The increasing frequency of internet-wide exploit attacks targeting newly announced vulnerabilities is a tremendous challenge for security teams. There is a long line of “celebrity vulnerabilities” that we at GreyNoise have observed with increasing alarm. And given our focus on internet noise, customers have naturally been asking for our help in providing visibility into vulnerabilities being actively exploited in the wild.
This is why we created GreyNoise Trends, a new view into the GreyNoise data set to help security analysts identify and respond to internet attacks targeting specific vulnerabilities.
When a new vulnerability is discovered and announced, it's a race against time to see who can find vulnerable servers first. For example, when the Apache Log4j vulnerability (CVE-2021-44228, aka “Log4Shell”) was announced on December 5, 2021, GreyNoise saw a dramatic spike in internet-wide scanning activity searching for servers that exposed this vulnerability:
Note that thousands of unique IP addresses searching for a vulnerability can generate billions or trillions of connection requests across the internet, creating a storm of internet noise that makes it difficult to identify true threats.
For security teams, responding to this kind of event is extremely challenging. Under the pressure of a newly announced vulnerability, they need to understand how serious the vulnerability is, whether it is being actively exploited in the wild, whether they are vulnerable, and whether they may have already been compromised. And if they have vulnerable systems, they need to patch them on an emergency basis.
According to a recent report by IBM, severe vulnerabilities in internet-facing enterprise software are being exploited and weaponized at a higher frequency, at massive scale:
Furthermore, the amount of time between disclosure of a new vulnerability and the start of active exploitation has been reduced to a matter of hours, leaving defenders with less time to react and respond.
GreyNoise Investigate helps security analysts identify and respond to opportunistic “scan-and-exploit” attacks, providing context about the behavior and intent of IP addresses scanning the internet. Investigate allows security teams to:
With the release of Investigate 4.0, GreyNoise has created a new Trends page that helps security analysts identify and respond to internet attacks targeting specific vulnerabilities. This new page provides two key capabilities:
Taken together, this new Trends functionality allows security teams to quickly understand whether a vulnerability is relevant to their organization, and buys them the time they need to put security defenses in place.
Note that GreyNoise continues to be committed to supporting the broader security community via our free Community plan, and this new GreyNoise Trends functionality is included. Community members will be able to subscribe to a single tag to export the Dynamic IP list.
In addition, for severe vulnerabilities with global impact, GreyNoise will selectively make the full functionality of the paid Trends page available to ANYONE who wants to take advantage of it, including both attack visibility and dynamic IP lists.
One important note about GreyNoise Trends - we’ve launched this new capability as Beta code, for several reasons:
So please, sign up for a free GreyNoise Community account if you don’t already have one, try out GreyNoise Trends, and let us know what you think. And to get you started, here are a few interesting Trends pages to check out: