Defending network assets requires security professionals who work with federal agencies and contractors to respond to the recent changes in the virtual private network market, and the threats they pose to government networks and data. Meeting these threats requires a more comprehensive set of data that provides context around the VPN providers themselves, including the IP addresses associated with them.
New VPN providers, greater VPN usage
VPN usage shot up during the pandemic. While much of that usage stemmed from employees accessing corporate data, remote work doesn’t account for all of the growth. Many people use a VPN to gain access to content that is restricted to specific geographic regions. In fact, according to one survey of users, 57% of respondents said they use a VPN to gain access to better entertainment services.
Today, 31% of internet users worldwide use a VPN, in part due to a new crop of VPN providers offering a proxy service at no cost. Unfortunately, users who download free VPN software in order to bypass geographic content restrictions unknowingly have their residential IPs hijacked by these VPN providers. By agreeing to their Terms of Service, the consumers’ residential IPs are then sold to other VPN providers that, in turn, sell them as a premium offering. Other VPN providers offer features that are friendly to nefarious actors, such as no-logging, and come from regions of the world known to be hotspots for bad behavior.
That’s not to say that VPN usage is inherently bad. There are plenty of legitimate VPNs that are strictly meant to be used for privacy. The challenge for security professionals today is to differentiate between risky and good VPN connections so that they can block nefarious actors, while still allowing legitimate employees to access their networks. The secret to making that distinction lies in the contextual data surrounding individual VPNs and IP addresses.
Federal agencies and contractors need detailed intelligence to help them identify whether an IP address is associated with a VPN, proxy or a darknet, and other details so they can make smart decisions on which users are granted access, blocked or required to further authenticate themselves. This includes:
VPN classification: Is the VPN masked, public or private? Masked VPNs are a red flag for federal agencies, and you can opt to bar them from accessing the network or data automatically. Authorized employees may want to access data via a public VPN they’ve installed, and if that’s the case, you will want to ensure it’s not one of the providers that harvest consumer IP addresses.
Proxy or Darknet: Are IP addresses associated with a proxy or darknet? The presence and type of proxy should affect how certain IP traffic is handled. However, Darknet traffic is virtually untraceable between the server and the client, making targeting the traffic type imperative.
VPN provider name/URL: Some VPNs, like VPNLab.net, are known to be used by criminals to distribute ransomware, malware and other types of cyberattacks. Knowing the name and the URL of the VPN will allow you to research the providers, and determine if they meet your standards.
Location: Is the provider located in a region of the world known for criminal activity? Or from a country, such as Russia, that won’t extradite cyber criminals? Factoring in geographical hotspots for cybercriminal activities and economies is a key part of filtering and identifying safe VPNs.
Allows anonymity for the user: Nefarious actors want to keep their identities and actions hidden, and VPNs that allow for anonymous usage and don’t log user activity are favored tools. Federal agencies may not allow such users to access their data.
IP addresses related to a provider: This data allows you to understand if a given IP address is associated with a benign VPN provider or one that is frequently used by malicious actors.
The influx of new VPN providers, and the number of people using them, have muddied the waters for security professionals. They need to know a lot more about individual providers and their features, and make decisions and rules based on their offerings in order to prevent bad actors from infiltrating or hijacking their systems or engaging in espionage. Access to accurate and granular IP geolocation data and other contextual insights is crucial to this process, which means it is essential that security professionals work with trusted data providers when deploying these types of solutions.
Justin Skogen serves as vice president, enterprise and government, for Digital Element.