Bulk IP Lookup: Integrating IP Geo Data Into Cybersecurity Development
IP geolocation data is among the most useful sources of intelligence that can strengthen an organization's cybersecurity posture.
The pervasiveness and increasing sophistication of cyber attacks call for additional data points that can help users make sense of security incidents. Contextualizing cyber alerts generated by cybersecurity tools, for instance, can help security teams prioritize responses. One critical contextual data source is IP geolocation data, which includes the following data points for every IP address:
- Postal code
- Time zone
- Internet service provider (ISP)
- Connection type
In some consumption models, IP geolocation data also includes Autonomous System (AS) details and related domain names.
Ways To Integrate IP Geolocation Data
It could take developers only a few minutes to create a script to retrieve the IP geolocation of multiple devices or users. Here’s an example of how you can obtain locations in Python.
```python
from simple_geoip import GeoIP

geoip = GeoIP("YOUR_API_KEY")

sites = []  # one lookup result per IP address read from the file
with open("ips.csv", "r") as ipfile:
    for ip in ipfile:
        ip = ip.strip()
        try:
            data = geoip.lookup(ip)
            print(data)
            sites.append(data)
        except Exception:  # skip addresses the service cannot resolve
            pass
```
However, a script like this issues one lookup per address, so retrieving information on large volumes of data can take a long time. Other consumption models of IP geolocation data can save you time and effort, especially when they are integrated into cybersecurity solutions.
Some IP geolocation APIs are readily integrable and allow you to perform a bulk IP lookup. Depending on the provider, you may be allowed to configure features, such as setting up the API to look up the connected domains of IP addresses. You may also choose the output format.
IP geolocation data may also be integrated into cybersecurity systems as data feeds. As with other database integrations, you need to write scripts that enable your system to fetch data from the database.
Each consumption model and integration method has its strengths and weaknesses, and the choice would depend on specific business needs and resources. For example, IP geolocation databases could be the top option if you want to examine the data first to ensure its accuracy. However, you would need to allocate more time and human resources to update them regularly.
On the other hand, if you want to obtain updated geolocation data immediately and don’t need database visibility, bulk IP lookup APIs would be preferable.
Benefits of Geolocation-Based Contextualization in Cybersecurity
Integrating accurate IP geolocation data, regardless of consumption model, can help enrich security systems, such as threat intelligence platforms (TIPs) and security information and event management (SIEM) solutions. Providing IP geolocation-based context to cybersecurity investigations, incidents, and indicators of compromise (IoCs) can help you implement key cybersecurity policies.
Traffic Filtering and Fraud Prevention
Is the traffic’s source IP address located in a cybercrime hotspot? If it is, blocking that traffic would be your security application’s next action. You may also use IP geolocation data to block traffic from areas you do not serve, which reduces the chances of fraud.
For instance, if your client only does business within the U.S., then your security system should be able to block a request from IP address 1[.]1[.]63[.]255, which is geolocated in China.
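The bulk enrichment and country-based filtering described above, as an added example that is not part of the original article. The geolocation feed, its addresses (taken from documentation ranges) and the `load_feed`, `decide` and `apply_policy` functions are all constructed here; a real deployment would load the provider's bulk-lookup output in their place. Addresses the feed does not know are routed to "review" rather than being silently allowed, and internal addresses are never sent out for lookup.

```python
import csv
import io
import ipaddress

# Constructed sample feed standing in for a provider's bulk-lookup output.
# Addresses come from documentation ranges; columns mirror the article's data points.
GEO_FEED = """ip,country,postal_code,time_zone,isp,connection_type
203.0.113.10,US,10001,America/New_York,ExampleNet,corporate
198.51.100.7,CN,100000,Asia/Shanghai,ExampleTel,broadband
192.0.2.44,US,94105,America/Los_Angeles,ExampleCable,residential
"""

# RFC 1918 and loopback space: not geolocatable, so never sent to a lookup service.
# (Checked explicitly because ipaddress.is_private also covers the documentation ranges used above.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def refang(raw):
    """Turn a defanged IoC such as 1[.]1[.]63[.]255 back into a plain address."""
    return raw.strip().replace("[.]", ".")

def load_feed(feed_text):
    """Parse the feed into {ip: context}; rows with malformed addresses are skipped."""
    table = {}
    for row in csv.DictReader(io.StringIO(feed_text)):
        try:
            ip = str(ipaddress.ip_address(row["ip"].strip()))
        except ValueError:
            continue
        table[ip] = {k: v for k, v in row.items() if k != "ip"}
    return table

def decide(raw_ip, table, allowed_countries):
    """Return (normalized_ip, verdict, context) for one source address."""
    ip = refang(raw_ip)
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ip, "invalid", None
    if any(addr in net for net in INTERNAL_NETS):
        return ip, "internal", None
    geo = table.get(ip)
    if geo is None:
        return ip, "review", None  # no context: neither silently allow nor block
    verdict = "allow" if geo["country"] in allowed_countries else "block"
    return ip, verdict, geo

def apply_policy(raw_ips, table, allowed_countries):
    """Bulk version: one (verdict, context) pair per input line, keyed by normalized IP."""
    return {ip: (verdict, geo) for ip, verdict, geo in
            (decide(r, table, allowed_countries) for r in raw_ips)}
```

Running `apply_policy(["203.0.113.10", "198[.]51[.]100[.]7", "10.0.0.5"], load_feed(GEO_FEED), {"US"})` yields allow, block and internal respectively, with the ISP and other context attached to the first two.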
Threat Investigation and Reporting
Who owns or manages the IP address? Bulk IP lookup results include the ISP. Knowing the ownership information of a suspicious or malicious IP address can help facilitate its takedown. In some cases, the ISP would investigate the IP address when it is reported. However, you may need to go the extra mile and report the incident and IP address to the country’s Computer Emergency Readiness Team (CERT).
Threat Hunting and IoC List Expansion
What other digital assets are associated with the malicious IP address? Threat actors likely have more than one weapon, so retrieving domain names connected to the IP address can help uncover more malicious properties.
Take, for example, the malicious IP address 3[.]223[.]115[.]185. IP geolocation data in this example includes connected domains, and you can see domains that are seemingly machine-generated and, therefore, possibly unsafe.
Integrating IP geolocation data into the cybersecurity systems you’re developing adds context to the incidents your tool detects. As a result, you provide more value to your company or, for commercial security applications, to your clients.
Opinions expressed by DZone contributors are their own.