Yes, IP geolocation can help your company do more than direct users to localized content, to their local site, or to a version in their native language. All of these are important, but its usefulness goes further.
An IP geolocator can also serve important cybersecurity needs by:
- Identifying IP addresses from which attacks are originating
- Identifying users employing VPNs (Virtual Private Networks), Tor (an anonymizing network) and proxies
Let’s dig into this further to explore how IP geolocation can help with cybersecurity.
Using an IP geolocation API
Such an API attributes a physical location to a visitor by looking up their IP address. Whether the addresses are IPv4 or IPv6, address blocks are allocated to ISPs (Internet Service Providers) and other organizations, and the records of those allocations are one of the sources a geolocation database draws on to place any internet user geographically.
This data can be relatively general (continent, country, region) or quite specific (city, ZIP code or postal code, latitude/longitude). Granted, the data may not be wholly accurate, but it is frequently accurate enough for many use cases.
For example, in e-commerce, you want to know that the person placing the order is the registered cardholder. Using IP address data, you can determine the city of the order's source IP address and compare it with the city of the registered cardholder. Yes, the cardholder may be travelling or on holiday, but a mismatch could also indicate a stolen credit card or identity theft.
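The cardholder check described above, written out as an added example (not code from the original article or from any geolocation vendor). The `GeoResult` fields, the `GEO_TABLE` lookup standing in for a live API call, and the risk weights are all assumptions made for this example; the one design point worth noting is that a city mismatch alone only flags the order for review, since the cardholder may simply be travelling, while a detected anonymizer is enough to deny it outright.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Constructed stand-in for a geolocation API response. The field names are
# assumptions for this example, not any vendor's real schema.
@dataclass(frozen=True)
class GeoResult:
    ip: str
    country: str               # ISO 3166-1 alpha-2 code
    city: Optional[str]        # None when the record only resolves to country level
    anonymizer: Optional[str]  # "vpn", "tor", "proxy" or None


# Constructed lookup table (documentation-range addresses) standing in for the
# network call a real IP geolocation API would make.
GEO_TABLE = {
    "203.0.113.10": GeoResult("203.0.113.10", "GB", "Manchester", None),
    "198.51.100.7": GeoResult("198.51.100.7", "US", "Denver", None),
    "192.0.2.44": GeoResult("192.0.2.44", "NL", None, "vpn"),
}


def geolocate(ip: str) -> Optional[GeoResult]:
    """Look up an address; returns None when the database has no record."""
    return GEO_TABLE.get(ip)


# Risk weights (assumed for this example): an anonymizer alone reaches the deny
# threshold; a country or city mismatch alone only sends the order to review.
WEIGHTS = {"anonymizer": 3, "country": 2, "city": 1, "nodata": 1}
DENY_AT, REVIEW_AT = 3, 1


def order_risk(ip: str, card_country: str, card_city: str) -> Tuple[str, List[str]]:
    """Compare the order's source IP with the registered cardholder's address.

    Returns (decision, reasons) where decision is 'allow', 'review' or 'deny'.
    """
    reasons: List[str] = []
    score = 0
    geo = geolocate(ip)
    if geo is None:
        score += WEIGHTS["nodata"]
        reasons.append("no geolocation data")
    else:
        if geo.anonymizer:
            score += WEIGHTS["anonymizer"]
            reasons.append(f"anonymizer detected: {geo.anonymizer}")
        if geo.country.upper() != card_country.upper():
            score += WEIGHTS["country"]
            reasons.append(f"country mismatch: ip={geo.country} card={card_country}")
        elif geo.city and geo.city.lower() != card_city.lower():
            # Only compare cities when the countries agree and the database
            # actually resolved a city; a country-level record is not a mismatch.
            score += WEIGHTS["city"]
            reasons.append(f"city mismatch: ip={geo.city} card={card_city}")
    if score >= DENY_AT:
        return "deny", reasons
    if score >= REVIEW_AT:
        return "review", reasons
    return "allow", reasons


if __name__ == "__main__":
    for args in [("203.0.113.10", "GB", "Manchester"),
                 ("203.0.113.10", "GB", "London"),
                 ("198.51.100.7", "GB", "London"),
                 ("192.0.2.44", "NL", "Amsterdam")]:
        print(args, "->", order_risk(*args))
```

In production the `reasons` list is what a fraud analyst sees on a review queue, so it is worth keeping the strings stable and specific rather than collapsing everything into a single score.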
Defending against DDoS
DDoS (Distributed Denial of Service) attacks, more likely to be aimed at larger companies, are sheer-volume attacks intended to paralyze servers rather than compromise them. Typically an attacker compromises a massive number of machines and uses them as a coordinated system (a botnet) to send an ongoing stream of GET or POST requests to the target's servers. The sheer number of requests leaves the server incapable of doing anything else.
IP geolocation services can help identify the IP addresses an attack is originating from. Your cybersecurity team can then 'black hole' all connection requests from those addresses, so the server never answers their GET or POST requests, which helps keep it online. That leaves the team free to focus on keeping your company's servers reachable and your business operational.
This IP address data can also be taken back to the relevant ISP(s), who can be asked to block the attacks at the source.
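The detection and black-holing step described in this section, as an added example that is not code from the original article: it parses web-server access log lines in the common Apache/nginx format, finds sources whose request rate inside a sliding window exceeds a threshold, and renders one Linux null-route command per offending address. The log lines, addresses, window and threshold are constructed for the example; the commands are returned as strings for an operator to review, not executed, and the geolocation or ISP lookup that would follow is out of scope here.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Matches the start of an Apache/nginx "combined" style access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)


def parse_line(line: str) -> Optional[Tuple[str, datetime, str]]:
    """Return (source_ip, timestamp, method) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method")


def find_flooders(lines: Iterable[str], window: timedelta = timedelta(seconds=10),
                  threshold: int = 50) -> Dict[str, int]:
    """Return {ip: peak_requests_in_window} for every source whose request
    count inside any sliding window of `window` length exceeds `threshold`."""
    stamps_by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            stamps_by_ip[parsed[0]].append(parsed[1])
    flooders: Dict[str, int] = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        left = 0
        for right, t in enumerate(stamps):
            # Advance the left edge until every request between left and right
            # falls within `window` of the current request.
            while t - stamps[left] > window:
                left += 1
            count = right - left + 1
            if count > threshold:
                flooders[ip] = max(flooders.get(ip, 0), count)
    return flooders


def blackhole_rules(flooders: Dict[str, int]) -> List[str]:
    """Render one iproute2 null-route command per flooding source, as a host
    route (/32 for IPv4, /128 for IPv6). Returned for review, never executed."""
    rules = []
    for ip in sorted(flooders):
        prefix = 32 if ipaddress.ip_address(ip).version == 4 else 128
        rules.append(f"ip route add blackhole {ip}/{prefix}")
    return rules


def _fmt(ip: str, t: datetime, method: str, path: str) -> str:
    """Format one constructed access log line."""
    ts = t.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512'


def constructed_log() -> List[str]:
    """Constructed sample: five legitimate requests over a minute from one
    client, plus 120 requests in under eight seconds from another."""
    base = datetime(2021, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = [_fmt("203.0.113.10", base + timedelta(seconds=10 * i), "GET", "/index.html")
             for i in range(5)]
    lines += [_fmt("198.51.100.23", base + timedelta(milliseconds=66 * i), "GET", "/")
              for i in range(120)]
    return lines


if __name__ == "__main__":
    found = find_flooders(constructed_log())
    print(found)
    for rule in blackhole_rules(found):
        print(rule)
```

Two practical caveats: a real botnet spreads its requests across thousands of addresses, so a per-address threshold catches only the noisiest sources, and a null route on the web server itself still leaves the upstream link saturated, which is why the article's next step of taking the list to the ISP matters.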
Effective responses to both threats described above depend on being able to identify the source IP address accurately. However, that data can be obfuscated. A VPN, for example, while it has legitimate uses, can also be used to present a different IP address to the server. IP geolocation would then see the VPN's address rather than the real one, and the threat could escape detection.
IP geolocation vendors have responded with the capability to detect VPNs, Tor, proxies and more. If one of these is detected, the connection request or purchase can be treated as high risk and automatically blocked.
Some IP geolocation vendors also maintain blacklists of known malicious IP addresses in their geolocation databases. A visitor's address and its geolocation data, such as city and latitude/longitude, can be looked up in real time and compared against those known threats. So even if a threat isn't detected directly, the comparison can still produce a match.
Corporations can have a huge cultural presence, which can make them a target. If they depend on public-facing servers for their business, those servers present a huge 'attack surface': all the company systems that cybercriminals can discover and reach. Threat intelligence capabilities will play a huge part in defending your business.
A case in point: in early 2021, a security vulnerability was found in Microsoft Exchange, the back-end system that holds email and calendar data and serves it to front-end clients such as Outlook. Anyone using those systems for email and calendars was therefore at risk.
Sure enough, when the attack was discovered, illegitimate access to data was found to have been taking place for months. Then, as more hackers learned of the vulnerability, the technique spread like a meme and became a massive cybercrime bandwagon.
The original attack has been attributed to the Chinese. Worse, the attacks weren't aimed specifically at critical infrastructure, government or the military-industrial complex. Instead, they were sweeping in nature, hitting small businesses as well. The cybersecurity advisor Kiersten Todt considers the Chinese to simply be hoovering up all the data they can, for reasons as yet not understood. This means there is no level at which it's safe to assume you're safe by virtue of being small.
One way to help defend against threat actors is to filter IP addresses. For example, you could use IP geolocation data to determine a visitor's location; if it falls outside the countries in which your company operates, the connection can simply be blocked. Consider also a policy that remote workers must use the company-approved VPN to connect to company services: if no VPN, or the wrong VPN, is detected, the connection is blocked.
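The two filtering policies just described (a country allowlist for public services, and a corporate-VPN requirement for remote-worker services) combined into one decision function, as an added example that is not code from the original article. The allowed countries, the corporate VPN egress range, the `service` names and the `GEO_TABLE` stand-in for a vendor lookup are all assumptions constructed for this example. The check worth noticing is the order of evaluation: the company's own VPN exit addresses are matched first, because a vendor's anonymizer flag will often mark them as a VPN too, and evaluating that flag first would lock out legitimate staff.

```python
import ipaddress
from typing import Optional, Tuple

# Policy inputs, constructed for this example.
ALLOWED_COUNTRIES = {"GB", "IE"}  # countries the company operates in
CORPORATE_VPN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed egress range

# Constructed stand-in for a geolocation API that also flags anonymizers:
# ip -> (country, anonymizer), where anonymizer is "vpn", "tor", "proxy" or None.
GEO_TABLE = {
    "203.0.113.10": ("GB", None),
    "192.0.2.200": ("US", None),
    "192.0.2.44": ("NL", "vpn"),
    "198.51.100.20": ("GB", "vpn"),  # the company's own egress, flagged as a VPN by the vendor
}


def geolocate(ip: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (country, anonymizer) or None when there is no record."""
    return GEO_TABLE.get(ip)


def is_corporate_vpn(ip: str) -> bool:
    """True when the address sits inside a known corporate VPN egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_VPN_EGRESS)


def evaluate(ip: str, service: str) -> Tuple[str, str]:
    """Decide whether a connection is allowed and say why.

    `service` is 'internal' (remote-worker services that require the corporate
    VPN) or 'public' (customer-facing services subject to the country filter).
    """
    # Corporate egress first: the vendor's anonymizer flag on the company's own
    # VPN exit would otherwise deny legitimate staff.
    if is_corporate_vpn(ip):
        return "allow", "corporate VPN egress"
    if service == "internal":
        return "deny", "internal service reached without the corporate VPN"
    geo = geolocate(ip)
    if geo is None:
        # Fail closed on the public geofence; loosen to 'review' if that is too strict.
        return "deny", "no geolocation record"
    country, anonymizer = geo
    if anonymizer:
        return "deny", f"non-corporate anonymizer detected: {anonymizer}"
    if country not in ALLOWED_COUNTRIES:
        return "deny", f"country {country} outside operating region"
    return "allow", f"country {country} permitted"


if __name__ == "__main__":
    for ip, service in [("198.51.100.20", "internal"), ("203.0.113.10", "internal"),
                        ("203.0.113.10", "public"), ("192.0.2.44", "public"),
                        ("192.0.2.200", "public")]:
        print(ip, service, "->", evaluate(ip, service))
```

Log the reason string alongside every deny: a sudden run of "country X outside operating region" decisions from a single address range is itself a useful signal for the security team, and a run of denials for a known customer region is how you find out the geolocation database has drifted.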
Of course, there are no magic bullets to prevent cyber attacks. However, this article sets out some of the measures that can be taken to minimize the threats your company might face.
The best approach is to be prepared. IP geolocation has a role to play in defending against cybersecurity threats, but it should be treated as one part of a suite of security systems, processes and staffing. You're going to need cybersecurity professionals. You're going to need a rigorous process for updating software so that, as vendors patch security vulnerabilities, your company applies those patches promptly to minimize risk.
And train staff. Phishing, where people click on suspicious links, still takes place. Make sure that all staff receive training on the processes required of them to mitigate cybersecurity threats.