Guest Column | September 26, 2022

From Prevention To Forensics: What MSSPs Need To Know About IP Address Intelligence Data's Role In Cybersecurity

By Jonathan Tomek, Digital Element

Ransomware Security

The number of corporate cyber breaches continues to climb. As I write this, cyber breaches are up 14% over this time last year. Ransomware attacks, meanwhile, are growing at even a faster clip, up 71%. Given that the average ransomware payout is $1 million, we see the impact such crimes have on the health of a company, and the urgency to stop them.

Breaking into corporate systems to steal PII data is big business. Fraudsters can use that data to commit any number of identity fraud crimes, from applying for credit cards and bank loans in the victim’s name to exploiting existing accounts. Identity fraud is a $56 billion business, according to the Federal Trade Commission (FTC). And that, in turn, means that fraudsters are highly motivated to try, test, and iterate new tactics to get access to that goldmine.

Your clients rely on you to protect their customers’ data and their brand reputation. IP address intelligence data is an important tool in the arsenal of every managed security service provider (MSSP) as it provides critical context to identify and mitigate anomalies in traffic, gain insights about the users who attempt to breach or succeed in breaching a network and set smart proactive rules to protect your clients.

What Is IP Address Intelligence Data?
Behind every IP address is a set of data characteristics that is invaluable in the fight against cybercrime. IP address intelligence obviously includes IP address information, but it goes way beyond what is traditionally offered to the security community, which is geolocation, device type, historical knowledge, and so on. IP address intelligence data also includes home vs. business usage, VPN/proxy data, IP address activity level, IP address stability in weeks, VPN, features, and the number of MAIDs connected to an IP address, among other things.

This IP address intelligence allows MSSPs to identify proxied traffic, as well as glean rich insights and behavioral data for traffic and threat analysis, enabling you to understand where attacks originate and what nefarious traffic looks like. It also provides rich context around data exfiltration from an insider threat. And it can be used to track proxy type and usage which enabled a successful credential stuffing attack.

What’s more, you can use this insight to set rules and alerts for traffic that meet specific criteria, as well as establish best practices going forward, which we’ll get to in a bit.

Distinguish Between Residential Or Commercial Connections

Distinguishing between a residential or commercial connection helps security MSSPs distinguish between legitimate and potentially nefarious traffic.

Residential IP addresses look more legitimate when they log into systems or visit websites. If a residential IP address attempts to visit a website from a hosting or commercial provider, such as Amazon Web Services, it will look suspicious, as no one actually lives in a data center. That’s not to say that all traffic coming from a data center is suspicious. These centers deploy bots and web crawlers to automate their services, but this traffic will not be labeled “residential.”

VPN Usage

It’s impossible to discuss cybercrime without examining the impact of the spike in VPN usage, and the unique challenges it poses for security teams.

Over the past few years, a plethora of VPN providers has entered the market, including high-end premium services and residential VPN proxy services. VPN usage isn’t inherently bad. Many consumers want it to protect their privacy as they surf the web, which is a perfectly legitimate use case. Some, however, want to circumvent digital rights restrictions, and many will sign up for a free or paid VPN service to do so.

Whatever their motivation, consumers have embraced VPN usage. In a two-week period in March, VPN usage went up 124%. As of July 2022, 31% of all internet users worldwide have used a VPN. That’s nearly 1.6 billion users who surf the web via a VPN.

What most consumers don’t realize (or are not overly concerned about) is that when the service is free, they themselves are the product -- and they’re your newest threat to worry about. The free services seek to harvest the IP addresses of consumers who come through home residential address connections, which are resold to users outside of the U.S. There’s no way to know who the users of those harvested IP addresses are, or what they’re up to. These services also can potentially introduce vulnerabilities to corporate networks through data harvesting. Free VPN services also have been compromised and millions of credentials have been stolen.

Additionally, some VPNs offer features favored by nefarious actors, such as no-logging, anonymous payments, and some are malicious and used for launching attacks.

IP address intelligence data alone won’t keep your clients safe from breaches, but it can give you a deeper understanding of who’s behind the traffic. For instance, IP data can include classification (VPN, proxy, darknet), VPN provider's name/URL, whether that provider allows any traffic (good/bad) and logs user activity, IP addresses related to a provider, languages of the target market of the VPN provider, and more.

This context allows you to differentiate between extremely risky VPN connections and more benign ones so that you can make smart decisions as to who can access your clients’ networks, and who must be flagged for multi-factor authentication or blocked altogether. For instance, you may want to block all users who attempt to access a network via a VPN provider that offers fraudster-friendly features such as no-logging.


Try as you might, it’s impossible to prevent a breach from occurring, as everyone in the field understands. What you can do, however, is find out everything you can about the hacker to minimize the damage they can do and prevent others in their ring from breaking in.

That same IP address intelligence data described above will provide a lot of insight into the who: where they’re located, if a VPN service was used, what other IP addresses are associated with that VPN, and other clues. This data allows you to look into logs and network traffic to detect malicious activity, including historical views of when an IP address was seen acting like a VPN or proxy.

As an MSSP, no one knows better than you how quickly cybercriminals switch up their tactics to circumvent the security measures you put in place. IP address intelligence data won’t stop criminals from attempting to ply their trade, but it can give you the insight to make smart recommendations to your clients to keep their corporate data safe and to apply forensics if someone succeeds in breaching your defenses.

About The Author

Jonathan Tomek, VP of Research and Development for Digital Element, is a seasoned threat intelligence researcher with a background in network forensics, incident handling, malware analysis, and many other technology skills.

Jonathan served in the United States Marine Corps. He worked at multiple threat intelligence companies and built their threat capabilities to include identifying tactics, techniques, and procedures of malicious actors. He led several technical cybercrime and espionage teams in their initiative to enhance technical efficiency in malware analysis, malicious actor tracking, and tool development.