In the world of online security, it's tempting to take a rigid, unyielding stance against bad actors. Block any suspicious IP address, and bam – problem solved, right? Not quite. As a fraud prevention expert, I've learned that a more nuanced approach often yields better results: instead of simply blocking IP addresses and going blind to the threat, "be like water", as Bruce Lee said, and adapt to it.
The Problem with IP Blocking
Many security solutions rely heavily on IP address blocking as a primary defense mechanism. While seemingly straightforward, this tactic is fraught with issues:
Dynamic IP Addresses: IP addresses aren't static. They can change frequently, leading to the blocking of innocent users who now share an IP address previously used by a bad actor. Imagine getting locked out of your favorite online store because of someone else's malicious activity!
Unwitting Accomplices: Legitimate users can become collateral damage. Malware on a user's device can generate malicious traffic, triggering an IP block and preventing the actual user from accessing a website, even though they are unaware of the problem.
Transparency Aids the Enemy: Blocking an IP address after a certain number of failed logins can inadvertently reveal your security measures to attackers. Savvy fraudsters can adjust their tactics, using "low and slow" attacks or rotating proxies to circumvent these thresholds.
You Can’t Fix What You Can’t See: Once an IP address is blocked, the fraud mitigation system no longer sees what the fraudster is doing; it is essentially blind to the tactics being deployed.
Embrace Fluidity, Not Rigidity
Be like water making its way through cracks. Do not be assertive, but adjust to the object, and you shall find a way around or through it. - Bruce Lee
Instead of outright blocking, consider a more adaptive approach:
Gather Intelligence: Allowing suspicious activity, while closely monitoring it, provides valuable insights into attacker behavior. Track patterns in login attempts, analyze user agent strings, and observe browser language configurations. This data paints a more comprehensive picture of the threat landscape.
Develop Comprehensive Signals: By observing these patterns, you can identify unique indicators that transcend IP addresses. This allows you to track and mitigate malicious activity even when attackers switch proxies or employ other evasion techniques.
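To make the two approaches concrete, here is an added example (not code from the original post or from myNetWatchman) that runs both rules over a constructed set of login log lines. The log format, the "block after 5 failures per IP" rule, the browser-profile fingerprint (user agent plus Accept-Language) and all addresses and usernames are assumptions made for the example. One actor rotates through six proxy IPs with only two failed logins each, so the per-IP rule never fires; lowering the per-IP threshold to 2 catches the proxies but also locks out a legitimate customer sharing one of those addresses. Aggregating failures by the IP-independent fingerprint instead flags the actor once and records which IPs were used and which accounts were targeted.

```python
import hashlib
import re
from collections import Counter

# Constructed log format for this example (adapt LINE_RE to your real schema):
# <ts> ip=<ip> user=<user> ua="<user agent>" lang="<accept-language>" result=<OK|FAIL>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) '
    r'ua="(?P<ua>[^"]*)" lang="(?P<lang>[^"]*)" result=(?P<result>\w+)$'
)


def _line(sec, ip, user, ua, lang, result):
    """Build one constructed log line (sample data, not real traffic)."""
    return f'2024-05-01T10:00:{sec:02d}Z ip={ip} user={user} ua="{ua}" lang="{lang}" result={result}'


# One actor spraying two accounts from six rotating proxy IPs: only two failures
# per IP, so a "block after 5 failures per IP" rule never fires. The browser
# profile (user agent + accept-language) stays constant across the rotation.
ATTACKER_UA = "Mozilla/5.0 (X11; Linux x86_64) rv:12.0"
ATTACKER_LANG = "pt-BR,pt;q=0.9"
PROXY_IPS = [f"203.0.113.{n}" for n in range(10, 16)]  # TEST-NET-3 documentation addresses

LOG_LINES = [
    _line(i * 2 + j, ip, user, ATTACKER_UA, ATTACKER_LANG, "FAIL")
    for i, ip in enumerate(PROXY_IPS)
    for j, user in enumerate(["alice", "bob"])
]
# A legitimate customer behind the same NAT/CGNAT address as the last proxy IP,
# logging in successfully from a different browser profile.
LOG_LINES.append(_line(30, PROXY_IPS[-1], "frank",
                       "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)",
                       "en-US,en;q=0.9", "OK"))


def parse_event(line):
    """Parse one log line into a dict; raises ValueError on an unexpected format."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def fingerprint(event):
    """IP-independent signal: a hash of the browser profile the attacker keeps
    constant while rotating addresses. A real deployment would fold in more
    attributes (header ordering, timing, device metrics); this is a minimal one."""
    raw = f"{event['ua']}|{event['lang']}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def failures_by(events, key):
    """Count failed logins grouped by an arbitrary key function."""
    return Counter(key(e) for e in events if e["result"] == "FAIL")


def ips_to_block(events, threshold=5):
    """The rigid rule: block any IP with >= threshold failures."""
    return {ip for ip, n in failures_by(events, lambda e: e["ip"]).items() if n >= threshold}


def fingerprints_to_flag(events, threshold=5):
    """The adaptive rule: flag a browser profile with >= threshold failures,
    however many IP addresses those failures were spread across."""
    return {fp for fp, n in failures_by(events, fingerprint).items() if n >= threshold}


def profile_summary(events, fp):
    """Intelligence on a flagged profile: the IPs it used and the accounts it targeted."""
    ips, users = set(), set()
    for e in events:
        if e["result"] == "FAIL" and fingerprint(e) == fp:
            ips.add(e["ip"])
            users.add(e["user"])
    return {"ips": ips, "targeted_accounts": users}


def collateral_damage(events, blocked_ips):
    """Legitimate users (successful logins) who would be locked out by the IP blocks."""
    return {e["user"] for e in events if e["result"] == "OK" and e["ip"] in blocked_ips}


EVENTS = [parse_event(line) for line in LOG_LINES]

if __name__ == "__main__":
    print("IP rule (threshold 5) blocks:", ips_to_block(EVENTS) or "nothing")
    blocked = ips_to_block(EVENTS, 2)
    print("IP rule (threshold 2) blocks:", sorted(blocked),
          "-> locks out legitimate users:", collateral_damage(EVENTS, blocked))
    for fp in fingerprints_to_flag(EVENTS):
        print("Flagged browser profile", fp, profile_summary(EVENTS, fp))
```

The design point is the key function: `failures_by` is the same counter in both rules, and only what it groups by changes. Grouping by IP makes the detector blind to whatever the attacker rotates; grouping by a signal the attacker keeps constant lets the same data both detect the campaign and record the intelligence the post recommends gathering, without blocking the shared address that the legitimate user depends on.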
At myNetWatchman, we still see millions of attacks against organizations that are using IP blocking tools. And, as fast as those IP addresses get blocked, miscreants change IP addresses, making it a cat-and-mouse game. Meanwhile, the stolen user credentials are still being used, so account takeover (ATO) continues and most likely increases. Stopping ATO at the root cause with compromised credential screening is independent of IP address and helps organizations be more like water and adapt to the threat of ATO. Want to know more? Visit us at www.myNetWatchman.tech.