We've published a lot of articles on the 'intelligence' topic, because it's one of the most requested subjects for both blue and red teams. And despite what many non-technical people may think, cybersecurity isn't defined only by DDoS attacks, mass defacements and other headline-grabbing types of cyber crime; it's also defined by intelligence data.
OSINT is an essential part of any defensive or offensive cybersecurity team. Whether you use it to detect sensitive data about your assets that has been wrongly exposed, or to perform information gathering for a penetration test, OSINT will always include IP intelligence data, because the Internet runs on IP addresses: every service, protocol and product we use day to day is powered by IP addresses at the network level.
That's why this post will explore the definition of IP intelligence, its main purpose and examples, as well as IP intelligence tools and services for modern infosec research.
- What is IP intelligence?
- IP intelligence examples
- What tools are needed to get intelligence on IP addresses?
What is IP intelligence?
When we say 'IP intelligence' in cyber security, we're talking about IP address data that can be used to intelligently influence any cybersecurity field, such as threat prevention, attack surface analysis, risk management, and much more.
In plain English, IP intelligence can be defined as all the data you can get about an IP address, or a group of IP addresses.
In the same way that 'enemy intelligence' has helped different armies gain advantages, plan strategies and execute winning attacks during the course of several wars, IP intelligence can be used for both the offensive and defensive sides in the cybersecurity field.
Let's take a look at the data we consider when we talk about 'IP intelligence.'
IP intelligence examples
IPs involved in malicious activity such as malware distribution, spam or ransomware campaigns are the clearest examples of IP intelligence. In other words, an IP's reputation can't be ignored when you're building an IP profile.
Other examples of IP intelligence could be:
- IP usage stats
- IP neighbors
- IP geolocation
- IP blocks and subnets
- RIR allocation
- Hosted domains and subdomains
- Open ports
- Operating system name and version
- Software and versions
- User-agents seen on that IP
- IP P2P activity
What tools are needed to get intelligence on IP addresses?
A number of tools can help you get all the IP address intelligence you need. Some of them are fairly manual, while others are quick and don't require terminal or networking knowledge.
Let's take a look at a few of them:
IP intelligence scripts and sources
There are a lot of services, scripts and sources that give you direct access to IP intelligence, but it would take weeks to mention them all. They fall into many different categories, depending on the needs of the agency or security research team using them.
Some popular sources for IP intelligence:
- DShield: This is one of the oldest and most popular collaborative IP reputation projects. Started by Johannes Ullrich in late 2000, it lets system administrators and blue teams protect their servers from malicious IP addresses logged by sensors all over the world. Submitted data is aggregated into text-based lists of offending IP addresses involved in suspicious or malicious activity such as port scans, SSH brute forcing and suspicious domains.
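Lists like DShield's are only useful once you match your own logs against them. The following added example (not DShield's code, and not from the article's authors) parses a block list in the tab-separated layout the DShield block list uses (start IP, end IP, netmask bits, attack count, name, country, contact) and flags every IPv4 literal in a batch of sshd log lines that falls inside a listed block. The feed rows and log lines are constructed sample data using documentation ranges, and the column layout is the author's reading of the feed format, so check it against the live file before using it.

```python
"""Check IPs from log lines against a DShield-style block list.

Added example; not DShield's own code. It assumes the tab-separated layout
of the DShield block list (feeds.dshield.org/block.txt): '#' comment lines,
then rows of  start_ip, end_ip, netmask_bits, attacks, name, country, email.
FEED and LOG_LINES are constructed sample data that use documentation ranges.
"""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable, Optional

FEED = """\
# DShield block list (constructed sample)
# Start\tEnd\tNetmask\tAttacks\tName\tCountry\temail
192.0.2.0\t192.0.2.255\t24\t1200\tEXAMPLE-NET-1\tXX\tabuse@example.net
198.51.100.0\t198.51.100.255\t24\t850\tEXAMPLE-NET-2\tXX\tabuse@example.org
203.0.113.0\t203.0.113.255\t24\t400\tEXAMPLE-NET-3\tXX\tabuse@example.com
"""

# Constructed sshd log lines; only the 'from <ip>' hosts matter here.
LOG_LINES = [
    "Jan 10 02:14:31 bastion sshd[1123]: Failed password for root from 192.0.2.77 port 51122 ssh2",
    "Jan 10 02:15:02 bastion sshd[1130]: Accepted publickey for ops from 10.0.5.12 port 40210 ssh2",
    "Jan 10 02:16:40 bastion sshd[1141]: Failed password for admin from 203.0.113.9 port 59001 ssh2",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_block_list(text: str) -> list[tuple[ipaddress.IPv4Network, int]]:
    """Parse feed rows into (network, attacks) pairs, skipping comments and blanks.

    start + netmask is enough to build the network; strict=False tolerates a
    start address that is not aligned to the mask.
    """
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, _end, bits, attacks = line.split("\t")[:4]
        net = ipaddress.ip_network(f"{start}/{bits}", strict=False)
        blocks.append((net, int(attacks)))
    # Noisiest blocks first, so the first match reported is the worst offender.
    return sorted(blocks, key=lambda b: b[1], reverse=True)


def lookup(ip: str, blocks) -> Optional[tuple[ipaddress.IPv4Network, int]]:
    """Return the (network, attacks) entry covering ip, or None if it is not listed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # the regex admits octets above 255; ignore those
        return None
    for net, attacks in blocks:
        if addr.version == net.version and addr in net:
            return net, attacks
    return None


def flag_log_lines(lines: Iterable[str], blocks) -> list[dict]:
    """Extract every IPv4 literal from each line and report the ones on the list."""
    hits = []
    for line in lines:
        for ip in IPV4_RE.findall(line):
            match = lookup(ip, blocks)
            if match is not None:
                hits.append({"ip": ip, "block": str(match[0]), "attacks": match[1], "line": line})
    return hits


if __name__ == "__main__":
    for hit in flag_log_lines(LOG_LINES, parse_block_list(FEED)):
        print(f"{hit['ip']:15} in {hit['block']} ({hit['attacks']} attacks): {hit['line']}")
```

In production you would fetch the feed on a schedule rather than embed it, and treat a hit as a signal to correlate (the same list drives many firewalls, so a listed source hitting you is expected noise), not as proof of a targeted attack.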
- Spamhaus Block List (SBL): Along with DShield, Spamhaus is another widely used IP reputation source. The SBL is a realtime, DNS-based blocklist (DNSBL) of IP addresses involved in spam activity. By querying it at SMTP time, mail administrators can detect and block incoming spam, phishing and malware-carrying email from known bad sources.
- ExoneraTor: This service tells you whether an IP address was running a Tor relay on a given date, and whether that relay permitted exit traffic. For automated lookups, the TorDNSEL service answers the exit-relay question over DNS.
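The SBL and TorDNSEL are both answered over DNS in the same way: reverse the IPv4 octets, append the zone, and interpret a 127.0.0.x answer as a listing (NXDOMAIN means not listed). The following added example (not Spamhaus's or the Tor Project's code) builds those query names for Spamhaus ZEN, which bundles the SBL with the XBL and PBL, and for TorDNSEL, and decodes the answers. The zone names and return-code tables are the author's reading of the public documentation and should be verified before use; the resolver is injectable so the sample data stays offline.

```python
"""Build and decode DNSBL queries for Spamhaus ZEN and TorDNSEL.

Added example; not Spamhaus's or the Tor Project's code. Both services are
queried by reversing the IPv4 octets and appending a zone name; a listed
address resolves to something in 127.0.0.0/8 whose last octet encodes why.
Zone names and return codes below are assumptions taken from the vendors'
public documentation as the author understands it; verify them first.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

ZEN_ZONE = "zen.spamhaus.org"      # SBL + XBL + PBL in one query
TOR_ZONE = "dnsel.torproject.org"  # TorDNSEL exit-list zone (assumed current name)

RETURN_CODES: Dict[str, Dict[str, str]] = {
    ZEN_ZONE: {
        "127.0.0.2": "SBL: direct spam source",
        "127.0.0.3": "SBL CSS: snowshoe / low-reputation sender",
        "127.0.0.4": "XBL: exploited or compromised host",
        "127.0.0.5": "XBL: exploited or compromised host",
        "127.0.0.6": "XBL: exploited or compromised host",
        "127.0.0.7": "XBL: exploited or compromised host",
        "127.0.0.9": "SBL DROP: hijacked or spammer-controlled netblock",
        "127.0.0.10": "PBL: ISP-declared end-user range",
        "127.0.0.11": "PBL: Spamhaus-maintained end-user range",
    },
    TOR_ZONE: {
        "127.0.0.2": "Tor exit relay",
    },
}


def dnsbl_name(ip: str, zone: str) -> str:
    """'192.0.2.1' + zone -> '1.2.0.192.<zone>'. IPv4 only in this example."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_a(name: str) -> List[str]:
    """Resolve A records with the system resolver; NXDOMAIN (not listed) -> []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check(ip: str, zone: str, resolve: Callable[[str], List[str]] = resolve_a) -> dict:
    """Query one DNSBL and decode the answer.

    127.255.255.x answers from Spamhaus are errors, not listings: e.g.
    127.255.255.254 = query sent through a public/open resolver, which
    Spamhaus refuses, and 127.255.255.255 = query volume exceeded.
    """
    answers = resolve(dnsbl_name(ip, zone))
    errors = [a for a in answers if a.startswith("127.255.255.")]
    listings = [a for a in answers if a.startswith("127.0.0.")]
    return {
        "ip": ip,
        "zone": zone,
        "listed": bool(listings),
        "reasons": [RETURN_CODES.get(zone, {}).get(a, f"unknown code {a}") for a in listings],
        "error": errors[0] if errors else None,
    }


if __name__ == "__main__":
    for target in ("192.0.2.1", "203.0.113.5"):
        for zone in (ZEN_ZONE, TOR_ZONE):
            print(check(target, zone))
```

The error branch matters in practice: a host that forwards DNS to a public resolver gets 127.255.255.254 back from Spamhaus for every query, and a naive "any answer means listed" check would then block all inbound mail.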
IP intelligence web-based tools
- AbuseIPDB: This is a centralized service where system administrators, network engineers, webmasters and end users report IP addresses involved in malicious activity such as DDoS, spam, malware distribution and intrusion attempts. Its API, offered in free and commercial plans, lets you check an IP's abuse confidence score (0 to 100) and download blocklists, and it integrates with popular blue team tools such as Fail2ban, which can report the IPs it bans back to the service.
- GreyNoise Intelligence: This service offers a simple, effective way to detect, analyze and label IP addresses involved in Internet-wide mass scanning, covering both opportunistic scanners and targeted scans tied to genuinely malicious activity. GreyNoise lets you inspect any IP and get first- and last-seen dates, OS, ASN, country and city, plus IP intelligence such as whether malicious activity was observed, bot network involvement, and the types of scans performed, including the protocols and ports the scanner knocked on. Read our interview with Andrew Morris from GreyNoise Intelligence for more about him and his company.
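AbuseIPDB and GreyNoise answer different questions (has this IP been reported for abuse, and is it a known Internet-wide scanner or a known benign service), so the useful automation is combining them. The following added example (not code from AbuseIPDB, GreyNoise or the article's authors) queries both APIs and folds the answers into a block/review/allow verdict. The endpoints, headers and field names follow the public documentation as the author understands it (AbuseIPDB `/api/v2/check` with a `Key` header, GreyNoise Community API `/v3/community/<ip>` with a `key` header); the 75-point threshold, the API-key handling and the SAMPLE responses are assumptions, and SAMPLE is constructed so the run stays offline.

```python
"""Enrich an IP with AbuseIPDB and GreyNoise and turn the answers into a verdict.

Added example; not code from AbuseIPDB, GreyNoise or the article's authors.
Endpoints and field names follow the public docs as the author understands
them; the threshold, the SAMPLE responses and the IPs are constructed.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Tuple

Fetcher = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, Any]]]


def fetch_json(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, Any]]:
    """Live HTTP GET returning (status, parsed JSON); 4xx/5xx bodies are parsed too."""
    req = urllib.request.Request(url, headers={**headers, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.loads(err.read() or b"{}")
        except ValueError:
            return err.code, {}


def abuseipdb_check(ip: str, key: str, fetch: Fetcher = fetch_json, max_age_days: int = 90) -> dict:
    qs = urllib.parse.urlencode({"ipAddress": ip, "maxAgeInDays": max_age_days})
    status, body = fetch(f"https://api.abuseipdb.com/api/v2/check?{qs}", {"Key": key})
    if status != 200:
        raise RuntimeError(f"AbuseIPDB returned HTTP {status}: {body}")
    d = body["data"]
    return {
        "score": int(d.get("abuseConfidenceScore", 0)),  # 0-100
        "reports": int(d.get("totalReports", 0)),
        "is_tor": bool(d.get("isTor", False)),
        "usage": d.get("usageType"),
        "isp": d.get("isp"),
        "country": d.get("countryCode"),
    }


def greynoise_community(ip: str, key: str, fetch: Fetcher = fetch_json) -> dict:
    status, body = fetch(f"https://api.greynoise.io/v3/community/{ip}", {"key": key})
    if status == 404:  # never seen scanning and not in RIOT (the known-benign set)
        return {"noise": False, "riot": False, "classification": "unknown", "name": None}
    if status != 200:
        raise RuntimeError(f"GreyNoise returned HTTP {status}: {body}")
    return {
        "noise": bool(body.get("noise")),
        "riot": bool(body.get("riot")),
        "classification": body.get("classification", "unknown"),
        "name": body.get("name"),
    }


def verdict(abuse: dict, gn: dict, block_at: int = 75) -> str:
    """RIOT wins: blocking a CDN or DNS provider costs more than missing one scanner."""
    if gn["riot"]:
        return "allow"
    if abuse["score"] >= block_at or gn["classification"] == "malicious":
        return "block"
    if gn["noise"] or abuse["reports"] > 0 or abuse["is_tor"]:
        return "review"
    return "allow"


def enrich(ip: str, abuse_key: str = "", gn_key: str = "", fetch: Fetcher = fetch_json) -> dict:
    abuse = abuseipdb_check(ip, abuse_key, fetch)
    gn = greynoise_community(ip, gn_key, fetch)
    return {"ip": ip, "abuseipdb": abuse, "greynoise": gn, "verdict": verdict(abuse, gn)}


# Constructed sample responses keyed by URL, shaped like the real APIs, for offline runs.
SAMPLE = {
    "https://api.abuseipdb.com/api/v2/check?ipAddress=192.0.2.10&maxAgeInDays=90": (200, {"data": {
        "ipAddress": "192.0.2.10", "abuseConfidenceScore": 100, "totalReports": 412, "countryCode": "XX",
        "usageType": "Data Center/Web Hosting/Transit", "isp": "Example Hosting", "isTor": False}}),
    "https://api.greynoise.io/v3/community/192.0.2.10": (200, {
        "ip": "192.0.2.10", "noise": True, "riot": False, "classification": "malicious", "name": "unknown"}),
    "https://api.abuseipdb.com/api/v2/check?ipAddress=198.51.100.53&maxAgeInDays=90": (200, {"data": {
        "ipAddress": "198.51.100.53", "abuseConfidenceScore": 12, "totalReports": 3, "countryCode": "XX",
        "usageType": "Content Delivery Network", "isp": "Example CDN", "isTor": False}}),
    "https://api.greynoise.io/v3/community/198.51.100.53": (200, {
        "ip": "198.51.100.53", "noise": False, "riot": True, "classification": "benign", "name": "Example CDN"}),
    "https://api.abuseipdb.com/api/v2/check?ipAddress=203.0.113.7&maxAgeInDays=90": (200, {"data": {
        "ipAddress": "203.0.113.7", "abuseConfidenceScore": 0, "totalReports": 0, "countryCode": "XX",
        "usageType": "Fixed Line ISP", "isp": "Example ISP", "isTor": False}}),
    "https://api.greynoise.io/v3/community/203.0.113.7": (404, {
        "message": "IP not observed scanning the internet or contained in RIOT data set."}),
}


def offline_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, Any]]:
    """Stand-in for fetch_json that serves the constructed SAMPLE responses."""
    return SAMPLE[url]


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.53", "203.0.113.7"):
        print(json.dumps(enrich(ip, fetch=offline_fetch), indent=2))
    # Live use: enrich(ip, abuse_key=os.environ["ABUSEIPDB_KEY"], gn_key=os.environ["GREYNOISE_KEY"])
```

Keep the keys out of the code and out of logs, and cache results: both services rate-limit free plans, and the same IP tends to show up in thousands of log lines.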
- BGPView: Performing an ASN lookup to get full network information is one of the first things security researchers do while building an IP profile of an organization, and BGPView offers all that and more. For ASN information it includes country, announced prefix, prefix name, prefix description, ASN, ASN description and full ASN name. It also offers full RIR data, including the RIR IP prefix, GeoIP country, number of IP addresses, regional registry, allocation status, allocated country and allocation date.
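BGPView exposes this data through a JSON API, and the non-obvious step when building a profile from it is that an IP can sit inside several announced prefixes (an aggregate and a more specific, or a prefix announced by more than one AS), so you want the longest match. The following added example (not BGPView's own code) does that lookup and attaches the RIR allocation. It assumes the shape of `GET https://api.bgpview.io/ip/<ip>` as the author understands it (`data.prefixes[]` with a nested `asn` object, and `data.rir_allocation`); SAMPLE is a constructed response for a documentation address and the fetch function is injectable so the run stays offline.

```python
"""Build an IP network profile from BGPView's ip endpoint.

Added example; not BGPView's own code. It assumes the JSON shape of
GET https://api.bgpview.io/ip/<ip> as the author understands it:
data.prefixes[] (each with prefix and asn{asn,name,description,country_code})
and data.rir_allocation{rir_name,prefix,country_code,date_allocated,allocation_status}.
SAMPLE is a constructed response for a documentation address, used offline.
"""
import ipaddress
import json
import urllib.request
from typing import Any, Callable, Dict


def fetch_json(url: str) -> Dict[str, Any]:
    req = urllib.request.Request(url, headers={"Accept": "application/json",
                                               "User-Agent": "ip-profile-example/1.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def bgpview_ip(ip: str, fetch: Callable[[str], Dict[str, Any]] = fetch_json) -> Dict[str, Any]:
    body = fetch(f"https://api.bgpview.io/ip/{ip}")
    if body.get("status") != "ok":
        raise RuntimeError(f"BGPView error: {body.get('status_message')}")
    return body["data"]


def profile(ip: str, fetch: Callable[[str], Dict[str, Any]] = fetch_json) -> dict:
    """Pick the most specific announced prefix covering ip and attach RIR data.

    The longest prefix is the one the Internet actually routes to, so its ASN
    is reported first; every covering ASN is kept in all_asns for context.
    """
    data = bgpview_ip(ip, fetch)
    addr = ipaddress.ip_address(ip)
    covering = []
    for p in data.get("prefixes", []):
        net = ipaddress.ip_network(p["prefix"], strict=False)
        if addr.version == net.version and addr in net:
            covering.append((net.prefixlen, p))
    covering.sort(key=lambda item: item[0], reverse=True)
    best = covering[0][1] if covering else None
    rir = data.get("rir_allocation") or {}
    return {
        "ip": ip,
        "ptr": data.get("ptr_record"),
        "routed": best is not None,
        "prefix": best["prefix"] if best else None,
        "asn": best["asn"]["asn"] if best else None,
        "as_name": best["asn"]["name"] if best else None,
        "as_description": best["asn"]["description"] if best else None,
        "as_country": best["asn"]["country_code"] if best else None,
        "all_asns": sorted({p["asn"]["asn"] for _, p in covering}),
        "rir": rir.get("rir_name"),
        "rir_prefix": rir.get("prefix"),
        "allocated_to_country": rir.get("country_code"),
        "allocated_on": rir.get("date_allocated"),
        "allocation_status": rir.get("allocation_status"),
    }


# Constructed response: a /24 announced by one AS inside a /23 aggregate from its transit.
SAMPLE = {"status": "ok", "status_message": "Query was successful", "data": {
    "ip": "203.0.113.42", "ptr_record": "host-42.example.net",
    "prefixes": [
        {"prefix": "203.0.113.0/24", "ip": "203.0.113.0", "cidr": 24, "name": "EXAMPLE-NET",
         "description": "Example Networks", "country_code": "XX",
         "asn": {"asn": 64496, "name": "EXAMPLE-AS", "description": "Example Networks Ltd", "country_code": "XX"}},
        {"prefix": "203.0.112.0/23", "ip": "203.0.112.0", "cidr": 23, "name": "EXAMPLE-AGG",
         "description": "Example aggregate", "country_code": "XX",
         "asn": {"asn": 64497, "name": "EXAMPLE-TRANSIT", "description": "Example Transit", "country_code": "XX"}},
    ],
    "rir_allocation": {"rir_name": "APNIC", "country_code": "XX", "ip": "203.0.113.0", "cidr": 24,
                       "prefix": "203.0.113.0/24", "date_allocated": "2009-06-22 00:00:00",
                       "allocation_status": "allocated"},
}}


def offline_fetch(url: str) -> Dict[str, Any]:
    """Stand-in for fetch_json that serves the constructed SAMPLE."""
    if not url.endswith("/ip/203.0.113.42"):
        raise KeyError(url)
    return SAMPLE


if __name__ == "__main__":
    print(json.dumps(profile("203.0.113.42", fetch=offline_fetch), indent=2))
```

An address with an RIR allocation but no covering prefix (`routed` is False) is worth noting on its own: it is assigned but not announced, which is common for reserved space and for netblocks that are squatted or hijacked only intermittently.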
- URLScan: This great IP intelligence service allows you to scan any website and get valuable OSINT data, including full IP data such as current DNS records, main IP address, geolocation, associated IPs involved in website interaction, web hosting provider, ASN information, IP redirects and TLS certificate data. You'll also find full domain intelligence, indicators of compromise, HTTP header information, links found on the main website, DOM tree data and more.
- VirusTotal: This is one of our favourite services, one that lets end users get malware intelligence about any IP address. By entering an IP in the search field, you'll see whether it has been involved in malware distribution, both according to VirusTotal's own scanning and to third-party engines and URL scanners. You'll also find full information about the scanned IP address, such as network, ASN, AS label, RIR and country.
ASI: Short for Attack Surface Intelligence, it's one of our top enterprise-grade products, and it gives you all the IP intelligence you need in seconds.
In the following walkthrough, we pick a random group of IP addresses and run them through ASI to see how much IP intel we can get.
First things first: getting the IP overview is quick and easy. Click on any IP and all of its details load in seconds.
From this view you can quickly reach all the data about the IP, such as open ports and software, location, usage, access network, tenant, forward DNS and IP reputation.
Does this IP address have any open ports? Open ports are one of the first things attackers look for while gathering intel before an attack, and ASI makes discovering both current and past open ports easy.
What devices connected using this IP address? ASI keeps records of the devices seen interacting with an IP address, and you can browse them by date or user agent.
Is the IP free of P2P activity? The P2P IP analyzer instantly reveals whether an IP has been involved in any kind of P2P file sharing.
What are the usage stats for this IP? Can I trust it? Is it a server or a client? How many domains point to it? Are any SSL certificates served from it? Is it an anycast IP? All of this is gathered into a single interface.
Unlike other tools, ASI isn't just about IP intelligence, but about having a complete command center to manage, curate and monitor all your online assets.
The Internet was built with IP addresses as one of its core components, to allow users to send and receive information. And as is the case with real-world organizations and people, some IP addresses are clean and legitimate, and some are directly linked to malicious activities.
If you're wondering whether an IP has been used maliciously, this post should point you in the right direction: toward familiarity with IP intelligence and some of the most useful services and products for getting the IP intelligence data you need.
ASI, our enterprise-grade attack surface intelligence tool, was created for that very purpose: to monitor, contain and manage all your assets, letting you know anything and everything about your IP address.