bigger picture and make a more informed decision. A few final notes:
- At best, blocking mobile IPs will be effective for a short window of time. At worst, it could affect other unrelated users/activity.
- A single user on a busy gateway could negatively impact the reputation for all users.
- If you are blocking an individual VPN IP, should you block every exit point from that provider? Since the provider allowed the malicious activity, the actor can simply switch exit points and continue.
- Context for one customer is not the same as for the next. Some businesses may wish to let their customers connect from a VPN where others may not. An IP block list without that context cannot support informed blocking decisions.
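The questions raised earlier (how long a block stays valid, whether the address is a VPN exit, a shared gateway, or a compromised host) and the final notes above amount to a small decision policy. The following is an added example, written for this page and not Spur's code or API, that applies such a policy to a raw feed. The context records, the feed entries, the field names (network_type, device_count, provider, infected_host) and the TTL values are all constructed assumptions; in practice the context would come from an enrichment source and the thresholds from your own risk tolerance.

```python
"""Context-aware triage of a raw IP block list.

Added example, not Spur's code or API. All feed entries, context records
and thresholds below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class IpContext:
    """Assumed enrichment record for one address (hypothetical fields)."""
    ip: str
    network_type: str              # residential | public_wifi | mobile | vpn | residential_proxy
    device_count: int              # estimated devices sharing the address
    provider: Optional[str] = None  # VPN / proxy service name, if any
    infected_host: bool = False     # e.g. a router known to be botnet-infected


@dataclass(frozen=True)
class Decision:
    ip: str
    action: str      # block | block_provider | alert
    ttl_hours: int   # how long a block should stay valid; 0 when not applicable
    reason: str


@dataclass(frozen=True)
class Policy:
    """Per-customer knobs; the article notes these differ between businesses."""
    allow_vpn_customers: bool = False  # alert instead of blocking VPN exits
    max_shared_devices: int = 5        # above this, one actor no longer condemns the address
    mobile_ttl_hours: int = 4          # mobile gateways churn users quickly
    residential_ttl_hours: int = 72    # a lone subscriber keeps an address longer


def triage(feed_ips: List[str], contexts: Dict[str, IpContext], policy: Policy) -> List[Decision]:
    """Turn raw feed entries into block/alert decisions using the context records."""
    decisions: List[Decision] = []
    for ip in feed_ips:
        ctx = contexts.get(ip)
        if ctx is None:
            # No context at all: the feed alone is not enough to justify a block.
            decisions.append(Decision(ip, "alert", 0, "no context available; review before blocking"))
        elif ctx.infected_host:
            # A compromised router is malicious regardless of how many users sit behind it.
            decisions.append(Decision(ip, "block", policy.residential_ttl_hours,
                                      "host itself is compromised; block regardless of user count"))
        elif ctx.network_type == "mobile":
            # Effective only briefly; a long block mostly hits unrelated subscribers.
            decisions.append(Decision(ip, "block", policy.mobile_ttl_hours,
                                      "mobile gateway; address churns quickly, block only briefly"))
        elif ctx.network_type == "vpn":
            if policy.allow_vpn_customers:
                decisions.append(Decision(ip, "alert", 0, "VPN exit permitted by policy; alert only"))
            else:
                # Blocking one exit is pointless when the actor can switch to another.
                decisions.append(Decision(ip, "block_provider", 0,
                                          f"block all exit points of {ctx.provider}; actor can rotate exits"))
        elif ctx.network_type == "residential_proxy":
            # Could be the infected host or a proxy customer; the feed cannot tell us which.
            decisions.append(Decision(ip, "alert", 0,
                                      f"{ctx.provider} residential proxy; infection vs. customer activity unknown"))
        elif ctx.device_count > policy.max_shared_devices:
            # Hotel / public WiFi case: one bad actor among many benign devices.
            decisions.append(Decision(ip, "alert", 0,
                                      f"{ctx.device_count} devices share this address; a block would hit bystanders"))
        else:
            # Few devices: the flagged activity is attributable to the subscriber.
            decisions.append(Decision(ip, "block", policy.residential_ttl_hours,
                                      "few devices; activity attributable to the subscriber"))
    return decisions


# Constructed sample data (RFC 5737 documentation ranges, not real hosts).
SAMPLE_CONTEXT: Dict[str, IpContext] = {c.ip: c for c in [
    IpContext("192.0.2.10", "residential", 3),                          # lone cable subscriber
    IpContext("198.51.100.20", "public_wifi", 25),                      # hotel guest network
    IpContext("203.0.113.30", "mobile", 400),                           # carrier gateway
    IpContext("198.51.100.40", "vpn", 60, provider="ExampleVPN"),       # commercial VPN exit
    IpContext("203.0.113.50", "residential_proxy", 4, provider="ExampleProxy"),
    IpContext("192.0.2.60", "residential", 20, infected_host=True),     # infected router
]}
FEED: List[str] = list(SAMPLE_CONTEXT) + ["192.0.2.99"]  # last entry has no context


def demo() -> List[Decision]:
    """Run the sample feed through the default policy."""
    return triage(FEED, SAMPLE_CONTEXT, Policy())


if __name__ == "__main__":
    for d in demo():
        print(f"{d.ip:<16} {d.action:<15} ttl={d.ttl_hours:<3} {d.reason}")
```

Only the address with few devices and the known-infected host get a full-length block; the hotel, proxy and unknown entries become alerts for a human to review, and the mobile gateway gets a block that expires within hours. Flipping allow_vpn_customers turns the VPN decision from blocking the whole provider into an alert, which is the per-customer difference the final notes describe.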
If you are a ThreatConnect subscriber, be sure to check out Spur's Context API integration so that you can add this level of detail to all of the threat indicators you ingest. Stay tuned for support from Anomali's ThreatStream as well!
If you are a threat intelligence company and want to add our context to your feeds, contact us here.