Ransomware attacks globally nearly doubled in 2021. Bitsight’s Ransomware for Dummies book reveals indicators of potential attacks, and how to minimize costly damage when successful ransomware targets you.
When users first review the details of their attributed assets in Bitsight, they're often surprised to find IP address ranges, also known as Classless Inter-Domain Routing (CIDR) blocks or ranges, they no longer use. They generally use the prevailing vernacular that those CIDR ranges are false-positives. That's a misnomer, though—these attributions are based on artifacts attributing the CIDR ranges to the organization in one of the Regional Internet Registry (RIR) databases, so the attribution is based on objective evidence. A more accurate term is stale registry entries, which refers to the organization's association with CIDR ranges even after the organization stopped using them. The process of removing an association with a CIDR range can be time consuming and frustrating; in light of this, Bitsight has created a program to facilitate and simplify the process.
What are RIRs?
CIDR blocks, which may be a single IP address or a contiguous block of multiple IP addresses, are allocated and assigned by the Internet Corporation for Assigned Names and Numbers (ICANN) through its responsibility for the Internet Assigned Numbers Authority (IANA). Large CIDR ranges are allocated to Regional Internet Registries (RIRs), which include:
- ARIN for North America
- RIPE for Europe
- APNIC for Asia Pacific
- LACNIC for Latin America
- AFRINIC for Africa.
Each RIR maintains a database, or registry, of CIDR ranges allocated to themselves and those they’ve sub-allocated to Internet Service Providers (ISPs) or Local Internet Registries (LIRs) within their region. The ISPs and LIRs can further sub-allocate CIDR ranges or assign them to customers. (Technically, RIRs can also directly assign CIDR ranges to customers.)
What are stale registry records and why do they exist?
When CIDR ranges are allocated to LIRs or ISPs, the RIR notes the allocation in the main registry for their region. LIRs and ISPs are responsible for maintaining the further sub-allocation or assignment of subsets of their allocation to downstream customers. While ISPs are motivated to attribute assignments to their customers—they get paid by customers to do so—they are not motivated to clear the entries for customers who terminate their contract with the ISP. As a result, there are many stale records in the RIR registry still attributed to organizations, either through a name (e.g., “Bitsight Technologies”) or contact email addresses, even though the organization no longer has any association with the CIDR range. These are known as stale registry records.
Because the IPv4 address space is close to exhaustion, CIDR ranges are increasingly rare and valuable—around $20-25 US per IP address. RIRs will only allocate new CIDR ranges to ISPs if the ISP has assigned most of its existing allocated addresses. Stale records make it seem as though the ISP has assigned more of its allocation than is actually being used, which benefits the ISP when they request more addresses.
RIRs need accurate information to track allocation usage and determine whether new allocations are merited. Accuracy isn't only the goal of RIRs though; you want accurate registry information about the CIDR ranges attributed to your organization because cyber criminals actively look to exploit stale records, and their nefarious activities will reflect back on your organization. See the section, What are the risks of stale registry records? for details.
How is a CIDR range associated with my organization?
Bitsight analyzes the RIR databases and identifies the organization assigned a CIDR block by the name of the organization and/or the email address.
There are three parts to the process:
- Collection: When an organization is initially mapped, Bitsight uses custom tooling to search the RIR databases and identify email addresses in the contact fields that match any of the domains curated for the organization. In addition, a name matching is performed on the description field in the RIR database. For example, "BITSIGHT" in an RIR record would be attributed to the legal entity "Bitsight Technologies".
- Curation: Human curators validate the assets from the initial collection step. Curation is critical to assure accurate attribution of assets.
- Automation: After the initial mapping, automation tools continuously analyze asset evidence. New assets are added to and removed from organizations automatically based on definitive evidence. If the evidence gathered in the Collection step is removed from an RIR record, the CIDR block is end-dated from the organization's assets and new findings will no longer be associated with the organization.
What are the risks of stale registry records?
Per ARIN, registration records that haven’t been updated have become the prime targets of hijackers and other cyber criminals. One common approach is to find registry records that haven't been updated in a few years. If it appears that the CIDR ranges aren’t being used or that the registrant is no longer in business, the perpetrators then attempt to emulate the organization so they can take over the organization record.
The consequences may not seem obvious to the organization that was originally assigned the CIDR range; however, once cyber criminals succeed in taking control over the stale record, they may leverage that false equivalence with the organization to conduct illicit activities, such as attacking other organizations or hosting illegal content, while hiding behind the legitimacy of the organization of record. In addition, they may be able to take over the organization's Org ID and POC records, ultimately hijacking their internet presence and effectively conducting a denial-of-service.
Regardless of how cyber criminals use stale records, law enforcement agencies (LEAs) will knock on the door of the registrant of record. At best, this is an inconvenience; at worst, it can damage the registrant’s reputation.
Having access to up-to-date registration information helps ensure that LEAs can act quickly and confidently when investigating criminal behavior. Encountering any records that haven’t been updated can be a potential hindrance to conducting an efficient investigation. As a good netizen, it's your responsibility to help keep the public safe by monitoring and correcting your assignments in the registries.
How do I get my organization disassociated with a CIDR block?
In the vast majority of cases, ISPs assign CIDR blocks to customers, and the RIRs expect organizations to work through the relevant ISP as a first step. If the ISP is unresponsive, you can escalate to the associated RIR. The process is similar for most RIRs, although it's not always clear what the specific RIR's process is. For example, ARIN requires that:
- The customer sends a request to the ISP as a first step. The request should include the CIDR in question and any relevant information about why the record is out-of-date.
- If the ISP doesn't respond within a reasonable time, resend the request and copy ARIN's support desk, hostmaster[at]arin.net. ARIN will issue a ticket number, which you should take note of for now.
- If the ISP still doesn't respond within a reasonable time, send a request to ARIN's support desk, including the ticket number from ARIN (see previous step). ARIN will then work with the ISP to rectify the stale record
ARIN doesn't specify what constitutes a "reasonable time;” in speaking with their support staff, three to five business days is a reasonable length of time to wait.
The other RIRs don't prescribe their process other than to require that the customer first try to contact the ISP, then escalate to them. All RIRs will work with the ISPs at that point to attempt to have the stale record amended.
What's Bitsight's role in all this?
If you were a Bitsight customer a few years ago, we'd point you to the RIRs. We didn't get involved as we believed that would compromise our objectivity. However, we recognize the scope of the problem is huge and it doesn't make sense to have every organization navigate the different RIR policies individually. We decided that guiding and facilitating the process makes it scale better—and it relieves the burden on the organization. Now if you find stale RIR records associating your organization with a CIDR block you no longer own, we've created a prescriptive guide outlining the process for working with your ISP and escalating to the RIR if necessary.
This process not only helps Bitsight customers, but it also helps our competitors to more accurately footprint organizations. Sometimes you do what's right for everyone, not just what feeds your bottom line. After all, we're in the cybersecurity space and we're all fighting the same enemies. At Bitsight, we believe in cybersecurity for the common good.