UB3.C4.K1 – Users contract and use non-secure ISP
The Internet Service Provider (ISP) our users choose plays a critical role in safeguarding our data and assets. While many people focus on speed, reliability, and cost when selecting an ISP, one often overlooked factor is the provider's commitment to security. The choice between a secure ISP and an ISP that does not invest in security controls (which I will refer to as a risky ISP) can significantly affect your data privacy, the integrity of your devices, and your overall cybersecurity posture.
Why Security in an ISP Matters
ISPs act as the gateway between your devices and the internet. They assign your IP addresses, manage data transmission, and control access to online resources. This role makes them a critical component of your network's security. A secure ISP invests in robust security measures to monitor network traffic, protect against cyberattacks, and ensure its IPs are not exploited for malicious purposes. On the other hand, a risky ISP with lax security practices can expose its users to significant threats. Some of the characteristics that set a secure ISP apart from a risky one are:
- Network monitoring: continuous monitoring for suspicious activity vs minimal or no monitoring of network traffic.
- IP reputation: maintains clean and trusted IP ranges vs IPs frequently blacklisted due to malicious use.
- Data encryption: strong encryption for secure data transmission vs little to no encryption, exposing sensitive data.
- Incident response: dedicated teams for rapid threat mitigation vs slow or nonexistent response to security issues.
- Privacy policies: clear policies protecting user data from misuse vs data that may be sold or left unprotected.
- Additional security features: offers firewalls, DNS filtering, and VPN support vs no additional tools or features for user safety.
- Cost: slightly higher due to security investments vs often cheaper due to the lack of security expenses.
- Laws and obligations: defined and clear procedures to comply with laws and obligations (such as communication with the CERT or the corresponding authorities) in case of malicious activity vs unclear procedures and non-compliance with laws and regulations.
Classifying secure and risky ISPs
It depends on the individual. For example, if you have the time to explore each ISP and research its capabilities and features, you can classify them based on your criteria. In my case, I use ChatGPT to gather this information, as shown in the table below:
On the other hand, you can use the following KQL query to detect whether users are signing in through secure or risky ISPs, based on activities such as sign-in attempts:
// Sergio Albea
IdentityLogonEvents
| where Timestamp > ago(30d)
| summarize Different_IPs = make_set(IPAddress), Total_different_IPs = dcount(IPAddress), Total_sign_attempts = count(),
    // failures that point to credential guessing or probing of unknown / disabled accounts
    Suspicious_Sign_attempt = countif(ActionType has "OldPassword" or FailureReason has "WrongPassword"
        or FailureReason has "validating credentials due to invalid username or password."
        or FailureReason has "The account is locked, you've tried to sign in too many times with an incorrect user ID or password."
        or FailureReason has "Authentication failed." or FailureReason has "UnknownUser" or FailureReason has "The user account is disabled."),
    // countif() is required here: count() takes no predicate
    Success_Sign_attempt = countif(ActionType has "LogonSuccess"),
    // expired/changed-password and generic failures, kept apart from the suspicious ones
    Issues_Sign_attempt = countif(FailureReason has "The session is not valid due to password expiration or recent password change." or FailureReason has "General failure")
    by ISP, Location
| extend SuspiciousRatio = Suspicious_Sign_attempt * 1.0 / Total_sign_attempts, ValidRatio = Success_Sign_attempt * 1.0 / Total_sign_attempts, IssuesRatio = Issues_Sign_attempt * 1.0 / Total_sign_attempts
| extend SuspiciousPercentage = SuspiciousRatio * 100, ValidPercentage = ValidRatio * 100, IssuesPercentage = IssuesRatio * 100
| order by SuspiciousPercentage desc
// Optional filter if you want to keep only ISPs above specific percentages, for example:
// | where ValidPercentage < 10 and (SuspiciousPercentage > 90 or IssuesPercentage > 90)
Focusing on potentially risky ISPs used by malicious actors
As an attacker, I would definitely prefer to use a risky ISP rather than a secure one, for the obvious reasons discussed earlier in the article about security controls. For example, using a risky ISP could mean not being blocked after attack attempts and avoiding IP monitoring, among other controls.
To detect malicious activities, you need to use your threat analysis tools and logs. In my case, I rely on KQL queries for analysis.
First and foremost, it's important to understand that malicious actors might use secure ISPs like Azure, AWS, or major national ISPs. This can result in false positives, so I employ ratios to help distinguish between legitimate and potentially malicious activities. Let's go through the results of the KQL query shared above:
- Case 1: an ISP using multiple different IPs to attempt sign-ins on my tenant, with 0 successful sign-in attempts. This provides me with useful information, such as potential IPs to be added as Indicators of Compromise (IOCs) in my Threat Intelligence platform, and allows me to monitor future activities from IPs associated with this ISP.
- Case 2: an ISP using multiple different IPs to attempt sign-ins on my tenant, with some successful sign-in attempts. In addition to the information from the case above, it helps me identify accounts potentially compromised through a risky ISP, since the high number of attempts could indicate, for example, a brute-force attack.
The advantages of detecting risky ISPs
Once you have identified a group of risky ISPs that could affect your organization, you can gain additional security benefits. For instance, if attackers use a new IP from a risky ISP that hasn’t been seen before, instead of waiting for them to initiate an attack and be flagged as malicious by security vendors (such as VirusTotal), you can stay a step ahead by monitoring connections coming from these ISPs. This proactive approach allows you to either block connection attempts from these ISPs directly or receive immediate notifications when a connection attempt is made, depending on whether you choose to block or monitor their activities.
Secondly, if I have users who have successfully signed in from any of the identified risky ISPs, I would require them to reset their passwords or revoke access tokens due to the potentially low security standards enforced by those ISPs.
In addition, identifying risky ISPs that have triggered multiple connection attempts, especially those that never succeeded and were classified as malicious, can provide you with valuable Indicators of Compromise (IOCs) to integrate into your Threat Intelligence platforms.
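As an added example that is not part of the original post or of the KQL query above, the following Python reproduces the per-ISP aggregation and percentages of the query over a handful of constructed sign-in records, labels each ISP as Case 1 or Case 2 as described in the previous section, and lists the accounts that signed in successfully from a risky ISP (the password-reset / token-revocation candidates from this section). Column names follow the query; AccountUpn is an assumed column, the ISP names, IPs and accounts are made up, and plain substring matching stands in for KQL's has operator.

```python
# Constructed sample sign-ins: the columns the KQL query reads plus an assumed AccountUpn.
FIELDS = ("ISP", "Location", "IPAddress", "AccountUpn", "ActionType", "FailureReason")
SAMPLE_EVENTS = [dict(zip(FIELDS, t)) for t in [
    ("RiskyNet", "ZZ", "198.51.100.7", "alice@example.com", "LogonFailed", "WrongPassword"),
    ("RiskyNet", "ZZ", "198.51.100.9", "alice@example.com", "LogonFailed", "UnknownUser"),
    ("RiskyNet", "ZZ", "198.51.100.9", "bob@example.com", "LogonFailed", "The user account is disabled."),
    ("CheapISP", "YY", "203.0.113.4", "carol@example.com", "LogonFailed", "WrongPassword"),
    ("CheapISP", "YY", "203.0.113.5", "carol@example.com", "LogonSuccess", ""),
    ("CheapISP", "YY", "203.0.113.5", "carol@example.com", "LogonFailed", "General failure"),
]]

# Fragments of the FailureReason strings the query tests (substring match instead of KQL's has).
SUSPICIOUS = ("WrongPassword", "invalid username or password", "account is locked",
              "Authentication failed", "UnknownUser", "account is disabled")
ISSUES = ("password expiration", "General failure")

def bucket(e):
    """Mirror the countif() branches of the query for one event."""
    if e["ActionType"] == "LogonSuccess":
        return "success"
    reason = e["FailureReason"]
    if "OldPassword" in e["ActionType"] or any(s in reason for s in SUSPICIOUS):
        return "suspicious"
    return "issues" if any(s in reason for s in ISSUES) else "other"

def summarize_by_isp(events):
    """Per (ISP, Location): distinct IPs, counts and percentages, like the query's summarize/extend."""
    out = {}
    for e in events:
        r = out.setdefault((e["ISP"], e["Location"]),
                           {"ips": set(), "total": 0, "success": 0, "suspicious": 0, "issues": 0})
        r["ips"].add(e["IPAddress"])
        r["total"] += 1
        r[bucket(e)] = r.get(bucket(e), 0) + 1   # "other" failures count towards the total only
    for r in out.values():
        r["distinct_ips"] = len(r["ips"])
        for k in ("success", "suspicious", "issues"):
            r[k + "_pct"] = round(100.0 * r[k] / r["total"], 1)
    return out

def classify(r):
    """Case 1: several IPs and zero successes; Case 2: several IPs and some successes."""
    if r["distinct_ips"] >= 2:
        return "case1" if r["success"] == 0 else "case2"
    return None

def accounts_to_review(events, risky_isps):
    """Accounts that signed in successfully via a risky ISP: reset/revoke candidates."""
    return sorted({e["AccountUpn"] for e in events
                   if e["ISP"] in risky_isps and e["ActionType"] == "LogonSuccess"})
```

With the sample data, RiskyNet comes out as Case 1 (100% suspicious, no successes) and CheapISP as Case 2, with carol@example.com as the only account to review.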
Summary
To summarise, monitoring ISPs and classifying them can help us be more proactive against attacks, reduce response time due to the known behavior of the ISP, and decrease the number of requests needed to add malicious IPs and other related indicators in our platforms.
On the other hand, I feel that sometimes we are overly focused on searching for new or trusted sources to add common indicators, such as IP addresses, URLs, domains, and file hashes. Don't get me wrong: this is absolutely necessary. However, researching additional types of sources, like ISPs, can help us stay one step ahead and provide new indicators to protect our assets and data.