IP Address Blocking: A Vote Against Election Hacking

August 31, 2016 by Marie Hattar

Election computer systems in Arizona and Illinois were breached by cyberattacks in July, as announced in a Flash Alert from the FBI’s Cyber Division issued on 18 August. The alert warned election officials across the U.S. to take new steps to enhance the security of their computer systems, according to federal and state law enforcement officials.

According to the FBI Flash Amber Alert, the unknown attackers scanned a state Board of Election website for vulnerabilities and, after identifying a Structured Query Language (SQL) injection (SQLi) vulnerability, used an open-source pentesting tool, SQLmap, to target the websites.

The criminal possibilities of such a cyberattack are sinister yet fascinating. Information on up to 200,000 voters was accessed in Illinois alone. Such data is clearly valuable in itself, but speculation is also rife as to whether malicious hackers could interfere with election processes and results. The Illinois State Board of Election has therefore been quick to emphasize that it is ‘highly confident that no information was added, deleted or altered’ as part of the attack.

However, an interesting angle on this story is also mentioned in the FBI’s Flash Alert, which specifically identifies ‘7 suspicious IPs’ used to mount the attack. The law enforcement agency may not yet know exactly who was behind the attack, but it certainly knows where on the Internet the attack originated.

The identification of the malicious IP addresses used in the attack underlines the value of our ThreatARMOR security appliance, which identifies and blocks traffic from IP addresses that are known to be compromised, to have been used for potentially criminal activity, or to host malicious content. Traffic from ‘known bad’ IP addresses, as well as unwanted geo-location traffic, is automatically filtered out by ThreatARMOR before it hits the network. This at once dramatically reduces the risk of cyberattacks and lightens the processing burden on other security tools, such as firewalls and IPS, boosting their performance.

An ongoing database of malicious and suspicious IP addresses is maintained by Ixia’s cloud-based Application Threat Intelligence (ATI), which is updated every five minutes. Statistically, an IP address that is known to host malware, control a botnet or otherwise be ‘bad’ is very unlikely to become ‘good’ further down the line. As such, the IP addresses identified by the FBI are extremely likely to have already been used for suspicious or criminal activity.
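As an added illustration of the filtering step described above (example code, not Ixia's or ThreatARMOR's own), the snippet below loads a constructed reputation block list, collapses overlapping ranges, honours an allowlist for the organisation's own addresses, and drops matching inbound log lines. All addresses are documentation-range placeholders, not the FBI's indicators; the allowlist range and log lines are assumptions.

```python
import ipaddress
import re

# Constructed sample feed in the style of a reputation block list: one IPv4
# address or CIDR per line, ';' starts a comment. Placeholder values only;
# the FBI's seven indicators are not reproduced here.
BLOCKLIST_FEED = """\
203.0.113.42       ; single scanner host
198.51.100.0/24    ; range used for botnet command and control
198.51.100.77      ; redundant: already covered by the /24 above
"""

# Constructed inbound connection log lines (timestamp, source IP, port, request).
SAMPLE_LOG = """\
2016-08-31T10:00:01Z src=203.0.113.42 dst_port=443 req="GET /index.php?id=1"
2016-08-31T10:00:02Z src=192.0.2.7 dst_port=443 req="GET /voters/search"
2016-08-31T10:00:03Z src=198.51.100.77 dst_port=443 req="GET /index.php?id=1'"
2016-08-31T10:00:04Z src=192.0.2.9 dst_port=80 req="GET /"
"""

# Networks that a feed must never be allowed to block (assumption:
# 192.0.2.0/24 is the organisation's own monitoring range).
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]


def parse_feed(text):
    """Parse feed lines into a deduplicated, collapsed list of networks."""
    nets = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    # collapse_addresses merges overlapping and adjacent ranges, so the
    # /24 and the single host inside it become one entry.
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(ip_str, nets, allowlist=ALLOWLIST):
    """Allowlist wins over the feed; otherwise any feed match blocks."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in allowlist):
        return False
    return any(ip in net for net in nets)


def filter_log(log_text, nets):
    """Split log lines into (passed, dropped) by their source address."""
    passed, dropped = [], []
    for line in log_text.splitlines():
        match = re.search(r"\bsrc=(\S+)", line)
        if match and is_blocked(match.group(1), nets):
            dropped.append(line)
        else:
            passed.append(line)
    return passed, dropped
```

The allowlist check matters in practice: a feed that is refreshed every few minutes will occasionally list an address you own, and without it a single bad feed entry can cut off legitimate traffic.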

We’ve previously blogged about the key role that IP address blocking can play in mitigating the risk of distributed denial of service (DDoS) attacks, since it can intelligently identify and block traffic from addresses under botnet control, and more recently about using IP address filtering to nullify the risk of infection by zero-day mutations, whereby existing malware is tweaked just enough to bypass signature-based antivirus and other such perimeter protections. Such zero-day attacks can be hugely effective and profitable for cybercriminals, because their very nature dictates that they are able to bypass the conventional defences of a majority of target organizations.

IP address blocking provides an intelligent, continually updated and highly effective form of protection against multiple forms of sophisticated threats and exploits. If you’d like to see for yourself how ThreatARMOR makes networks safer and improves the efficiency of your security operations, then vote with your mouse and contact us for a demo.