How to defend against malicious IP addresses in the cloud

Cybercriminals have found a way to use the cloud to mask their locations. Expert Rob Shapland looks at the options organizations have to deal with malicious IP addresses.

Using cloud infrastructure to manage attacks is a favorite tactic of cybercriminals who try to hide their activities, and it is an effective way of masking malicious IP addresses.

For example, a criminal organization may target companies with a malware campaign delivered via email. When the email attachment or link is opened, it exploits out-of-date software on the victim's computer and opens a channel to the attacker's command-and-control (C&C) server.

The C&C server is hosted in a public cloud instance such as AWS or Google Cloud. This means the attacker can use the IP address of the server -- which is owned by the cloud provider -- without revealing any information in the WHOIS database. These cloud instances can be registered and paid for fraudulently, making it virtually impossible to track an attack back to the real perpetrator.

What can an organization do when it falls victim to one of these attacks? It can't block the entire range of malicious IP addresses that the attack is originating from because that may also block legitimate services that use the same cloud provider. It's possible to block the individual malicious IP addresses, but attackers tend to have many and can rotate them to make it difficult to completely stop the malicious traffic. It's still worth blacklisting the exact IP addresses linked to malicious activity, though; they can occasionally be hardcoded in the malware used by the attackers, and blacklisting can completely disable the attack.
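The blocking rule described above, sketched as an added example that is not part of the original article: candidate entries are reduced to exact-host blocks, and any entry that would cover more than one address inside a shared cloud range is rejected. The provider names, the `PROVIDER_RANGES` table and the function names are hypothetical, and the addresses are constructed from the RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed sample data: documentation ranges stand in for the ranges a
# cloud provider publishes. The provider names are placeholders.
PROVIDER_RANGES = {
    "cloud-a": ["198.51.100.0/24"],
    "cloud-b": ["203.0.113.0/24"],
}

def provider_for(net):
    """Return the provider whose shared range overlaps `net`, or None."""
    for name, cidrs in PROVIDER_RANGES.items():
        if any(net.overlaps(ipaddress.ip_network(c)) for c in cidrs):
            return name
    return None

def build_blocklist(candidates):
    """Return (exact blocks, rejected entries, blocked IPs grouped by provider)."""
    blocks, rejected, by_provider = set(), [], {}
    for raw in candidates:
        try:
            # strict=False so "198.51.100.7/24" is read as the /24 it covers
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append((raw, "not an IP address or CIDR"))
            continue
        owner = provider_for(net)
        if owner and net.num_addresses > 1:
            # A range block here would also cut off legitimate tenants.
            rejected.append((raw, f"covers {net.num_addresses} shared addresses in {owner}"))
            continue
        if net in blocks:
            continue  # duplicate observation of the same address
        blocks.add(net)
        if owner:
            # Grouping by provider gives the list to attach to an abuse report.
            by_provider.setdefault(owner, []).append(str(net.network_address))
    ordered = sorted(blocks, key=lambda n: (n.version, int(n.network_address)))
    return [str(n) for n in ordered], rejected, by_provider

if __name__ == "__main__":
    # Constructed candidate list, e.g. as exported from an incident ticket.
    sample = ["198.51.100.7", "198.51.100.7", "203.0.113.0/24",
              "203.0.113.45", "192.0.2.10", "not-an-ip"]
    blocks, rejected, by_provider = build_blocklist(sample)
    print("block:", blocks)
    print("rejected:", rejected)
    print("report to:", by_provider)
```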

You can also take some additional steps. First, report the malicious IP addresses to the cloud provider. In many cases, the cloud provider will then investigate and shut down the offending instance, though be prepared for this to take some time. Keep in mind that this isn't a guaranteed fix, and some cloud providers are not reliable at disabling malicious activity within their infrastructure.

If the cloud provider doesn't respond after a short period, report the malicious IP addresses to a threat intelligence provider, such as ThreatCrowd, Cisco Umbrella, Pulsedive or AlienVault OTX. The IP address will then appear on these threat intelligence feeds and will help other organizations to be aware of and block the offending IPs.

You can also report attacks to the Computer Emergency Readiness Team of the country that is hosting the IP address, which may have more influence over the hosting company to make it address the problem.

You can also be loud about it, which is surprisingly effective. Naming and shaming by posting on social media -- especially Twitter and LinkedIn -- and tagging the company hosting the malicious IP address can often produce fast results. You can also try contacting senior people at the company via LinkedIn to more successfully attract their attention. Either of these approaches can be more productive than filing a standard email report. Depending on the company in question, you can also report it to their upstream provider.

Overall, it comes down to the hosting providers to address the issue of the malicious use of cloud IP addresses, as it's their infrastructure that is being abused. Some care more than others, but you can help other organizations by reporting the malicious IP addresses to various threat intelligence feeds as part of your process of remediation.
