Skip to main content

Do Random IP Lookups Mean Anything?

Being able to identify the external IP address of a network is usually a benign activity. Applications may opt to use online services via an HTTP request or API call. Currently, there are some web-based applications that provide this kind of service openly, and some with possibly malicious uses. In fact, malware threats have been using these services to map out and identify their targets for quite some time to already - an acknowledged fact hidden in technical write-ups but which hold little recognition for an active defender. The goal of looking into these web services is to isolate threats that had abused the network service and identify this kind of network activity. If we can associate an external IP lookup to a suspicious activity, then we would be able to assume that an endpoint requires some form of investigation. Endpoint identification through IP addresses may pose a challenge, but the correct placement of the identification methods proposed in this paper may be considered. This paper will also look into the associated malicious activity that had used online services, the use of such services over time, differentiate the threats that use them, and finally how to detect them using open source tools, if applicable.

Download file

38405 (PDF, 2.76MB)

2 May 2018
ByJay Yaneza
Share
All papers are copyrighted

No re-posting of papers is permitted

Related Content

A New Era in Vulnerability Management: A SANS Review of the Seemplicity Platform

Research Paper

In this paper, Dave Shackleford offers an inside look at Seemplicity, a vendor-agnostic remediation orchestration platform designed to unify vulnerability management across code, cloud, and infrastructure.

  • 18 Aug 2025
  • Dave Shackleford

Adopting an Offensive Security Posture: Strategies and Best Practices

Research Paper

This paper delves into essential concepts, and offers practical guidance for adopting an offensive security posture.

  • 18 Aug 2025
  • Jorge Orchilles

Enhanced Decisions with WatsonX: A Look at IBM QRadar Investigation Assistant

Research Paper

This paper examines IBM QRadar Investigation Assistant, an AI-powered tool that enhances SOC performance by streamlining incident triage, automating threat enrichment, and enabling natural language query capabilities.

  • 6 Aug 2025
  • Matt Bromiley

Balancing On-Prem and Cloud Security Strategic Considerations for Modern Organizations

Research Paper

This paper examines the strategic trade-offs between cloud and on-prem deployments, and the growing trend of consolidating tools into integrated security platforms.

  • 30 Jul 2025
  • Matt Bromiley

Evaluating Zero Trust Network Access: A Framework for Comparative Security Testing

Research Paper

While most evaluations rely on vendor checklists and surface-level comparisons, this white paper takes a different approach: building and applying a hands-on testing framework grounded in NIST SP 800-207 and the CISA Zero Trust Maturity Model.

  • 11 Jul 2025

Defense in Depth: Multiple Layers of Protection Fortifying Your Cyber Defenses

Research Paper

Download this paper and learn how to implement and evolve a Defense-in-Depth (DiD) strategy tailored to your organization’s risk profile, infrastructure, and cloud environment.

  • 10 Jul 2025
  • Ted Demopoulos

Dropzone AI Can Make Internal SOC Teams More Effective

Research Paper

In this paper, SANS Certified Instructor Mark Jeanmougin examines how Dropzone AI can integrate into existing security stacks and help SOC teams stay focused on high-impact decisions.

  • 17 Jun 2025
  • Mark Jeanmougin

AI-Driven Insecurity: Assessing Security Gaps in AI Generated IT Guidance

Research Paper

The increasing reliance on AI-generated technical guidance for IT system configuration introduces significant security risks. This study assesses these risks through a case study: setting up an Apache web server on a Rocky Linux system using instructions from seven AI models.

  • 13 May 2025

Validating the Effectiveness of MITRE Engage and Active Defense

Research Paper

This research examines the impact of Active Defense compared to a traditional security posture when an adversary employs common tactics and techniques to identify high-value targets or exfiltrate sensitive data.

  • 29 Mar 2025

Shift Left the Awareness and Detection of Developers Using Vulnerable Open-Source Software Components

Research Paper

The research presented in this paper demonstrates that companies can shift the detection and awareness of developers using vulnerable components left in the early development stages.

  • 26 Mar 2025

Strolling Through the STIG

Research Paper

This research demonstrates how a new tool, Stroll, avoids the additional hardware requirements by living off the land.

  • 7 Mar 2025

Building Resilient IoT Devices: Binary Hardening with Yocto and Clang

Research Paper

This paper addresses the critical need for enhanced security in Internet of Things (IoT) devices by evaluating the implementation of binary hardening techniques using Clang security features within the Yocto build environment.

  • 3 Mar 2025

Harnessing Entra ID Snapshots for Effective Post-Security Incident Detection and Containment

Research Paper

This research focuses on implementing identity snapshots within Microsoft's Azure Entra ID, demonstrating their potential to significantly enhance the efficiency and effectiveness of post-incident detection and containment.

  • 3 Mar 2025

Identifying Advanced Persistent Threat Activity Through Threat-Informed Detection Engineering: Enhancing Alert Visibility in Enterprises

Research Paper

Advanced Persistent Threats (APTs) are among the most challenging to detect in enterprise environments, often mimicking authorized privileged access prior to their actions on objectives. Moving within the environment slowly and quietly, APTs can often persist within the environment for months before detection.

  • 20 Feb 2025

Evaluating Modern Network Protocol Fingerprinting: Defending Bastion Hosts in Hostile Networks

Research Paper

Adversaries continue to attack the network perimeter and trusted user workstations to gain access to sensitive networks. Modern networks are designed and often mandated to use encrypted communication paths everywhere.

  • 6 Feb 2025

Revolutionizing Enterprise Security: The Exciting Future of Passkeys Beyond Passwords

Research Paper

As digital threats grow increasingly sophisticated, traditional password-based authentication systems are proving inadequate, leaving enterprises vulnerable to phishing, credential stuffing, and other cyberattacks.

  • 23 Dec 2024
  • Rich Greene

The Proof is in the Pudding: EDR Configuration Versus Ransomware

Research Paper

Each Endpoint Detection and Response (EDR) tool is slightly different in its functions and operations but is similar in its goal.

  • 23 Dec 2024

Malware Function-based encryption technique

Research Paper

Recent malware often uses techniques to evade detection by cybersecurity products. One of the...

  • 22 Jun 2022

Detecting Unauthorized Behavior From Legitimate Accounts

Research Paper

Incident Responders face an almost insurmountable amount of log events, and the move to the Cloud...

  • 22 Jun 2022

Recover an RSA Private Key from a TLS v1.2 session

Research Paper

Cyberattacks happen every day.Most organizations have administrative and technical controls...

  • 22 Jun 2022

Subscribe to GIAC’s Monthly Newsletter

Receive expert insights, priority access to certifications, essential updates on regulatory changes and industry developments.