It's pretty well known that just because logs of an attack show a source IP address from a particular country,...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
it does not necessarily mean it's possible to assign attribution to that country. Is there a more effective way to identify where an attack is coming from?
Unless you are working with law enforcement or have a specific reason, it's probably not worth the effort to determine where an attack is coming from. In any event, being able to locate an IP address location gives minimal information as to how to stop the attack other than by blocking the source IP or source network. If the attacking systems are using DHCP, proxies, compromised systems, VPNs, Amazon EC2 or any number of other methods that can allow for a change of source IP, however, blocking the source IP will be ineffective. Also, blocking based on IP or subnets requires some maintenance overtime, as IP blocks slowly change.
It may be easier to define where connections are allowed to come from -- i.e., whitelist connections -- rather than where they are not allowed to come from. This may not be possible for Web servers or services that must be available to the public, but, for internal systems that need to be Internet accessible to a limited population, defining the sources might be possible and more secure. This is not to say you shouldn’t block IPs used in attacks for the duration of an attack, but you should understand the value of blacklisting and whitelisting IPs.
If you really need to assign attribution to a country, you could look at decompiled binaries used in an attack to see if there are any clues to the language in use in comments, status messages reported by the software, logs of communications, keyboard mapping, OS version if it includes language configurations, or the time zone settings. These settings can give some information about the attacker.
Dig Deeper on Hacker Tools and Techniques: Underground Sites and Hacking Groups
Related Q&A from Nick Lewis
The new Trochilus RAT can avoid detection in cyberespionage attacks. Expert Nick Lewis explains how it works, and if enterprises need to adapt their ...continue reading
The Asacub Trojan has new banking malware features. Expert Nick Lewis explains how it made this transition and what enterprises should be watching ...continue reading
BlackEnergy malware may have been part of the attacks on Ukrainian utility and media companies. Expert Nick Lewis explains how this malware works and...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.