IP Addresses, File Hashes, and Email

Learn how to monitor IP addresses, file hashes, and emails for cyber attacks.

IP addresses

One of the least effective ways to identify the source of a scan or attack is to use the IP address it originates from. IP addresses are disposable and can be spoofed or routed through proxies to hide the actual source. An IP address may even lead to someone who is innocent but has a compromised device. For these reasons, attribution based on the IP address is unreliable.

Ascribing attribution to a particular part of the world can also be difficult.

Note: The South Korean government experienced over 110 thousand cyber attacks in five years, and almost none were sourced from the attacker’s country of origin.

Feasibility of monitoring IP addresses for security

Despite their relatively low value, IP addresses may still provide a starting point for creating alerts and dashboards. Also, attackers can occasionally get lazy and forget to hide their IP address. So IP addresses aren’t entirely without value from an attribution standpoint.

Compromised IP addresses

Some IP addresses are perpetually compromised and will always be the source of low-grade attacks and scans. These IP addresses are low-hanging fruit that should be plugged into protection controls to block what should otherwise be considered internet noise.

File hashes

Installing a file integrity checker (FIC) and using it with hashes was discussed in chapter one of this course. Known-bad file hashes can be supplied by cyber intelligence sources and fed to an alerting solution, such as a SIEM, or to endpoint FICs. If any file is found to have a hash that matches one identified by intel, there are a couple of response options:

  • Generating an alert.

  • Having the endpoint software quarantine the suspicious file.
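The match-and-respond logic behind these two options, as an added example that is not part of this course: a small Python check that streams each file under a directory through SHA-256, looks the digest up in an intel feed, and either records an alert or moves the matching file into a quarantine directory. The feed contents, file names and SAMPLE_MALWARE_BYTES are constructed placeholders, not real indicators.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed sample standing in for a file whose digest is listed by an intel feed.
SAMPLE_MALWARE_BYTES = b"MZ\x90\x00constructed-dropper-sample"
SAMPLE_MALWARE_LABEL = "constructed/dropper.sample"
# Constructed feed of digest -> threat label; a real one comes from a CTI source.
KNOWN_BAD = {hashlib.sha256(SAMPLE_MALWARE_BYTES).hexdigest(): SAMPLE_MALWARE_LABEL}

def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large files are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_directory(root: Path, feed: Dict[str, str],
                   quarantine_dir: Optional[Path] = None) -> List[Tuple[str, str, str, str]]:
    """Hash every regular file under root and look the digest up in the feed.
    Each match yields (path, digest, label, action): "alert" when no quarantine
    directory is given, otherwise the file is moved there and action is "quarantined"."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = sha256_file(path)
        label = feed.get(digest)
        if label is None:
            continue  # unknown hash: not an indicator, nothing to do
        if quarantine_dir is None:
            findings.append((str(path), digest, label, "alert"))
        else:
            quarantine_dir.mkdir(parents=True, exist_ok=True)
            dest = quarantine_dir / (path.name + ".quarantined")
            path.replace(dest)  # removes it from the scanned tree
            findings.append((str(dest), digest, label, "quarantined"))
    return findings

def demo() -> Dict[str, list]:
    # Constructed file tree: one benign file and one whose digest is in the feed.
    with tempfile.TemporaryDirectory() as tmp:
        root, quarantine = Path(tmp) / "host", Path(tmp) / "quarantine"
        root.mkdir()
        (root / "readme.txt").write_bytes(b"benign content")
        (root / "update.exe").write_bytes(SAMPLE_MALWARE_BYTES)
        alerts = scan_directory(root, KNOWN_BAD)  # first pass: alert only
        quarantined = scan_directory(root, KNOWN_BAD, quarantine_dir=quarantine)
        return {"alerts": alerts, "quarantined": quarantined,
                "rescan": scan_directory(root, KNOWN_BAD)}  # empty: file was moved
```

A real deployment would replace KNOWN_BAD with a feed pulled from the intel source and forward each finding to the SIEM rather than returning it.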

Email

Phishing is one of the most effective methods used by attackers to get a victim to download and install malware. Information collected from previous phishing campaigns can provide indicators that can be used to block the same phish from reaching other people’s inboxes. The following are elements of an email message that can be used to cross-reference IOCs and block malicious emails.
