Built in E-Mail, IP & Domain Intelligence for your App.
Published Nov. 2, 2018, 12:48 p.m. by stoos
This post will ease you step by step into blacklists and their importance, not just within the IT security realm but also in the effects they can have on your company's operations and sales.
You have probably heard this in a movie before, maybe even in person from one of those weirder friends that everyone seems to have at least one of in their circle. Some person is not allowed to fly on an airplane because they got "blacklisted". This means they did something wrong while at the airport, or maybe even earlier, that led authorities to believe this person could pose a threat to the safety of air traffic in some way. To avoid this danger that person is no longer allowed onto airplanes or into airports' boarding areas.
Their personal information was written into a registry; that's the blacklist. A list that authorities and security personnel at airports use as part of their passenger screening process to guarantee the safety of air traffic and airports.
Pretty much the same thing exists for the internet as well. There they are also called blacklists. And just like at every airport, they should be part of the IT security and network screening processes in every organization or company.
Certain organizations or individuals maintain blacklists that list IP addresses or domains which in the past have shown (or in the future are expected to show) malicious or abusive behavior. These systems can therefore pose threats to certain systems or parts of networks and should perhaps be isolated, blocked or otherwise taken care of to guarantee smooth and secure operations.
There are hundreds of blacklists out there. Each one lists different IP addresses or domains based on different kinds of threat patterns. Some focus on criteria that at first glance look irrelevant to operations, like spam. Others list more dangerous patterns like DDoS botnets or brute-force attempts.
Whether you belong to the security nerds (like me) or to the people whose mouths start drooling when reading about improved sales numbers, blacklists are an important building block in today's enterprise networks.
Let's start with the IT security perspective.
Brute-forcing used to be and to this day still is a serious threat to the integrity of systems. Brute-forcing means relentlessly trying every possible combination of characters and symbols to crack a password or cipher used for access to a system or for the encryption of data or traffic. Malicious attackers often route their attacks through previously compromised systems, so the connections a target sees come from the compromised host, not from the attacker's own machine.
If a previously unknown system, or rather an IP address or domain, repeatedly launches unauthorized and unsuccessful login attempts, for example via SSH, that is a strong indicator of a compromised system and of a malicious actor using it to brute-force another system.
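As an added example (not code from the original post), here is the kind of check that turns "repeated failed SSH logins from one address" into a concrete signal. It parses constructed sshd log lines in syslog format, counts failed passwords per source address inside a sliding one-minute window, and also keeps the set of usernames tried, because many different (often non-existent) accounts from a single source is what separates a brute-force run from a real user mistyping a password. The sample lines, the year, the threshold and the window are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format (no year). They are made up for
# illustration; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_AUTH_LOG = """\
Nov  2 12:40:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Nov  2 12:40:02 web01 sshd[2213]: Failed password for invalid user oracle from 203.0.113.5 port 40130 ssh2
Nov  2 12:40:03 web01 sshd[2215]: Failed password for root from 203.0.113.5 port 40141 ssh2
Nov  2 12:40:04 web01 sshd[2217]: Failed password for invalid user test from 203.0.113.5 port 40150 ssh2
Nov  2 12:40:05 web01 sshd[2219]: Failed password for root from 203.0.113.5 port 40161 ssh2
Nov  2 12:40:07 web01 sshd[2221]: Accepted publickey for deploy from 198.51.100.7 port 52000 ssh2
Nov  2 12:41:30 web01 sshd[2230]: Failed password for alice from 198.51.100.9 port 53010 ssh2
Nov  2 12:41:45 web01 sshd[2232]: Accepted password for alice from 198.51.100.9 port 53010 ssh2
Nov  2 13:10:00 web01 sshd[2300]: Failed password for invalid user guest from 203.0.113.5 port 41000 ssh2
"""

# Matches OpenSSH's "Failed password" message. "invalid user" is present when the
# account does not exist at all, which is typical of blind username guessing.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(log_text, year=2018):
    """Return a list of (timestamp, source_ip, username, invalid_user) tuples.

    Syslog lines carry no year, so the caller supplies it (assumed 2018 here).
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated messages are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["invalid"] is not None))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failed logins inside any sliding window.

    Returns {ip: {"max_failures": n, "users": {...}}}; the username set shows
    whether one account was hammered or many accounts were enumerated.
    """
    recent = defaultdict(deque)  # per-IP queue of (timestamp, user) inside the window
    flagged = {}
    for ts, ip, user, _invalid in sorted(events):
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            entry = flagged.setdefault(ip, {"max_failures": 0, "users": set()})
            entry["max_failures"] = max(entry["max_failures"], len(q))
            entry["users"].update(u for _, u in q)
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_failed_logins(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {info['max_failures']} failures within 1 min, "
              f"users tried: {sorted(info['users'])}")
```

On the sample input only 203.0.113.5 is flagged: five failures in four seconds across four different accounts, three of which do not exist. The single failure from 198.51.100.9 followed by a successful login is the ordinary mistyped-password case and stays below the threshold. The lone failure from 203.0.113.5 half an hour later falls outside the window, so a log that only holds that line would not trip the check; that is the usual reason to keep a longer-term per-source counter alongside the sliding window.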
The same can be said about botnets that are used for DDoS attacks or spam distribution. Security administrators can block the listed addresses and domains in advance and thereby massively dampen the effects of a DDoS attack or the flood of spam mails received by other systems.
Although these scenarios are all good arguments to implement blacklists in a company's security stack, they are all looked at from the victim's perspective, where one uses blacklists to protect one's own systems from the bad things out there. But, like in society, no one thinks of themselves as being the problem.
The number of highly skilled malicious attackers isn't in the billions, but just one determined and capable attacker is enough. These people compromise systems and use them completely under the radar. So the average system administrator will look at the CPU, RAM and network usage of their systems, maybe even run an antivirus scan, and all results will point towards a healthy system, never even suspecting that their system was blacklisted days, weeks or even months ago for suspicious behavior.
But the very same blacklists that list their systems as threats to the world can help system administrators find unknown infections and therefore increase the safety of their company's network. Maybe just by listing their domain, but maybe even by listing a specific IP address pointing to a single system. The type of blacklist can further help the administrator zero in on what kind of issue or threat their system is posing: maybe it is being used to attack another system, or to send spam.
Many companies only found out about their systems being compromised through the use of blacklists.
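Both uses described above, blocking a listed peer before it reaches you and finding out whether your own addresses are listed, come down to the same lookup. Many IP blacklists are published as DNS zones (DNSBLs): you reverse the address, append the zone name, and a DNS answer means "listed" while NXDOMAIN means "clean". The following is an added example, not code from the original post or from the service it advertises; it builds the query name for IPv4 and IPv6 (RFC 5782 style), queries one or more zones, and separates real listings from the error answers some lists return. Spamhaus's zen.spamhaus.org zone is used as the real-world zone and its documented return codes are included; the stand-in resolver and its answers are constructed so the code runs offline, and anything else about zones or codes should be checked against each list's own documentation.

```python
import ipaddress
import socket

# Return codes for zen.spamhaus.org as documented by Spamhaus. Other lists use
# their own codes; verify against the current documentation of each list.
ZEN_CODES = {
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "SBL CSS (snowshoe / compromised host)",
    "127.0.0.4": "XBL (exploited host)", "127.0.0.5": "XBL (exploited host)",
    "127.0.0.6": "XBL (exploited host)", "127.0.0.7": "XBL (exploited host)",
    "127.0.0.9": "SBL DROP (hijacked / rogue network)",
    "127.0.0.10": "PBL (policy: end-user address)", "127.0.0.11": "PBL (policy: end-user address)",
}


def dnsbl_query_name(ip, zone):
    """Build the name to look up: reversed address labels under the zone (RFC 5782)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))        # 203.0.113.5 -> 5.113.0.203
    else:
        labels = reversed(addr.exploded.replace(":", ""))   # one hex nibble per label
    return ".".join(labels) + "." + zone


def live_resolver(name):
    """Resolve name to its A records over real DNS; [] means NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def classify_answer(answer):
    """Tell listings (127.0.0.x) apart from error codes (127.255.255.x).

    Spamhaus answers 127.255.255.x to queries it refuses, for example ones sent
    through public resolvers. A naive "any answer means listed" check would
    report such a refusal as a listing.
    """
    if answer.startswith("127.255.255."):
        return "error"
    if answer.startswith("127.0.0."):
        return "listed"
    return "unexpected"


def check_ip(ip, zones=("zen.spamhaus.org",), resolve=live_resolver):
    """Check ip against each zone; returns {zone: {"status": ..., "codes": [...]}}."""
    results = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        if not answers:
            results[zone] = {"status": "clean", "codes": []}
            continue
        kinds = {classify_answer(a) for a in answers}
        if "error" in kinds:
            status = "error"
        elif "listed" in kinds:
            status = "listed"
        else:
            status = "unexpected"
        results[zone] = {"status": status, "codes": sorted(answers)}
    return results


# Constructed stand-in for DNS so the example runs offline; these answers are made up.
FAKE_DNS = {
    "5.113.0.203.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10"],  # XBL + PBL style codes
    "7.100.51.198.zen.spamhaus.org": ["127.255.255.254"],          # refused query, not a listing
}


def fake_resolver(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.7", "192.0.2.1"):
        for zone, r in check_ip(ip, resolve=fake_resolver).items():
            print(ip, zone, r["status"], ", ".join(ZEN_CODES.get(c, c) for c in r["codes"]))
```

Run with the default `live_resolver` against your own public addresses, your outbound mail relay in particular, and you have the self-check the text talks about; run it against a connecting peer's address and you have the victim-side filter. Two practical points: the lookup must go through a resolver the list accepts (Spamhaus refuses queries from public resolvers, which is exactly what the error branch catches), and the returned code tells you what kind of problem the list believes you have, an exploited host versus a policy listing for a dynamic address, which is the hint the administrator needs to start hunting.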
Let’s take a quick look at the other perspective previously mentioned. Sales.
As already explained, to avoid connections to IP addresses or domains on blacklists, and therefore to avoid an infection or reduce the chance of an attack, blacklisted systems are often only connected to with warning messages or get blocked completely.
Now let's say a company has a website (much wow, much hightech, the future is now). Imagine sales numbers dropping lower and lower over time. The sales department is getting frustrated and has no idea what advertising strategy to apply.
Unsurprisingly the website traffic curve looks similar to the sales curve and has been decreasing over time.
So the sales department starts brainstorming and the sysadmin starts investigating.
Is the design unpleasant? Is the JavaScript not working properly? Is DNS resolution working properly? The design is nice, the JavaScript works fine and the DNS entries are not corrupted. So what's the problem?
Maybe the system has been blacklisted.
That’s the problem. And that’s the solution.
By getting the system's IP address removed from the blacklists it is listed on, website traffic and therefore sales start to go up again.
And the system administrator becomes the company's best salesperson.
This example focuses not on the IT security aspect and its future implications, but rather on the immediate effects blacklists can have on a company's finances.
When an IP address or domain is blocked, potential customers have no access to it and are forced to do business elsewhere. The blacklist entries also give the site a bad reputation (in an IT sense), so blacklisted websites and domains are avoided. Either way this leads to a, sometimes substantial, loss in visitors and sales.
The scenario of losses in sales can also originate with spam mail blacklists. Yes, as I explained previously, malicious attackers can abuse systems to send spam and thereby get that system blacklisted. But now look at it from a different perspective.
Many companies have newsletters. Like grocery stores used to print newsletters on paper, many online stores offer good deals or special products only for a limited time and send their newsletter via email. Maybe they are trying to sell a new product and want to tell their customers about their new offering, or maybe they are trying to get rid of their inventory to make room for next season's products. Either way they need to inform their loyal customers and advertise to other people to win new customers.
But since their system is blacklisted, their legitimate newsletters are blocked or categorized as spam and therefore never reach anyone. Which once again can lead to a massive loss in revenue and sales, essentially destroying all the hard work the sales department put into catchy advertising.
As you can see, blacklists can help any company improve its operations. Whether it is for IT security reasons, to fight abusive hackers using their systems, or to raise sales and revenue and reach more customers, any company not considering blacklists as part of its IT infrastructure is deliberately risking its safety and its sales numbers.