Proxies at the Frontlines of Defending Against Cyber Threats
Learn about the role that proxies play in enhancing cybersecurity efforts.
April 23, 2024
Proxies are intermediary servers between the client device and the end server. In the cyber wars between bad actors and specialists trying to protect us from them, proxies help the latter with stealthiness and access. They enable security tools to go behind enemy lines and bring back valuable intelligence. Supported by proxies, these tools investigate suspicious activity and places across the web, protecting brands from threats and illegitimate usage of their intellectual property.
What Can Proxies Do?
On the surface, proxy servers have very simple functionality. As an intermediary between the client device and the end server, the proxy hides the client's IP address. Furthermore, it allows accessing the server in a particular way, for example, from the proxy's geographic location. Together, these capabilities allow for hiding one's online identity when checking the dangerous corners of cyberspace.
The underlying power of these basic functions reveals itself when constantly accessing many servers all over the world and in specific ways. Equipped with a proxy pool of various IP addresses, cybersecurity tool developers expand their solutions' geographical scope and accuracy.
Proxies in Action
For companies gathering cyber threat intelligence at scale, a premium proxy infrastructure is an absolute must.
Protection against spear phishing
Emails with harmful attachments or links have been one of the most widely used tactics since the advent of the Internet. Tax season makes people especially vulnerable to phishing attacks as everyone expects emails from national tax collectors like the IRS during this period. While tax season attacks particularly prey on individuals and small businesses, enterprises are also susceptible to phishing emails. A well-crafted email sent to an executive's mailbox is one of the easiest ways to spread malware throughout the company's network or acquire information that can be used in future attacks.
The role of proxies is especially important to email protection companies with many clients in different countries. Such clients need to be protected from spear phishing attacks, which are targeted and customized for specific people.
Knowing in which country the target is and what Internet Service Provider (ISP) they use, hackers can diversify what happens when the link in a phishing email is followed. The client connecting from their company IP will go to a malicious website. Meanwhile, an email protection company using an IP belonging to a different country and ISP might be directed to a legitimate website, such as the actual website of the client's bank. This way, the protection tool is tricked into greenlighting a phishing email.
Access to a proxy pool consisting of IPs from various countries and providers solves this issue. An email protection tool can use a proxy IP address associated with the same ISP and location as the client's IP. With a sufficiently similar IP, the tool will be directed to the exact same website as the client. Thus, using a diverse proxy infrastructure, companies can reliably protect clients all over the world from phishing attacks.
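The check described above, as an added example that is not from the original article: it compares where one emailed link landed from several proxy exits and bases the verdict on the exit closest to the recipient. The field names, ISP names and hosts are constructed for illustration, and the fetch results are assumed to have been collected already.

```python
from urllib.parse import urlsplit

# Constructed sample: the recipient's network profile and the final URL that
# one emailed link resolved to from three proxy exits.
RECIPIENT = {"country": "DE", "isp": "ExampleTel"}
OBSERVATIONS = [
    {"country": "US", "isp": "CloudHost", "final_url": "https://www.bank.example/login"},
    {"country": "DE", "isp": "OtherNet", "final_url": "https://www.bank.example/login"},
    {"country": "DE", "isp": "ExampleTel", "final_url": "https://bank-login.invalid/session"},
]

def landing_host(url):
    """Hostname of the final URL, lower-cased, for comparison across exits."""
    return (urlsplit(url).hostname or "").lower()

def match_level(obs, recipient):
    """2 = same country and ISP as the recipient, 1 = same country, 0 = neither."""
    if obs["country"] != recipient["country"]:
        return 0
    return 2 if obs["isp"] == recipient["isp"] else 1

def assess_link(observations, recipient):
    """Group landings by host and pick the exit that best matches the recipient."""
    if not observations:
        return {"coverage": "none", "verdict_host": None, "divergent": False, "hosts": {}}
    hosts = {}
    for obs in observations:
        hosts.setdefault(landing_host(obs["final_url"]), []).append((obs["country"], obs["isp"]))
    best = max(observations, key=lambda o: match_level(o, recipient))
    level = match_level(best, recipient)
    return {
        # "none" means no exit shared the recipient's country: the verdict host
        # below is then only a guess and the link should not be greenlit on it.
        "coverage": ("none", "country", "exact")[level],
        "verdict_host": landing_host(best["final_url"]),
        # Different hosts from different exits is itself a cloaking signal.
        "divergent": len(hosts) > 1,
        "hosts": hosts,
    }

if __name__ == "__main__":
    print(assess_link(OBSERVATIONS, RECIPIENT))
```

Dropping the third observation reproduces the failure the article describes: every remaining exit lands on the bank's real site, so the link looks clean and only the "country" coverage level hints that the recipient's own ISP was never tested.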
Fighting URL hijacking and malvertising
Typosquatting is a URL hijacking technique that exploits typos users make when typing domain names. By slightly misspelling a legitimate website's URL, users might be directed to a domain that is deliberately made to look similar but belongs to malicious actors. Threat agents use this technique to steal personal information or trick users into downloading malware.
When combined with malicious advertising (malvertising) in search engine results pages (SERPs), URL hijacking does not rely on users misspelling names. A correctly spelled name of a software application can return sponsored content with a similar-looking domain name at the top of the results page.
A proxy infrastructure enables web scanning that identifies such malicious ads and domains. The larger the proxy pool, the more geo-specific content is accessible, allowing companies to report and remove more online threats.
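One way to triage the output of such a scan, as an added example that is not from the original article: it flags sponsored-result domains that sit within one edit (including a swap of adjacent letters) of the brand's domain, before or after folding common look-alike characters, and records the regions where each was seen. The brand, the ad records and the look-alike table are constructed assumptions.

```python
# Constructed sample: sponsored-result domains collected per region.
BRAND = "acmewallet.example"
ADS = [
    {"geo": "US", "domain": "acmewallet.example"},
    {"geo": "BR", "domain": "acmewal1et.example"},
    {"geo": "DE", "domain": "acmewlalet.example"},
    {"geo": "BR", "domain": "www.acmewlalet.example"},
    {"geo": "US", "domain": "gardenshoes.example"},
]
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))  # illustrative, not exhaustive

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def fold(label):
    """Replace look-alike character sequences with the letters they imitate."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label

def registrable(domain):
    # Assumption: single-label TLD; real code would consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def flag_lookalikes(ads, brand, max_dist=1):
    """Map each look-alike domain to the sorted regions where its ad appeared."""
    brand_reg = registrable(brand)
    brand_label = brand_reg.split(".")[0]
    hits = {}
    for ad in ads:
        reg = registrable(ad["domain"])
        if reg == brand_reg:
            continue  # the brand's own ad
        label = reg.split(".")[0]
        dist = min(osa_distance(label, brand_label),
                   osa_distance(fold(label), fold(brand_label)))
        if dist <= max_dist:
            hits.setdefault(reg, set()).add(ad["geo"])
    return {domain: sorted(geos) for domain, geos in hits.items()}
```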
Checking marketplaces for brand misuse
Plenty of bad actors aim to profit by selling subpar products in the guise of a trusted brand. Counterfeit products and misuse of trademarks cause substantial reputational and financial damage to businesses.
Effectively monitoring various e-commerce websites requires a reliable and extensive pool of proxy IPs. Tools that extract data from dynamic e-commerce web pages and automatically rotate IPs to avoid bans help brand protection specialists avoid slip-throughs and process breaks.
Dark web monitoring
Stolen company data is bought and sold in dark web marketplaces or hard-to-access Clearnet forums. Hackers also tend to boast about their achievements on these forums. Monitoring these marketplaces and forums allows uncovering previously unknown leaks and vulnerabilities.
However, bad actors have protections in place here. They will ban IPs associated with cybersecurity firms and deny access to anyone they find suspicious. Opening multiple forum pages from a single IP every few seconds immediately tells administrators that someone is using automation to gather intelligence. Thus, companies need rotating proxy IPs to mimic organic user activity when extracting information from these websites. Often, proxies are more stable and less recognizable than other solutions usable for this purpose.
Integral solution
It is crucial to note that proxies are not meant to be sufficient cybersecurity solutions by themselves. Instead, they should be integrated into systems that address specific threats. For example, proxies cannot scan emails and attachments on their own to identify suspicious and potentially harmful material. However, proxy-supported web scraping solutions can follow links in the emails and check the websites they lead to.
Additionally, protection is often facilitated by sandbox technology. A sandbox is a secure virtual environment where suspicious emails are sent before reaching the recipient. Security tools can then check what attachments or lines of code are within the email traffic and how they behave. This is a safe way to identify malware without endangering the internal network.
Proxies can be integrated into sandbox-based security systems. In this case, they direct traffic into the sandbox, helping ensure that the traffic has no contact with the internal system before being inspected in the sandbox.
Summing Up
Proxies show their best colors when helping cybersecurity specialists conceal their online identity and access content that informs about vulnerabilities and emerging threats. As threat actors constantly leverage new technologies, we must match them in innovation and ingenuity. Over the years, relatively simple functions of proxies proved flexible and indispensable in action. Time will show how else they can be adapted to improve cybersecurity and help extract timely and actionable threat intelligence.