Daily Blog #747: What I look for when reviewing external ips
Summary: the post points out that, when reviewing external IP addresses in logs, the traditional approach of hunting for suspicious connections from foreign countries is no longer effective. Today's threat actors largely operate from US-hosted virtual private servers (VPS). Analysing an IP's origin (hosting service, proxy or VPN) with tools such as ipinfo.io can effectively identify potential threats. Legitimate employees very rarely connect from a VPS, so finding such activity usually indicates the system may have been compromised. 2025-02-13 04:40 Author: www.hecfblog.com

By February 12, 2025

Hello Reader,

One question I often receive from clients and new associates is: What do you look for when reviewing external IP addresses in logs, especially VPN or SaaS logs?

In the past, analysts would typically begin their investigations by searching for suspicious connections originating from foreign countries. However, this approach is less effective today. Many companies operate globally, and even those that don’t often experience noise from automated scanners and brute-force attempts from foreign countries. While scanning for foreign countries sometimes yields results, most threat actors we track don’t actually originate from their native countries as indicated by their IP addresses.

What we’ve observed instead is that many threat actors—ranging from organized crime groups to nation-state actors—have shifted their operations to US-hosted virtual private servers (VPS). My current approach is to collect all unique IPs within a given time frame and enrich them with additional data, such as the datasets available from ipinfo.io. Their API can identify whether an IP is linked to hosting services, proxies, Tor nodes, anonymous IPs, or VPNs.

Documentation: IP Privacy Detection Database - IPinfo.io

I’ve found it’s very rare for a legitimate company employee to connect from a VPS. Therefore, when we narrow our list down to this subset, it often reliably indicates signs of compromise.
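The workflow described above (collect the unique external IPs for a time window, enrich them with privacy flags, then narrow to the hosting/VPN/proxy/Tor subset) as an added Python example; this is not code from the post or from ipinfo.io. The log lines and the privacy table are constructed for the example, and the flag names (`hosting`, `vpn`, `proxy`, `tor`) are assumed to mirror the fields in ipinfo.io's privacy detection data; in practice the `lookup` callable would be backed by that dataset or API instead of the embedded table.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample VPN gateway log lines (not real data). The source
# addresses come from the RFC 5737 documentation ranges, standing in for
# public addresses.
SAMPLE_LOG = """\
2025-02-12T08:01:12Z vpn-gw1 user=alice src=198.51.100.23 action=login result=success
2025-02-12T08:03:40Z vpn-gw1 user=bob src=203.0.113.77 action=login result=success
2025-02-12T08:05:02Z vpn-gw1 user=alice src=198.51.100.23 action=logout
2025-02-12T09:17:55Z vpn-gw1 user=carol src=192.168.10.5 action=login result=success
2025-02-12T11:42:09Z vpn-gw1 user=bob src=203.0.113.77 action=login result=success
2025-02-12T13:20:31Z vpn-gw1 user=dave src=192.0.2.150 action=login result=success
"""

# Constructed stand-in for an IP privacy dataset. The flag names are assumed
# to mirror ipinfo.io's privacy detection fields; the values are invented for
# this example, not real lookups.
CONSTRUCTED_PRIVACY_DATA = {
    "198.51.100.23": {"vpn": False, "proxy": False, "tor": False, "hosting": False},
    "203.0.113.77":  {"vpn": False, "proxy": False, "tor": False, "hosting": True},
    "192.0.2.150":   {"vpn": True,  "proxy": False, "tor": False, "hosting": True},
}

# Address space that is internal by definition and therefore never worth
# enriching. Checked explicitly rather than via ipaddress.is_global, because
# is_global also treats the RFC 5737 documentation ranges used above as
# non-global and would drop every sample line.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

IP_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")
USER_RE = re.compile(r"\buser=(\S+)")

SUSPECT_FLAGS = ("hosting", "vpn", "proxy", "tor")


def is_internal(addr):
    """True for RFC 1918, loopback and link-local addresses."""
    return any(addr in net for net in INTERNAL_NETS)


def unique_external_ips(log_text):
    """Return {ip: set(users)} for every external source IP in the log.
    Malformed or internal addresses are skipped."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = IP_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if is_internal(addr):
            continue
        u = USER_RE.search(line)
        seen[str(addr)].add(u.group(1) if u else "?")
    return dict(seen)


def enrich(ips, lookup):
    """Attach privacy flags to each IP. `lookup` is any callable ip -> dict
    (or None when the IP is unknown to the dataset)."""
    return {ip: (lookup(ip) or {}) for ip in ips}


def triage(log_text, lookup):
    """Narrow the unique external IPs down to the subset carrying any
    hosting/VPN/proxy/Tor flag, which is the set the post treats as a
    likely sign of compromise. Returns a sorted list of findings."""
    ips = unique_external_ips(log_text)
    enriched = enrich(ips, lookup)
    findings = []
    for ip in sorted(ips):
        flags = enriched[ip]
        reasons = [k for k in SUSPECT_FLAGS if flags.get(k)]
        if reasons:
            findings.append({"ip": ip, "users": sorted(ips[ip]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, CONSTRUCTED_PRIVACY_DATA.get):
        print(f"{f['ip']:16} users={','.join(f['users'])} flags={','.join(f['reasons'])}")
```

Run against the sample, the internal 192.168.10.5 login is ignored, alice's residential-looking address drops out, and only bob (hosting) and dave (hosting and VPN) remain for a closer look. Keep the `users` field: the same VPS address used by several accounts is a different investigation from one account that has switched to a VPS.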

What techniques do you use? Let me know in the comments!


Source: https://www.hecfblog.com/2025/02/daily-blog-747-what-i-look-for-when.html