May 27, 2021

Cybersecurity activity patterns inferred from real-world geospatial IP data

This blog post discusses the application of crowdsourced GPS-based mobility datasets for cybersecurity incident investigations.

The marked increase in cyber attacks and cybersecurity incidents across the United States has renewed the level of interest in exploring alternative datasets to tackle the menace head on. This article is a general overview of the applications of geospatial datasets, specifically crowdsourced GPS-based mobility datasets for cyber use cases.

The Internet ecosystem ultimately boils down to various types of devices communicating with one another in an interconnected fashion. At its core, having the ability to passively track where devices are physically located, where they are coming from, or where they are going can help shed a great deal of light on potential malicious activity or assist in finding various kinds of online badness.

Traditional IP intelligence falls significantly short of being able to determine where devices are physically located. Even tools like MaxMind or IP2Location are extremely limited when it comes to mobile location detection, and they provide no ongoing insight into mobile location movement patterns.

Location data provides a unique intersection of network telemetry with device information and device movement that is difficult to replicate in other more traditional ways. Since information security involves IP addresses at the core, location data can intersect with that uniquely by providing further context on IPs and devices over time.

IP addresses are often transient, especially for mobile devices. This is a severe limitation that hampers modern investigations: without leveraging secondary and tertiary datasets and capabilities, it can be difficult to uncover a deeper level of information about specific incidents or addresses.

Location data can provide many use cases including but not limited to:

  • Tracking malicious devices over a period of time regardless of what IP address or network they might be at a given moment in time.  Persistent hashed identifiers increase the chances of being able to draw more accurate conclusions about movement patterns, important locations, or even attribution.
  • Pivoting on persistent identifiers of interest may make it possible to cluster what look like unique individual IP addresses into one common device, thereby associating behaviors across address spaces.
  • Location intelligence can provide a greater level of insight on devices entering or leaving specific areas of interest or areas of responsibility (AOR).
  • Device intelligence can be cross referenced with IP history to provide a deeper level of insight on what types of mobile platforms may be used including clues from make, model, and even user agent.
  • Mobile intelligence can be leveraged to cross reference with known bad actors or identifiers (IDs, IPs, or general characteristics) to create signatures and behaviors in order to track their behavior or movement ongoing.   In addition, it can be cross referenced to locate potentially secondary related actors or devices through common usage/behavior patterns such as through location clustering.
  • Fraud signals can also be created where devices exhibit patterns of behavior expected to come from specific locations; traditionally, using only IP address geolocation, that signaling is very inaccurate and imprecise. Location data can instead show where discrepancies exist between IP geolocation and the actual location of the device or devices in question.
  • Linking seemingly disconnected devices and networks together through common patterns of behavior or traffic.
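As an added illustration of the IP-clustering and fraud-signal use cases above (example code, not from the original post or from CITYDATA.ai), the following Python groups pings under a persistent hashed device id and flags pings where the IP geolocation lies far from the device's own GPS fix. The device ids, IP addresses (documentation ranges) and coordinates are constructed, and the lookup table stands in for a MaxMind/IP2Location style service.

```python
import math
from collections import defaultdict

# Constructed sample pings: persistent hashed device id, observed IP, GPS fix.
PINGS = [
    {"device": "h-a1", "ip": "203.0.113.10", "lat": 37.7749, "lon": -122.4194},
    {"device": "h-a1", "ip": "198.51.100.7", "lat": 37.7790, "lon": -122.4200},
    {"device": "h-b2", "ip": "192.0.2.55",   "lat": 40.7128, "lon": -74.0060},
]

# Constructed IP geolocation table (hypothetical coordinates) standing in for
# a commercial IP-to-location lookup.
IP_GEO = {
    "203.0.113.10": (37.7749, -122.4194),  # agrees with the device GPS
    "198.51.100.7": (37.7800, -122.4210),  # within a few hundred metres
    "192.0.2.55":   (34.0522, -118.2437),  # IP says Los Angeles, GPS says New York
}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def ips_per_device(pings):
    """Cluster every IP seen for a device under its persistent hashed id."""
    clusters = defaultdict(set)
    for p in pings:
        clusters[p["device"]].add(p["ip"])
    return {d: sorted(ips) for d, ips in clusters.items()}

def geo_discrepancies(pings, ip_geo, threshold_km=100.0):
    """Return (device, ip, distance_km) for pings whose IP geolocation
    disagrees with the device GPS fix by more than threshold_km."""
    flagged = []
    for p in pings:
        geo = ip_geo.get(p["ip"])
        if geo is None:
            continue  # no IP geolocation available, so nothing to compare against
        dist = haversine_km(p["lat"], p["lon"], geo[0], geo[1])
        if dist > threshold_km:
            flagged.append((p["device"], p["ip"], round(dist, 1)))
    return flagged

if __name__ == "__main__":
    print(ips_per_device(PINGS))
    print(geo_discrepancies(PINGS, IP_GEO))
```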

Simply put, mobile location intelligence is not limited to a specific mobile phone provider but is more agnostic, usually collected at the device level itself through opt-in participation within mobile applications. For this reason, the potential network visibility can be quite broad and allow for analytics regardless of where devices might travel to.

Insights and analytics can be performed in aggregate across regions and boundaries, or across IP addresses, or across clusters of devices based on common behavioral patterns. These insights, when combined with third party data and secondary systems, can be a powerful tool in locating various kinds of nefarious activity or patterns.

CITYDATA.ai continues to be 100% focused on consumer privacy and consumer data protection. We are publishing this write-up for educational purposes and to increase awareness about the increasingly alarming cybersecurity problems faced by nation-states. That being said, we do not necessarily endorse the methods and approaches outlined in this article.