Attack Maps and Cybersecurity: More Than Meets the Eye
What is location? In the real world, it’s where your two feet are. On the Internet, location means your IP address for the most part. Certain behaviors, aside from IP, can reveal your location online. Logging into a website or signing into your browser can reveal your location if your location data is known.
IP address is the most straightforward way to indicate location on the Internet. Internet Service Providers (ISPs) assign public IP addresses, and change them on a periodic basis. This post will briefly cover how IP addresses work, how IPs can reveal location, and why IP addresses are not always reliable indicators of physical location.
How IP Addresses Work
The IP addresses that route on the Internet are called public IP addresses. They are assigned by your Internet Service Provider. If a person is browsing the Internet, they likely have either a dynamic or static IP address that falls within a certain range from their ISP. Websites typically have static IP addresses that do not change.
An IPv6 packet is visualized above. The Source Address field contains the IP address the packet is being sent from.
Attack Visualization Maps
People like moving, interesting graphics and maps. Reading lines of text and mountains of background insight is not very exciting. That is where the attack visualization maps come in.
Different companies have produced these visualizations. The exact method of determining the location is not going to be discussed. These maps certainly catch attention and are helpful to visualize attacks happening around the world.
Reasons Why Locations Might Be Uncertain
We will cover several ways locations can be hidden, either for innocuous or nefarious purposes. Other ways location data might be questionable will also be touched on.
Virtual Private Networks (VPN)
A VPN is used for security and privacy reasons around the world. The VPN puts your traffic onto another network and encrypts information sent. This new network has a different IP address. If a VPN is used to launch attacks, the IP address and related location are not reliable.
A proxy also changes your IP address. A proxy server takes traffic from an IP and runs it through a filter. Schools and companies often use proxy servers to block inappropriate content. There could be other uses for proxies that facilitate malicious attacks. The infamous Tor browser was designed to give users more privacy when they browse the Internet. The concept behind Tor utilizes proxies.
IP Address Spoofing
IP Address Spoofing is a technique where an IP address in a packet being sent is changed. As opposed to simply having a different IP than your location, the new IP is specifically. The reason a person would spoof an IP is to fool a system that filters IP addresses or uses blacklists to check IPs. Spoofing is often used in DDoS attacks to conceal the source and make defense more difficult.
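The Source Address field and the IP filtering described above, as an added example that is not part of the original post: a Python sketch that decodes the fixed IPv6 header and applies a basic sanity check a filtering system might run on the source. The function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40  # size of the fixed IPv6 header (RFC 8200)


def parse_ipv6_header(packet: bytes) -> dict:
    """Decode the 40-byte fixed IPv6 header at the start of a raw packet."""
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version={version})")
    return {
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        # Bytes 8-23 are whatever the sender wrote; the header carries no proof of them.
        "source": ipaddress.IPv6Address(packet[8:24]),
        "destination": ipaddress.IPv6Address(packet[24:40]),
    }


def source_is_plausible(source: ipaddress.IPv6Address) -> bool:
    """Reject sources that cannot be a public unicast host (not proof of origin)."""
    return source.is_global and not source.is_multicast


def build_sample_header(src: str, dst: str) -> bytes:
    """Construct a demo header: version 6, no payload, next header 59 (none)."""
    first_word = 6 << 28
    return (struct.pack("!IHBB", first_word, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


# Constructed samples: a public address and a unique-local (fc00::/7) address.
SAMPLES = [
    build_sample_header("2001:4860:4860::8888", "2606:4700:4700::1111"),
    build_sample_header("fd12:3456:789a::1", "2606:4700:4700::1111"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        src = parse_ipv6_header(raw)["source"]
        print(src, "plausible" if source_is_plausible(src) else "reject")
```

A source that passes this check is only syntactically believable; geolocating it still tells you where the address is registered, not where the sender is.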
As we have covered, your public IP address is tied to the ISP you are using to access information. A low-tech method of disguising the location of your activities is to hop in the car and visit a coffee shop a few hours away. Or take a plane flight to really throw the map off.
Although this is not a method for a person to hide the location, this technique also results in location data being questionable. If a device falls victim to a botnet, its IP does as well. A device's location does not provide evidence the attack is originating from that location. It simply means the IP that the hacked device is using is part of a botnet.
Better Ways to Understand Attacks
Attack maps give a quantitative view of where attackers might be coming from; however, they may not represent the true location of cyber-attacks. To get a better understanding of threats to your organization, it is recommended to focus on developing a Cyber Intelligence capability or partner with a trusted provider that can deliver Cyber Intelligence Services.