Bitsight has developed a proprietary set of heuristics to determine the IP and domain footprint of a company. We use available registration data sources to automatically assign IP addresses and domains to companies. Once our system has completed this preliminary work, our technical researchers then verify that the collected information is correct and complete. Some of the tools we use include BGP routing information, passive DNS, WHOIS, and the regional registries.
This approach focuses on publicly available records of control of IP addresses and domains. The organization on record as controlling a particular IP or domain generally bears the cyber security risk related to activities observed from the IP space registered to it. This remains true even for fully isolated networks. For example, the controlling organization's reputation is at risk if IP addresses under its control are involved in a high-profile cyber security failure: an attack or data breach originating from an IP controlled by an organization is likely to generate negative headlines for that organization, regardless of whether the organization was actually responsible for the infrastructure using that IP at the time. The implications for domains are similar. If, for example, an organization delegates responsibility for a certificate for its domain to another party, an impersonation risk to the owner of the domain remains.
In particular industries, e.g., internet service providers and application hosting platforms, this attribution of IP space means that Bitsight credits an organization with large quantities of IP addresses and domains that the company is in the business of renting out for others to use. In these cases, Bitsight designates these organizations as ‘Service Providers’ and labels them as such, with an explanatory note, in the security ratings platform. The platform also gives any organization the opportunity to create a Primary Rating, in which they specify the infrastructure to be rated and exclude infrastructure that they control but do not believe they are responsible for. Some ISPs and hosting providers have created breakouts that separate their customer infrastructure from their corporate infrastructure for this purpose.