In the realm of cybersecurity, understanding the origins of identity attacks is crucial for effective defense. Recent data from Huntress’s ITDR dashboard, scoped to their customer base, reveals fascinating insights into the geographical and technical sources of these attacks. Here’s a breakdown of the findings and some practical commands and codes to help you mitigate these threats.
Key Insights:
1. Geo-Relevant IPs:
- Top 5 Countries:
- United States: ~20%
- India: ~7%
- Mexico: ~5%
- Canada: ~4.4%
- Germany: ~4%
- Accuracy: IP geolocation is 99% accurate at the country level but drops to 80% at the state level and below 68% at the city level.
2. Tunnel-Relevant IPs:
- VPNs, Proxies, and Data Centers:
- 2:1 ratio of tunnel-relevant to geo-relevant incidents.
- 13K tunnel-relevant incidents vs. 6K geo-relevant incidents.
- Implications: Geography becomes irrelevant when attackers use VPNs, proxies, or data centers to mask their true location.
Practical Commands and Codes:
1. Blocking GeoIPs with iptables:
iptables -A INPUT -m geoip --src-cc US -j DROP iptables -A INPUT -m geoip --src-cc IN -j DROP iptables -A INPUT -m geoip --src-cc MX -j DROP iptables -A INPUT -m geoip --src-cc CA -j DROP iptables -A INPUT -m geoip --src-cc DE -j DROP
2. Detecting VPN/Proxy Usage:
<h1>Use nmap to detect VPN/Proxy</h1> nmap -sV --script=vpn-detector <target-ip>
3. Monitoring M365 Logins:
<h1>PowerShell script to monitor M365 logins</h1>
Get-AzureADAuditSignInLogs -Filter "createdDateTime ge 2024-08-01" | Where-Object { $_.Location.CountryOrRegion -eq "US" }
4. Blocking ASNs:
<h1>Blocking an entire ASN using iptables</h1> iptables -A INPUT -m asn --asn <ASN-NUMBER> -j DROP
5. Enforcing Device Compliance:
<h1>Enforce device compliance in Azure AD</h1> Set-MsolDevice -ObjectId <device-id> -EnforceCompliance $true
What Undercode Say:
The data clearly indicates that relying solely on geofencing is insufficient to protect against identity attacks. Attackers are increasingly using VPNs, proxies, and data centers to obscure their true locations, making geographical blocking less effective. To enhance your cybersecurity posture, consider implementing a multi-layered defense strategy that includes:
- GeoIP Blocking: While not foolproof, blocking known high-risk countries can reduce the attack surface.
- VPN/Proxy Detection: Use tools like `nmap` to detect and block traffic from known VPNs and proxies.
- ASN Blocking: Block entire ASNs associated with malicious activities.
- Device Compliance: Enforce strict device compliance policies to ensure only trusted devices can access your network.
- Continuous Monitoring: Regularly monitor login attempts and audit logs for suspicious activities.
In addition to these measures, consider using advanced threat detection solutions like Huntress to identify and mitigate sophisticated attacks. Remember, cybersecurity is an ongoing process that requires constant vigilance and adaptation to emerging threats.
For further reading on advanced techniques like device code phishing and primary refresh token theft, check out Dirk-jan Mollema’s blog.
Stay secure, and always keep your defenses updated!
References:
Hackers Feeds, Undercode AI
