Geolocating IP addresses is an inexact science. There are over 3.7 billion public IPv4 addresses and a seemingly unlimited number of IPv6 addresses, with 6.5 billion available for each person alive today. The Internet is not only enormous but constantly changing. The physical location of an IP address is often neither clear nor exact, and it is never static. Geolocating IP addresses is therefore often more art than science.

There are entire countries that many organizations will never do business in, and there are countries, at least for American companies, with which they cannot legally do business at all, such as North Korea. These restricted countries are often the source of cyber-attacks against organizations large and small around the world. So why not block Internet traffic from these countries and eliminate a set of potential adversaries for your organization?

Although geolocating IP addresses is an inexact science, Cisco Firepower Threat Defense (FTD) can block hostile Internet traffic based on the location of the address. Both inbound and outbound traffic can be filtered according to the reported physical location of the IP address. Cisco maintains a database of the geolocations of public IP addresses; it is updated regularly and the Firepower Management Center (FMC) downloads it from Cisco’s cloud either as a scheduled weekly task or on demand. Cisco does the work of learning and maintaining the geolocations of IP addresses across the Internet; customers only need to set up the database download and the blocking rules on their firewall. Automating this part of cybersecurity keeps up with the ever-changing Internet geography and threat landscape and reduces the need for human intervention.

When an organization is ready to start hardening its network perimeter, it should begin by blocking the countries that are severely sanctioned by the US government, such as Iran and North Korea. These nation states are well known and highly capable cyber security threats to organizations worldwide. Blocking their IP address ranges should have no negative impact on business operations, especially since it is very unlikely any organization has ever even seen Internet traffic from some of these places, such as the notoriously isolated North Korea. Keep in mind that most cyberattacks by North Korean hackers are launched from outside their country, so blocking only the sanctioned countries is a starting point rather than the end. Depending on the organization and its place in the world, the next step is to expand the list of blocked countries to further reduce the areas from which potential attackers can operate against the network.

While firewalls are thought of primarily as a tool to block potentially malicious inbound traffic from the Internet, it is equally important to apply the same concept to outbound traffic. Blocking risky traffic destined for the Internet can, among many other benefits, prevent malware from communicating with the attacker’s command-and-control servers. For a successful ransomware attack, in which an organization’s data is encrypted, the malware often must first communicate with a command-and-control server on the Internet. Blocking this command-and-control traffic can mitigate attacks, sometimes before they have even started. Command-and-control servers can be in hostile countries, but more likely they are in, or associated with, other countries that many organizations will never deal with in normal business operations. Expanding the list of blocked countries can therefore have a positive cybersecurity impact that outweighs any potential negative business impact.
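To make the mechanics of the preceding paragraphs concrete (a geolocation database mapping prefixes to countries, a block list applied to inbound traffic by source country and to outbound traffic by destination country, and the caveat that unmapped addresses cannot be matched by a country rule), here is a small Python model of that evaluation. This is an added illustration, not Cisco code and not Oviedo Networks' code; the prefix table, the "inside" address ranges, the blocked-country set and the connection events are all constructed for the example and do not come from Cisco's geolocation database or any real firewall log.

```python
"""Toy model of two-direction geolocation blocking, as an FTD access policy does it.

Everything below is constructed for illustration: the prefix-to-country table is
invented (Cisco's real database is downloaded by FMC and is far larger), the
inside networks are a hypothetical organization's, and the events are made up.
"""
import ipaddress
from typing import Optional

# Constructed geolocation table: prefix -> ISO country code (invented data).
GEO_TABLE = {
    ipaddress.ip_network(prefix): country
    for prefix, country in {
        "198.51.100.0/24": "KP",
        "198.51.100.128/25": "US",   # more specific entry: longest prefix must win
        "203.0.113.0/24": "IR",
        "192.0.2.0/24": "US",
        "2001:db8:1::/48": "KP",
        "2001:db8:2::/48": "DE",
    }.items()
}

# Hypothetical policy: countries blocked in both directions.
BLOCKED_COUNTRIES = {"KP", "IR"}

# Hypothetical organization's own address space; anything else is "the Internet".
INSIDE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("fd00::/8")]


def lookup_country(addr: str) -> Optional[str]:
    """Longest-prefix match of addr against GEO_TABLE; None if the address is unmapped."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, country in GEO_TABLE.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, country)
    return best[1] if best else None


def is_inside(addr: str) -> bool:
    """True if addr belongs to the organization's own networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE_NETWORKS)


def decide(src: str, dst: str) -> tuple:
    """Return (action, reason) for one connection.

    Inbound connections are judged by the source's country, outbound ones by the
    destination's country, which is what a geolocation rule applied in both
    directions achieves.
    """
    if is_inside(src) and not is_inside(dst):
        direction, external = "outbound", dst
    elif not is_inside(src) and is_inside(dst):
        direction, external = "inbound", src
    else:
        return ("allow", "not crossing the perimeter")
    country = lookup_country(external)
    if country is None:
        # Geolocation is inexact: an address with no mapping cannot match a
        # country rule, so it falls through to the rest of the policy.
        return ("allow", f"{direction}: no geolocation for {external}")
    if country in BLOCKED_COUNTRIES:
        return ("block", f"{direction} {country}")
    return ("allow", f"{direction} {country}")


def summarize(events) -> dict:
    """Apply decide() to (src, dst) pairs; return counts and the surviving events."""
    kept, blocked = [], 0
    for src, dst in events:
        action, reason = decide(src, dst)
        if action == "block":
            blocked += 1
        else:
            kept.append((src, dst, reason))
    return {"total": len(events), "blocked": blocked, "kept": kept}


# Constructed connection events (src, dst); not real firewall logs.
SAMPLE_EVENTS = [
    ("198.51.100.7", "10.1.2.3"),     # inbound from KP            -> block
    ("198.51.100.200", "10.1.2.3"),   # inbound from US (/25 wins) -> allow
    ("10.1.2.3", "203.0.113.9"),      # outbound to IR (C2-style)  -> block
    ("10.1.2.3", "192.0.2.80"),       # outbound to US             -> allow
    ("2001:db8:1::1", "fd00::10"),    # inbound IPv6 from KP       -> block
    ("10.1.2.3", "10.9.9.9"),         # internal, never evaluated  -> allow
    ("10.1.2.3", "198.18.0.1"),       # unmapped address           -> allow, flagged
]

if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS)
    print(f"{result['blocked']} of {result['total']} events blocked by geolocation")
    for src, dst, reason in result["kept"]:
        print(f"allow {src} -> {dst} ({reason})")
```

The "no geolocation" branch is the practical caveat: a country rule only acts on addresses the database has mapped, so the rest of the access policy still has to cover the remainder, and the more specific /25 entry shows why lookups must prefer the longest matching prefix rather than the first match.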

Will geolocation blocking stop all cyberattacks? Certainly not, but it is a great resource for Cisco Firepower owners for reducing the attack surface, hardening the network perimeter, and building a layered defense. It is a no-additional-cost, high-impact way to block potentially malicious IP addresses based on their likely physical location. Reducing the plentiful but often random Internet-based attacks, as well as a more determined adversary’s attack sources, lets an organization’s threat hunting team work with far less noise obscuring the real signal. Hunting for a needle is easier when the proverbial haystack is a lot smaller.

To protect your organization from cyber-attacks and unwanted garbage from the Internet, Oviedo Networks provides threat data as well as Firepower expertise to maximize the investments you have already made in network defenses. Contact us to schedule a meeting to learn how our expert solutions and services are defending organizations from cyberattacks. Click here to read more of our blog posts.