One of the things that I was really excited about when I joined GreyNoise was the amount of data gathered by our sensor network and how it could be used in other ways outside of the traditional SOC efficiency use case. I spend a lot of time working with GreyNoise data, and inevitably, finding some thread to pull at that leads me down a rabbit hole. Our sensors see hosts that are scanning for known CVEs and misconfigurations end everything in between, but with the introduction of IP Similarity, we’re now able to group IPs by how they are operating, providing intelligence on botnets or even infrastructure used by adversaries. 

Prior to this feature, users would have to look through GreyNoise data and extract this manually. Now, using a combination of ports, requests, and fingerprint data the new IP similarity feature does the work for you. In preparation for a meeting the other day, I was looking through some of the ICS tags published on GreyNoise and reading up on the Tridium NiagraAX Fox ICS Scanner, which is always interesting to look at who’s scanning for it, as well as the results on Shodan/Censys since they typically provide details about the building they are located in.

GreyNoise Unknown IP

Digging into the results, there were a couple of IPs that stood out immediately, especially the ones that were classified as unknown. If you’re not familiar with GreyNoise, these are IPs that we’ve observed scanning the internet but haven’t seen any malicious activity from. There were a number of IPs that were scanning for ICS tags, and several in particular seemed to be opportunistically scanning for really any kind of SCADA device exposed to the internet. In this case, there is a JA3 fingerprint that we can pivot on, but the hash 19e29534fd49dd27d09234e639c4057e returns over 7,000 results.

That’s still a lot of information to parse through, and we could use a combination of requests and tags, but by using IP similarity and filtering down to a confidence score of 95% or greater, we can quickly find 8 other IPs that have been active in the last month all performing similar reconnaissance. This now gives us a way to start further investigating infrastructure and better understand what these IPs are targeting. 

Coming from the SOAR world, we were always looking for sources that could be used to make better decisions when automating responses or threat hunting. IP similarity now makes it even easier to identify common infrastructure and botnets in order to further hunt based on the data. It also makes it easy to create a blocklist since we know that these IPs have all recently had very similar scan behaviors. 

I’m really excited about the different ways people are going to be using IP similarity and the benefits they will get from this new feature. Try IP Similarity for free with our enterprise trial** or contact us for a demo.

(**Create a free GreyNoise account to begin your enterprise trial. Activation button is on your Account Plan Details page.)

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account