Direct-to-IP Threats Evade 52% of Threat Intelligence Feeds, Report Finds
Attackers are increasingly bypassing security tools by communicating directly with IP addresses, with over half of these threats going undetected by current intelligence feeds, according to Palo Alto Networks.

Cybercriminals are shifting their tactics to evade modern security defenses by communicating directly with IP addresses rather than relying on domain names. This emerging trend, detailed in a recent report by Palo Alto Networks, highlights a significant blind spot in current threat intelligence capabilities, leaving organizations vulnerable to a substantial portion of malicious activity.
Traditional security tools excel at inspecting traffic associated with websites, domains, URLs, and files. However, attackers are moving "lower in the stack" to exploit the limited visibility at the IP layer. This direct-to-IP communication allows malicious traffic to blend seamlessly with legitimate internet activity, making it exceptionally difficult for security systems to identify and block threats.
One of the primary methods attackers use to achieve this stealth is by removing the overt signals that security tools depend on for detection. By communicating directly with IP addresses, threat actors obscure the high-level indicators, such as domain name system (DNS) lookups, that modern security logic relies upon. This bypasses traditional detection mechanisms and makes it harder for security systems to collect crucial information about a connection's true destination and intent.
Furthermore, attackers are leveraging trusted infrastructure, including cloud providers and content delivery networks (CDNs), to mask their activities. Techniques like sending a fake Server Name Indication (SNI) value in a direct-to-IP TLS connection can make malicious traffic appear legitimate. This obfuscation, combined with the use of AI to generate large numbers of short-lived IP addresses and rapidly rotate source IPs, outpaces the ability of reputation databases and security systems to track and block them.
Reputation-based defenses, a cornerstone of many security strategies, are falling short against these evolving tactics. The Palo Alto Networks report found that a staggering 52% of IP addresses involved in direct-to-IP connections were completely absent from open-source intelligence feeds. Even when malicious IPs are identified, an average of 20 days can pass before they appear in threat intelligence feeds, creating a substantial window of opportunity for attackers.
The sheer volume of malicious IP addresses generated by adversaries also overwhelms the capacity of security systems. Firewalls and other defenses can only store a fraction of the known malicious IPs at any given time. As threat actors continuously generate new IPs faster than they can be identified and tracked, organizations are left with incomplete visibility, allowing known threats to slip through network defenses.
In response to this growing threat landscape, the report emphasizes the critical need for real-time connection analysis. While application-layer inspection remains vital, organizations must augment this with real-time visibility into network connections. Evaluating traffic based on behavior and context, rather than solely relying on historical reputation data, is becoming essential for effective threat detection and prevention.
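As an added illustration of the context-based check the report calls for (this is not code from the report or from Palo Alto Networks), the script below correlates outbound TLS connections with the DNS answers that preceded them and flags connections whose destination was never resolved, or whose SNI disagrees with what DNS actually returned. The event format, timestamps, hostnames and addresses are constructed; the internal ranges and the 300-second lookback are assumptions to tune per environment.

```python
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (not from the report): DNS answers seen by a resolver
# sensor and outbound TLS connections from one host, both with epoch-style timestamps.
DNS_EVENTS = [
    {"ts": 100.0, "query": "update.example.com", "answers": ["203.0.113.10"]},
    {"ts": 105.0, "query": "files.example.org", "answers": ["203.0.113.20"]},
]
CONN_EVENTS = [
    {"ts": 101.0, "dst": "203.0.113.10", "sni": "update.example.com"},  # resolved, SNI matches
    {"ts": 106.0, "dst": "203.0.113.20", "sni": "login.example.com"},   # resolved, SNI disagrees
    {"ts": 107.0, "dst": "198.51.100.7", "sni": "cdn.example.net"},     # no lookup, SNI unverifiable
    {"ts": 108.0, "dst": "198.51.100.9", "sni": ""},                    # bare direct-to-IP
    {"ts": 109.0, "dst": "10.0.0.5", "sni": ""},                        # internal, not scored
]

# Assumed ranges where direct-to-IP traffic is normal (RFC 1918, loopback); extend per environment.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def names_resolved_to(ip, ts, dns_events, lookback):
    """Hostnames whose DNS answers included `ip` within `lookback` seconds before `ts`."""
    return {ev["query"].lower() for ev in dns_events
            if ip in ev["answers"] and ts - lookback <= ev["ts"] <= ts}

def classify_connection(conn, dns_events, lookback=300.0):
    """Label one outbound connection by the DNS context that preceded it."""
    if any(ip_address(conn["dst"]) in net for net in INTERNAL_NETS):
        return "internal"
    names = names_resolved_to(conn["dst"], conn["ts"], dns_events, lookback)
    sni = conn["sni"].lower()
    if not names:                               # no lookup: the DNS signal is simply absent
        return "direct_to_ip_unverified_sni" if sni else "direct_to_ip_no_sni"
    if sni and sni not in names:                # DNS resolved one name, TLS claims another
        return "sni_dns_mismatch"
    return "resolved"

def flag_suspicious(dns_events, conn_events, lookback=300.0):
    """Return (dst, label) for every connection lacking a consistent DNS context."""
    return [(c["dst"], label) for c in conn_events
            if (label := classify_connection(c, dns_events, lookback)) not in ("resolved", "internal")]

if __name__ == "__main__":
    for dst, label in flag_suspicious(DNS_EVENTS, CONN_EVENTS):
        print(f"{dst:15} {label}")
```

A flagged connection is a candidate for further inspection, not proof of compromise; hosts that resolve names through encrypted DNS or a hard-coded resolver outside the sensor's view will also appear as direct-to-IP and need to be accounted for in the DNS feed.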
The increasing adoption of AI agents within enterprises also expands the attack surface. When these agents host services or interact with data via direct-to-IP connections, they create new exposure points, making endpoints more susceptible to hijacking and further complicating the security posture.