Published on Mar 7, 2026
Ghadeer Al-Mashhadi
Read time: 10m

A SOC Analyst's Playbook: Investigating Security Incidents Using ASN and IP Intelligence

SOC analysts can enhance threat investigations by moving beyond individual IP addresses to analyze Autonomous System Number data, which identifies the network owner and provides crucial context for distinguishing malicious activity.

Introduction

In the Security Operations Center (SOC), every second counts. Analysts are bombarded with a ceaseless stream of alerts, each a potential threat that needs immediate investigation. The initial piece of data is almost always the same: an IP address. Yet, in today's complex and layered digital world, chasing individual IPs often feels like chasing ghosts, leading down rabbit holes and resulting in investigative dead ends.

This playbook is for the frontline SOC analyst who needs to cut through the noise and get to the root of a threat quickly and efficiently. We will move beyond a simple IP lookup and dive into the world of network-level intelligence. By understanding and utilizing Autonomous System Number (ASN) data, you can add a powerful new dimension to your investigations, uncover hidden relationships between seemingly disparate events, and transform your approach from reactive to proactive.

Research by the SANS Institute has repeatedly shown that the overwhelming volume of alerts is a primary challenge for SOCs. Efficiently contextualizing and prioritizing these alerts is not just a 'nice-to-have'; it's a core operational necessity for any effective security team.

The Limits of IP-Only Investigations

The modern internet is a dynamic and often anonymous space. Threat actors are adept at hiding their tracks, using a variety of techniques to obscure their true origin. Relying solely on IP addresses for threat investigation is no longer sufficient, as this single data point provides a very limited and often misleading view of the situation. An IP address can change in an instant, and its location might not be the true source of the activity.

Sophisticated adversaries leverage vast, automated networks to launch attacks. They frequently use compromised devices, open proxies, and the infrastructure of major cloud service providers (like AWS, Google Cloud, and Azure) to blend their malicious traffic with legitimate activity. When an alert points to an IP address registered to one of these massive cloud platforms, the trail often goes cold. For the SOC analyst, this is a common and frustrating dead end.

Furthermore, with the adoption of services like Apple's iCloud Private Relay, user IP addresses are being intentionally obfuscated for privacy reasons. While beneficial for user privacy, this trend adds another layer of complexity for security teams trying to distinguish legitimate user activity from malicious threats. It underscores the critical need for additional data points beyond the IP address to make accurate assessments.

What Is an ASN and Why Does It Matter?

If an IP address is like a single house on a street, the Autonomous System Number (ASN) is the entire city's postal code. It's a unique global identifier for a large network or a group of networks under the control of a single administrative entity, such as an Internet Service Provider (ISP), a university, a government agency, or a large tech company like Google or Netflix.

Every IP address on the internet belongs to an ASN. While the IP address tells you where a connection is coming from, the ASN tells you who controls the network it's coming from. This context is a game-changer for a security investigation. An IP on its own is a volatile data point, but an ASN provides a stable, high-level view of the network's identity and, often, its purpose.

Consider a suspicious login attempt. An IP lookup might show it originated in Ashburn, Virginia, home to a massive concentration of data centers. This isn't very helpful. But discovering the IP belongs to a small, obscure hosting provider's ASN, rather than a major residential ISP like Comcast or Verizon, instantly changes the context and raises the risk profile of the event.

Your New Playbook: Fusing IP and ASN Intelligence

Integrating ASN data into your standard investigation workflow elevates your capabilities. It allows you to pivot from a single, low-fidelity indicator (the IP) to a more stable, high-context one (the ASN). This creates a more reliable foundation for your analysis and decision-making. Tools like a professional IP Location Intelligence service are the first step in this process.

Here's a step-by-step guide to incorporating this into your incident response playbook:

  1. Initial Alert Triage: Start with the IP address provided in the alert. Use an IP lookup tool to gather basic information: geolocation, the ISP, and crucially, its ASN.
  2. Analyze the ASN: Now, shift your focus to the ASN. Is it a well-known residential or mobile network provider (e.g., AT&T, T-Mobile)? Or is it a data center, a known VPN provider, or an obscure hosting service you've never heard of before?
  3. Establish a Baseline: For user-related incidents (like suspicious logins), compare the event's ASN against the user's typical activity. An employee who always logs in from a corporate network (one ASN) suddenly appearing from a Russian hosting provider's ASN is an immediate, high-priority red flag.
  4. Assess ASN Reputation: Go deeper by analyzing the reputation of the ASN itself. Some ASNs are known havens for malicious activity due to lax policies. A high-quality Network Intelligence (ASN) tool can provide data on whether the ASN is commonly associated with spam, botnets, or other cyber threats.
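The four steps above worked through in Python, as an added example that is not part of the original article and does not use Greip's API: it assumes a constructed prefix-to-ASN table standing in for the lookup service, a constructed per-user baseline of "normal" ASNs, and a made-up 0-100 reputation score where 100 is worst.

```python
import ipaddress

# Constructed sample of what an IP/ASN lookup returns: announced prefix ->
# (ASN, organisation, network type, reputation 0-100 where 100 is worst).
# Every value here is made up for this example; the ASNs are private-use numbers.
ASN_TABLE = {
    "203.0.113.0/24":  (64496, "Example Corp (corporate)", "business",    5),
    "198.51.100.0/24": (64497, "Example Telecom",          "residential", 10),
    "192.0.2.0/24":    (64498, "Example Cloud Hosting",    "hosting",     85),
    "192.0.2.128/25":  (64499, "Tiny Hosting Reseller",    "hosting",     90),
}
# Longest prefix first, so the /25 reseller wins over its parent /24.
PREFIXES = sorted(((ipaddress.ip_network(p), v) for p, v in ASN_TABLE.items()),
                  key=lambda pv: pv[0].prefixlen, reverse=True)

# Step 3 baseline: ASNs each user is normally seen from (constructed).
USER_BASELINE = {"alice": {64496, 64497}, "bob": {64496}}

def lookup_asn(ip):
    """Step 1: longest-prefix match of an IP to the record of its announcing ASN."""
    addr = ipaddress.ip_address(ip)
    for net, record in PREFIXES:
        if addr in net:
            return record
    return None

def triage(user, ip):
    """Steps 2-4: classify the network, compare with the baseline, weigh reputation."""
    rec = lookup_asn(ip)
    if rec is None:
        return {"ip": ip, "asn": None, "verdict": "unknown-network"}
    asn, org, net_type, reputation = rec
    known = asn in USER_BASELINE.get(user, set())
    score = 0
    if net_type in ("hosting", "vpn", "proxy"):
        score += 30                # step 2: data centres rarely host real users
    if not known:
        score += 30                # step 3: first sighting of this ASN for this user
    score += reputation // 2       # step 4: up to +50 for a bad-neighbourhood ASN
    verdict = "high" if score >= 70 else "medium" if score >= 30 else "low"
    return {"ip": ip, "asn": asn, "org": org, "type": net_type,
            "baseline_match": known, "score": score, "verdict": verdict}

if __name__ == "__main__":
    for user, ip in [("alice", "198.51.100.7"), ("alice", "192.0.2.200"), ("bob", "10.0.0.1")]:
        print(triage(user, ip))
```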

Scenario: Investigating a Coordinated Attack

Imagine you see a series of failed login attempts against multiple executive accounts over a 24-hour period. Each attempt comes from a different IP address, spread across different cities or even countries. On the surface, this might look like a scattered, uncoordinated brute-force attack. An IP-centric view yields very little actionable intelligence.

Now, let's apply the ASN playbook. You extract the IP address from each failed login and look up its ASN. You quickly discover a pattern: a significant percentage of these disparate IPs all belong to the same two or three ASNs. These aren't major telecom providers but smaller hosting companies registered in Eastern Europe and Southeast Asia.

This is your "aha!" moment. You haven't just been hit by random attacks; you are the target of a coordinated campaign originating from a specific set of networks. You can now move from reactively blocking individual IPs to proactively blocking or flagging all traffic from the malicious ASNs, effectively shutting down the entire attack campaign. This is the power of network-level correlation.
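The correlation described in this scenario, as an added Python example that is not part of the original article: it assumes a constructed set of failed logins against executive accounts, a constructed IP-to-ASN mapping standing in for the lookup results, and flags any ASN that concentrates attempts from several IPs against several accounts.

```python
from collections import defaultdict

# Constructed failed-login events from one 24-hour window: (target account, source IP).
# Every IP is from a documentation range; nothing here is a real indicator.
FAILED_LOGINS = [
    ("ceo", "192.0.2.10"),   ("cfo", "192.0.2.77"),     ("ceo", "198.51.100.5"),
    ("cfo", "203.0.113.9"),  ("coo", "192.0.2.130"),    ("cto", "192.0.2.201"),
    ("ceo", "203.0.113.44"), ("cto", "198.51.100.80"),  ("coo", "203.0.113.120"),
    ("cfo", "192.0.2.55"),
]
# Constructed result of looking up each IP's ASN (what the enrichment step returns).
IP_TO_ASN = {
    "192.0.2.10": 64498, "192.0.2.77": 64498, "192.0.2.130": 64498,
    "192.0.2.201": 64498, "192.0.2.55": 64498, "203.0.113.9": 64499,
    "203.0.113.44": 64499, "203.0.113.120": 64499,
    "198.51.100.5": 64500, "198.51.100.80": 64501,
}
ASN_NAMES = {64498: "Example Hosting (hosting)", 64499: "Tiny VPS Co (hosting)",
             64500: "Example Telecom (residential)", 64501: "Example Mobile (mobile)"}

def correlate_by_asn(events, ip_to_asn, min_share=0.2, min_targets=2):
    """Group failed logins by source ASN and flag the ASNs that concentrate
    attempts from several IPs against several accounts."""
    per_asn = defaultdict(lambda: {"attempts": 0, "ips": set(), "targets": set()})
    for target, ip in events:
        asn = ip_to_asn.get(ip)
        if asn is None:
            continue                      # unenriched IP: leave it out of the ratio
        per_asn[asn]["attempts"] += 1
        per_asn[asn]["ips"].add(ip)
        per_asn[asn]["targets"].add(target)
    if not per_asn:
        return []
    total = sum(b["attempts"] for b in per_asn.values())
    flagged = []
    for asn, b in per_asn.items():
        share = b["attempts"] / total
        if share >= min_share and len(b["ips"]) > 1 and len(b["targets"]) >= min_targets:
            flagged.append({"asn": asn, "name": ASN_NAMES.get(asn, "unknown"),
                            "attempts": b["attempts"], "distinct_ips": len(b["ips"]),
                            "targets": sorted(b["targets"]), "share": round(share, 2)})
    return sorted(flagged, key=lambda f: f["attempts"], reverse=True)

if __name__ == "__main__":
    for cluster in correlate_by_asn(FAILED_LOGINS, IP_TO_ASN):
        print(cluster)
```

Ten attempts from ten different IPs collapse to two hosting ASNs carrying eight of them, which is the pattern the IP-centric view hides.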

From Reactive to Proactive: Using ASN Reputation

Investigating incidents after they happen is only half the battle. A truly mature SOC operation aims for proactive defense. ASN reputation is a cornerstone of this strategy. Just as individuals have credit scores, ASNs have a reputation based on the known activity originating from their networks. A robust Network Intelligence (ASN) service analyzes vast amounts of data to determine if an ASN is a source of legitimate traffic or a hub for cybercrime.

High-risk ASNs often share common characteristics: they may be newly created, have a history of hosting malware command-and-control servers, or be registered in jurisdictions with weak enforcement against cybercrime. By enriching your security data with ASN reputation scores, you can automate your defenses.

For instance, you can create rules in your SIEM (Security Information and Event Management) system to automatically increase the risk score of any event associated with a low-reputation ASN. A single failed login from a trusted network might be a low-priority event, but a single failed login from a known "bad neighborhood" on the internet should immediately be escalated.

Integrating ASN Intelligence into Your SIEM

To make ASN intelligence truly operational, you must integrate it directly into your existing security tools and workflows. Most modern SIEM platforms (like Splunk, QRadar, or an ELK stack) can be enriched with external threat intelligence feeds, and Greip's APIs are designed for exactly this purpose.

Here's a conceptual guide for integration:

  1. Choose Your Data Source: Select a reliable provider for ASN and IP intelligence, like Greip's Network Intelligence (ASN) and VPN & Proxy Detection APIs.
  2. Automate Enrichment: Write scripts or use built-in SIEM apps to automatically query the API for every IP address observed in your logs. The API response, containing ASN details and reputation scores, should be appended to the event data.
  3. Build Correlation Rules: Create rules that trigger on ASN-related data. For example, you can alert on activity from any ASN on a watchlist, flag users who switch between multiple ASNs in a short period (a potential sign of proxy jumping), or block inbound traffic from ASNs with the worst reputation scores.
  4. Enhance Dashboards: Modify your dashboards to visualize data by ASN. Instead of a map showing IP locations, create charts that show the top ASNs generating alerts, the reputation of your inbound traffic, and the types of networks (residential, mobile, data center) your users are connecting from.
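The correlation rules in step 3 and the reputation-based risk escalation described in the previous section, as one added Python example that is not part of the original article and does not use any SIEM's rule language: it assumes constructed NDJSON events that the enrichment step has already tagged with asn, a 0-100 reputation score (100 = worst) and net_type, a constructed ASN watchlist, and a ten-minute window for the ASN-switching rule.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed, already-enriched SIEM events (NDJSON): the enrichment step has
# appended asn, asn_rep (0-100, 100 = worst) and net_type to each raw login record.
EVENTS = [
    '{"ts":"2026-03-07T09:00:00Z","user":"alice","outcome":"fail","asn":64496,"asn_rep":5,"net_type":"business"}',
    '{"ts":"2026-03-07T09:01:00Z","user":"bob","outcome":"fail","asn":64499,"asn_rep":90,"net_type":"hosting"}',
    '{"ts":"2026-03-07T09:02:00Z","user":"carol","outcome":"success","asn":64502,"asn_rep":60,"net_type":"hosting"}',
    '{"ts":"2026-03-07T09:03:00Z","user":"dave","outcome":"success","asn":64497,"asn_rep":10,"net_type":"residential"}',
    '{"ts":"2026-03-07T09:05:00Z","user":"dave","outcome":"success","asn":64498,"asn_rep":40,"net_type":"hosting"}',
    '{"ts":"2026-03-07T09:07:00Z","user":"dave","outcome":"success","asn":64500,"asn_rep":30,"net_type":"vpn"}',
    '{"ts":"2026-03-07T09:30:00Z","user":"dave","outcome":"success","asn":64497,"asn_rep":10,"net_type":"residential"}',
]

ASN_WATCHLIST = {64502}             # constructed watchlist entry (private-use ASN)
REP_ESCALATE = 70                   # asn_rep at or above this is a "bad neighbourhood"
HOP_WINDOW = timedelta(minutes=10)  # window for the ASN-switching rule
HOP_MIN_ASNS = 3                    # distinct ASNs inside the window that trigger it

def risk_score(ev):
    """Base risk from the outcome, escalated when the source ASN's reputation is poor."""
    score = 20 if ev["outcome"] == "fail" else 0
    if ev["asn_rep"] >= REP_ESCALATE:
        score += 50
    return score

def run_rules(lines):
    """Apply the three rules in order; returns (ts, user, rule, detail) alerts."""
    alerts = []
    recent = defaultdict(deque)     # user -> (timestamp, asn) pairs inside HOP_WINDOW
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if ev["asn"] in ASN_WATCHLIST:
            alerts.append((ev["ts"], ev["user"], "asn-watchlist", ev["asn"]))
        if risk_score(ev) >= 70:
            alerts.append((ev["ts"], ev["user"], "high-risk-asn", ev["asn"]))
        window = recent[ev["user"]]
        window.append((ts, ev["asn"]))
        while ts - window[0][0] > HOP_WINDOW:   # slide the window forward
            window.popleft()
        distinct = {asn for _, asn in window}
        if len(distinct) >= HOP_MIN_ASNS:
            alerts.append((ev["ts"], ev["user"], "asn-hopping", sorted(distinct)))
    return alerts
if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
```

Dave's fourth login at 09:30 produces no alert because the three earlier ASNs have aged out of the window, which is the behaviour that keeps this rule from firing on a user who simply changes networks over a working day.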

Overcoming Common Investigation Roadblocks

While powerful, this approach isn't without its challenges. Threat actors know you're watching, and their techniques are constantly evolving. A common tactic is to use the massive infrastructures of major cloud providers, making it difficult to distinguish their traffic from legitimate services.

In these cases, blocking an entire ASN (like AWS or Azure) is not feasible as it would disrupt legitimate business operations. The solution is to use ASN as one of several signals. For example, if an alert originates from an AWS IP, you can layer on other data points. Is the user also using a known proxy or VPN? A service like Greip's VPN & Proxy Detection can provide this crucial context.

Another challenge is the risk of false positives. Overly aggressive blocking based on ASN data can inadvertently block legitimate users. This is why the quality of your intelligence provider matters. A good provider will have sophisticated methods for calculating reputation and will provide enough detailed context for you to make an informed decision rather than applying a blanket block.

Future-Proofing Your SOC with Advanced Intelligence

The cybersecurity landscape is in a constant state of flux. The techniques that work today may be obsolete tomorrow. The cat-and-mouse game between attackers and defenders will continue to escalate, with both sides leveraging automation and machine learning.

The future of security investigations lies in predictive intelligence. By analyzing network-level trends, it's possible to identify emerging threats before they fully materialize. For instance, observing a new ASN with a large IP space suddenly become active and primarily used for scanning activities could be an early indicator of a new botnet being assembled.

As a SOC analyst, your role will increasingly involve not just investigating alerts but also understanding these broader trends. Enriching your data with comprehensive ASN and IP intelligence is the first step toward building this forward-looking capability, moving your SOC from a reactive fire-fighting unit to a proactive intelligence-driven operation. For more on this, "From Risky to Reliable: A Deep Dive into ASN Reputation Scoring for Proactive Threat Intelligence" (https://greip.io/blog/From-Risky-to-Reliable-A-Deep-Dive-into-ASN-Reputation-Scoring-for-Proactive-Threat-Intelligence-322) is an excellent resource.

Conclusion

The IP address is no longer a sufficient focal point for modern security investigations. To combat sophisticated and evasive adversaries, SOC analysts must elevate their perspective from the individual IP to the network level. Integrating ASN intelligence into your playbook provides the crucial context needed to quickly identify threats, uncover coordinated campaigns, and build a more proactive and resilient defense.

Actionable takeaways for every analyst:

  • Think Networks, Not Just IPs: For every IP-based alert, immediately ask, "What network (ASN) does this belong to, and what is its reputation?"
  • Enrich Everything: Automate the process of enriching your logs with ASN and IP intelligence. This data should be readily available within your SIEM at the moment you need it.
  • Correlate and Visualize: Go beyond simple lists of IPs. Use ASN data to find the hidden links between incidents and build dashboards that reveal the true nature of the traffic hitting your network.
  • Leverage Professional Tools: Utilize services like Greip's Network Intelligence (ASN) and IP Location Intelligence to provide the reliable, real-time data needed to power this new playbook.

By adopting this network-centric approach, you can cut through the noise, close investigations faster, and provide a stronger security posture for your organization. It's time to stop chasing ghosts.
