Threat hunting: External IP IoCs

  • Home
  • Threat hunting: External IP IoCs

Attackers take every opportunity to infiltrate your network through activities like phishing, cross-site scripting, etc. All these activities aim at getting hold of at least a single system in your network. Once they infect a system in your network, the next step is to try to contact their Command and Control (C&C) servers.

When attackers intrude and attempt to infect your network, malicious external IP addresses and URLs are the one of the most obvious indicators of compromise (IoCs) in your logs. Security and threat intelligence agencies such as AbuseIPDB and RobTex compile and maintain these IoCs for the enterprises to use. They call it as blacklists or blocklists. They can be applied at various points in your network, such as a host, web proxy, DNS servers, email server, firewall, directory servers, etc.

These lists are often growing. Since the discovered IPs can be blocked, hackers are quick to generate new malicious IPs all the time. It is prudent to have a system in place which not only discovers blacklisted IPs in your traffic but also quickly identifies these ever growing malicious external IPs in your network traffic, in the shortest possible time so as to prevent the damage being done on your network. Here's how you can do this.

The external IP indicator of compromise is evident through three questions:

  1. Is the IP address affiliated with malicious activities?

    This can be answered by looking at your threat intelligence platform which may contain the updated threat feeds.

  2. Is the associated Autonomous System Number (ASN) affiliated with malicious activities?

    An ASN is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators. ASNs are ranked based on the total number of malicious IPs they contain and their association with the C&C malware infrastructure. When an unidentified external IP address is associated with a high risk score ASN, it is most likely to be malicious as well.

  3. Is the associated subnet affiliated with malicious activities?

    If an IP address belongs to the subnet of another identified malicious IP address, chances are high that it is malicious as well.

It is important to keep an eye out for external IP IoCs in your logs. ManageEngine's Log360 is a one stop solution that helps enterprises mitigate external and internal threats with alerting, data security, event correlation, threat intelligence and more. It has a built-in STIX/TAXII feeds processor and a global IP threat database that can instantly detect known malicious traffic passing through the network as well as outbound connections to malicious domains and callback servers. The advanced threat analytics add-on gives deeper insights into the threats. Click here to know more.

Products mentioned on this page:

Recently added chapters


Get the latest content delivered
right to your inbox!


Cyber Security - Knowledge Base


  Zoho Corporation Pvt. Ltd. All rights reserved.