Privacy can be both a boon and a bane in the digital realm. It means that users’ identities are protected, which is crucial due to the prevalence of identity theft and other related crimes. On the flip side, the anonymity that privacy protection brings also gives cyberattackers confidence. This often becomes a significant roadblock for cybercrime investigators as anonymity makes back-tracing difficult. Geolocation database download files can help investigators overcome this challenge, though, as illustrated in this post.
Using a Geo IP Database Download to Back-Trace Criminal Activities
Even though attackers can hide behind privacy protection solutions, there is still a way to trace them. The process begins by examining system logs, which come in the form of application, security, and other event logs. These documents record all events that occurred within a computer, which may include a perpetrator’s IP address.
Let’s consider this scenario as an example: An unauthorized network access occurred. When you check the security logs, you notice several Secure Shell (SSH) login attempts from the IP address 218[.]92[.]0[.]215.
The first course of action is to report the IP address if considered malicious. Although helpful, this won’t stop the attackers behind the IP address. In fact, 218[.]92[.]0[.]215 has already been reported more than 16,000 times on AbuseIPDB but is still being used in hundreds of brute-force attacks as of this writing.
Therefore, security teams would also want to investigate and try to trace the IP address back to its user or device. An investigation is all the more required when there is a potential data breach. A geolocation database download would reveal that 218[.]92[.]0[.]215 is a Chinese IP address with the following details:
- Region: Jiangsu
- City: Nanjing
- Latitude: 32.06167
- Longitude: 118.77778
- Postal code: 210008
- Time zone: UTC+08:00
- GeoNames ID: 1799962
- Autonomous System (AS) number: 4134
- AS name: China Telecom
- Route: 218[.]92[.]0[.]0/16
- Domain: http[:]//en[.]chinatelecom[.]com[.]cn/
- Type: NSP
- Internet service provider (ISP): CHINANET Jiangsu Province Network
- Connection type: Broadband
Such data from an IP address database download can point investigators toward two directions. First, plotting the latitude and longitude would lead them to the center of a city in China. From there, they can coordinate with local authorities to conduct surveillance and launch an in-depth investigation.
Another direction is to turn to the ISP, which, in this case, is CHINANET Jiangsu Province Network. The investigators can communicate with the ISP, report the malicious IP address, and ask for ownership information.
Security teams can further use an IP geolocation database to pinpoint other IP addresses that belong to the ISP in neighboring netblocks. At the very least, these IP addresses can be included in the victim’s watch list, or if the organization does not have any dealings with anyone from China, they can also even decide to block the IP addresses.
---
Even the most seasoned cybercrime investigators face roadblocks at the onset of an investigation, mainly because attackers often hide behind privacy protection services. But this shouldn’t stop them from digging deeper. From time to time, attackers would get sloppy just like what happened to Russian hacker Gucifer, who forgot to turn on his virtual private network (VPN) before logging on to Twitter. As a result, he exposed his IP address to investigators.
And even if the attacker doesn’t get sloppy, event logs are relevant threat data sources that can be contextualized with the help of an IP address database download.
A geo IP database download can enrich cybercrime investigations and bolster the threat detection capabilities of security solutions. But when you buy geolocation data, keep in mind that not all IP geolocation databases are the same. You have to make sure that the IP geolocation sources you use contain precise and wide-ranging geolocation data.