IP Threat Detected Overview

05/2022 - rev 2

Overview

The Oort check for potentially suspicious IP traffic is available via the IP Threat Detected Check.

Goal

This document provides an overview of the IP Threat Detected feature and its benefits.

Audience

This document is intended for identity security analysts and IAM administrators responsible for reviewing and investigating user identity behavior and system access details.

IP Threat Detected Check

The IP Threat Detected feature integrates IP threat intelligence from the Brightcloud service and cross-references it with IP traffic data from Oort user identity data feeds, such as IDPs like Okta and Azure AD.

This feature can be accessed by clicking the Checks menu option in the left-hand vertical menu and then clicking the IP Threat Detected check.

Note - the display order of the Checks will move according to percentage failing and severity. To find the IP Threat check quickly, filter by the Security category.

screenshot 2022 05 16 170136

Within the Check details page, a description is provided, as well as the number of users failing this check and the number of user excluded from the check.

Click View In Users List to see a list of those users failing this check.

Filtering IP Threat Categories

From the Oort Users page, the IP Threat filter in the lower left section can be used to include or exclude specific types of IP threat categories in the user list.

screenshot 2022 05 16 171443

To remove the filter, simply click the 'x' for that filter field.

screenshot 2022 05 16 171750

Investigating IP Threats for a User

For a given user with a failed IP Threat check, click the User object and on the Overview tab, scroll down to the Active IP Addresses tile.

If the user has a long list of different IP address activity, you may need to scroll down this list, until you find one or more entries that has been tagged by the IP reputation service.

screenshot 2022 05 16 173553

To see the specific user events correlated with this IP, click on the IP address in question.

Types of IP Threats and Suggested Remediation

The IP reputation service provides the following categories of IP threat classification. For purposes of investigation and incident response, we have grouped the categories into themes based on likely remediation steps.

Endpoint Compromise Indicated

The following categories of IP threat alert indicate the possibility of malicious software being present on a particular endpoint.

  • Windows Exploits - Active IP addresses offering or distributing malware, shell code, rootkits, worms or viruses.
  • Web Attacks - Cross site scripting, iFrame injection, SQL injection, cross domain injection or domain password brute force.
  • Botnets - Botnet C&C channels and infected zombie machines controlled by bot master.
  • Scanners - All reconnaissance such as probes, host scan, domain scan and password brute force.
  • Denial of Service - Inbound DOS, DDOS, anomalous SYN flood, anomalous traffic detection.
  • Phishing - IP addresses hosting phishing sites and other kinds of fraud activities such as Ad Click Fraud or Gaming Fraud
  • Package - Catch-all category that contains all other types.

Remediation - We suggest investigating the endpoint in question promptly to confirm that no malicious software is residing on it.

Spam Source

Spam source IP tags include behavior tunneling spam messages through proxy, anomalous SMTP activities, and forum spam activities.

In some cases, a user present on a particular network or ISP can get included with this tag, if the network was previously hosting spam-related activity. This can be common with less regulated or monitored ISPs.

Remediation - We suggest investigating the endpoint in question promptly to confirm that no malicious software is residing on it.

Network Proxy Activity

In many organizations, using commercial VPNs or proxy services to access corporate resources is against security policy and also represents a data security risk.

  • Proxy / Cloud Provider- IP addresses providing proxy and anonymization services. This category also includes TOR anonymizer IP addresses
  • TOR Proxy - IP addresses acting as exit nodes for the Tor Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination

Remediation - We suggest investigating the end user activity and contacting them to confirm their use of these non-corporate services.

Mobile Threats

Mobile threats represent a specific form of activity from IP addresses representing known malicious and unwanted mobile applications.

Remediation - We suggest investigating the mobile device and if possible wiping or resetting it, or barring it from corporate use.