Insights

Blog posts in the Insights category.

Checking It Twice: Profiling Benign Internet Scanners — 2024 Edition

This is a follow-up to our October 2022 post — Sensors and Benign Scanner Activity.

Throughout the year, GreyNoise tends to focus quite a bit on the “naughty” connections coming our way. After all, that’s how we classify IP addresses as malicious so organizations can perform incident triage at light speed, avoid alert fatigue, and get a leg up on opportunistic attackers by using our IP-based block-lists.

At this time of year, we usually take some time to don our Santa hats and review the activities of the “nice” (a.k.a., “benign”) sources that make contact with our fleet.

Scanning the entire internet now drives both cybersecurity attack strategies and defense tactics. Every day, multiple legitimate organizations perform mass scanning of IPv4 space to gather data about exposed services, vulnerabilities, and general internet health. In November 2024, we deployed 24 new GreyNoise sensors across diverse network locations to study the behavior and patterns of these benign scanners.

Why This Matters

When organizations deploy new internet-facing assets, they typically experience a flood of inbound connection attempts within minutes. While many security teams focus on malicious actors, understanding benign scanning activity is equally crucial for several reasons:

  1. These scans generate significant amounts of log data that can obscure actual threats
  2. Security teams waste valuable time investigating legitimate scanning activity
  3. Benign scanners often discover and report vulnerable systems before malicious actors

The Experiment

We positioned 24 freshly baked sensors across five separate autonomous systems and eight distinct geographies and began collecting data on connection attempts from known benign scanning services. We narrowed the focus down to the top ten actors with the most tags in November. The analyzed services included major players in the internet scanning space, such as Shodan, Censys, and BinaryEdge, along with newer entrants like CriminalIP and Alpha Strike Labs.

Today, we’ll examine these services' scanning patterns, protocols, and behaviors when they encounter new internet-facing assets. Understanding these patterns helps security teams better differentiate between routine internet background noise and potentially malicious reconnaissance activity. There’s a “Methodology” section at the tail end of this post if you want the gory details of how the sausage was made.

The Results

We’ll first take a look at the fleet size of the in-scope benign scanners.

The chart below plots the number of observed IP addresses from each organization for the entire month of November vs. the total tagged interactions from those sources (as explained in the Methodology section). Take note of the tiny presence of both Academy for Internet Research and BLEXBot, as you won’t see them again in any chart. While they made the cut for the month, they also made no effort to scan the sensors used in this study.

As we’ll see, scanner fleet size does not necessarily guarantee nimbleness or completeness when it comes to surveying services on the internet.

Contact Has Been Made

The internet scanner/attack surface management (ASM) space is pretty competitive. One area where speed makes a difference is how quickly new nodes are added to the various inventories. All benign scanners save for ONYPHE (~9 minutes) and CriminalIP (~17 minutes) hit at least one of the target sensors within five minutes of the sensor coming online.

BinaryEdge and ONYPHE display similar dense clustering patterns, with significant activity bursts occurring around the 1-week mark. Their sensor networks appear to capture a high volume of unique IP contacts, forming distinctive cone-shaped distributions that suggest systematic scanning behavior.

Censys and Bitsight exhibit comparable behavioral patterns, though Bitsight’s first contacts appear more concentrated in recent timeframes. This could indicate a more aggressive or efficient scanning methodology for discovering new hosts.

ShadowServer shows a more dispersed pattern of first contacts, with clusters forming across multiple time intervals rather than concentrated bursts. This suggests a different approach to host discovery, possibly employing more selective or targeted scanning strategies.

Alpha Strike Labs and Shodan.io demonstrate sparser contact patterns, indicating either more selective scanning criteria or potentially smaller sensor networks. Their distributions show periodic clusters rather than continuous streams of new contacts.

CriminalIP presents the most minimal contact pattern, with occasional first contacts spread across the timeline. This could reflect a highly selective approach to host identification or a more focused scanning methodology.

The above graph also shows just how extensive some of the scanner fleets are (each dot is a single IP address making contact with one of the sensors; dot colors distinguish one sensor node from another).

If we take all that distinct data and whittle it down to count which benign scanners hit the most sensors first, we see that ONYPHE is the clear winner, followed by Censys — demonstrating strong but more focused scanning capabilities — with BinaryEdge coming in third.

The chart below digs a bit deeper into the first contact scenarios. We identified the very first contacts to each of the 24 sensor nodes from each benign scanner. ONYPHE shows a concentrated burst of activity in the 6-12 hour window, while Bitsight’s contacts are more evenly distributed throughout the observation period. Censys demonstrates a mixed pattern, with clusters in the early hours followed by sporadic contacts. ShadowServer exhibits a notably consistent spread of first contacts across multiple time windows.

BinaryEdge’s pattern suggests coordinated scanning activity, with tight groupings of contacts that could indicate automated discovery processes. Alpha Strike Labs shows a selective, possibly more targeted approach to first contact, while CriminalIP has minimal but distinct touchpoints. Shodan rounds out the observation set with periodic contacts that suggest a methodical scanning approach.

Speed Versus Reach

While speed is a critical competitive edge, coverage may be an even more important one. It’s fine to be the first to discover, but if you’re not making a comprehensive inventory, are you even scanning?

We counted up all the ports these benign scanners probed over the course of a week. Censys leads the pack with an impressive 36,056 ports scanned, followed by ShadowServer scanning 19,166 ports, and Alpha Strike Labs covering 14,876 ports.

ONYPHE, Shodan, and even both BinaryEdge and Bitsight seem to take similar approaches when it comes to probing for services on midrange and higher ports. All of them, save for CriminalIP, definitely know when you’ve been naughty and tried to hide some service outside traditional port ranges.

Before moving on to our last section, it is important to remind readers that we are only showing a 7-day view of activity. Some scanners, notably Censys, have much broader port coverage than a mere 55% of port space. The internet is a very tough environment to perform measurements in. Routes break, cables are cut, and even one small connection hiccup could mean a missed port hit. Plus, it’s not very nice to rapidly clobber a remote node that one is not responsible for.
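The first-contact timing ("Contact Has Been Made") and 7-day port-coverage ("Speed Versus Reach") measurements described above can be reproduced on any connection log that records when a host came online. The Python below is an added example written for this post, not GreyNoise's own tooling; it runs over a small constructed sample log (not the study's data) and, as the post cautions, treats the windowed port count as a lower bound on real coverage.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not GreyNoise data): one inbound TCP contact per line.
# Fields: sensor_id, sensor_online_utc, contact_utc, source_org, dst_port
SAMPLE_LOG = """\
s01,2024-11-19T10:00:00Z,2024-11-19T10:03:10Z,Censys,443
s01,2024-11-19T10:00:00Z,2024-11-19T10:08:45Z,ONYPHE,80
s01,2024-11-19T10:00:00Z,2024-11-19T10:17:02Z,CriminalIP,22
s01,2024-11-19T10:00:00Z,2024-11-19T11:30:00Z,Censys,8443
s01,2024-11-19T10:00:00Z,2024-11-20T09:00:00Z,Censys,50000
s02,2024-11-20T12:00:00Z,2024-11-20T12:01:30Z,ONYPHE,443
s02,2024-11-20T12:00:00Z,2024-11-20T12:04:00Z,Censys,443
s02,2024-11-20T12:00:00Z,2024-11-21T12:00:00Z,ONYPHE,3389
s02,2024-11-20T12:00:00Z,2024-11-28T12:00:01Z,Censys,9999
"""


def _parse_ts(value):
    # ISO-8601 with a trailing 'Z'; older Pythons need the explicit '+00:00'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text):
    """Turn the CSV-style log into a list of dicts with parsed timestamps."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sensor, online, contact, org, port = line.split(",")
        records.append({
            "sensor": sensor,
            "online": _parse_ts(online),
            "contact": _parse_ts(contact),
            "org": org,
            "port": int(port),
        })
    return records


def time_to_first_contact(records):
    """Seconds from a sensor going online to the first contact from each org.

    Returns {(sensor, org): seconds}. Contacts stamped before the sensor was
    online (clock skew, replayed data) are ignored instead of producing a
    negative delay.
    """
    first = {}
    for r in records:
        delay = (r["contact"] - r["online"]).total_seconds()
        if delay < 0:
            continue
        key = (r["sensor"], r["org"])
        if key not in first or delay < first[key]:
            first[key] = delay
    return first


def first_to_reach(records):
    """Which org reached each sensor before any other: {sensor: org}."""
    winners = {}
    for (sensor, org), delay in time_to_first_contact(records).items():
        if sensor not in winners or delay < winners[sensor][1]:
            winners[sensor] = (org, delay)
    return {sensor: org for sensor, (org, _) in winners.items()}


def first_place_counts(records):
    """Number of sensors each org was first to reach: {org: count}."""
    counts = defaultdict(int)
    for org in first_to_reach(records).values():
        counts[org] += 1
    return dict(counts)


def ports_probed(records, window_days=7):
    """Distinct destination ports per org within window_days of each sensor
    coming online. Contacts outside the window are dropped, so this is a
    lower bound on an org's real port coverage."""
    window = timedelta(days=window_days)
    ports = defaultdict(set)
    for r in records:
        if r["online"] <= r["contact"] <= r["online"] + window:
            ports[r["org"]].add(r["port"])
    return {org: sorted(p) for org, p in ports.items()}


def port_space_coverage(records, window_days=7):
    """Fraction of the 65,536-port space each org touched in the window."""
    probed = ports_probed(records, window_days)
    return {org: len(p) / 65536 for org, p in probed.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (sensor, org), secs in sorted(time_to_first_contact(recs).items()):
        print(f"{sensor} {org:<11} first contact after {secs / 60:6.1f} min")
    print("first to reach each sensor:", first_to_reach(recs))
    print("first-place counts:", first_place_counts(recs))
    print("ports probed (7-day window):", ports_probed(recs))
```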

Tag Time

The vast majority of benign contacts have no real payloads. Some of them do make checks for specific services or for the presence of certain weaknesses. When they do, the GreyNoise Global Observation Grid records a tag for that event. We wanted to see just how many tags these benign scanners sling our way.

Given ShadowServer’s mission, it makes sense that they’d be looking for far more weaknesses than the other benign scanners. The benign scanner organizations that also have an attack surface management (ASM) practice will also usually perform targeted secondary scans for customers who have signed up for such inspections.

In Conclusion

We hope folks enjoyed this second look at what benign scanners are up to and what their strategies seem to be when it comes to measuring the state of the internet.

If you have specific questions about the data or would like to see different views, please do not hesitate to contact us in our community Slack or via email at research@greynoise.io.

Methodology

Sensors were deployed between 2024-11-19 and 2024-11-26 (UTC) across five autonomous systems and in the IP space of the following countries:

  • Croatia
  • Estonia
  • Ghana
  • Kenya
  • Luxembourg
  • Norway
  • Slovenia
  • South Africa
  • Sweden

The in-scope benign actors (based on total tag hits across all of November):

Both Palo Alto’s Cortex Expanse and ByteSpider were in the original top ten, but were removed as candidates. Each of those services is prolific/noisy (one might even say “rude”), would have skewed the results, and would have made it impossible to compare the performance of the more traditional scanners. Furthermore, while ByteSpider may be (arguably) benign, it has more of a web crawling mission that differs from the intents of the services on the rest of the actor list.

We measured the inbound traffic from the in-scope benign actors for a 7-day period.

Unfortunately, neither Academy for Internet Research nor BLEXBot reached out and touched these 24 new sensor nodes, so they have no presence in the results.


From Help Desk to CISO: How Communication Shapes Security Success

Over 220 cybersecurity professionals recently shared what they believe to be the most undervalued skill in our industry: the ability to communicate effectively. This revelation came from a Storm⚡️Watch podcast poll, and the ensuing discussion highlighted just how critical this "soft skill" truly is.

The crew shared stories that will resonate with anyone who's had to bridge the gap between technical complexity and business reality. Emily, coming from incident response, learned the hard way that executives care less about IOCs and more about how security issues translate to lost deals and damaged relationships. Himaja developed her communication approach by studying how reporters digested her technical reports, using their follow-up questions as a compass for future messaging.

The help desk trenches proved to be an excellent training ground for Kimber, who discovered that success often meant quickly determining whether someone needed visual aids or step-by-step instructions. This adaptability served her well in product management, where she learned that sometimes you need to let people vent before any productive conversation can occur.

Glenn's journey from academia to a customer-facing vendor role emphasized that becoming an effective communicator isn't accidental. It requires intentional effort and constant refinement, especially when dealing with audiences ranging from fresh-faced students to grant-wielding researchers.

The shift to remote work has only amplified the importance of clear communication. Text-heavy platforms like Slack have introduced new challenges in conveying nuance and managing generational differences in communication styles. The solution isn't just about choosing the right words — it's about knowing when to escalate from text to voice, how to distill complex reports into actionable insights, and finding the right balance between professional and personable.

In an industry stereotypically populated by technical "lone wolves", the reality is that cybersecurity's effectiveness hinges on collaboration and relationship building. Whether you're convincing executives to fund critical defenses or helping colleagues understand emerging threats, the ability to connect, explain, and persuade is as crucial as any technical skill.

The path to improved communication isn't about memorizing presentation techniques or mastering email templates. It's about developing emotional intelligence, learning to read your audience, and adapting your message while maintaining its essential truth. In the end, cybersecurity professionals may wield sophisticated tools, but our most powerful asset is the ability to make complex ideas accessible and actionable.

There are many more insights from the full discussion. It’s well worth a listen.

New Report Reveals Hidden Risks: How Internet-Exposed Systems Threaten Critical Infrastructure

Critical infrastructure powers the systems we rely on every day — electricity, clean water, transportation. But what happens when these systems are exposed to the internet, left vulnerable to remote attacks? As a new Censys report reveals, this is the growing reality, with 145,000 industrial control systems (ICS) exposed, including thousands of unsecured human-machine interfaces (HMIs).

These findings highlight a growing problem: internet-exposed HMIs, designed to make critical systems manageable, are becoming prime targets for attackers. Often unprotected, these interfaces give malicious actors direct access to operations, making the implications profound — not just for cybersecurity professionals, but for society at large.

What the Censys Report Tells Us

The Censys report uncovers significant exposure: 

  • Thousands of HMIs exposed online: These systems are often accessible without authentication, making them easy entry points for attackers.
  • Direct access to ICS environments: By exploiting HMIs, attackers can bypass ICS protocols entirely and potentially manipulate critical systems. 
  • Concentration of exposure: North America accounts for 38% of global ICS exposures, with the U.S. hosting over one-third of these systems. 

Real-world examples in the report, such as attacks in Pennsylvania and Texas, illustrate how attackers used exposed HMIs to manipulate water systems. These cases didn’t require advanced ICS expertise — just access to an insecure HMI. 

Why This Matters

For years, ICS security has focused on protecting specialized protocols like Modbus and DNP3. But the Censys report highlights the growing risk posed by low-hanging fruit like HMIs and remote access points, which attackers can exploit to bypass more complex systems entirely. 

What Makes HMIs So Risky? 

  1. Ease of Access: HMIs are often misconfigured, left exposed, and lack even basic authentication.
  2. Direct Operational Control: Unlike protocols that require expertise to exploit, HMIs provide a user-friendly interface to manage critical systems — making them an ideal target.
  3. Rapid Targeting by Attackers: Exposed HMIs are frequently scanned and probed within moments of discovery, potentially making them highly vulnerable.

GreyNoise’s Findings on HMI Exposure

During the Summer of 2024, GreyNoise set up sensors emulating internet-connected HMIs to understand the attack traffic they receive. The results reinforce the urgency of securing these systems: 

  • Rapid Targeting: Internet-connected HMIs were probed and scanned more quickly than baseline control sensors. Over 30% of IPs that touched the HMIs before a typical GreyNoise sensor were later identified as malicious. 
  • Focus on Remote Access: Contrary to expectations, attackers primarily targeted common Remote Access Service (RAS) protocols rather than ICS-specific communication protocols. Virtual Network Computing (VNC) was of particular interest to threat actors. 

These findings align with the Censys report, demonstrating that HMIs and remote access points are critical insecurities that need immediate attention.

What Defenders Can Do Now

The Censys report and GreyNoise findings are clear: defending ICS environments requires a shift in focus. Here are key steps to take:

  1. Identify and Secure Exposed Systems: Conduct a thorough inventory of all internet-facing systems, especially HMIs, and remove unnecessary exposure.
  2. Strengthen Access Controls: Implement strong authentication, network segmentation, and VPNs to prevent unauthorized access to HMIs and remote access points.
  3. Monitor for Reconnaissance: Attackers often scan systems before exploitation. Monitoring this activity can provide early warning signs and help prioritize defenses.
  4. Focus on Practical Solutions: While protecting ICS protocols is still important, prioritize low-complexity entry points like HMIs and RAS that attackers are actively targeting.

Acting on the Wake-Up Call

The exposures highlighted in the Censys report aren’t a technical problem — they’re societal. Critical infrastructure is the backbone of our modern world, and the risks posed by exposed systems are too great to ignore. The time to act is now: secure the basics, monitor for threats with real-time intelligence, and close the gaps attackers are exploiting.

GreyNoise’s Commitment to ICS/OT

GreyNoise is dedicated to expanding our visibility into ICS/OT environments by growing our fleet of sensors and profiles. As we enhance our coverage in 2025, we aim to provide even deeper insights to help defenders stay ahead of emerging threats. Contact us to learn more.

U.S. and UK Warn of Russian Cyber Threats: 9 of 12 GreyNoise-Tracked Vulnerabilities in the Advisory Are Being Probed Right Now

A joint U.S. and UK advisory has identified 25 vulnerabilities tied to an exploitation campaign by Russian state-sponsored threat actors, specifically APT 29 — the group behind the infamous SolarWinds hack. GreyNoise actively tracks 12 of the 25 vulnerabilities mentioned in the advisory. To provide real-time, actionable context, GreyNoise has detected that nine of these vulnerabilities are being actively probed by attackers, offering critical insights for organizations to prioritize their defenses.

Executive Summary 

  • The U.S. and UK governments issued a joint advisory warning of Russian state-sponsored cyber threats, specifically from APT 29, the group responsible for the SolarWinds hack.  
  • The advisory identifies 25 CVEs across major platforms (Cisco, Citrix, Microsoft, etc.) that are being opportunistically scanned by attackers. 
  • Tracking 12 of the 25 CVEs in the advisory, GreyNoise’s real-time intelligence shows nine of these vulnerabilities are currently experiencing active probing.
  • The advisory urges organizations to patch vulnerabilities to mitigate the threat and prevent potential exploitation.

Given the real-time nature of GreyNoise’s observations, the set of actively targeted vulnerabilities is likely to change over time. Please check the GreyNoise Visualizer for the latest information. 

What GreyNoise Is Seeing

GreyNoise observes internet traffic via its global network of sensors and honeypots, allowing it to track and classify behavior as malicious or benign. 

While the advisory outlines 25 vulnerabilities, GreyNoise is uniquely positioned to provide real-time insights, identifying the nine CVEs currently being probed. These active scans are part of mass, opportunistic efforts, a tactic commonly used by threat actors like APT 29 (Cozy Bear), although GreyNoise does not attribute malicious activity directly.

12 GreyNoise-Tracked CVEs in the Advisory — Nine Actively Probed Right Now 

Of the 12 GreyNoise-tracked CVEs mentioned in the joint advisory, GreyNoise observes exploitation or reconnaissance activity across the following: 

  1. CVE-2023-20198 — Cisco IOS XE Web UI Privilege Escalation 
  2. CVE-2023-4966 — Citrix NetScaler ADC Buffer Overflow
  3. CVE-2021-27850 — Apache Tapestry Deserialization of Untrusted Data
  4. CVE-2021-41773 — Apache HTTP Server Path Traversal
  5. CVE-2021-42013 — Apache HTTP Server Path Traversal
  6. CVE-2018-13379 — Fortinet FortiOS SSL VPN Path Traversal 
  7. CVE-2023-42793 — JetBrains TeamCity Authentication Bypass
  8. CVE-2023-29357 — Microsoft SharePoint Server Privilege Escalation
  9. CVE-2023-35078 — Ivanti Endpoint Manager Mobile Authentication Bypass

These vulnerabilities cover a wide range of products critical to business operations and infrastructure, making this real-time data invaluable for defenders to prioritize patching. 

Mass Opportunistic Scanning in the Spotlight

In the joint advisory, the agencies highlighted the threat of mass opportunistic scans and the focus thereof by Russian intelligence: 

“This mass scanning and opportunistic exploitation of vulnerable systems, as opposed to more targeted operations, increase the threat surface to include virtually any organization with vulnerable systems. 

The SVR [Russian Foreign Intelligence] takes advantage of opportunistic victims to host malicious infrastructure, conduct follow-on operations from compromised accounts, or to attempt to pivot to other networks.”

The advisory comes at a time when attackers are increasingly relying on mass opportunistic scanning to compromise organizations, making it critical that organizations leverage real-time intelligence showing when and where attackers are engaged in reconnaissance and exploitation activity.

Recommendations to Protect your Organization

  1. Patch Immediately: Ensure the nine vulnerabilities identified by GreyNoise as being actively probed are patched as soon as possible.
  2. Monitor Real-Time Activity: Stay vigilant by leveraging real-time intelligence, which can help organizations track shifts in attacker activity. 
  3. Strengthen Defenses: Take steps to harden security controls, such as deploying firewall blocklists and reinforcing access control policies, to mitigate the risk of successful exploitation.

For more details, read the full U.S. and UK report here.

Phishing and Social Engineering: The Human Factor in Election Security

(This is part three in our "Understanding the Election Cybersecurity Landscape" series.)

As we rapidly approach the 2024 U.S. elections, the human element remains one of the most vulnerable aspects of our electoral system. While technological defenses continue to evolve, state actors and cybercriminals in general are increasingly turning to phishing and social engineering tactics to exploit human psychology and gain unauthorized access to sensitive information or systems. These attacks pose a significant threat to election integrity by targeting election officials, campaign staff, and voters alike.

The Anatomy of Election-Related Phishing Attacks

Phishing attacks during election seasons often exploit the heightened emotions and time pressures associated with political campaigns. Attackers craft convincing emails, text messages, or social media posts that appear to come from trusted sources such as election boards, political parties, or candidates themselves. These messages typically create a sense of urgency or importance to prompt quick, unthinking responses from targets.

For example, an election official might receive an email that appears to be from a voting machine vendor, claiming there's a critical security update that needs immediate attention. The email could contain a malicious link or attachment that, when clicked, installs malware or captures login credentials. Similarly, voters might receive text messages with false information about polling place changes or registration requirements, containing links to fraudulent websites designed to steal personal information.

Social Engineering: Exploiting Trust and Authority

Social engineering attacks go beyond simple phishing by leveraging more complex psychological manipulation. These attacks often involve multiple touchpoints and can unfold over extended periods, making them particularly insidious.

In the context of elections, a social engineering attack might involve an attacker posing as an IT support technician, contacting county election workers with offers of assistance. Over time, the attacker builds trust and may eventually request remote access to systems or sensitive information under the guise of providing support. This type of attack exploits the often-overworked and under-resourced nature of many local election offices.

Another common tactic is impersonating authority figures. An attacker might pose as a high-ranking election official or party leader, using this perceived authority to pressure lower-level staff into bypassing security protocols or divulging confidential information.

The Cascading Impact on Election Security

The consequences of successful phishing and social engineering attacks can be far-reaching. A single compromised account or system can serve as an entry point for broader network infiltration, potentially leading to:

  • Disruption of election management systems, including those that are responsible for updating public-facing results on and after election day
  • Theft or manipulation of voter registration data
  • Unauthorized access to voting machine software or configurations
  • Leaks of sensitive campaign strategies or communications
  • Spread of disinformation from trusted sources

Moreover, even unsuccessful attacks can erode public confidence in the electoral process. The mere perception that election systems or officials might be compromised can fuel doubts about election integrity, which could be especially problematic this year.

Defending Against the Human Factor

Mitigating the risks posed by phishing and social engineering requires a multi-faceted approach that combines technological solutions with robust human training and awareness programs.

Technical Safeguards

  • Implement strong email filtering and anti-phishing tools
  • Use multi-factor authentication for all critical systems
  • Regularly update and patch software to address known vulnerabilities
  • Employ network segmentation to limit the potential spread of breaches

Human-Focused Defenses

  • Conduct regular, scenario-based training for election officials and staff
  • Develop clear communication protocols for sharing sensitive information
  • Establish verification procedures for requests involving system access or data transfers
  • Create a culture of security awareness where staff feel empowered to question suspicious or urgent requests

Public Education

  • Launch voter education campaigns on recognizing election-related phishing attempts
  • Provide clear, authoritative sources for election information
  • Encourage critical thinking and verification of election-related messages
  • Ensure there is a clear way for voters to recognize legitimate municipal communications, and provide straightforward ways for them to validate potentially illegitimate ones

The Road Ahead

As we move ever closer to the 2024 elections, the sophistication of phishing and social engineering attacks is likely to increase. The rise of AI-generated content, including deepfakes, will make it even more challenging to distinguish legitimate communications from fraudulent ones (something we will cover in the final installment).

However, by focusing on the human element – both in terms of vulnerabilities and strengths – we can build a more resilient election security ecosystem. Empowering election officials and voters with knowledge and critical thinking skills is our best defense against these evolving threats.

The integrity of our elections depends not just on secure technology, but on a vigilant and informed populace. By recognizing the central role of human factors in election security, we can work towards elections that are not only technologically sound but also trusted and resilient in the face of increasingly sophisticated attacks.

Challenging Assumptions: Enhancing the Understanding of Securing Internet-Exposed Industrial Control Systems

Censys and GreyNoise teamed up for the last three months to shed new light on the real-world threats facing internet-exposed industrial control systems (ICS). At LABSCon 2024, they shared their findings, challenging some long-held assumptions about ICS security.

Earlier this year, Censys researchers identified over 40,000 internet-connected ICS devices in the U.S., including over 400 human-machine interfaces (HMIs). Many of these interfaces required no authentication at the time of observation. HMIs provide easy-to-understand and easy-to-manipulate interfaces, which make them low-hanging targets for threat actors seeking to disrupt operations. Given the relative ease of manipulation, we were curious about the actual attack traffic such interfaces receive.

To conduct preliminary research, GreyNoise set up hyper-realistic emulations of internet-connected HMIs for critical control systems, camouflaging them by geography and ASNs. Glenn Thorpe, Sr. Director, Security Research & Detection Engineering at GreyNoise, analyzed forty-five days of data for these surprising and concerning findings:

  1. Rapid Targeting: Internet-connected HMIs were probed and scanned more quickly than baseline control sensors. Over 30% of IPs that touched the HMIs before a typical GreyNoise sensor were later identified as malicious.
  2. Focus on Remote Access: Contrary to expectations, attackers primarily targeted common Remote Access Service (RAS) protocols rather than ICS-specific communication protocols. Virtual Network Computing (VNC) was of particular interest to threat actors.

Implications for ICS Security

This research highlights a potential disconnect between perceived risks and actual threat actor behavior toward internet-exposed ICS. While the industry has long focused on securing ICS-specific communication protocols, the more pressing threat may lie in more common, easily exploitable entry points like remote access services. The swift targeting suggests a prioritization for probing such devices online.

This research underscores the critical importance of securing remote access services as a frontline defense for ICS environments. The relative ease of targeting these generic entry points may often render the exploitation of specialized ICS protocols unnecessary.

GreyNoise and Censys intend to continue this research to learn more based on these experimental findings.

The Role of State-Sponsored Actors in Election Interference

(This is part two in our "Understanding the Election Cybersecurity Landscape" series.)

State-sponsored actors play a critical role in election interference, employing a range of tactics to undermine the integrity of the electoral process. These actors, often backed by powerful nations like Russia, China, and Iran, have the resources and motivation to conduct sophisticated attacks that can erode public trust in elections.

Tactics and Techniques

State-sponsored actors engage in various activities interfering with elections, including cyberespionage, disinformation campaigns, and direct attacks on election infrastructure. Cyberespionage involves the theft of sensitive information, such as voter data or campaign communications, which can be used to influence public opinion or blackmail candidates. Disinformation campaigns, often conducted through social media, aim to spread false or misleading information to manipulate voter perceptions and sow discord. For example, Russia has been known to use fake personas and highly networked accounts to spread hyper-partisan themes effectively and quickly.

Direct attacks on election infrastructure are also a concern, as they can disrupt the voting process and undermine the integrity of election results. This includes attempts to gain physical or digital access to election systems, which can compromise their confidentiality, availability, or integrity. For instance, the Justice Department recently indicted two Russian propagandists associated with the state-funded media outlet RT for allegedly engaging in money laundering and channeling nearly $10 million to a right-leaning media organization.

We've also seen evidence of a recent suspected Iranian attack against the campaign of Republican presidential nominee Donald Trump, potentially resulting in the theft of internal campaign documents. The FBI is investigating the matter, as well as attempts to infiltrate President Joe Biden's reelection campaign, which became Vice President Kamala Harris' campaign after Biden dropped out of the race.

Impact and Implications

The activities of state-sponsored actors in election interference have significant implications for democratic societies. By undermining public trust in the electoral process, these actors can erode the legitimacy of governments and create social divisions. For example, research suggests that election interference campaigns can intensify internal divisions within a target state, making it harder for the political establishment to agree on priorities, implement policy, and respond to challenges from foreign actors.

Countermeasures

To counter the threats posed by state-sponsored actors, it is essential to understand their methods and recognize the signs of such interference. This includes investing in cybersecurity efforts for political campaigns, encouraging social media companies to remove deceptive or hateful posts, and passing legislation requiring online political ads to adhere to certain standards of truthfulness. Additionally, election officials should take steps to harden infrastructure against common attacks, utilize account security tools, and rehearse incident response plans.

What Can You Do?

Understanding the methods of state-sponsored actors and recognizing the signs of such interference is crucial in developing robust defenses. By investing in cybersecurity, promoting transparency in political advertising, and enhancing election infrastructure security, we can mitigate the risks posed by these actors and protect the integrity of democratic elections.

We've put together the following list of resources to help folks further understand and defend against this very real and present threat:

  • Election Cybersecurity Landscape: The global election cybersecurity landscape is characterized by diverse targets, tactics, and threats, with state-sponsored actors posing the most serious cybersecurity risk to elections.
  • Hybrid Warfare: Election interference is often a key tactic of hybrid warfare campaigns, which seek to exacerbate internal divisions within a target state through tactics such as disinformation and cyberattacks.
  • Election Security Measures: Election officials should take steps to harden infrastructure against common attacks, utilize account security tools, and rehearse incident response plans to protect against cyber, physical, and operational security risks.
  • Countering Foreign Interference: Countering foreign interference in U.S. elections requires understanding how adversaries exploit fault lines within society and using strategies such as collecting open-source intelligence on social media and releasing public service announcements to warn about strategic threats.
  • Recent Influence Operations: Recent foreign influence operations have been identified, including those perpetrated by Russia, China, and Iran, which have been accused of conducting complex campaigns to manipulate U.S. politics.

Unveiling Vulnerability Insights from the CISA KEV Catalog at BSidesLV

Last week at BSidesLV, I had the privilege to explore the complexities of the CISA's Known Exploited Vulnerabilities (KEV) Catalog. This vital resource aids organizations in understanding which vulnerabilities are actively exploited and how to prioritize remediation efforts effectively. 

Here, I’ll share three key insights from my analysis that can enhance vulnerability management strategies.

The full talk (it's only 20 minutes, but I clearly could have used 30!) can be found here, and the slides and dataset used can be found here.

The Decreasing Age of CVEs Added to KEV

The average age of CVEs added to the KEV decreases over time. In 2023, which we consider the first full baseline year, most vulnerabilities were added within the first week of their assignment. This trend suggests not only that vulns are being exploited faster (we know this) but also that information sharing and partnerships between CISA and other organizations have improved.

Additionally, the shift towards younger CVEs being added to KEV is encouraging as it indicates that the security community is becoming more proactive in identifying exploitation. For organizations, this means staying vigilant and ready to respond quickly to newly disclosed vulnerabilities, as they're more likely to be added to the KEV shortly after discovery.

The Fluidity of the "Known Ransomware Campaign Use" Field

A lesser-known aspect of the KEV data is that it's not static. 

In October 2023, CISA added a field called "known ransomware campaign use" to the catalog. We found that this field is updated silently and can change from "unknown" to "known" without fanfare. From October 2023 → July 2024, this field was updated 41 times.

Research suggests that vulnerabilities flagged for known ransomware use are patched 2.5 times faster; this makes sense given the significant financial and operational impacts of ransomware attacks. Organizations should pay close attention to this field and regularly check for updates. It goes without saying that if a vulnerability in your environment is flagged for known ransomware use, it should be prioritized for patching immediately.

Prioritization Insights from within the KEV Data

Another interesting finding is that by considering two data points from within the KEV, you can discern a “level of concern” that organizations can use to make more informed decisions about which vulnerabilities to address first when resources are limited.

1. The time that is given to fix the vulnerability.

Early on, the time to fix a vulnerability was either 14 or 180 days. Shortly after the start of the Russia/Ukraine war, CISA seemed to adjust to a 21-day fixed period. However, if you look at the bottom right of the plot, you'll notice that there have been a handful of vulnerabilities with even shorter fix timelines in the last year.

2. The day of the week the vulnerability was added to the KEV.

Interestingly, the day of the week a vulnerability is added can be telling. In the past year+, there have only been two drops on a Friday, and both had a time to fix of 7 days (a time to fix of 7 days has only happened six more times). Overall, the time to fix has standardized to 21 days for most entries, but shorter timeframes indicate higher-priority vulnerabilities. 

To summarize, although the KEV catalog is mainly intended for government use, it provides valuable insights for prioritizing vulnerabilities. Cybersecurity professionals can enhance their remediation efforts by analyzing patterns such as vendor dominance, time given to fix, the day of the week an issue was added, and any changes to the ransomware field.

Again, the full talk can be found here, and the slides and dataset can be found here.
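
The two "level of concern" signals above (days given to fix, weekday of addition) and the silent changes to the ransomware field are easy to pull out of the public KEV JSON feed yourself. The following is an added example, not the talk's own analysis code; it uses the feed's real field names (`cveID`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) but the two snapshots and their CVE IDs are constructed placeholders, and the ordering heuristic in `prioritize` is this example's own assumption, derived from the observations in the post rather than any CISA guidance.

```python
"""Mine CISA KEV records for fix window, weekday of addition and silent
changes to knownRansomwareCampaignUse between two catalog snapshots.

Added example. Field names match the public KEV JSON feed
("vulnerabilities" array); the records below are constructed samples with
placeholder CVE IDs, not real catalog entries.
"""
import json
from datetime import date

# Constructed snapshot taken "earlier": two entries, neither flagged for ransomware.
SNAPSHOT_OLD = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-03-05", "dueDate": "2024-03-26",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2024-03-08", "dueDate": "2024-03-15",
     "knownRansomwareCampaignUse": "Unknown"},
]

# Constructed snapshot taken "later": the first entry's ransomware field flipped
# silently, and a third entry was added with the usual 21-day window.
SNAPSHOT_NEW = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-03-05", "dueDate": "2024-03-26",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2024-03-08", "dueDate": "2024-03-15",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2024-03-11", "dueDate": "2024-04-01",
     "knownRansomwareCampaignUse": "Unknown"},
]


def entries_from_feed(feed_text):
    """Parse the raw KEV feed (JSON text) into its list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def days_to_fix(entry):
    """Fix window CISA granted: dueDate minus dateAdded, in days."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def weekday_added(entry):
    """Day of the week the entry was added, e.g. 'Friday'."""
    return date.fromisoformat(entry["dateAdded"]).strftime("%A")


def ransomware_field_changes(old, new):
    """Entries whose knownRansomwareCampaignUse differs between two snapshots.

    Returns (cveID, old_value, new_value) tuples; catches the 'silent' updates.
    """
    old_by_id = {e["cveID"]: e for e in old}
    changes = []
    for e in new:
        prev = old_by_id.get(e["cveID"])
        if prev is None:
            continue  # brand-new entry, see new_entries()
        before = prev["knownRansomwareCampaignUse"]
        after = e["knownRansomwareCampaignUse"]
        if before != after:
            changes.append((e["cveID"], before, after))
    return changes


def new_entries(old, new):
    """cveIDs present in the new snapshot but not the old one."""
    seen = {e["cveID"] for e in old}
    return [e["cveID"] for e in new if e["cveID"] not in seen]


def prioritize(entries):
    """Order entries by concern: ransomware-flagged first, then shortest fix window.

    Assumption of this example: the post notes that ransomware-flagged entries
    and sub-21-day windows signal higher priority, so those sort first.
    """
    def key(e):
        flagged = 0 if e["knownRansomwareCampaignUse"] == "Known" else 1
        return (flagged, days_to_fix(e), e["cveID"])
    return [e["cveID"] for e in sorted(entries, key=key)]


if __name__ == "__main__":
    for e in SNAPSHOT_NEW:
        print(e["cveID"], days_to_fix(e), "days,", weekday_added(e))
    print("ransomware field changed:", ransomware_field_changes(SNAPSHOT_OLD, SNAPSHOT_NEW))
    print("new since last snapshot:", new_entries(SNAPSHOT_OLD, SNAPSHOT_NEW))
    print("work order:", prioritize(SNAPSHOT_NEW))
```

To run this against the live catalog, fetch the feed's JSON and pass its text to `entries_from_feed`, keeping yesterday's copy on disk so `ransomware_field_changes` has something to diff against; a daily cron job that alerts on a non-empty change list is the cheapest way to stop missing those silent "Unknown" to "Known" flips.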

Understanding the Election Cybersecurity Landscape

As we edge closer to the 2024 U.S. elections, the cybersecurity landscape surrounding this crucial event is more complex and dynamic than ever. The sheer variety of targets, tactics, and threats highlights the immense challenge of securing our democratic process. From state-sponsored entities to cybercriminals and hacktivists, a multitude of actors are ready to exploit any vulnerabilities they can find. Understanding this broad landscape is essential for grasping the challenges we face and appreciating the efforts required to safeguard our elections.

To help reduce any confusion, and provide some solid guidance, we’ve put together a multipart series that we’ll be releasing over the coming weeks. The goal is to help folks understand what’s truly at risk, along with helpful things you can do to join in the efforts to maintain and increase the cyber safety and resilience of America’s elections. We’re starting, today, with an overview of who and what is truly at risk, along with a high-level review of the adversaries and tactics in play. Over the remaining series, we’ll tackle:

  • the role of state-sponsored actors in election interference
  • phishing and social engineering
  • the threat of deepfakes and disinformation campaigns

Let’s dive in!

The Targets

When we think about election security, our minds often jump to voting machines and voter registries. While these are certainly critical, the attack surface extends far beyond them. Political campaigns, for instance, rely heavily on digital infrastructure, including websites, email systems, and databases. These elements are prime targets for cyber intrusions and disinformation campaigns designed to disrupt operations and erode public trust. Political parties, too, are vulnerable, with adversaries seeking to steal sensitive information or create chaos within their ranks.

News and social media platforms also play a crucial role in the election process. Unfortunately, they are frequently exploited to spread disinformation and sow discord among voters. Manipulating these platforms can have far-reaching consequences, influencing public opinion and undermining the democratic process. Election management systems, responsible for counting, auditing, and reporting results, are also critical targets. Ensuring the integrity of these systems is paramount to maintaining the credibility of the electoral outcome.

The Tactics

The tactics employed by threat actors are as diverse as the targets they pursue. Traditional cyber intrusions, such as phishing and spear phishing, remain prevalent, allowing adversaries to gain unauthorized access to sensitive systems and data. Distributed denial of service (DDoS) attacks aim to disrupt the availability of critical election-related websites and services, potentially causing widespread confusion and delays. Ransomware, which involves encrypting critical data and demanding payment for its release, poses a significant threat to election infrastructure, with the potential to cripple essential operations.

While most voting machines are not directly connected to the internet, they are still vulnerable to internet-based attacks through indirect means. For example, voting machines must accept electronic input files from other computers, such as ballot definition files prepared on Election Management System (EMS) computers. If these EMS computers are compromised, they can introduce fraudulent data or malicious code into the voting machines. This indirect connection to the internet creates a potential attack vector that sophisticated adversaries could exploit.

Recently, the rise of deepfakes and disinformation has added a new layer of complexity to the cybersecurity landscape. The use of AI-generated content to mislead voters and manipulate public opinion has become increasingly sophisticated, making it harder to discern truth from falsehood. These tactics are not only disruptive, but also corrosive, eroding trust in the electoral process and the institutions that support it.

The Actors

The actors behind these threats are varied, each with distinct motivations and capabilities. State-sponsored actors, including nations such as Russia, China, Iran, and North Korea, have been identified as significant threats. These entities aim to undermine U.S. elections to destabilize the country and influence its policies. Their sophisticated operations often involve a combination of cyber intrusions, disinformation campaigns, and other tactics designed to achieve strategic objectives.

Cybercriminals, on the other hand, are typically motivated by financial gain. They may deploy ransomware or sell stolen data on the “dark web”, exploiting vulnerabilities for profit. Hacktivists, driven by ideological beliefs, seek to promote their political agendas by disrupting election processes or exposing perceived injustices. While their methods may differ, the impact of their actions can be equally damaging.

The Importance of Vigilance

Understanding the broad landscape of election cybersecurity threats plays a significant role in helping us grasp the complexity and scope of the challenges faced. This knowledge helps the public appreciate the efforts required to secure elections and underscores the importance of vigilance and proactive measures. 

As we approach the 2024 elections, enhanced security measures, such as implementing multifactor authentication and conducting regular vulnerability assessments, are vital. Public awareness and education about common disinformation tactics can help mitigate the impact of false information. At the same time, collaboration and information sharing between federal, state, and local agencies, as well as private sector partners, are essential for a coordinated response to emerging threats.

By comprehending and addressing the diverse array of threats, tactics, and actors in the election cybersecurity landscape, we can better protect the integrity of our democratic processes and ensure that every vote counts.

Cybersecurity in the Age of AI: What Experts are Saying

The cybersecurity market is undergoing a noticeable shift with the integration of AI, transitioning from using AI as a replacement for Googling to leveraging its advanced capabilities in pattern recognition and anomaly detection. Currently, there are many questions about what AI can truly achieve today and what the future holds. To address this, we assembled a panel of seasoned security professionals for an open discussion on the real potential of AI in cybersecurity and what is merely adding to the noise.

On Thursday, May 30th, GreyNoise is hosting a live webinar “AI for Cybersecurity: Sifting the Noise.” To give you a taste of what’s to come, we have asked each of our presenters a key question touching on one of the many topics we will explore in the discussion. Let’s dig into their answers below:

Bob Rudis, VP of Data Science and Research

Q: What do you think is currently the biggest lie about AI?

A: The biggest misconception is that AI (particularly LLMs/GPTs) is seen as more than just a tool. Unlike traditional machine learning or a dictionary/thesaurus, these AI systems are marketed as intelligent actors or companions. However, they are simply tools that excel at understanding human input and generating responses based on vast amounts of data. Their perceived intelligence comes from their ability to produce useful outputs by recognizing patterns in data, not from any inherent understanding or consciousness.

Daniel Grant, Principal Data Scientist

Q: What AI advancement in the past few years are you most excited about?

A: The most obvious advancement is the development of highly capable LLMs. Just a few years ago, getting GPT-2 to produce coherent text was a challenge. Now, we have 70-billion parameter models that can run on laptops and chatbots that can pass the Turing test at your local Toyota dealership. Another exciting advancement is the improved quality of vector databases, which allow for direct, real-time access to entire datasets, reducing the need for compact machine learning models.

Ron Bowes, Security Researcher

Q: What's the most surprising thing an AI you've used has surfaced?

A: At GreyNoise, we developed a tool called Sift, which runs traffic seen by honeypots through magic machine-learning algorithms to help us (and customers!) see what attackers are up to each day.

One exploit that stood out to me a couple months ago was an attempt to exploit F5 BIG-IP that I wrote about on our Labs Grimoire blog. I'd recently spent time tidying up our F5 BIG-IP rules, since there's a lot of overlap between the various vulnerabilities and exploits (that is, several different vulnerabilities use very similar-looking exploits, and some of our older tags were mixing them up). One of the vulnerabilities I ran into was an exploit for CVE-2022-1388 (auth bypass), chained with CVE-2022-41800 (authenticated code execution, which I initially discovered and reported).

What was particularly interesting about that one is that they used the proof of concept (PoC) from the original CVE-2022-41800 disclosure, which I had designed to look super obvious, instead of using the actual exploit we also released. Not only that, but because CVE-2022-41800 is an *authenticated* RCE, they combined my PoC with a separate authentication-bypass vulnerability (CVE-2022-1388), which already had an RCE exploit that didn't require a secondary vulnerability. So, not only did they use the super obvious PoC, its usage was entirely unnecessary as well!

Presumably, the point of using this unusual combination was to avoid detection, but instead they just stood out more!

---

If these insights pique your interest, join us on Thursday for the live event where you can ask your own questions to our expert panel.

Honeypots Are Back: The Movie: The Blog

GreyNoise was founded to see what others don’t. That quest led us to build a unique global network of thousands of sensors across hundreds of strategically selected points of presence, giving cybersecurity practitioners unparalleled insight into online activity, whether malicious or benign. 

And in 2023, we saw something new.

In the second quarter of 2023 GreyNoise researchers observed a substantial change in internet scanning behavior. Malicious inventory scans significantly reduced in frequency and scale, and the vast majority of these types of scans now come from benign sources. This, along with the speed at which compromises follow vulnerability announcements, strongly suggests more capable attacker groups have implemented their own form of “attack surface monitoring”, to avoid tripping existing defenses. Attackers are now less likely to risk their reconnaissance infrastructure being detected and flagged prior to establishing confidence in a successful attack path.

A change in attacker behavior is rendering current defenses less effective. But an established technique is ready to rise to the challenge. Honeypots are back.

With attackers routing around observation and detection, traditional third-party threat intelligence cannot provide the targeted attack visibility that defenders need. A first-party, honeypot-based approach is ready to step into the breach.

While honeypot programs have traditionally struggled with deployment, operation, and data analysis, new technology is changing the game. Advances in infrastructure automation, network traffic shaping, cloud computing, and artificial intelligence make it possible to consistently identify novel attacks and reveal attacker infrastructure. New honeypot networks are easy to deploy, with flexible impersonation, believable personas, and automated analysis. Whether on an organization’s perimeter or deployed across the globe, they provide the insights defenders need to protect key systems before a breach. 

At GreyNoise, we haven’t just focused on tech leadership — we’ve brought in thought leadership as well. In order to educate the market about these new challenges, and how honeypots can help tackle them, our deception and intelligence experts Andrew Morris and Bob Rudis have published the Honeypots Are Back report. This report:

  • Breaks down targeted attacks
  • Compares third- and first-person threat intelligence
  • Discusses traditional honeypot challenges
  • Establishes a new honeypot maturity framework
  • Provides a security checklist for defenders to implement this necessary capability

To dive deeper into each of these topics, read the report here. To see a demonstration of the new honeypot capabilities under development at GreyNoise today, watch our on-demand honeypot webinar here. And if you’re ready to discuss standing up a mature honeypot network in your own environment, talk to our team.

Governments Have Zero Reason To Be Flipping Mad About Open Source SDR Tech

Software-defined radio (SDR) technology has been a transformative force in the world of wireless communications, enabling users to transmit and receive radio signals across a wide range of frequencies using software-controlled hardware. However, this innovative tool has recently come under scrutiny in Canada due to its misuse in auto thefts. As researchers at GreyNoise, we believe that the Canadian government's response to this issue, which leans towards a ban on open-source SDR technology, is not only harsh but also ineffective.

The Canadian government's recent actions, as outlined in the "Federal action on combatting auto theft" document, focus on — in theory — enhancing the capacity of the Canada Border Services Agency (CBSA) to combat auto theft. However, this policy indirectly touches upon the broader implications for SDR technologies. It mentions the goal of banning devices used to steal vehicles by copying wireless signals for remote keyless entry, which could include devices like the Flipper Zero.

The hardware components and features that make up a Flipper Zero are the same ones found in nearly every modern mobile phone and other consumer-grade devices. It is more than a stretch to blame any problems solely on the availability of such components under the brand name of “Flipper Zero” rather than, say, Apple/Samsung, or more directly comparable devices, such as the Lime SDR.

Open-source SDR hardware and software have revolutionized modern radio communications, enabling innovation and democratizing what had previously been expensive and proprietary. SDRs are capable of performing a wide range of communication functions that were traditionally executed by hardware components. Thanks to this innovation, we can now use software to access any part of the spectrum in any way. This has enabled rapid adaptation of new communication standards and technologies without the need for physical modifications or replacements of the radio hardware.

Banning or severely restricting this technology will stifle innovation and hinder new development. SDRs play a crucial role in research and development within telecommunications, as they help foster testing and development of new protocols and systems efficiently and — even more importantly — cost-effectively.

Moreover, SDRs are instrumental in security research, allowing cybersecurity professionals to analyze and understand wireless communications, including potential vulnerabilities. This knowledge is crucial for developing more secure communication systems.

The auto industry and other industries that rely on electronic locks and remote keyless entry systems are absolutely potential targets for exploitation using SDR technology. However, the solution should not be to ban or overly restrict SDRs, but to enhance the security of these systems. Industries using electronic locks should invest in robust security measures, including encryption and secure authentication protocols, to safeguard against unauthorized access.

Rather than impose overly broad restrictions on technologies like SDR, which 100% have legitimate and beneficial uses, efforts should focus on enhancing the security of vulnerable systems. This includes:

  • Implementing Strong Encryption: Ensuring that all wireless communications, especially those used in critical systems like automotive locking mechanisms, are protected by strong encryption to prevent unauthorized interception and manipulation.
  • Secure Authentication Protocols: Adopting secure authentication methods that resist replay attacks and other common tactics attackers use.
  • Regular Security Audits: Conducting regular security assessments to identify and mitigate potential vulnerabilities in wireless communication systems.
  • Public-Private Collaboration: Encouraging collaboration between government agencies, industry stakeholders, and the cybersecurity community to share knowledge and best practices for securing wireless communications.
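The replay-resistant authentication the list above calls for can be shown concretely. What follows is an added example, not code from the original post or from any vehicle vendor: a toy challenge-response exchange between a car and a key fob (the class names are hypothetical and the shared key is constructed) in which the car accepts only a MAC over the nonce it just issued, so a recorded exchange is worthless afterwards.

```python
"""Replay-resistant challenge-response for a keyless-entry fob (added example)."""
import hashlib
import hmac
import secrets

ACTION_UNLOCK = b"unlock"


class Car:
    """The verifier. Holds the shared key and at most one live challenge."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = None  # challenge issued but not yet consumed

    def issue_challenge(self) -> bytes:
        # Fresh 128-bit nonce per attempt: a recorded exchange is useless later.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, challenge: bytes, action: bytes, tag: bytes) -> bool:
        # Accept only the challenge we just issued, and only once.
        if self._pending is None or not hmac.compare_digest(challenge, self._pending):
            return False
        self._pending = None  # burn it before checking, so a bad guess cannot retry
        expected = hmac.new(self._key, challenge + action, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class Fob:
    """The prover. Never transmits the key, only a MAC over (challenge, action)."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def respond(self, challenge: bytes, action: bytes) -> bytes:
        return hmac.new(self._key, challenge + action, hashlib.sha256).digest()


def unlock(car: Car, fob: Fob, action: bytes = ACTION_UNLOCK):
    """One full exchange; returns (challenge, tag, accepted)."""
    challenge = car.issue_challenge()
    tag = fob.respond(challenge, action)
    return challenge, tag, car.verify(challenge, action, tag)


def demo():
    """A legitimate unlock succeeds; the same exchange presented again later
    is rejected; a valid MAC for a different action is rejected too."""
    key = secrets.token_bytes(32)  # constructed; provisioned at manufacture in reality
    car, fob = Car(key), Fob(key)

    c1, tag1, accepted = unlock(car, fob)
    # Later, the recorded pair (c1, tag1) is presented again.
    car.issue_challenge()               # the car has already moved to a new nonce
    replayed = car.verify(c1, ACTION_UNLOCK, tag1)
    # A correct MAC computed for "lock" must not unlock.
    c2 = car.issue_challenge()
    cross = car.verify(c2, ACTION_UNLOCK, fob.respond(c2, b"lock"))
    return accepted, replayed, cross
```

The two properties that matter are visible in `verify`: the nonce is compared against the single outstanding challenge and then discarded, and the action is bound into the MAC so a response cannot be repurposed. A fixed-code system has neither property, which is exactly why it can be replayed.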

While government officials may view this new policy as an “easy button” way out of a current threat, it is far from a panacea and will not solve the problem.

Why not treat the current situation as a simple “recall” problem? Automobiles regularly have systemic issues that require a recall and manufacturer remediation. Rather than criminalize a technology category essential to future innovation (this policy would not be limited to just the “Flipper Zero”), have the manufacturers design a more secure solution and issue a recall. This makes future wireless security systems more robust and protects the owners and operators of current technology.

By focusing on enhancing vehicle security, the government can protect consumers without stifling the growth and development of open-source technologies that have far-reaching benefits. It is crucial to strike a balance between security and innovation, ensuring that the measures taken do not inadvertently harm the broader tech community and the positive advancements it brings to society.

Decoding Mass Exploitation in 2023: A GreyNoise Perspective

The GreyNoise Labs team recently released a report on stats and trends the research team observed over the course of 2023. Here's a breakdown of some of the key elements gleaned from the data, with much more to be found in the original tome.

Overall Impressions From 2023

In 2023, our massive network of fake computers and services continued to lure attackers into revealing their tactics. Throughout the year, our researchers and platform helped provide many useful insights for the cybersecurity community. We do this simply to make the internet a safer place. This year saw our epic community increasingly institutionalize our observations, with our fellow security vendor partners integrating more of our data than ever. Government agencies and news media regularly cited our observations, a testament to the value of our work.

However, 2023 also marked the first time we directly observed attackers deliberately changing their behaviors to avoid our specific detection capabilities. We also noted that the time between software vulnerabilities becoming public and attackers using them at large scale continues to decrease. Yet our approach to responding continues to be effective. In 2024 and beyond, we will continue to make our detection network larger and smarter, and share the attacker behaviors we observe with the world as quickly as possible.

Notable Exploits of 2023

Among the 242 Common Vulnerabilities and Exposures (CVEs) we covered in 2023, some stood out for their impact. The Progress MOVEit Transfer SQL Injection Vulnerability (CVE-2023-34362) was exploited by the Cl0p ransomware group, leading to data breaches in over 2.6K organizations and affecting ~90 million individuals. The Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability (CVE-2023-4966; a.k.a., CitrixBleed) allowed threat actors to hijack authenticated sessions, bypassing multifactor authentication and password requirements. And, the PaperCut MF/NG Improper Access Control Vulnerability (CVE-2023-27350) was exploited by the Bl00dy Ransomware Gang, targeting vulnerable PaperCut servers, particularly within Education, but also in other sectors.

GreyNoise and CISA KEV: A Symbiotic Relationship

GreyNoise researchers are huge fans of CISA’s Known Exploited Vulnerabilities (KEV) catalog. In 2023, 67 of our tags had corresponding entries in CISA’s KEV catalog, 34% of which were also known to be associated with ransomware attacks. We meet or beat CISA nearly 63% of the time when it comes to having a published tag for a CVE that enters their catalog. This makes it much easier for federal agencies to meet or exceed remediation time requirements. It’s also helpful in the same way if your organization is tracking with KEV.

The Reality of Spillover in Nation State Conflicts

We cannot let 2023 go into the record books without some mention of the part that nation state conflicts have had on the mass exploitation landscape. The present major conflicts between Russia/Ukraine, Israel/Hamas, and other regional hostilities play out in both kinetic/physical (guns/bombs) and cyber fields. The evolution of nation state conflicts is also putting virtually every organization in the crossfire. No matter where adversaries aim their attacks, GreyNoise is there. No matter how many packets they sling, our systems analyze them instantly, enabling us to identify and communicate even the oddest trends and anomalies.

Want To Learn More?

The GreyNoise platform, including our aforementioned vast sensor network, is designed to identify these probes and attacks with pinpoint precision at the very moment they occur. This gives defenders the tools and data they need to stop attacks before they start, plus buy time to focus on patching, mitigation, and response.

Dive into our report and don't hesitate to drop us a note or question in our community Slack or via email (research@greynoise.io).

Weathering 2024: Storm Watch Predictions for the Year Ahead

Dear Storm Watch hosts,

As we approach the new year, I'm curious about what the future holds for cybersecurity. What are your predictions for 2024? Do you have any hot takes on the emerging trends and potential threats in the digital security landscape?

Sincerely,

Curious about Cybersecurity

--

Kimber Duke, GreyNoise Product:

My 2024 hot takes are influenced by the upcoming election year potential for insanity. We know that this year is going to be fraught with geopolitical situations, making for a tumultuous news cycle that will have us feeling exhausted starting in January. We can definitely expect to be overwhelmed by the sheer amount of news coming out about impending threats from nation-state APTs, and I look forward to seeing what kind of influence this election cycle will have on regulations surrounding ICS, IoT, and supply chain. We've nailed the security onion, but how much more can CISA and the government agencies influence technology beyond the everyday user facing situations?

On a lighter and brighter note, I expect in response to rising rates of targeted attacks rather than opportunistic ones, enterprises will have a renewed interest in deception technology. While this might sound self-serving coming from a GreyNoise product manager, you can already see the rise of interest in honeypots at local conference talks, the concept of canaries becoming central to EDR programs, and the idea that maybe we're getting too many alerts on all the wrong things. Deception engineering will be an addition to the 2024 enterprise security stack because it fast forwards to how your crown jewels are most easily exploited and who wants them.

Finally, 2024 will be the year of high conference attendances. Information sharing is absolutely broken since the downfall of Twitter, and people are looking for how they can keep in touch with everyone whether it be on Discord, Mastodon, or Reddit. I expect a record Defcon attendance year because of this feeling of isolation everyone is experiencing. Taking the time to reconnect with your network and sharing what you know will be crucial since our communities are in an isolated state, but I hope to see more people connecting in person because of our changing communication tides.

Emily Austin, Censys Research:

I'll start with what is perhaps the most mundane of my predictions. I think back office software will continue to be a popular target for financially-motivated threat actors in 2024. This was the year of file transfer tool hacks, and while I think we'll continue to see fallout and disclosures from these hacks into 2024, I won't be surprised to see other B2B software come into threat actors' sights. Many of these systems are improperly exposed to the Internet, providing a relatively simple initial access vector.

Over the last few years, we've seen geopolitical and hacking events become increasingly intertwined on the global stage, and I think we'll see that continue in 2024. Nation states may be interested in cyber capabilities to gain intelligence or disrupt adversary infrastructure, but I think we'll also continue to see activity from ideologically-motivated hacktivist groups. Volt Typhoon, the IT Army of Ukraine, and the recent attacks on Israeli-manufactured water PLCs are just a few examples that come to mind.

Finally, I'm interested in the effects of AI on misinformation and disinformation campaigns. I'm not convinced AI will make a tremendous difference in the effectiveness of such propaganda, because it's arguably already been quite effective. Rather, I think the availability of powerful AI-driven tools will facilitate actors' ability to generate deceptive content faster, and at a much broader scale.

The TL;DR of my predictions is: a lot more of the same, but turn it up to 11.

Glenn Thorpe, GreyNoise Labs:

In 2024, we will see a continuation of the key cybersecurity trends we observed in 2023. The ongoing kinetic and cyber wars, highly disruptive ransomware campaigns, increased legal scrutiny of the CISO role, and the rapid mainstream adoption of artificial intelligence will all persist.

However, there will be one major difference in 2024 – an exponential increase in the use of AI across the board. Both attackers and defenders will race to weaponize AI, ushering in a new era of sophisticated threats and defenses powered by machine learning.

Wartime cyber operations are unlikely to cease even if kinetic conflicts end, as state and non-state actors have heavily invested in offensive capabilities. They will have a chest full of perishable vulnerabilities ripe for exploitation in the aftermath. While peace treaties may be signed, cyber peace will lag behind.

Ransomware will also continue unabated until the infrastructures supporting it disappear. Cybercriminals will keep using tried-and-tested social engineering tactics as long as organizations and individuals remain vulnerable. Tighter cyber insurance policies will raise the stakes further.

And for those already fatigued by the AI hype cycle in 2023 – brace yourselves. 2024 will see AI go (even more) mainstream as organizations feel extreme pressure to deploy the latest models; in both their own services and in delivering their services. CISOs will undertake a delicate balancing act, racing to enable AI innovation while ensuring robust protections are built-in by design. AI security emerges as a top priority, much like mobile security during the BYOD era.

The stage is set for an eventful year ahead. As AI transforms both offense and defense, the cat-and-mouse game will intensify. But with careful planning and responsible AI adoption, cyber defenders can gain an edge over attackers in 2024.

As my hot take: we’re going to be hearing a LOT more about how cyberattacks physically affect quality of life; including loss of life.

Bob Rudis, GreyNoise Labs:

AI Gone Wild

We've all seen how AI can be a force for good, but in 2024, we're going to see it go further rogue than it has already gone in 2023. Cybercriminals are going to level up their efforts at using AI to launch attacks that are so sophisticated, they'll make the Death Star look like a kid's toy. We're talking deepfakes that are indistinguishable from reality, and spear phishing attacks that could fool even the most vigilant among us. It's going to be like Skynet, but instead of killer robots, we'll have killer emails and deepfakes.

As a slide into the next prediction, we'll also see actors on all sides (internally and abroad) use AI to try to influence the 2024 U.S. POTUS election.

Election Espionage Extravaganza

With the POTUS election coming up, we're going to see nation-state cyber activity go through the roof. But instead of the usual attacks and ransomware, they will focus on espionage and information theft. Think James Bond, but with more keyboards and fewer martinis. The election will be a prime target, with everything from disinformation campaigns to direct attacks on election infrastructure. Unfortunately, this will be all-too-easy thanks to the level of sophistication in even the most banal attacker toolkits today. It's going to be a wild ride.

The Year of the Tattletale

In 2024, organizations will be forced to spill the beans about their cyber breaches. This will be driven by regulatory changes, a spate of at least three-to-five punishing breaches at well-recognized organizations (one of which will impact a major financial services firm and cause major market distress for days), and the realization that transparency is key to maintaining trust and stability. So, get ready for a year of juicy cyber gossip as companies are forced to air their dirty laundry in public.

--

Be sure to tune into Storm Watch every Tuesday to stay up to date on all breaking cyber news and expert insights into emerging threats.

Getting A Leg Up On Initial Access Ransomware With CISA KEV and GreyNoise Tags

The Cybersecurity and Infrastructure Security Agency (CISA) has added a field to its Known Exploited Vulnerabilities (KEV) catalog that denotes whether a KEV CVE has been used in ransomware attacks. Over two hundred KEV CVEs fall into this category, 75 of which (~35%) have corresponding GreyNoise tags. GreyNoise's planetary fleet of sensors is designed to catch remote initial access attacks, and most ransomware exploits in KEV fall outside this category.

The addition of this ransomware designation has proven to be valuable for defenders. It provides a critical data point that may help them gain traction for interrupting normal operations so that teams can focus on patching and applying mitigations to prevent a potentially devastating incident from occurring.

As the chart below shows, GreyNoise meets or beats KEV when it comes to having detections and actionable intelligence available after a CVE has been published. Since many ransomware gangs hide their activities in the same compromised devices that GreyNoise tracks daily, this gives organizations that use GreyNoise IP intelligence block lists a significant advantage over those that do not. You can effectively negate the onslaught of the majority of opportunistic ransomware attacks and campaigns of initial access brokers by using the hourly updated telemetry provided by the GreyNoise platform.
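As an added example of what the ransomware designation enables (constructed data, not GreyNoise's own code and not real KEV records): the records below mirror the shape of the CISA KEV JSON feed, whose `knownRansomwareCampaignUse` field carries the "Known"/"Unknown" flag, and a hypothetical detection inventory stands in for a tag catalog. The functions filter the ransomware-flagged entries, measure how often a detection existed on or before CISA's `dateAdded`, and produce a patch queue that puts ransomware-used CVEs with no compensating detection first.

```python
"""Ranking KEV entries by ransomware use and detection coverage (added example)."""
from datetime import date, datetime

# Constructed records in the shape of the CISA KEV JSON feed. The field
# 'knownRansomwareCampaignUse' ("Known"/"Unknown") is the designation discussed
# above. CVE ids, products and dates here are invented, not real KEV data.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2000-0001", "vendorProject": "ExampleCo", "product": "FileMover",
         "dateAdded": "2023-06-02", "dueDate": "2023-06-23",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2000-0002", "vendorProject": "ExampleCo", "product": "Gateway",
         "dateAdded": "2023-10-18", "dueDate": "2023-11-08",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2000-0003", "vendorProject": "ExampleCo", "product": "PrintSvc",
         "dateAdded": "2023-04-21", "dueDate": "2023-05-12",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2000-0004", "vendorProject": "ExampleCo", "product": "EdgeRouter",
         "dateAdded": "2023-08-01", "dueDate": "2023-08-22",
         "knownRansomwareCampaignUse": "Known"},
    ]
}

# Hypothetical detection inventory (an organisation's tag/signature table):
# CVE -> date the detection went live.
DETECTIONS = {
    "CVE-2000-0001": date(2023, 5, 31),   # live before the KEV listing
    "CVE-2000-0002": date(2023, 10, 20),  # live two days after the listing
    "CVE-2000-0003": date(2023, 4, 19),
}


def _day(s: str) -> date:
    return datetime.strptime(s, "%Y-%m-%d").date()


def ransomware_entries(kev: dict) -> list:
    """KEV entries CISA has flagged as used in ransomware campaigns."""
    return [v for v in kev["vulnerabilities"]
            if v.get("knownRansomwareCampaignUse") == "Known"]


def coverage(kev: dict, detections: dict) -> dict:
    """Cross-reference ransomware-flagged entries with the detection inventory.
    lead_days > 0 means the detection existed before CISA listed the CVE."""
    rows = []
    for v in ransomware_entries(kev):
        live = detections.get(v["cveID"])
        rows.append({
            "cve": v["cveID"],
            "due": v["dueDate"],
            "detected": live is not None,
            "lead_days": (_day(v["dateAdded"]) - live).days if live else None,
        })
    detected = [r for r in rows if r["detected"]]
    return {
        "ransomware_total": len(rows),
        "detected": len(detected),
        "detected_pct": round(100 * len(detected) / len(rows)) if rows else 0,
        # detected entries whose detection met or beat KEV's dateAdded
        "met_or_beat_kev": sum(1 for r in detected if r["lead_days"] >= 0),
        "rows": rows,
    }


def remediation_order(kev: dict, detections: dict) -> list:
    """Patch queue: ransomware-flagged CVEs with no compensating detection
    first, then by earliest CISA due date."""
    rows = coverage(kev, detections)["rows"]
    return [r["cve"] for r in sorted(rows, key=lambda r: (r["detected"], _day(r["due"])))]
```

Feeding the real feed in place of `KEV_SAMPLE` is a one-line `json.load`; the point of the ordering in `remediation_order` is that a CVE you cannot yet detect being exploited is the one where patching is your only control.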

Extending Your Lead

To stay even further ahead of our combined adversaries, GreyNoise account holders can join in the fight by sifting through the novel daily clusters of malicious events that assault our fleet every minute of each day.

We’ve talked about Sift before, and the GreyNoise Labs and Design teams recently enhanced the user experience, streamlining the user interface and integrating more tools to make it easier to spot potentially new and malicious traffic.

Know. More. Noise

Not a GreyNoise customer — yet? See how much time GreyNoise may be able to save your organization, and how many hours your defenders can save with our ROI calculator.

Sign up and take our platform for a free enterprise trial to see all the features and data available.

Unveiling the Deceptive World: Honeypots vs Honeytokens

At GreyNoise, when we talk about honeypots, we sometimes get questions about honeytokens and how they differ. This may come from some of the great contributors to this space, making things like honeytokens widely available to experiment with (yay!). Setting up and deploying realistic and diversified honeypots is trickier, but there are still great contributors in closed and open-source projects.

Despite their similar purpose of early threat detection, honeypots and honeytokens differ vastly in deployment, interaction, and scope. Let's delve into the aspects that contribute to the confusion and clarify the distinctive features of each.

The Origin: First Generation Honeypots & Honeytokens

The concept of a honeypot as a security tool emerged in the early 1990s. Initially, honeypots were used mainly for detecting attackers in networks. The first honeypots were simple to fingerprint as they were fundamentally traps that were easy for experienced hackers to recognize and avoid.

In 1998, Fred Cohen, a renowned computer scientist credited with introducing the term "computer virus," developed and released the Deception Toolkit. This was a basic honeypot tool designed to mimic vulnerabilities, giving the appearance of a vulnerable system.

The term "honeytoken" originated on a mailing list in 2003 and is credited to Augusto Paes de Barros. In a discussion with Lance Spitzner, founder of the Honeynet Project, Paes de Barros raised the possibility of extending detection to artifacts such as accounts, documents, and other information.

 

Now let’s take a look at a little more about each individually.

Exploring the Facets of Honeypots:

1. Definition and Purpose:

What is a Honeypot? A honeypot is a security tool designed to mimic vulnerable systems with the intent to attract attackers. The goal is to analyze attacker activities and methodologies, which can include things like identifying if critical vulnerabilities are currently being exploited in the wild.

2. Deployment and Interaction:

Emulation and Monitoring: Honeypots are deployed as bogus systems or networks, luring attackers into a controlled environment where their actions are monitored, providing deep insights into their strategies and tactics.

3. Scope:

Network-Centric: Honeypots, focusing predominantly on network or system levels, adeptly detect diverse attacks, including unauthorized access and exploitation.

Deciphering the Role of Honeytokens:

1. Definition and Purpose:

What is a Honeytoken? A honeytoken is a decoy entity seamlessly blended into a system or its data. Any interaction with a honeytoken is a clear indication of unauthorized access, promptly alerting organizations to a potential breach. It can range from phony credentials to deceptive database entries, and the various forms of honeytoken help fortify systems against unauthorized infiltration.

2. Deployment and Interaction:

Seamless Integration and Alert: Honeytokens, embedded within data or systems, act as silent sentinels, triggering alerts upon unauthorized access, without any interaction with the attacker.

3. Scope:

Data-Centric: Positioned at the data or information level, honeytokens adeptly detect illicit data access and insider threats.
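To make the “silent sentinel” idea concrete, here is an added example (not a GreyNoise tool and not any existing project's code) of a small honeytoken registry: it mints decoy API keys and service-account names in hypothetical formats, records where each decoy was planted, and raises an alert when any of them turns up in constructed log lines. The registry stores only hashes of the decoys, so a copy of the registry does not itself leak them.

```python
"""Minting honeytokens and alerting on any use (added example)."""
import hashlib
import re
import secrets

# Hypothetical decoy formats. A real deployment mimics whatever secrets the
# environment actually uses, so the decoys are not obviously fake.
TOKEN_PATTERNS = {
    "api_key": re.compile(r"hk_[0-9a-f]{32}"),
    "service_account": re.compile(r"svc-[0-9a-f]{8}"),
}


class HoneytokenRegistry:
    """Mints decoys, remembers where they were planted, and flags any sighting."""

    def __init__(self):
        # Keyed by SHA-256 of the token value, so a copied registry does not
        # hand out the decoys themselves.
        self._planted = {}

    @staticmethod
    def _fingerprint(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def mint(self, kind: str, location: str) -> str:
        """Create a decoy of the given kind and record where it will be planted."""
        if kind == "api_key":
            value = "hk_" + secrets.token_hex(16)
        elif kind == "service_account":
            value = "svc-" + secrets.token_hex(4)
        else:
            raise ValueError(f"unknown honeytoken kind: {kind}")
        self._planted[self._fingerprint(value)] = {"kind": kind, "location": location}
        return value

    def check(self, line: str) -> list:
        """Alerts for every planted token that appears in one log line.
        Any use is a true positive: nothing legitimate should touch a decoy."""
        alerts = []
        for kind, pattern in TOKEN_PATTERNS.items():
            for candidate in pattern.findall(line):
                meta = self._planted.get(self._fingerprint(candidate))
                if meta and meta["kind"] == kind:
                    alerts.append({"kind": kind, "planted_at": meta["location"], "log": line})
        return alerts

    def sweep(self, lines) -> list:
        """Run check() over a batch of log lines."""
        return [a for line in lines for a in self.check(line)]


def demo() -> list:
    """Plant two decoys and sweep constructed log lines; returns the alerts."""
    reg = HoneytokenRegistry()
    key = reg.mint("api_key", "s3://backups/README.txt")        # decoy left in a document
    user = reg.mint("service_account", "wiki:/ops/legacy-db")   # decoy left on a wiki page
    logs = [  # constructed; the second line carries a real-looking but unplanted key
        f"2024-01-09T10:01:02Z api auth=ok key={key} src=10.0.0.9 path=/v1/export",
        "2024-01-09T10:01:03Z api auth=ok key=hk_" + "0" * 32 + " src=10.0.0.10 path=/v1/health",
        f"2024-01-09T10:02:11Z sshd Accepted password for {user} from 203.0.113.7",
        "2024-01-09T10:02:12Z sshd Accepted password for deploy from 10.0.0.12",
    ]
    return reg.sweep(logs)
```

Each alert carries the planting location, which is the useful part: it tells the responder which document, wiki page or database was read, not just that something was read.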

Honeypots vs Honeytokens: A Comparative Glance:

Diverse in Deployment and Interaction:

While honeypots provide a more robust surface for attackers to interface with, thus providing extensive insights into attacker strategies, honeytokens silently monitor and alert organizations to unauthorized data interactions.

Varied in Scope:

Honeypots primarily emphasize network or system-level security, whereas honeytokens accentuate data-level protection, guarding against unauthorized access and breaches.

In Conclusion: The Convergence of Complementary Techniques:

In the mosaic of cybersecurity, honeypots and honeytokens emerge as complementary, not competing, technologies. Honeypots, with their interactive and comprehensive insight into attacker behavior, coupled with the silent and alert-focused honeytokens, create a robust, multi-layered defense strategy. Organizations leveraging both are poised to significantly enhance their cybersecurity posture, staying ahead in the perpetual battle against cyber adversaries.

The intertwined utilization of honeypots and honeytokens reflects the evolving dynamism and complexity of cybersecurity, reinforcing the need for diverse, innovative, and integrated defense strategies to navigate the challenging cyber terrain effectively.

Want to learn more? Sign up for a free GreyNoise account to explore real data captured across our extensive network of honeypots.

MSSPs' Playbook for Success: Balancing Automation and Human Expertise

When it comes to threat intelligence and security operations automation, managed security service providers (MSSPs) face some pretty unique challenges. In our recent webinar, we had the pleasure of hosting two MSSP leaders, Alan Jones and Corey Bussard, who shared their own automation journey. They talked about the hurdles they encountered at the beginning, the value automation brought to the table, and how it has impacted the human element of cybersecurity. Let's dive right in.

The Problem: Alert Overload

One of the biggest challenges is the overwhelming number of alerts generated by various security tools. A significant portion of this alert noise originates from inadequate or improperly tuned threat intelligence feeds. Instead of offering valuable context, many threat intel feeds end up exacerbating false positives and increasing the workload for analysts. Because MSSPs manage a large number of clients, this challenge is amplified compared to your average company.

The Solution: Trusted Threat Intel + Automation + Human Expertise

In order to overcome the overwhelming amount of noise, these MSSPs recognized the need for improved threat intelligence sources to validate alerts, as well as workflow automation. By validating threat intelligence from trusted providers like GreyNoise, they were able to effectively reduce false positives by swiftly eliminating non-malicious alerts. The implementation of automation for these repetitive analyst tasks and interactions with security tools resulted in a significant boost in overall efficiency.

Key Learnings:

  • Leverage threat intel to validate alerts, not just enrich them. Focus on reducing noise instead of increasing it.
  • Streamline repetitive workflows and tool interactions through automation. This will free up your skilled analysts for non-routine incidents.
  • While cost savings are important, they are not the sole measure of success. It's equally important to assess improvements in mean time to resolution (MTTR), capacity gains, and analyst churn.

By combining automation with high-fidelity threat intelligence, these MSSPs were able to streamline their operations and empower their analysts to focus on the most critical threats.

A big thank you goes out to Alan and Corey for graciously sharing their automation journey. They did an exceptional job of explaining the immense value of automation, as well as underscoring the crucial role that the human element plays in their success. We highly encourage you to watch the full webinar on-demand and gain valuable insights from these industry leaders.


Top 3 Benefits MSSPs & MDRs Receive With GreyNoise

“If we had budget cuts we’d turn off someone else in favor of GreyNoise. We could not get the same answers in the same time elsewhere.”

– Director of Cyber Operations at 5,001-10,000 employee company

Many traditional threat intelligence solutions used by MSSPs can have the unintended consequence of creating more noise for your security operations center (SOC) – GreyNoise changes that. We collect and analyze internet-wide scan and attack traffic, and label noisy IPs and network activity (whether it's common business services or scanners crawling/exploiting the internet) to help SOC teams spend less time on irrelevant or harmless activity, and more time on targeted and emerging threats.

GreyNoise integrates seamlessly into over 50 different security tools, eliminating the need for security professionals to adapt to new dashboards, switch between multiple platforms, or navigate additional graphical user interfaces. This enables MSSPs to materially improve their security operations and workflows, often saving them hours of analyst time per week and upwards of 25% on costs.

In our last post, we introduced three critical ways MSSP and MDR customers benefit from GreyNoise: 1) reduce costs, 2) improve scalability, and 3) beat the adversary.

In this post, we will take a deeper look at exactly HOW existing GreyNoise MSSP customers are realizing these benefits.

1. Reduce Costs

As threat landscapes evolve, so does the cost of staying ahead. More security alerts often result in a need for more headcount, and when MSSPs are already operating on narrow margins – this becomes quite the challenge.  

Over at Ideal Integrations, a well-known regional MSSP, they faced two costly challenges:

  1. An expensive alert problem: The sheer volume of security alerts their teams were ingesting was overwhelming, compounded by a high rate of false positives – all of which was costing them time, money, and quality of service.
  2. Difficulty in IP investigations: Understanding an IP address and its relation to broader threat patterns is crucial – and their existing tooling was not providing this level of trusted, reliable context fast enough, causing an inefficient analyst workflow and a drain on resources.

By integrating GreyNoise into Swimlane, their Security Orchestration, Automation & Response platform (SOAR), the Ideal Integrations team was now able to take each alert, ask GreyNoise (via API) for a temperature check on that IP Address, and immediately enrich it with GreyNoise-provided context – enabling a trusted, reliable verdict quickly. With the decision and reasoning directly available in their alert systems, the analysts no longer needed to bounce between different platforms to collate results, streamlining the incident response process. 

“We used to take around 15 - 45 minutes to investigate each event to find out if the intelligence was accurate, and finally make a determination as to a verdict. That is time we now save with GreyNoise, per event, and it adds up very quickly to help justify any expense. It allowed us to pivot our efforts to higher level tasks, and saved us from having to hire exponentially more analysts just to keep up with the inbound events.” 
— VP of Security Services, Ideal Integrations

2. Improve Scalability

In today's market, scaling is not enough. For MSSPs in particular, it is all about scaling sustainably – growing your customer base without increasing your costs.

Hurricane Labs, a leading Splunk MSSP shop, had brought together a team of Splunk ninjas who were second-to-none in managing the Enterprise Security and Phantom deployments on behalf of their customers. However, as they added more detections and new customers, they naturally saw their alert volumes grow.

To enrich and filter out noisy alerts in both Splunk and Phantom, Hurricane Labs installed the GreyNoise integration into their customers’ Splunk environments and added it to the workflows for various detections. The logic was straightforward: if something in the search results matched GreyNoise, exclude. 
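The “if it matches, exclude” logic from both customer stories above, as an added example rather than the Swimlane or Splunk integration itself: the lookup is stubbed with constructed data whose keys follow the field names of the GreyNoise Community API response (`noise`, `riot`, `classification`, `name`), so it runs offline. It also carries the two refinements a practitioner wants: RFC 1918 and loopback addresses are never sent out for lookup, and a known-malicious mass-exploitation source is blocked rather than merely dropped, while anything never seen scanning the internet is what reaches an analyst.

```python
"""Alert triage driven by a GreyNoise-style IP lookup (added example)."""
import ipaddress

# Constructed stand-in for the API. Keys mirror the field names of the
# GreyNoise Community API response; the values are invented, and the
# addresses come from the RFC 5737 documentation ranges.
FAKE_LOOKUP = {
    "198.51.100.4": {"noise": True, "riot": False, "classification": "malicious", "name": "unknown"},
    "198.51.100.9": {"noise": True, "riot": False, "classification": "benign", "name": "Example Research Scanner"},
    "203.0.113.1":  {"noise": False, "riot": True, "classification": "benign", "name": "Example CDN"},
}
UNSEEN = {"noise": False, "riot": False, "classification": "unknown", "name": "unknown"}

# Address space that must never leave the SOC in an enrichment query.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def lookup(ip: str) -> dict:
    """Stub for the API call (constructed data, no network access)."""
    return FAKE_LOOKUP.get(ip, UNSEEN)


def verdict(ip: str, gn: dict):
    """Map an IP's intel record to (action, reason)."""
    if gn["riot"]:
        return "suppress", f"common business service: {gn['name']}"
    if gn["noise"] and gn["classification"] == "benign":
        return "suppress", f"benign internet-wide scanner: {gn['name']}"
    if gn["noise"] and gn["classification"] == "malicious":
        # Opportunistic mass exploitation: block at the edge, low analyst cost.
        return "block", "mass-exploitation source seen across the sensor fleet"
    # Not observed scanning the internet at large: this one deserves a human.
    return "investigate", "no internet-wide activity observed; potentially targeted"


def triage(alerts) -> list:
    """Annotate each alert with an action and the reasoning behind it."""
    out = []
    for alert in alerts:
        ip = alert["src_ip"]
        if is_internal(ip):
            action, reason = "investigate", "internal source; not looked up externally"
        else:
            action, reason = verdict(ip, lookup(ip))
        out.append({**alert, "action": action, "reason": reason})
    return out


def summary(results) -> dict:
    """How much of the queue the enrichment took off the analysts' plates."""
    counts = {}
    for r in results:
        counts[r["action"]] = counts.get(r["action"], 0) + 1
    return counts


SAMPLE_ALERTS = [  # constructed
    {"id": 1, "src_ip": "198.51.100.4", "rule": "SSH brute force"},
    {"id": 2, "src_ip": "198.51.100.9", "rule": "Port scan"},
    {"id": 3, "src_ip": "203.0.113.1",  "rule": "Unusual outbound TLS"},
    {"id": 4, "src_ip": "203.0.113.77", "rule": "Web shell upload attempt"},
    {"id": 5, "src_ip": "10.0.0.5",     "rule": "SMB lateral movement"},
]
```

Keeping the reason string on the alert is what lets the analyst trust the suppression later, and it is the same context the Ideal Integrations team describes wanting inside their alert system instead of in a separate console.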

For a normal enterprise business, the SOC manager has a couple of choices to handle alerts: he or she can hire a person, or spend money on a product that improves alert quality. But for an MSSP, the margins are often paper thin – and that’s where GreyNoise is even more valuable.

“Any single analyst can handle, say, 20 alerts per day. But a product like GreyNoise can triage alerts for every one of our customers. So as we add more customers, GreyNoise scales in a way a person can’t.”
— Director of Managed Services, Hurricane Labs

3. Beat the Adversary

The adversary is evolving its tactics and techniques faster than ever, making it critical for MSSPs and MDRs to have sufficient tooling and insights to stay ahead. One part of this equation is the need for explainability and context paired with threat intelligence, and the other is visibility into emerging vulnerabilities and associated attack vectors – especially with “vulnerability exploit” now cited as a top attack vector (Verizon DBIR).

MSSPs like Layer 3 Communications and Ideal Integrations leverage GreyNoise data to help them prioritize threats and vulnerabilities based on the absence or presence of “in the wild” exploitation. During the height of vulnerability events, GreyNoise also proves critical in providing customers with the “most comprehensive set of intelligence” through high-fidelity blocklists. Organizations can prevent noisy scanners from hitting their perimeter from the onset, effectively shutting them out and giving themselves time to patch when there is an emerging exploit. This allows GreyNoise MSSP and MDR customers to tighten the window of opportunity for attackers and ultimately improve the overall security posture of their end clients.

Conclusion

With a unique suite of tools and insights, GreyNoise is truly an opportunity for every MSSP and MDR to transform their offerings with a threat intelligence solution that pays for itself.


That is why we are excited to invite you to our upcoming webinar, "Alerts, Automation, & Analysts: How MSSPs Can Leverage Automation to Reduce Alerts & Maximize their Analysts." This webinar will feature an expert panel of MSSP & MDR leaders from real GreyNoise customers, providing valuable insights and strategies. 

Don't miss out on this opportunity to learn from industry experts in real time, and see how GreyNoise is shaping the future of sustainable, scalable, and innovative cybersecurity service delivery.
