How a spontaneous tool caught an insider threat
The Backstory
Hello again, I hope you are having a lovely day. I was chatting in a study group that I’m a part of one night, and I was delighted to find that a system administrator from a school was asking whether he could get geolocation data for an IP address, and whether there was a faster way to do it. Think about it: hundreds or even thousands of IP addresses can take a lot of manual entry to figure out information like ASNs (Autonomous System Numbers), which is what they were after. You also get some extra information on an IP address like longitude, latitude, city, state, zip code, etc. This can all be crucial for deciding whether an IP address is malicious or not.
Quick Thinking
On a whim (this was during the height of the AI fascination), I thought, “Hmm, maybe I can quickly get ChatGPT to write something that will work for this system administrator.” Little did I know, I had a solid start after a few prompts, so I was able to take it to my code editor and start making some changes, because it was broken at first. I believe my first prompt was something along the lines of, “Create me a Python script that calls an API to collect information on an IP address”, and I was hoping it had some kind of direction for which API I could use. I found a free API, “ipinfo.io”, and figured this would work for the task.
Revisions and Bug Squashing
Now, I wouldn’t consider myself the most professional or advanced person in the world at writing scripts, but I have tried my hand at Python a few times before, especially with my Domain Name Ninja project, so I was enjoying what I was getting into. Sure enough, I had a solid project going, and the priority here was speed, because this was a one-off task for this system administrator in chat and I didn’t want to keep him waiting, so I just spun something up. Of course, spontaneity led to pure enjoyment in seeing if I could get this working, and that’s what I love about these kinds of projects.
So, with the project complete, I reached back out to the system administrator, and it was working to his requests: it would read an IP address list from an Excel spreadsheet, call the API for each address, grab the ASN, and spit the results out in CSV format, one row per IP address, all very efficient. It was satisfying to have this working because it introduced me to working with APIs for the first time, and also to outputting data to an Excel spreadsheet from a Python script, which I was blown away by. It gave me some flashbacks of the stories I’d heard where data analysts were able to automate a majority of their job by scripting something to that effect, and I remember having that confirmation after I had seen what I pioneered.
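As an added illustration of the flow described above (this is not the author’s GitHub script), here is a small Python version that takes an ipinfo.io JSON record apart into ASN and coordinate columns and writes a CSV. The sample response and the IP list are constructed, the spreadsheet-reading step is replaced by an inline list, and the optional `token` query parameter is an assumption about the ipinfo.io API.

```python
import csv
import json
import urllib.request

# One ipinfo.io-style response (constructed sample, not live data).
# ipinfo.io packs ASN and org name into one "org" string ("AS64496 Name")
# and latitude/longitude into one "loc" string, so both need splitting.
SAMPLE_RESPONSE = {
    "ip": "203.0.113.10",
    "city": "Springfield",
    "region": "Illinois",
    "country": "US",
    "loc": "39.7817,-89.6501",
    "org": "AS64496 Example Transit Ltd",
    "postal": "62701",
}

FIELDS = ["ip", "asn", "org", "city", "region", "country",
          "postal", "latitude", "longitude", "bogon"]


def parse_record(data):
    """Flatten one ipinfo.io JSON object into a CSV row.
    Private/reserved ("bogon") addresses come back with no org or loc,
    so every field defaults to an empty string rather than crashing."""
    org = data.get("org", "")
    asn, _, org_name = org.partition(" ") if org.startswith("AS") else ("", "", org)
    lat, _, lon = data.get("loc", "").partition(",")
    return {
        "ip": data.get("ip", ""), "asn": asn, "org": org_name,
        "city": data.get("city", ""), "region": data.get("region", ""),
        "country": data.get("country", ""), "postal": data.get("postal", ""),
        "latitude": lat, "longitude": lon,
        "bogon": "yes" if data.get("bogon") else "",
    }


def lookup(ip, token=None):
    """Fetch one record from ipinfo.io (needs network; token is optional)."""
    url = f"https://ipinfo.io/{ip}/json" + (f"?token={token}" if token else "")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def write_csv(records, path):
    """Write parsed rows with a fixed header so columns always line up."""
    with open(path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(records)


if __name__ == "__main__":
    ips = ["203.0.113.10"]  # the original tool read these from a spreadsheet
    write_csv([parse_record(lookup(ip)) for ip in ips], "ip_results.csv")
```

Keeping the ASN in its own column is what makes the output sortable by provider, which is the part the system administrator was after.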
Only to not be used?
The irony in all this was that the system administrator for the school never even used the script, mainly because he didn’t like working with Python and thought it would be a bit daunting, so I never actually saw him get anything out of it, but I put it in my back pocket and uploaded it to GitHub. Until…
Oh? Wait!?
A few weeks later in the study group, I’m talking to someone interested in music, along a similar vein of interests to mine. We bond for a while, get to know each other, and I find out that he’s an IT Manager with over 17 years of experience. Now, that’s a great contact to have, and over the next few days we established a really good foundation for a long-term contact. I felt comfortable knowing that there was someone so experienced in my corner, and I wouldn’t be surprised if he’s reading this post right now. For that, I say thank you for being someone of importance who gave me advice on my resume and on my project “ReportName.com”, and for giving me the motivation and realization that I am providing value to someone, somewhere; for that I will pay it forward.
Spontaneous Moments Are Amazing.
So, while we were chatting, he approaches me with a situation about a particular IP address that he wanted information on while he was at the office. This conversation was prompted by me sharing some of the scripting tools I had written, like Domain Name Ninja for example, and when I talked about my IP Tool, he wanted to see it in action. He has this IP address, sends it to me, and I send him some screenshots of my tool in action. Now, I’m not entirely sure why he wasn’t able to find this information on his own, because he said he tried, but maybe it was some specific information that wasn’t super easy to find. Anyway, I don’t argue about it; I send him the results of the IP address geolocation and whatever else the tool was able to put into the spreadsheet.
The Threat Located!
Lo and behold, he tells me more in depth that the IP came from a cloud provider for one of the services they use. Apparently one of the employees (the business is employee-run, to add insult to injury) had deleted a ton of backups and other sensitive information, probably trying to sabotage the business to some degree. Because of the IP tool information that I provided, the IT Manager was able to track down the individual by name, and from there, the rest is history. I am completely floored that I was able to be a part of something in a real-world environment where I could bring change. While I could say, yeah, he could maybe have found that information himself, I am very happy that one of the things I made went to something useful, especially since I didn’t even intend for the IP Tool to be shared outside of the GitHub repository or with the system administrator; I had no expectation of anything like that.
Humble Resolution
So, that is the story of how my IP Geolocation tool located an insider threat for a company, and hopefully it can be used in other ways. It’s a simple script, open source on GitHub, so by all means, if you’re reading this and want to take a look, play around, fork it, develop it. I don’t take all the credit in the world, because the gift of AI helped me a lot, but it is something I am proud of, and I appreciate you reading this post. I will have more stories like this if you enjoy them, and I am thrilled to see what other inspiration I get. Till next time!