VPN Detection Myth Series: Myth Five – Country-level IP Geo Provides Sufficient Protection

A Five-Part Blog Series to Bust the Myths Surrounding VPN Intelligence Data

Over the past few months, we’ve addressed the common questions we hear most frequently when speaking to customers about the rise of VPNs. In our discussions we hear a lot of myths about VPNs, myths that, if believed, can put corporate information and networks at risk.

To date, we’ve addressed the following myths:

In this final post in the series, we take on the myth that country-level IP geo data provides sufficient protection.

Myth #5: Country-level IP geo provides sufficient protection.

Throughout this blog post series, we’ve highlighted just how easy it is for VPN users to change their IP address to one that appears to originate from another location. In fact, this feature is so ubiquitous and easy that it is positioned as a selling point by VPNs that sell to consumers.

In a blog post, vpnMentor shows readers how to change their region in seconds. vpnMentor is owned by Kape Technologies PLC, which owns the following products: ExpressVPN, CyberGhost, ZenMate, Private Internet Access, and Intego (which speaks to blog number 3 in this series, Covering the Top 10 VPN Services is Sufficient).

This begs the question: how much should you trust an IP location as a proxy for a legitimate user? Let’s say a company has a policy to block all IP addresses that originate in Russia or Iran for security purposes. But does this policy actually provide any protection for the company? The answer is no, given how easy it is to change one’s IP address geographic location.

Conversely, there are good and bad VPN providers and users in every country, including the U.S. If you block users on a country level, you may inadvertently block legitimate users, some of whom may be your own employees or customers.

Let’s say an R&D company blocks IP addresses that originate in Iran. All traffic coming from that country would be deemed nefarious, right? But what if that company sent a team of scientists to present a paper to the International Conference on Science Technology and Management, which will take place in Tehran? The company’s scientists would be prevented from exchanging email with their colleagues back at home.

It’s All About Context

Here’s the reality: IP address data alone won’t protect your corporate network, but it will provide substantial context about incoming traffic. From there you can make intelligent decisions, and establish best practices, as to how to treat VPN traffic.

For instance, some VPNs offer features that are friendly to criminals, such as payment via untraceable cryptocurrencies and no logging, which enable them to cover their tracks. If a crime against your network occurs, such VPNs will not assist you or law enforcement in tracking down the perpetrators.

Other VPNs tout the fact that users can easily change their IP address in order to bypass digital rights access restrictions, as the above example illustrates.

You may not want users of such VPNs to access your network, regardless of where they reside. In fact, you can establish a set of best practices that bar users from your network based on the VPN service they use. But to implement such rules, you’ll need access to that rich contextual data.

The Digital Element Difference

Digital Element’s Nodify provides a rich set of IP address intelligence data so that you can understand the context of users who access your network, including:

  • VPN classification
  • Provider’s name/URL
  • Distinction between residential or commercial
  • IP addresses related to a provider

With this data in hand, you can make smart decisions about the VPN traffic that accesses your network, and set rules to enforce it. For instance, you can opt to flag all commercial VPN traffic with additional multi-factor authentication automatically.

To learn more about VPNs and how to incorporate IP geolocation and intelligence data for corporate network protection, download our white paper “The Need for Proxy/VPN Data in Today’s Heightened Cybersecurity State.”

VPN Detection Myth Series: Myth Four: VPN Threat Vectors are Far from Static

A Five-Part Blog Series to Bust the Myths Surrounding VPN Intelligence Data

In this five-part blog series, we tackle the questions our customers ask us, with a goal of busting the myths that are driving those questions. In our first blog post of the series, we dispelled the myth that all VPN-driven data is the same. For Part Two, we addressed the myth that VPN breadth doesn’t matter. Part Three dispelled the myth that IT teams only need to worry about detecting the VPN services included in a Top Ten list they’ve found online.

This blog post, the fourth in our series, tackles a pernicious myth that VPN threat vectors originate from common sources and remain static.

Myth #4: VPN threat vectors originate from common sources and remain static.

There are many reasons why this statement is false. Before we can even begin to identify the IP addresses that are proxies, we need to understand how the IP address space operates. There are three portions of the routable IP space that apply in this context: 

  1. ISP blocks, which are tied to ISPs that offer home and business connectivity
  2. Mobile blocks, which are for mobile and IoT devices and provided by telecom companies
  3. Hosting IP blocks, which are where VPN activity originated and continues to live, and which service all kinds of connectivity needs, such as domain or web hosting, co-location, and so on.

However, over the past 10 years, VPN providers, which historically have used IP addresses within Hosting IP blocks, have begun to tap into dynamic addresses within the ISP and Mobile blocks and are starting to leverage those as proxies.

Dynamic vs Static IPs

Given the distinction in the routable IP space, it’s no surprise that there are two broad classes of IP addresses: static and dynamic.

  • Static IP Address. A static IP address is one that has consistent geolocation, meaning at the time it is analyzed its geolocation is the same as previously identified. Static IP addresses are likely tied to the same end users if within an ISP block.
  • Dynamic IP Address. A dynamic IP address is one whose geolocation changes frequently. It’s dynamic because it can service different end users at any given moment. This is more common in Mobile and ISP blocks because end users fluctuate within a given area. These addresses are difficult to block because the end user may be different every day.

Example of a Dynamic IP Address

A home user’s IP address, also known as a residential IP address, is highly valuable to a VPN provider because it is dynamic and can change every day. A VPN service will use these addresses for its service, knowing that the IP address can change at any given moment, making it easier to circumvent restrictions that would apply to static IP addresses.

Example of How VPN Exit Nodes Operate

Let’s say a user signs up for “Big Name” VPN and connects to a server in the U.K. They will be assigned a static IP address of “1.2.3.4” from a hosting provider like “Digital Ocean”. That is the entrance node. The “Big Name” VPN user then wants to visit a streaming media provider. At that point the provider routes the user through an additional IP address, “5.6.7.8”, from an ISP like “British Telecom”. This is the exit node, and this is the IP address that looks like a residential IP address.

Furthermore, if the “Big Name” VPN user leaves the U.K. server and chooses a U.S. server from the “Big Name” VPN provider, that IP address is “9.10.11.12” and it belongs to a hosting provider, such as “Linode LLC”. This is the entrance node. If the user connects to a media streaming service, they get routed through “13.14.15.16”, which belongs to an ISP, “Comcast Cable”. This is the exit node, and it is another residential IP address.

It’s also a good example of the challenges it poses to companies that offer services to that user. Once upon a time, security teams could reasonably assume that an IP address associated with a proxy was a bad actor who should be blocked from accessing their networks or services or a bot performing a malicious action. But we see in this example that a home user can be associated with a proxy. If you’re a streaming media company, do you still block this home user, who may be a paying customer? 

The Bottom Line

What does this mean for security teams? You can identify an IP address as a threat vector and block it, but that is no assurance that you’ve stopped the bad actor. That actor can simply access and use another IP address to attack your network. This is when the process of blocking certain entities can begin to look like a game of whack-a-mole. 

The Digital Element Difference:

We deploy multiple strategies to help security professionals to stay on top of threat vectors. 

First, we identify which IP blocks are static and which are dynamic using proprietary methodologies. Additionally, we use several different applications, each with its own methodology, to identify the IP addresses that are currently being used as proxies. 

Importantly, we also see the volume and frequency of both static and dynamic IP addresses that are tied to VPNs. We can verify that dynamic IPs tied to VPNs remain predominantly in the Hosting space, even as VPN providers are actively moving into static IP space.

Given the dynamic nature of the space, we also have a very robust aging mechanism to ensure that we don’t label an IP address as a proxy longer than we should. This aging mechanism also runs 24/7.
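The static/dynamic distinction and the aging of proxy labels described above can be sketched as follows. This is an added example, not Digital Element's code or methodology: the retention windows, thresholds, class name and sample observations are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed retention windows for a "this IP is a proxy" label (illustrative only).
LABEL_TTL = {
    "static": timedelta(days=30),    # hosting-style address, same user over time
    "dynamic": timedelta(hours=24),  # residential/mobile, user may differ tomorrow
    "unknown": timedelta(hours=24),  # too little history: age out conservatively
}


class ProxyLabelStore:
    """Tracks geolocation history and proxy sightings per IP (hypothetical helper)."""

    def __init__(self, min_observations=3, change_threshold=2):
        self.min_observations = min_observations
        self.change_threshold = change_threshold
        self._geo = {}          # ip -> [(timestamp, geolocation)]
        self._proxy_seen = {}   # ip -> last time the IP was observed proxying

    def observe_geo(self, ip, ts, geo):
        self._geo.setdefault(ip, []).append((ts, geo))

    def observe_proxy(self, ip, ts):
        prev = self._proxy_seen.get(ip)
        self._proxy_seen[ip] = ts if prev is None else max(prev, ts)

    def stability(self, ip):
        """'static' if geolocation never changed, 'dynamic' if it changes often."""
        history = sorted(self._geo.get(ip, []))
        if len(history) < self.min_observations:
            return "unknown"
        changes = sum(1 for (_, a), (_, b) in zip(history, history[1:]) if a != b)
        if changes == 0:
            return "static"
        return "dynamic" if changes >= self.change_threshold else "unknown"

    def is_active_proxy(self, ip, now):
        """A label stays valid only within the TTL for the IP's stability class."""
        seen = self._proxy_seen.get(ip)
        if seen is None:
            return False
        return now - seen <= LABEL_TTL[self.stability(ip)]

    def active_proxies(self, now):
        return sorted(ip for ip in self._proxy_seen if self.is_active_proxy(ip, now))


NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed clock


def build_demo_store():
    """Constructed observations using documentation-range addresses."""
    store = ProxyLabelStore()

    def days_ago(n):
        return NOW - timedelta(days=n)

    # Hosting address: geolocation never moves, proxy sighting is 10 days old.
    for n in (20, 10, 1):
        store.observe_geo("192.0.2.10", days_ago(n), "GB/London")
    store.observe_proxy("192.0.2.10", days_ago(10))

    # Two residential addresses whose geolocation keeps changing.
    moves = ((4, "GB/London"), (3, "GB/Leeds"), (2, "GB/London"), (1, "GB/Bristol"))
    for ip in ("198.51.100.20", "198.51.100.21"):
        for n, geo in moves:
            store.observe_geo(ip, days_ago(n), geo)
    store.observe_proxy("198.51.100.20", days_ago(3))                 # stale
    store.observe_proxy("198.51.100.21", NOW - timedelta(hours=2))    # fresh
    return store


if __name__ == "__main__":
    demo = build_demo_store()
    for address in ("192.0.2.10", "198.51.100.20", "198.51.100.21"):
        print(address, demo.stability(address), demo.is_active_proxy(address, NOW))
```

The stale residential entry drops out of the active set, so a home user who inherits that address is not treated as a proxy on the strength of a three-day-old sighting.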

Up Next: In our fifth and final myth of this series, we’ll talk about the pitfalls of relying only on geolocation datasets, and explain why blocking an entire geographic region isn’t always in your best interest.

Trick or Treat? How the Explosion in VPN Usage Impacts Cybersecurity

VPN usage exploded during the pandemic, as consumers sought ways to hide their location so that they could circumvent geographical restrictions to content. Consumers face no difficulty in finding a VPN service provider, as a plethora of free and paid residential proxy services have entered the market.

Some of these VPN services are favored by nefarious actors because the service offers features that allow them to mask their malicious activities, including scraping, scanning and network password testing. The FBI has warned that cyber criminals are exploiting home VPN usage to break into corporate systems.

As a result of this surge in the VPN market, it’s essential that security professionals gain a deep understanding of the VPN market so they can properly protect data and network assets. Knowing which VPN providers promise criminal-friendly services can help you make important decisions about the traffic that can access your network, and set policies to keep nefarious actors at bay.

Organizations Need Granular Detail Around VPN Traffic, Usage, and Intent

Earlier this year we introduced Nodify, a threat intelligence solution that identifies whether inbound or outbound traffic is tied to a VPN, proxy, or a darknet. Nodify provides security professionals with a wealth of context around VPN providers to help you distinguish legitimate users from bad actors.

Recently we’ve made important updates to Nodify, making it the most extensive VPN detection system available. The notable updates are:

  • Higher Frequency: With proxy IPs and VPNs changing rapidly, Nodify data is collected on an hourly basis and provides customers with a daily update on usage.
  • Deeper Insights: Going beyond the generic VPN collection, Nodify provides users with critical insights into the VPN user, including services provided by the VPN provider such as “no logging,” “multihop,” and “corporate.” These fields help clients determine the good vs the bad based on their use case.
  • Ease of Use: Nodify has a user interface that allows clients to quickly get a complete understanding of any VPN provider through a simple web dashboard.

Treat Yourself to Our Cybersecurity Brief Today

We recently published a cybersecurity brief, “The Need for Proxy/VPN Data in Today’s Heightened Cybersecurity State” which is available for download today.

Created to help security professionals understand and respond to the surge in VPN providers and usage, this brief describes the new classes of VPNs that have emerged during the pandemic, how they exploit consumer usage, and the unique risks they pose to corporate systems.

It also provides concrete steps that security teams can take to protect their networks proactively using Nodify insights.

Download “The Need for Proxy/VPN Data in Today’s Heightened Cybersecurity State” today.

 

VPN Detection Myth Series: Myth Three – Covering the Top Ten VPN Services is Sufficient

A Five-Part Blog Series to Bust the Myths Surrounding VPN Intelligence Data

In this five-part blog series, we tackle the questions our customers ask us, with a goal of busting the myths that are driving those questions. In our first blog post of the series, we dispelled the myth that all VPN-driven data is the same. For Part Two, we addressed the myth that VPN breadth doesn’t matter.

In this blog post we take on the myth that corporate security and IT teams only need to worry about the ability to detect and screen the VPN services included in a Top Ten list they’ve found online. But as you’ll see, there are flaws to this strategy.

VPN usage continues its upward trajectory. Today nearly one in every three people worldwide use one, making VPNs one of the most popular pieces of consumer software. Among the biggest reasons people use VPNs are security (43%), streaming (26%), and privacy (12%).

As any IT professional knows, the increased popularity means increased risk. VPNs have been popular tools for cybercriminals, who use them to obfuscate their original location, circumvent firewall blocks or even deep packet inspection, among other things. Once a nefarious actor has breached a network through a compromised device, such as the work PC of a remote worker, the entire network is at risk. In January of this year, police in Europe shut down VPNLab, a VPN service that cybercriminals used to distribute malware and ransomware to over 100 businesses throughout the continent. These cybercriminals were able to avoid detection tools because the VPN encrypted the traffic to the endpoint.

For publishers, people using VPNs for streaming may often be circumventing digital rights management rules put in place to prevent piracy from siphoning off revenues. In fact, piracy is expected to skyrocket as inflation and subscription fatigue collide. Content owners and operators are fighting to protect intellectual property, and are finding that fighting piracy and protecting content assets is coming down to a cybersecurity issue within their organizations.

These are not idle concerns. Naturally, corporate security teams are keen to understand the VPN market better, including which services are favored by bad actors and which are more benign. It’s a topic we’re asked about frequently, and are happy to provide our clients with the insight and tools they need to make smart decisions regarding who can access their networks, who should be flagged for additional authentication, and who should be blocked altogether.

Myth #3: Covering the Top Ten VPN sites provides sufficient protection.

Fact:

Google “Top Ten VPN sites” and you’ll get a plethora of results. In fact, Google returned 53 million results in less than one second. Some of the Top Ten lists are created by well known entities, such as Forbes, Security.org and CNET, while others, like Top10VPN.com, should raise alarm bells.

But even if the source is reputable, should you trust its analysis? Take the Forbes list, which analyzed VPNs for the key features that Forbes editors value, namely cost and number of servers worldwide. The top VPN selected, Private Internet Access, was chosen because it “strikes a perfect balance of pricing, features, and usability.” To their credit, Forbes notes that some security teams are uncomfortable with its “checkered past.”

We at Digital Element are uncomfortable with the whole notion of a Top Ten VPN list, and the advice it delivers. How many VPNs were analyzed to begin with? How were they selected? In the case of Forbes, that data is absent from its report.

In its The Best VPN of 2022 list, Security.org tells readers that its security experts analyzed  “dozens” of VPNs, to determine which are the best. How many dozen? And why were they selected? If a VPN wasn’t analyzed, can we assume it’s safe? How should the security team treat traffic that comes through those unanalyzed VPNs?

This is the challenge with relying on Top Ten VPN lists. On the whole they are a meaningless metric for a variety of reasons, all of which are well worth exploring. For starters, there are way more than 10 VPN services in the world today. In fact, there are way more than dozens of services. There are literally thousands of existing services, with new entrants arriving daily. In such an environment, how can anyone claim which ones ought to be included in a list of Top Ten? From our take, the most popular VPNs in the Top Ten lists are affiliate links that pay the person promoting the VPN. You can see in this list, the commissions for a sale. There is quite a lot of money in it. It’s no wonder so many people promote them.

Second, some VPNs are more concerning to specific industries than others. If you’re a company that streams copyright-protected content to subscribers, the commercial VPNs are more relevant to you than corporate VPNs. Many of the VPNs boast the ability to circumvent digital rights access parameters, which is a direct threat to your business. Consequently, your list of Top Ten VPNs will be based on a different set of criteria than a global retailer’s.

Third, the lists themselves are very suspect. While there are thousands of VPN services, many are owned by the same set of parent companies. For instance, 105 separate VPN services are owned by just 24 companies. As it happens, the VPN parent companies also own the review sites, which means they’re essentially grading their own homework.  Kape Technologies owns multiple VPN services, including ExpressVPN, CyberGhost, Private Internet Access, as well as a collection of VPN review sites. There is an obvious conflict of interest between owning a service and writing its review.

This is a significant issue in the VPN space. In fact, U.S. lawmakers recently asked the Federal Trade Commission (FTC) to examine the promises VPN service providers offer consumers, as a study revealed that 75% of them make exaggerated or outright false claims about the level of protection and privacy consumers can expect.

The Digital Element Difference

Digital Element has a policy to review and classify all new VPN services as they emerge. We also monitor more than ten, or even dozens of, VPN services. Currently, we monitor 361 VPNs, 56 proxies, and two darknets, which we’ve identified through mapping out the entire provider network and identifying darknet nodes.

We go beyond determining if a service is a VPN or proxy; we also go to the source of where those VPNs exist. We also provide contextual information about the VPN provider itself, a feature that is unique to Digital Element.

For instance, we provide nearly 20 fields about the provider, ranging from ID, Provider, Site URL and whether it’s a paid or free service, to location and whether it accepts crypto payment.

The rich detail we provide allows security teams to establish best practices for VPN traffic. For instance, you may opt to ban all users who use a VPN that has no paper trail, accepts payment in crypto or is located in a region of the world where you have no customers, offices or employees.
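The rules described here, together with the country-block and multi-factor examples from the Myth Five post, can be compared side by side in a small policy function. This is an added example, not Digital Element's or Nodify's code: the record fields, provider names, region sets and sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IpContext:
    # Field names are assumptions for this example, not a vendor schema.
    ip: str
    country: str                           # where the IP geolocates (ISO alpha-2)
    vpn_class: Optional[str] = None        # None, "commercial" or "corporate"
    provider: Optional[str] = None
    provider_country: Optional[str] = None
    no_logging: bool = False
    accepts_crypto: bool = False


BLOCKED_COUNTRIES = {"RU", "IR"}           # the country-only rule from the text
OPERATING_REGIONS = {"US", "GB"}           # assumed: where we have customers/staff
TRUSTED_CORPORATE = {"ExampleCorp Remote Access"}   # hypothetical provider name


def country_only_policy(ctx):
    """Decide purely on where the IP appears to be."""
    return "block" if ctx.country in BLOCKED_COUNTRIES else "allow"


def context_policy(ctx):
    """Decide on VPN context first; treat location as a signal to verify."""
    if ctx.vpn_class is None:
        # No VPN involved: an unusual country triggers step-up, not a block.
        return "allow" if ctx.country in OPERATING_REGIONS else "mfa"
    if ctx.vpn_class == "corporate" and ctx.provider in TRUSTED_CORPORATE:
        return "allow"
    if ctx.no_logging or ctx.accepts_crypto:
        return "block"                     # no paper trail / crypto payment
    if ctx.provider_country is not None and ctx.provider_country not in OPERATING_REGIONS:
        return "block"                     # provider based where we do no business
    return "mfa"                           # remaining VPN traffic gets step-up auth


# Constructed sample records using documentation-range addresses.
SAMPLES = [
    ("no-log, crypto-paid VPN with US exit",
     IpContext("203.0.113.7", "US", "commercial", "HypotheticalVPN A", "PA", True, True)),
    ("employee travelling in Iran, no VPN",
     IpContext("198.51.100.44", "IR")),
    ("customer on a logging commercial VPN",
     IpContext("192.0.2.15", "US", "commercial", "HypotheticalVPN B", "US")),
    ("employee on the corporate VPN",
     IpContext("192.0.2.99", "GB", "corporate", "ExampleCorp Remote Access", "GB")),
]


def compare(samples=SAMPLES):
    """Return (label, country-only decision, context decision) per record."""
    return [(label, country_only_policy(c), context_policy(c)) for label, c in samples]


if __name__ == "__main__":
    for label, by_country, by_context in compare():
        print(f"{label:40s} country-only={by_country:6s} context={by_context}")
```

The first two rows are the ones the country rule gets wrong: it admits the no-log VPN because the exit looks domestic, and it locks out the travelling employee.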

Next Up: VPN threat vectors originate from common sources and remain static. Or do they? We’ll dig deeper and report on what our proprietary technologies reveal.

Kicking off Cybersecurity Awareness Month Like a Champ

Did you know that October is Cybersecurity Awareness month? We have answered the National Cybersecurity Alliance’s call for cybersecurity champions, because we share the Alliance’s dedication to promoting a safer, more secure and more trusted internet.

Founded in 2004, Cybersecurity Awareness Month is the world’s foremost initiative aimed at promoting cybersecurity awareness and best practices. Led by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA), Cybersecurity Awareness Month is a collaborative effort between government and industry to raise cybersecurity awareness nationally and internationally.

A 24/7 Mission for Digital Element

It’s important to note that our dedication to cybersecurity isn’t limited to the month of October. Every day we help security teams across the globe protect their networks against cybersecurity threats and attacks.

Moreover, we work continuously in developing new tools and relationships so that we can provide security teams with more data, insights and tools they need to keep their network and customer data secure. For instance, we recently announced enhancements to Nodify, our threat intelligence solution which provides critical context surrounding VPN traffic, enabling cybersecurity teams to understand the level of threat such traffic poses, as well as set policy around that traffic.

Education is critical to achieving our mission, and in that vein, our employees, recognized domain experts in the field, share their insights on emerging trends and security strategies by authoring white papers, presentations and articles for the benefit of the cybersecurity community.

In the spirit of raising awareness around cybersecurity, we’ve collected some educational materials for you to access, including:

Cybersecurity is all of our concern, and we all play a role in promoting a safer, more secure and trusted internet. Together we can achieve those goals.

About Cybersecurity Awareness Month

Cybersecurity Awareness Month is designed to engage and educate public- and private-sector partners through events and initiatives with the goal of raising awareness about cybersecurity to increase the resiliency of the nation in the event of a cyber incident. Since the Presidential proclamation establishing Cybersecurity Awareness Month in 2004, the initiative has been formally recognized by Congress, federal, state and local governments and leaders from industry and academia. This united effort is necessary to maintain a cyberspace that is safer and more resilient and remains a source of tremendous opportunity and growth for years to come. For more information, visit staysafeonline.org/cybersecurity-awareness-month/ 

VPN Detection Myth Series: Myth Two – VPN Breadth Doesn’t Matter

A Five-Part Blog Series to Bust the Myths Surrounding VPN Intelligence Data

No trend deserves the corporate security team’s attention more than the explosion of VPN usage, as well as the influx of VPN providers to the market.

The numbers speak for themselves:

  • By 2027, the total VPN market may reach $92.6 billion.
  • Consumers will contribute to the growth; per IDC, the market for consumer VPNs will double in size, reaching $834 million by 2024.

Countless people will attempt to access corporate systems and websites via a VPN service, forcing security teams to make decisions as to which are legitimate, which are suspect, and which are likely to have nefarious intentions.

In our first blog post of the series, we dispelled the myth that all VPN-driven data is the same. In this post we take on the myth that VPN breadth doesn’t matter.

Myth #2: VPN breadth doesn’t matter. Once you know the entrance IP addresses you have the VPN covered.

Fact: Google “VPN providers” and you’ll see plenty of Top 10 or Top 25 lists, few of which contain the exact same providers. How many VPN services are there exactly? It’s a difficult question to answer, but it’s probably somewhere in the thousands. With that many providers, breadth absolutely matters!

Let’s start with some basics. Not all VPN services are the same. Broadly speaking, there are four main types:

1. Commercial VPN aka Personal VPN

This is a service that’s geared to individual or personal use rather than business use. Personal VPNs are used to protect home or office computers and devices from external attacks. They’re also used to circumvent geography-based restrictions to content. These can be used on mobile devices, laptops, and home routers.

2. Corporate VPN aka Remote Access

This is a service that allows employees who work remotely to access and use their employers’ corporate data, systems and applications. All traffic between the user and the corporate network is encrypted.

3. Private Relay

This is designed to enable privacy for an individual without allowing them to circumvent geography-based restrictions. The goal of these types of VPNs is to encrypt network traffic to prevent data snooping.

4. Site-to-Site VPN

This is a connection between two or more networks, such as a network within a corporate HQ and one in a local branch office.

Complicating matters further, VPN infrastructure can be quite broad, with numerous entry and exit points that change frequently. For instance, a commercial VPN service allows a user to enter the VPN via a US-based IP address and exit it via an IP address that’s located in another country. This allows the user to bypass any geo-restriction policies, an action that you will miss if you have just the US-based point-of-entry IP address.

Keep in mind that there are many free and low-cost commercial VPN services on the market that offer simple interfaces that allow users to change the location of their IP addresses quickly and easily. In fact, many services offer this functionality as a key selling point.

This means that an employee can also use a personal VPN service from within your corporate campus to circumvent your internal company policies, such as one that bans streaming videos while in the office. Worse, a VPN can be used to exfiltrate internal data outside of the network — an event that security tools can’t always detect.

The bottom line: One IP data point — either the entrance or exit point — is like one hand clapping.

The Digital Element Difference: We are an IP address intelligence data provider that tracks both entrance and exit points of your traffic, which means we are the only company that can eliminate these blindspots for you.

Our breadth of data provides the context you need to protect your corporate network by establishing and implementing best practices about VPN traffic.

Next up: The common myth that covering the top 10 VPN sites provides sufficient protection. We look forward to giving you the whole story on this.

VPN Detection Myth Series: Myth One – All VPN-driven Data is the Same.

A Five-Part Blog Series to Bust the Myths Surrounding VPN Intelligence Data

It’s no secret that VPN usage is exploding. Driven by the pandemic and lockdown orders, consumers everywhere signed up for a VPN service in order to access content that was otherwise off limits to them. Others were keen to secure their privacy.

Today, some 1.6 billion people — about 31% of the world’s Internet users — rely on a VPN to surf the web and access apps anonymously.

That enormous pool of users is an irresistible draw for entrepreneurs, investors, consumers and nefarious actors who see an opportunity to cash in on the trend. There are thousands of VPN services (though most are owned by the same subset of parent companies). Obviously, a great deal of VPN usage is benign, but not all of it. For instance, the credentials of 21 million VPN users were stolen from just three VPN apps, SuperVPN, GeckoVPN and ChatVPN, and are now up for sale on the dark web.

Residential users aren’t the only victims, as the FBI has warned that cyber criminals are exploiting home VPN usage to break into corporate systems. Meanwhile, streaming companies and compliance teams have seen VPN users circumvent their geographical rights management and digital rights restrictions.

The crimes are both serious and costly given that many VPN providers are happy to turn a blind eye to the activities of their users, providing them with a gateway for a range of malicious activities, including scraping, scanning and testing passwords in order to access your network.

Today, corporate security and compliance teams must navigate treacherous waters. With remote and hybrid work models a permanent fixture, employees sign into their workspaces via the corporate VPN by day, and their personal VPN by night, exposing the company’s systems to unprecedented risk.

Security and compliance teams feel a tremendous urgency to get a handle on the VPN market so they can make smart decisions about which VPN traffic to allow, which to investigate, and which to ban altogether. To make those distinctions, however, they need context and insight. VPN intelligence data is essential. But not all VPN data is equally valuable; critical differences exist, and those differences can spell the difference between a hack that is cauterized quickly, and one that makes national headlines.

There are many myths about VPN data. In this five-part blog series, we examine those myths one at a time. First up: the myth that all VPN-driven data is the same.

Fact: No, Not All VPN-Driven Data is the Same

Too often we hear that “all VPN-driven data is the same.” The differences begin with where the data originates — the VPN provider itself — and its intentions when offering a service to the market.

For instance, some VPN services are built for securing an organization (e.g. Zero-Trust Gateways), while some are privacy focused (e.g. Google VPN). Some allow the user to determine his or her exit destination (e.g. NordVPN) in order to bypass digital rights restrictions. This means that each and every traffic source must be evaluated in its own right to determine which is safe, potentially suspect, or outright nefarious.

Additionally, the breadth of data can vary from provider to provider. A lot of VPN intelligence data providers get their data from a limited scope of sources, such as gambling apps. This is a huge problem because it misses vast swaths of VPN usage. For instance, schools and universities require students to use their VPN to register for classes or pay their tuition. None of this traffic will be covered by a service that relies on limited sources for their main source of data.

Millions of people who are not gamblers sign up for a VPN service in order to circumvent digital access rights so that they can stream content outside of their geo-location (e.g. stream The Office via UK Netflix rather than pay for a Peacock TV subscription).

And there are corporate VPNs, which complicate things. Let’s say an employee is at her desk researching products for her job via your corporate VPN. When she visits a website outside your network, she will appear to that website as an unknown actor hiding behind a VPN. Is she a legitimate customer or a competitor seeking to steal company secrets? To make that determination, the security team for that website will need more context around your VPN itself, such as the company name, provider URL, and so on.

Here’s another example for why context is critical: you may consider all VPN traffic originating in Russia as suspect and block it automatically. But what if you have employees (or students, if you’re a university) traveling there for work or a study abroad program? You may block legitimate people from accessing your network based on broad brushstrokes.

The Bottom Line

There is no one “best source” of data to protect business interests. The datasets that are right for your industry depend on your sector, geo-location, users, employees, and a host of other factors. There is no one-size-fits-all.

The Digital Element Difference: We don’t rely on a single source for our IP address intelligence data. Rather, we tap into multiple sources to ensure we have no gaps. And importantly, we distinguish between different types of VPN traffic and provide context around each VPN to help security teams understand the user behind the traffic.

Our breadth of data provides the context you need to investigate and contain breaches, enforce digital rights management, as well as establish and implement best practices about VPN traffic.

Next up: The common myth that VPN breadth doesn’t matter. Once you have one IP, you have the VPN covered. We look forward to getting the facts straight on this one.

Proxy and VPN Data Enhances Cybersecurity Effectiveness

Today’s enterprise IT professionals are navigating a challenging cybersecurity environment. In many ways, the problem’s scope is stunning and alarming. For instance, ransomware attacks increased by 151 percent year-over-year in 2021, while phishing scams increased by 440 percent in a single month.

The escalating attacks come with a price. According to IBM’s Cost of a Data Breach Report 2023, the average cost of a data breach in 2023 was USD $4.45 million, a 2.3% increase from 2022’s cost of $4.35 million.

As a result, companies are increasing their cybersecurity investment, fortifying their defensive postures to avoid the financial expense, reputational damage, and productivity loss that inevitably follows a cybersecurity incident.

In the process, cybersecurity leaders and organizational decision-makers face difficult decisions as they allocate resources, invest in new solutions, and support their personnel. This is especially challenging as threat actors display remarkable agility, exploiting novel vulnerabilities and harnessing the latest technologies to wreak havoc on a company’s digital infrastructure.

However, by evaluating the latest technology trends, companies can get ahead of the next threats.

New Technologies Introduce New Threats

New technologies invite threat actors to invoke fresh tactics when launching ransomware attacks, infiltrating company networks, or illegally occupying consumer accounts. In a pandemic-stricken environment, many are leveraging camouflage techniques that allow them to operate anonymously from anywhere in the world.

Most prominently, virtual private networks (VPNs), proxy servers, queue networks, and domain name systems (DNSs) allow threat actors to operate with nearly total anonymity.

At the same time, many organizations have made VPNs (encrypted connections over the internet from a device to a network through a single IP address) available to their employees, providing expanded access to company IT from anywhere in the world. Collectively, companies deploy VPNs for several reasons, including:

  • Ensuring general security, such as avoiding identity theft
  • Minimizing privacy concerns, such as securing personal data
  • Mitigating information exposure from public WiFi
  • Accommodating job-specific requirements

Meanwhile, more than half of VPN users rely on the technology to access region-restricted content from streaming services and digital platforms. Unfortunately, many users are downloading free VPN software to access this region-restricted content, and they’ve unknowingly had their residential IPs hijacked by these VPN providers.

When consumers download and sign up for a free commercial VPN, many agree to give the VPN provider the right to use their IP address in the entire proxy pool for routing purposes. While this clause is often hidden in the Terms of Service, it can have significant implications for cybersecurity.

Threat actors have found proxies to be an effective way to masquerade their malicious activity. Companies can’t prevent VPN users from accessing the internet, but this practice increases the risk of labeling customers or employees as threat actors while failing to detect or discover the root of cybercrime.

Incorporating IP Data for Protection

Simply put, it’s evident that companies need to develop the capacity to separate threat actors from genuine users. The ability to identify threat actors operating through a proxy enables companies to flag potential criminal activities, set protocols for handling this type of “non-human” traffic, and review post-action analytics.

By incorporating proxy and VPN data on the front-end of online security measures, companies can automatically flag IP addresses as suspicious and reject or block the incoming IP from connecting to their service, website, or network. In addition, proxy data can trigger variable fraud alerts that enable companies to differentiate authentic traffic from fraudulent activity more effectively.

Most importantly, success is predicated on data quality. Information reliability can vary significantly among data sources, but the most accurate proxy data providers ensure that this information is constantly updated and originates from excellent sources. The cybersecurity implications are far-reaching, including:

  • Government agencies can use IP-based VPN data to filter and identify safe VPNs.
  • Financial services and eCommerce platforms can incorporate proxy and VPN data to implement smart rules to verify consumer IP addresses automatically.
  • Managed security service providers can use proxy and VPN data as a foundational, front-line layer of fraud prevention and security enhancement.

To thrive in a shifting cybersecurity landscape, companies must continually equip themselves with the data and tools to protect their digital assets. Developing the capacity to analyze and respond to high-quality proxy and VPN data strips threat actors of their anonymity, making it one cybersecurity strategy that companies can’t ignore in the year ahead.

To get more information about using IP data to solve cybersecurity challenges for your organization, access our guide, “The Need for Proxy/VPN Data in Today’s Heightened Cybersecurity State” here.

The Role of Proxy Data in Fighting Cybercrime

According to research firm Cybersecurity Ventures, the cost of global cybercrime will reach $10.5 trillion USD annually by 2025, up from the $3 trillion USD that it was in 2015.

Today’s enterprise IT professionals are clearly on the front lines of a very intense battle, where the losses span monetary, reputational, productivity and IP theft, to mention only a few.

In today’s world, new technologies usher in new tactics used by criminals. They can launch ransom attacks, take over networks, and illegally infiltrate consumer accounts through diverse devices from anywhere in the world. 

By leveraging camouflage techniques, they can do so anonymously. Tools such as Virtual Private Networks (VPNs), proxy servers, queue networks, and Domain Name Systems (DNSs) allow them to hide their true identities and locations.

The reliance of cyber criminals on these tactics can be key to deciphering crime networks and their activities if businesses take the right approach.

Separate the Bad Guys from the Good Guys

A growing amount of internet traffic is being masked through proxies. For example, online users wanting to surf the web anonymously often use proxies that can provide them with a means to hide their IP address from the rest of the world.

By connecting to the internet through proxies, a device’s IP address will not be shown but rather the IP of the proxy server. Whether used intentionally or unintentionally, proxies can significantly throw off a company’s online initiatives.

The expanded availability of low-cost, IP-redirect options that run through geographically distributed hosting facilities has caused a proliferation of proxies. These include anonymizers, VPNs, and Tor services, to name a few.

Cyber criminals, in particular, have found the use of proxies to be effective. But, it’s important to remember that not all proxies have malicious intent. VPNs are widely used by legitimate users for diverse purposes and are a popular choice for enhancing security and privacy. Recent data indicates approximately 26 percent of global online users access the internet using a VPN or proxy server.

As a result, stopping all VPN users is not practical. It increases the danger that real customers or employees are mistakenly labeled as crooks. If that is not enough, this method fails to discover the root of cybercrime. In order to mitigate risks and protect real users, companies must find the means to separate the bad guys from the good guys, and one of the tools for accomplishing this is the incorporation of IP-based VPN and proxy data into your platforms and technologies.

Data Accuracy Is Imperative for Fighting Cyber Crimes

By connecting to the internet through proxies, the IP address of the criminal’s device will not be shown accurately, but rather the IP of the proxy server.

The ability to identify if an online user is connected through a proxy and what type of proxy it is enables companies to flag potential criminal activities and set protocols for handling this type of “non-human” traffic differently.

Understanding the type of proxy a visitor is using to connect to the internet, such as anonymous, transparent, corporate, public, education or AOL, can trigger fraud alerts. Responses can vary depending on the type of proxy: for example, an anonymous proxy may warrant a higher fraud score than a corporate one. Connections that obscure the end-user location, or that seek to portray a connection from an “acceptable” city or country, can now be easily identified and categorized.

Of course, success depends on data quality. Reliability of information can vary significantly among data sources. But the most accurate proxy data providers not only ensure that information is constantly updated on a daily basis, but that information also originates from excellent sources.

The Advantage of Other IP-Based Data

The analysis of criminal activity can go far beyond proxies. Initially, this may include an assessment of the connection type. For example, a hosting center can be a tool for traffic, not a source. Then traffic originating from it can be examined alongside existing records, such as information stored in a Customer Relationship Management (CRM) database. The same goes for proxy, VPN and queue servers. By evaluating the type of proxy used against the highest quality proxy data, companies can start distinguishing between a reliable VPN and a mechanism that is more suited to suspicious activity.

Beyond connection features, IP geolocation allows companies to run comparisons. For example, in retail, this includes the implementation of smart rules where IP location is automatically checked when there are log-ins from high-risk locations. Alternatively, companies can secure internal networks by tracking speed patterns and identifying suspicious trends, such as people jumping between locations at illogical speed or in illogical order.

After analysis, companies can choose their preferred mode of action. Any suspicious activity that poses a low threat can be flagged for a form of authentication, such as sending an email or SMS that allows the user to confirm their identity. In the meantime, serious threats can be blocked immediately to prevent damage. Alongside reducing false positives, this approach shows consumers that companies are committed to cybercrime prevention.
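The proxy-type fraud score, the check for location jumps at illogical speed, and the flag-or-block response described in the sections above can be combined in one decision function. This is an added example, not Digital Element's code or API; the score weights, thresholds, 900 km/h speed ceiling and the sample logins are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Assumed weights for the proxy types the article names; tune to your own data.
PROXY_SCORE = {"anonymous": 60, "public": 40, "transparent": 20,
               "education": 10, "aol": 10, "corporate": 5, None: 0}
MAX_KMH = 900                      # assumed ceiling, roughly airliner cruise speed
CHALLENGE_AT, BLOCK_AT = 40, 90    # assumed action thresholds

@dataclass
class Login:
    when: datetime
    lat: float
    lon: float
    proxy_type: Optional[str]      # as reported by an IP-intelligence feed

def km_between(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(prev: Login, cur: Login) -> bool:
    """True when the speed implied by two consecutive logins exceeds MAX_KMH."""
    hours = (cur.when - prev.when).total_seconds() / 3600
    dist = km_between(prev, cur)
    if hours <= 0:                 # same instant or clock skew
        return dist > 50           # assumed tolerance for geolocation error
    return dist / hours > MAX_KMH

def decide(prev: Optional[Login], cur: Login) -> str:
    """Return 'allow', 'challenge' (email/SMS confirmation) or 'block'."""
    score = PROXY_SCORE.get(cur.proxy_type, 30)   # unrecognised type: middling
    if prev is not None and impossible_travel(prev, cur):
        score += 50
    if score >= BLOCK_AT:
        return "block"
    return "challenge" if score >= CHALLENGE_AT else "allow"

# Constructed sample logins (not real data).
T = datetime(2024, 1, 1, 9, 0)
NYC = Login(T, 40.71, -74.01, None)
NYC_CORP = Login(T.replace(hour=10), 40.71, -74.01, "corporate")
LONDON_ANON = Login(T.replace(hour=10), 51.51, -0.13, "anonymous")
LONDON_LATER = Login(T.replace(hour=19), 51.51, -0.13, "public")
```

A corporate VPN login from the same city is allowed, a public proxy after a plausible flight gets a step-up challenge, and an anonymous proxy an hour later on another continent is blocked.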

In order to thrive in the digital world, companies must equip themselves with tools that identify and exploit crooks and cyber criminals to strip them of their anonymity without jeopardizing real users, and this can be accomplished effectively and seamlessly through proxy data and other IP-intelligence factors.