Yesterday, GreyNoise reached a fun and significant milestone after publishing our 1,337th tag. 1337 is a cherished number in hacker culture, as it is a numerical shorthand for "leet", which itself stands for "elite". This term has deep roots, going all the way back to the '80s when one had to make modems scream to access bulletin board systems (now, we humans are the ones screaming whenever we go online to see what fresh hades awaits us each day).
What makes this milestone even more significant is how it was achieved.
The chart below shows the cumulative sum of tag counts by year. While there was a modest improvement in intra-year tag creation from 2022 to 2023, we're just into the first few weeks of Q2 in 2024 and are almost at the total tag count for 2023.
We will almost certainly blow past 2023's tag count well before the end of Q2, and this has all been made possible by our focused and practical use of AI. This system helps our incredible detection engineers quickly triage the millions of events our sensor fleet absorbs every day. With it, they discover and tag novel payloads to help inform and protect our customers, community, and the internet as a whole. The application that fuels this work is called Sift, and we've waxed poetic about it quite a bit over the past few months.
This boost to the tag inventory has also meant an increase in CVE coverage.
(Since it most likely drew your attention, the jumps in 2022 were due to numerous factors, including the increase in Russian hostilities towards Ukraine.)
60% of 2024 tags are based on CVEs, and — along with plenty of "modern" vulnerabilities — Sift has helped us catch exploitation attempts of some very old CVEs, too:
I'm incredibly proud of our team of data scientists, security researchers, and detection engineers. Their leet expertise powers the detections that folks rely on every day, and we hope you'll join in our celebration of achieving this epic milestone!
To learn more about GreyNoise tags and how they differ from "traditional" detections, check out our Tags Webinar Series.
While we may not know when the agentic SOC will arrive, we do know it will need timely and accurate intelligence to make good decisions. To provide that intel, we’re making the GreyNoise MCP Server available today, enabling easy integration of GreyNoise intel by Model Context Protocol (MCP)-compatible AI agents.
When an AI agent sees an IP address or CVE in a workflow, it can query GreyNoise in real time and learn whether that IP is:
a benign mass scanner (safe to deprioritize),
a known hostile source actively exploiting CVEs (requires escalation), or
completely absent from GreyNoise data (possibly targeted activity worth deeper investigation).
This grounding mitigates the risk of hallucinations and prevents agents from treating every alert equally, enabling more realistic, risk-based automation.
Practical Uses in the SOC
With GreyNoise data inside the reasoning loop, agents can handle several critical tasks more effectively:
Noise Reduction and Alert Triage: GreyNoise filters out the background chatter of benign scanners and research infrastructure.
Exploitation Awareness and Vulnerability Prioritization: When GreyNoise tags indicate active exploitation of a CVE, agents can prioritize remediation workflows accordingly.
Incident Response and Threat Hunting: By pivoting on ASN, domain, and behavioral tags, agents can connect what appear to be isolated alerts to larger coordinated activity and trigger or suggest containment actions (e.g., pushing firewall blocks, updating IPS rules) in a way that minimizes false positives.
Continuous Monitoring and Risk Awareness: Agents can watch GreyNoise observations in near real time, flagging when exploitation patterns overlap with an organization’s technology stack or internet-facing services.
Why GreyNoise Data Fits Agentic Workflows
SOC teams already use GreyNoise to separate background scanning from true threats. What changes with the MCP Server is that the same logic is now available directly to AI agents.
Real-Time Intel: Agents query GreyNoise live, ensuring their decisions reflect the latest activity rather than cached or stale data.
Behavioral Tags: Exploit attempts and reconnaissance behaviors are labeled, allowing agents to reason in higher-level terms than raw IPs and ports.
Analyst-Equivalent Context: GreyNoise fields—classification, CVE tags, first/last seen, ASN, sensor hit counts—mirror the attributes human analysts check when validating alerts.
This combination makes GreyNoise data especially well-suited to agentic SOC environments, where decisions need to be fast but also defensible.
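The three outcomes listed above (benign scanner, hostile source, absent from GreyNoise) and the analyst-equivalent fields (classification, CVE tags, last seen) translate into a small decision routine an agent could run. This is an added example, not GreyNoise's MCP server or client code: the lookup results are constructed, the response field names are assumed, and the CVE id is a placeholder.

```python
"""Added example (not GreyNoise's code): the three-way IP triage an agent
can make with GreyNoise context, run over constructed lookup results."""
from dataclasses import dataclass
from datetime import date

# Constructed stand-ins for live GreyNoise MCP lookups. The field names mirror
# the attributes the post lists (classification, CVE tags, first/last seen,
# ASN, sensor hit counts); the exact response shape is an assumption.
SAMPLE_LOOKUPS = {
    "198.51.100.10": {  # benign mass scanner
        "classification": "benign", "tags": ["Web Crawler"], "cves": [],
        "first_seen": "2023-01-04", "last_seen": "2025-05-01",
        "asn": "AS64500", "sensor_hits": 12000,
    },
    "203.0.113.7": {  # hostile source actively exploiting a CVE
        "classification": "malicious", "tags": ["F5 BIG-IP iControl RCE Attempt"],
        "cves": ["CVE-0000-0001"],  # placeholder id, not a real CVE
        "first_seen": "2025-04-28", "last_seen": "2025-05-01",
        "asn": "AS64501", "sensor_hits": 340,
    },
    "203.0.113.9": {  # last seen months ago: context too stale to act on
        "classification": "malicious", "tags": ["Generic Scanner"], "cves": [],
        "first_seen": "2024-01-02", "last_seen": "2024-02-10",
        "asn": "AS64502", "sensor_hits": 5,
    },
}


@dataclass(frozen=True)
class Triage:
    ip: str
    action: str    # "deprioritize" | "escalate" | "investigate"
    priority: int  # 1 (lowest) .. 4 (critical)
    reason: str


def lookup_ip(ip, source=SAMPLE_LOOKUPS):
    """Stand-in for the agent's live MCP query. None means 'absent from GreyNoise'."""
    return source.get(ip)


def triage_ip(ip, exposed_cves, today, source=SAMPLE_LOOKUPS, max_age_days=30):
    """Map a GreyNoise lookup onto the three outcomes described in the post."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rec = lookup_ip(ip, source)
    if rec is None:
        # Not mass-scanning noise: possibly targeted, worth a human look.
        return Triage(ip, "investigate", 3, "absent from GreyNoise; possibly targeted activity")
    if rec["classification"] == "benign":
        return Triage(ip, "deprioritize", 1,
                      "benign mass scanner (%s)" % ", ".join(rec["tags"]))
    age_days = (today - date.fromisoformat(rec["last_seen"])).days
    if age_days > max_age_days:
        # Old context is exactly the stale data the post warns against.
        return Triage(ip, "investigate", 2,
                      "last seen %d days ago; re-query before acting" % age_days)
    if rec["classification"] != "malicious":
        return Triage(ip, "investigate", 2, "seen by sensors but unclassified")
    overlap = sorted(set(rec["cves"]) & set(exposed_cves))
    if overlap:
        # Exploitation overlapping your own exposed stack is the critical case.
        return Triage(ip, "escalate", 4,
                      "actively exploiting %s, present in your exposed stack" % ", ".join(overlap))
    return Triage(ip, "escalate", 3, "known hostile source active in the last %d days" % age_days)


def triage_alerts(ips, exposed_cves, today, source=SAMPLE_LOOKUPS):
    """Triage a batch of alert IPs and return them most urgent first."""
    results = [triage_ip(ip, exposed_cves, today, source) for ip in ips]
    return sorted(results, key=lambda t: -t.priority)


if __name__ == "__main__":
    queue = ["198.51.100.10", "203.0.113.7", "203.0.113.9", "192.0.2.1"]
    for t in triage_alerts(queue, ["CVE-0000-0001"], "2025-05-02"):
        print(f"{t.priority} {t.action:<13} {t.ip:<15} {t.reason}")
```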
Lighten the Work of Creating Intel Reports
Let’s say your manager wants an intelligence report, perhaps regarding an external threat, a set of IP addresses, or a vulnerability. For example, I may need to create a report based on a CVE, so I open Claude with the GreyNoise MCP server installed and enter the prompt:
Notice how Claude is making several calls to the GreyNoise MCP server as well as other sources so that it can combine these sources into a report.
Because of the GreyNoise MCP, the report includes details about IP address counts and recent surges in activity. Adding more to the prompt, such as “Tell me about the source geography of the attacks”, causes Claude to generate a much more detailed report. With minimal effort, you can write a prompt that creates just the report that you need. You can even ask for vendor risk reports and threat hunting plans. It’s a great way to reliably use AI to lighten your workload.
Final Thoughts
Agentic SOCs are still an emerging concept, but the risks can be mitigated and the value better realized if AI agents make decisions grounded in trustworthy data. The GreyNoise MCP Server provides a way to embed that grounding directly into agentic workflows.
For security teams, this doesn’t mean replacing analysts—it means giving agents access to the same noise-filtering and exploitation-awareness that practitioners already rely on, so that automation can act responsibly at scale.
Indeed, analysts can make great use of the MCP just by interacting with an LLM application that supports MCP, such as Claude. Conduct research. Look into trends. Generate reports. It’s as easy as it is fun.
In today’s threat landscape, speed isn’t optional — it’s existential. As attacks get faster, so too must your defense.
Attackers increasingly leverage automation, AI, and vast, ephemeral infrastructure to launch mass exploitation campaigns that scan, breach, and pivot within minutes — sometimes before a CVE is even publicly disclosed. Defenders, meanwhile, are often stuck pulling data manually, querying APIs, or waiting for threat feeds to update.
That’s the speed gap that attackers exploit. Today, we're launching a series of new capabilities to help defenders close that gap. These new capabilities help security teams leverage real-time threat intel to detect, block, and respond faster than ever before.
The Speed Problem: Why Traditional Threat Intelligence Isn’t Fast Enough
The game has changed:
Automation is everywhere: Bots and AI-driven tools are running scans and exploitation campaigns at machine speed.
Volume is relentless: Millions of IP addresses rotate constantly in mass scanning campaigns.
Yet many defenders still operate in batch mode: querying APIs, pulling feeds manually, or reacting only after the damage is done. GreyNoise is flipping that script. We’re giving defenders real-time, automation-ready intelligence — designed to meet the speed, volume, and precision required by modern security teams.
What’s New from GreyNoise
1. Real-Time Dynamic Blocklists
Stop mass exploitation at the edge — before it gets in.
GreyNoise-verified malicious IPs involved in opportunistic reconnaissance and exploitation are delivered in real time, designed to be integrated directly into your perimeter defenses.
Updated dynamically, second by second
Tuned for high confidence and low false positives
Compatible with firewalls, WAFs, and other edge devices
Subscribe once, get live protection — no manual updates required
Use it to:
Auto-block mass scanners and exploit attempts within seconds of detection
Proactively protect exposed assets before CVEs are weaponized
Harden your perimeter against “spray and pray” campaigns
2. GreyNoise Feeds
Threat intelligence that comes to you — automatically.
Say goodbye to the delays caused by polling APIs. Our new push-based data delivery means GreyNoise intelligence is streamed directly to your systems via webhooks — the moment we detect something new.
Real-time threat indicators, no polling delay
Zero lag between detection and delivery
Seamless integration into existing platforms and workflows
In security, minutes (even seconds) matter. Push-based intelligence closes the speed gap between attack and defense.
3. SOAR Integrations for Response Automation
From detection to action — with zero manual steps.
GreyNoise now integrates natively with leading SOAR platforms, such as Splunk SOAR, Palo Alto Networks XSOAR, and IBM QRadar SOAR, to help teams turn intelligence into action, instantly and automatically.
Automate key workflows like:
Blocking malicious IPs without analyst intervention
Enriching IP data during incident investigations
Triggering alerts or playbooks when mass exploitation campaigns are detected
The result:
Faster containment
Consistent, repeatable response
More time for your analysts to focus on what matters
Why This Matters
These launches are part of GreyNoise’s commitment to empowering defenders with:
Speed: Intelligence and action in real time — because modern threats don’t wait.
Automation: Automate your security with reliable, real-time intelligence and reduced risk of false positives.
Integration: Delivered where you already work — firewalls, SOARs, SIEMs, and more.
Noise Reduction: High-confidence signals only — no alert fatigue, no chasing ghosts.
Who It’s For
These new capabilities are built for:
Security operations teams seeking to automate blocking rules in near real time with reliable and actionable intelligence about IP addresses exploiting exposed vulnerabilities. Real-Time Dynamic Blocklists and SOAR integrations enable this automation use case.
Incident responders who need to quickly understand the extent of an incident by narrowing in on the malicious network traffic that has exploited a vulnerability. Real-time updates through Feeds and SOAR integrations enable rapid responses.
Threat intel teams looking for real-time context on emerging discovery and exploitation attempts tied to high-priority risks, as well as intel that enables immediate investigations to discover damage caused before vulnerability disclosures. Subscribing to webhook feeds ensures that intel teams stay updated in real time.
Modern Attacks Move Fast. Your Defense Should Too.
GreyNoise is building the future of threat intelligence for defenders who don’t have time to wait.
All of my friends (and my bathroom scale, honestly) will tell you that I love tortillas. Not just any tortillas, however…they have to be homemade. I make sure we have homemade tortillas every week and keep them in the fridge. They are better than anything you can buy in a store, and they are simply amazing when they are hot off the comal. My kids know this; when they see the comal on the stove, they make a point of hanging around the kitchen to snag one (often a few!) while they are fresh because they understand that freshness is everything for tortillas.
It turns out the same is true for vulnerability intelligence!
In just the first 6 months of 2024, we’ve seen over 2,000 remotely exploitable, no-authentication-necessary CVEs published. These are the kinds of vulnerabilities that are exploited on the Internet - via APTs and criminals or botnets driving mass exploitation - every minute of every day. This is a huge amount to deal with, and what we’ve seen this year is that they are occurring more frequently on edge devices that don’t have many mitigating controls to protect them. When these things happen, it forces security teams to drop what they are doing and scramble for a fix.
There are many existing vulnerability prioritization solutions that can help by including information like “Known Exploits Available” or “In the Wild”. The issue is that these attributes quickly become stale. Technically, a snippet of proof-of-concept code is an available exploit, but it isn’t the same as a mass exploitation attack by a criminal organization. A hard-to-exploit race condition that requires a lot of time and effort might be “In the Wild”, but that doesn’t require the same urgency to fix as something an actor is actively exploiting today. In many ways, these attributes (in addition to CVSS Base Scores, Vendor bulletins, etc) are like stale tortillas - edible but ultimately unsatisfying.
At GreyNoise we believe that security teams deserve actionable information that is fresh enough to know what attackers are doing right now, so that they can respond with the speed and urgency required. Consequently, today we’re launching GreyNoise for Vulnerability Prioritization to give our customers exactly that.
Here’s how it works:
We run a global network of thousands of sensors that emulate the types of assets enterprises have exposed to the Internet: web servers, network gear, etc. We see when attackers and bots start probing them, and we collect the data as they are attacked in real-time. We compare this against known bad behaviors and known IPs; our ML models are even capable of alerting us to unknown but suspicious or malicious activities that are the hallmarks of novel exploits. This is all unique, primary data that we collect rather than simply aggregating from third-party sources. In other words, we make fresh tortillas from scratch rather than just reselling ones we bought from a supermarket.
As we collect this information, we make it immediately available via our Visualizer for ad-hoc usage and through our API for inclusion in your existing automation. We ensure that information is always fresh, so that you can get the most up-to-date intel for as long as you need until you fix the problem.
There are many good vulnerability prioritization tools out there, but we believe that only we can tell vulnerability teams which CVEs need attention now based on what attacks are actually happening today. Because Vuln Intel is based on all the same data that powers GreyNoise, you’ll also be able to share what you know seamlessly with your SOC analysts and threat hunters.
We think you’ll enjoy having fresh and actionable information with GreyNoise Vulnerability Prioritization. You can visit our website to learn more or schedule time to talk with us directly.
I know you’ll also love having fresh and delicious tortillas, so please enjoy this recipe. I look forward to hearing from you about both!
Flour Tortillas Recipe
Ingredients:
4 parts all-purpose flour
0.1 part salt
1 part lard (or shortening, but lard is the best)
2 parts water - hot water for thin and chewy tortillas, cold water for thick and fluffy
For example, I find 300gm (4 x 75gm) flour + 75gm lard (1 x 75gm) + 8gm salt (.1 x 75gm) mixed with 150gm (2 x 75gm) hot water makes 8 burrito-sized or 12 fajita-sized tortillas.
Instructions:
Place flour, salt, and lard in a bowl. Add in water; if using hot water, give it 30 seconds to melt the lard.
Knead for 1 minute - it should be tacky but not so sticky it won't easily come off your fingers; you can add a little flour if needed.
Let stand covered for 30 minutes.
Heat a cast iron griddle (a skillet works too) on med-high for 5 minutes (i.e. at the 25-minute mark).
Divide the dough into golf ball-sized portions.
Using a rolling pin, roll one into 6-9 inch diameter rounds.
Cook 30 seconds on one side - you'll see bubbles form on the top when it is time to flip. Now is a great time to roll the next round while it cooks.
Flip and cook for another 15-30 seconds; I like longer to get a few charred spots.
Stack on a plate and cover with a towel.
Eat them soon — they will be unbelievably good for 60 minutes, very good the rest of the day, and better than anything you can buy in the store for at least a week if you keep them in the fridge.
In today’s cyber landscape, blending robust security with effective design is not just beneficial—it’s essential. At GreyNoise, we integrate design principles from the very beginning of our development process, ensuring that every security measure is user-focused and seamlessly integrated. This approach doesn't just enhance the security of digital services; it also ensures that updates and innovative controls fit perfectly within existing systems.
Empowering Users with User-Centric Design
Our philosophy at GreyNoise centers around understanding and addressing your needs, challenges, and feedback. By prioritizing user-centric design, we ensure that each feature and update is not just powerful, but also relatable and engaging.
Putting You First: Your needs, challenges, and feedback are what drive us at GreyNoise. We believe that understanding your perspective is key to making our cybersecurity solutions not just powerful, but also relatable and engaging.
Anticipating Security Needs: We proactively incorporate mechanisms like security logging, monitoring, alerting, and response capabilities into our systems, preparing for potential security incidents before they occur [1].
Join Our Community on Slack: Your insights are invaluable. Engage with us on Slack to share your experiences and suggestions, playing a pivotal role in our product iteration process. Join our Community on Slack.
Simplicity and Accessibility: The Hallmarks of GreyNoise Design
Our commitment to simplicity and accessibility ensures that our tools are straightforward and can be used by everyone. Here’s how we achieve this:
Clutter-Free Interface: Simplicity is central to GreyNoise’s design ethos. Our interfaces are streamlined, focusing on delivering essential information efficiently to prevent overload and facilitate quick, informed decisions.
Focused Feature Set: We hone in on the most impactful features, ensuring our tools are straightforward and effective, making complex threat analysis accessible to all users.
Inclusive Design Philosophy: Upholding the principle that cybersecurity should be accessible to everyone, GreyNoise designs tools that cater to a wide range of abilities, embodying our inclusive design philosophy. Our commitment to accessibility is demonstrated through our Voluntary Product Accessibility Template (VPAT), which details how our products adhere to recognized accessibility standards. This transparency underscores our belief in making security tools accessible to everyone, affirming that effective security is a universal right.
Visual Engagement: Simplifying Complex Information
GreyNoise uses visual elements like infographics to break down complex information, making cybersecurity concepts more understandable and engaging, illustrating the practical benefits of our design-driven approach.
GreyNoise consistently demonstrates its commitment to enhancing user capabilities through various educational and interactive platforms. We offer comprehensive demos and case studies, which are pivotal for users looking to deepen their understanding of cybersecurity practices [2]. These resources are tailored to help both novice and advanced users by providing practical, real-world applications of GreyNoise's cybersecurity solutions.
Additionally, GreyNoise is proactive in addressing future cybersecurity concerns by hosting webinars, such as the recent discussion on the future of honeypots. These events aim to educate participants on strategies to combat targeted attacks, reflecting GreyNoise's dedication to keeping the cybersecurity community informed and prepared [3].
A Fusion of Cybersecurity and Design
At GreyNoise, we are redefining the synergy between security and design. Our dedication to user-centric, simple, and accessible design propels us to deliver tools that are not just powerful but also intuitive and inclusive. With GreyNoise, you are equipped with cybersecurity tools designed for the modern digital landscape, where effective security seamlessly integrates with exceptional user experience.
Key Innovations and Features
1. Explore and Investigate: Users can delve into detailed analyses of IP activities, enhancing their understanding and ability to react swiftly to potential threats [4].
2. IP Timeline and Details: Offers a comprehensive view of an IP's history and current status, allowing users to track and analyze behavior patterns over time [5].
3. Alerts and Blocklists: Enables proactive responses with customized alerting systems, ensuring users can respond to threats promptly [6].
At GreyNoise, we don’t just create tools; we build solutions that integrate effective security with exceptional user experience. Our commitment to user-centric, simple, and accessible design drives us to deliver products that not only protect but also empower our users.
Dive deeper into how our design-centric cybersecurity solutions can transform your security strategy. Interact with our tools, and join our community forum on Slack to share your insights and help shape the future of cybersecurity.
FAQs:
How does GreyNoise ensure its design is user-centric?
GreyNoise integrates user feedback throughout the design and development process, ensuring that our tools meet real user needs effectively and intuitively.
What are GreyNoise’s key design principles?
We focus on simplicity, user-centricity, and accessibility to ensure our cybersecurity tools are effective and easy to use for everyone.
How can I provide feedback on GreyNoise products?
Join our Slack community! It’s a vibrant space where you can provide direct feedback, suggest improvements, and influence our product development.
AI is so hot right now, and the cybersecurity space is no exception. Technology leaders are unveiling exciting new capabilities, vendors are making extravagant claims, and practitioners are working hard to understand how to separate the wheat from the chaff, leveraging AI where it can make the most difference to their operations and their organization’s risk.
Here at GreyNoise, we’ve been investigating where AI capabilities can have the biggest impact, and then working to deploy them internally, externally, and in partnership with other security vendors. In this blog we’ll discuss several GreyNoise AI projects and how they’re helping defenders identify and understand threats and secure their environment.
Sift: AI for Anomaly Discovery
Traditional automation is rule-based and rigid. “IF a packet matches this malware signature, THEN block it AND generate an alert”, etc. AI-based approaches are different. AI makes it possible to automate pattern recognition—and its inverse, anomaly discovery. With AI, defenders can rapidly process high volumes of data, and automatically identify the most suspicious observations for high-priority analysis and triage.
Sift is GreyNoise’s tool for solving this problem. It leverages multiple advanced AI techniques, including:
custom-built LLMs (Large Language Models)
nearest neighbor search and vector databases
unsupervised clustering
Sift runs daily, helping our research team process the data generated by our global sensor fleet to identify novel behavior, traffic, and attacks.
But Sift doesn’t stop there. The same techniques can be applied to the data generated by targeted subsets of our sensors, helping specific organizations generate intelligence insights and reports tailored to observations from their own networks. This AI application will bring the industry-leading research capabilities of GreyNoise into any organization’s internal security processes, reducing triage overhead, accelerating attack identification, and making life easier for defenders—and harder for attackers.
For more on how to bring the insights of Sift into your own organization, talk to our team.
Copilot: AI for Interpretation
The capabilities of AI aren’t limited to stochastic data analysis. Recent advances in transformer architectures and LLMs have cracked the natural language barrier, making it possible to generate well-formulated utterances at scale. This has opened up a new frontier of AI assistants. Microsoft Copilot for Security is leading the charge to bring these capabilities into the cybersecurity space, and GreyNoise is working together with Microsoft on this initiative. We’re a partner in the Microsoft Copilot for Security Partner Private Preview, and our plug-in means that both free and enterprise users can access GreyNoise insights from within their Copilot interface with natural language prompts.
The future of AI is hard to predict, and the evolution of the field has famously surprised both boosters and skeptics. Organizations looking to leverage these rapidly transforming capabilities will need to roll with the punches—and continue to partner with security vendors who can do the same. Here at GreyNoise we’re committed to doing just that. We’re excited to share how AI is already empowering our security—and we can’t wait to see what’s next.
In October 2023 — as part of the Ransomware Vulnerability Warning Pilot (RVWP) — CISA began tagging entries in their Known Exploited Vulnerabilities (KEV) catalog. This field designates whether exploits for a given vulnerability are known to be used in ransomware attacks. Ransomware has disrupted critical services, businesses, and communities worldwide, and many organizations are working diligently to get ahead of these attacks to prevent losses, disruptions, and exposures.
We’ve talked about this topic before, but today we dig a bit deeper into the topic with some specific guidance as to how your organization can fight the good fight against these foes by leveraging the power of GreyNoise tags.
GreyNoise Tags vs. Ransomware
As scores of organizations who use them know, GreyNoise tags are a signature-based detection method that categorizes internet noise into actionable intelligence. As of this writing, we’ve observed recent activity in 63 tags that CISA has identified as being used in association with ransomware attacks. The figure at the beginning of this post shows the frequency and volume of this opportunistic activity. One striking feature of this activity is the diversity of targeted platforms.
In the case of internet-facing attack campaigns, one might assume that vulnerabilities targeted by ransomware actors would lean towards remote access technologies. The chart, and our data that backs it up, shows that almost no technology category is safe from these types of attacks. Collaboration tools, such as Atlassian Confluence or JetBrains TeamCity; email platforms, such as Microsoft Exchange; software that powers application middleware services, such as JBoss and WebLogic; or even devices that are intended to help elevate safety and resilience, such as SonicWall, Ivanti, Citrix, and Fortinet, are all regularly targeted.
If you use any of these technologies, knowing when new activity is seen can be helpful in shoring up defenses and readying response activities. By leveraging GreyNoise platform features, such as our Alerts and block lists, security teams can, respectively, determine if more focus should be placed on monitoring key systems and preventing opportunistic harm. With the noise weeded out, response teams can focus their attention on similar activity that is likely to be more targeted, which may also mean by more capable adversaries. And, because we play incredibly well with a host of other security tools, teams can also save time, and use our intelligence within familiar environments.
The Long, Sporadic Tail Of Ransomware Tag Activity
Another striking feature of our ransomware tag activity chart is the diversity of activity. Cloud deployments top the list, with attackers looking to take advantage of misconfigurations that may arise in these highly dynamic environments. Broad and commonly deployed technologies are also regular targets, since these systems can also become victims of errant misconfigurations, especially when restored from unpatched backups.
However, as we move down the list, the frequency becomes far more sporadic, and many involve only single hosts vs. botnet armies. This can be due to attacker familiarity, or individual actors keying off results from well-timed Censys or Shodan searches that show newly exposed vulnerable configurations. If your organization uses any of these components, there truly is no rest from vigilance.
The Ransomware GNQL Listicle
To help defenders get a leg up on these attacks, the list below has links to each individual tag that’s known to be used in ransomware attacks. At each tag page, you can find the block list URL which you can use to immediately weed out the opportunistic noise. Wrap one or more of them inside a GNQL query, such as tags:"F5 BIG-IP iControl RCE Attempt", and you can set up an alert to notify you when new activity is seen, especially in generally dormant tags.
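The tag-wrapping GNQL query and the "new activity in a generally dormant tag" alert described above can be automated against per-tag daily hit counts. This is an added example, not GreyNoise tooling: the daily counts are constructed, the two non-F5 tag names are made up, and the OR grouping, implicit AND and last_seen filter are assumed to follow GNQL's Lucene-style syntax.

```python
"""Added example (not GreyNoise's code): build GNQL alert queries for
ransomware-associated tags and flag tags that were dormant and just woke up."""

# Constructed daily sensor-hit counts per tag, oldest day first, newest last.
# The F5 tag name is the one quoted in the post; the other two are made up.
SAMPLE_HISTORY = {
    "F5 BIG-IP iControl RCE Attempt": [0] * 14 + [3],   # dormant, now active
    "Example Noisy Scanner Tag": [40, 52, 38, 61, 44, 47, 39, 55, 50, 42, 48, 53, 41, 46, 49],
    "Example Quiet Tag": [1] + [0] * 14,                # still dormant today
}


def gnql_for_tags(tags, last_seen="1d"):
    """Return one GNQL query matching any of the tags seen within last_seen.

    tags:"..." is the clause shown in the post. Grouping clauses with OR in
    parentheses, an implicit AND between terms, and the last_seen:<window>
    filter are assumed to follow GNQL's Lucene-style syntax (assumption).
    """
    if not tags:
        raise ValueError("at least one tag is required")
    # Escape backslashes and double quotes so a tag name cannot break the clause.
    clauses = ['tags:"%s"' % t.replace("\\", "\\\\").replace('"', '\\"') for t in tags]
    body = clauses[0] if len(clauses) == 1 else "(" + " OR ".join(clauses) + ")"
    return "%s last_seen:%s" % (body, last_seen)


def newly_active_dormant_tags(history, window=14):
    """Tags with hits on the newest day after `window` days of zero activity."""
    woke = []
    for tag, counts in history.items():
        if len(counts) < window + 1:
            continue  # not enough history to call the tag dormant
        today, past = counts[-1], counts[-window - 1:-1]
        if today > 0 and max(past) == 0:
            woke.append((tag, today))
    return sorted(woke)


def alert_queries(history, window=14, last_seen="1d"):
    """One GNQL alert query per tag that has just come out of dormancy."""
    return {tag: gnql_for_tags([tag], last_seen)
            for tag, _ in newly_active_dormant_tags(history, window)}


if __name__ == "__main__":
    for tag, query in alert_queries(SAMPLE_HISTORY).items():
        print(f"{tag}: {query}")
    # A single combined query covering every tag in the watch list.
    print(gnql_for_tags(list(SAMPLE_HISTORY), "7d"))
```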
If you're curious as to just how GreyNoise researchers craft our tags we have a three-part webinar series that discusses the makeup of our tags, walks you through how we discover what needs to be tagged, and illustrates how AI is empowering the creation of new tags and detections:
Not a GreyNoise customer — yet? See how much time GreyNoise may be able to save your organization, and how many hours your defenders can save with our ROI calculator.
Sign up and take our platform for a free enterprise trial to see all the features and data available.
GreyNoise has recently released a new integration for Microsoft Sentinel, enhancing the capabilities of threat intelligence for business security. This integration provides security professionals with valuable insights into internet-wide scanning and reconnaissance activities. Tailored to offer a streamlined feed of threat indicators, it enables proactive threat identification and mitigation. Users can now leverage GreyNoise data within their threat-hunting queries and any analytics rules.
GreyNoise indicators in Microsoft Sentinel
One of the most exciting aspects of our new integration is the seamless combination of GreyNoise’s data with Sentinel’s threat-hunting capabilities. Analysts now have a unique, robust ability to utilize GreyNoise data when investigating potential malicious patterns and anomalies within their network events. The integration also allows filtering out known opportunistic traffic during threat hunting to identify more targeted and malicious activity better.
Modified threat-hunting queries to filter out indicators from GreyNoise
To further enhance detection capabilities, the new content pack also introduces a set of analytics rules designed to identify and mitigate potential threats. By incorporating these indicators into analytics rules, security teams can take a more proactive approach to identifying known malicious behavior. By taking this approach, detections are elevated, and organizations can stay ahead of malicious actors that are commonly looking for exposed, vulnerable devices and misconfigured applications.
In conclusion, integrating GreyNoise with Microsoft Sentinel offers a strategic advantage in navigating the cybersecurity landscape. By combining indicators from GreyNoise with analytics rules, hunting queries, and existing automation workflows, analysts now wield an indispensable toolkit to combat evolving threats proactively.
Explore the latest content pack available on the Azure marketplace to start ingesting GreyNoise indicators into Microsoft Sentinel's threat intelligence platform. You will need a current GreyNoise trial or Enterprise license to access the GNQL API endpoint for data ingestion. If you do not have access to either, contact us for more information and to get started.
The Cybersecurity and Infrastructure Security Agency (CISA) has added a field to their Known Exploited Vulnerabilities (KEV) catalog that denotes if a KEV CVE has been used in ransomware attacks. Over two hundred KEV CVEs fall into this category, 75 of which (~35%) have corresponding GreyNoise tags. GreyNoise's planetary fleet of sensors is designed to catch remote Initial Access attacks, and most ransomware exploits in KEV fall outside this category.
The addition of this ransomware designation has proven to be valuable for defenders. It provides a critical data point that may help them gain traction for interrupting normal operations so that teams can focus on patching and applying mitigations to prevent a potentially devastating incident from occurring.
As the chart below shows, GreyNoise meets or beats KEV when it comes to having detections and actionable intelligence available after a CVE has been published. Since many ransomware gangs hide their activities in the same compromised devices that GreyNoise tracks daily, this gives organizations that use GreyNoise IP intelligence block lists a significant advantage over those that do not. You can effectively negate the onslaught of the majority of opportunistic ransomware attacks and campaigns of initial access brokers by using the hourly updated telemetry provided by the GreyNoise platform.
Extending Your Lead
To stay even further ahead of our combined adversaries, GreyNoise account holders can join in the fight by sifting through the novel daily clusters of malicious events that assault our fleet every minute of each day.
We’ve talked about Sift before, and the GreyNoise Labs and Design teams recently enhanced the user experience, streamlining the user interface and integrating more tools to make it easier to spot potentially new and malicious traffic.
Know. More. Noise
Not a GreyNoise customer — yet? See how much time GreyNoise may be able to save your organization, and how many hours your defenders can save with our ROI calculator.
Sign up and take our platform for a free enterprise trial to see all the features and data available.
As we roll through the summer, GreyNoise is back from its July two-week shutdown with a bunch of fresh new improvements, including 63 new tags and a bunch of exciting new data insights for our customers to explore in our Labs API. We’ve also updated our integrations to add support for our IP Similarity and Timeline for our Palo Alto customers.
New: Explore C2 Data, HTTP activity, and more
topC2s
Access the top 10% of possible Command and Control (C2) IP addresses, ranked by their pervasiveness, observed by GreyNoise over the previous 24 hours. Use this query to identify second-stage IP addresses that might be involved in malicious activities following the reconnaissance and initial access stages.
topHTTPRequests
Access the top 1% of HTTP requests, ranked by their pervasiveness, observed by GreyNoise over the last seven days. Gain insights into the background radiation of the internet, exploring the patterns and trends of HTTP requests.
topPopularIPs
Access the top 1% of IPs searched in GreyNoise, ordered by the number of users observed searching over the last 7 days. Understand commonalities in how users search within GreyNoise, gaining insights into popular IPs and their associated activities. This query uses a minimum number of IP submissions and users to build consensus before an IP can be considered available in this dataset.
noiseRank
Access the top 1% of IPs by their noise score for the last 7 days. This score is determined by comparing the pervasiveness of the number of sensors and countries that observed packets from the IP, the request rate, and the diversity of payloads and ports for which the packets were observed. This query is intended to help rank the top noise makers compared to the quiet single-hit scanners.
Enhancement: Create an Alert for a Tag From the Tags Action Panel
We’ve added a “Create Alert” button in the Action panel on the Tag details page to make it easy to create an alert. GreyNoise users can use this to monitor scanning activity directly from the Tags page, informing them of any new IPs scanning for tags they are interested in.
Enhancement: Copy/Search Fields On IP Details
There is now a Copy/Search button in fields on the IP details page. The previous behavior did not allow users to copy the values in the fields.
You can access the Copy/Search buttons by hovering over fields such as Ports Scanned, Country, OS in the IP Details pages.
Enhancement: Analysis File Size Increased to 4MB
Previously, the Analysis Feature only accepted inputs up to 2MB. We've increased this to 4MB, so that customers can submit larger files without getting an error.
New and Updated Integrations
Palo Alto XSOAR (Demisto) Improvements: IP Similarity and IP Timeline Support
We updated our Palo Alto XSOAR support to include our IP Similarity and IP Timeline features, allowing users to easily find similar IP addresses, or review GreyNoise’s classification history on an IP.
To learn more about using the XSOAR Demisto enhancements for IP Similarity and Timeline, you can check out our documentation.
All GreyNoise users can monitor scanning activity we’ve seen for a tag by creating an alert informing them of any new IPs scanning for tags they are interested in.
Notable Security Research and Detection Engineering Blogs:
During our latest webinar Proactive Defense Made Easy: Leveraging GreyNoise in Your SOAR Playbooks, we discussed some everyday use cases for using GreyNoise with SOAR platforms. The main goals of using GreyNoise with a SOAR platform are to quickly identify opportunistic attacks, to get better insight into how infrastructure is being used, and to enrich alerts using RIOT data for IPs associated with common business services.
Using GreyNoise to identify opportunistic scanning provides context for decisions in a SOAR playbook: either investigate further or move more quickly to block IPs. Adding the checks to an investigation playbook provides data on scan activity and any vulnerabilities observed being exploited.
A Tines story that uses GreyNoise as the first step to decide additional investigations needed.
RIOT data also provides quick context for an investigation. Many services integrated into an investigation playbook will provide details when something is malicious but often don't provide details on known good services. Everyone wants the confidence to take action with their automation but may not have the insight needed. Additionally, no one wants to be wrong about this decision. RIOT adds this information to a playbook to assist with decision-making.
Phishing email in XSOAR identifying office 365 emails using RIOT data.
GreyNoise can be used in common SOAR use cases to provide better context to phishing playbooks and investigations and to give more confidence to block IPs. The power of GreyNoise, alongside other intelligence tools like Recorded Future, VirusTotal, Tines, and Splunk, is nothing short of astonishing (see our full list of integrations). I hope the insights shared during the webinar inspired you to explore these tools further and optimize your cybersecurity investigations. Sign in/up for GreyNoise to explore our data for free.
If you’ve ever seen a GreyNoise presentation by me, it’s more than likely that at some point I will pull up my Splunk instance to show what I would consider to be a few clever dashboards and searches. Apart from the impromptu searches that I may write (which may not be great), there are some powerful and practical ways you can leverage GreyNoise data inside your Splunk environment right now.
Feeds
With the latest version of the GreyNoise app for Splunk (v2.2.0), you can now keep the last 24 hours of data local to your Splunk instance with feeds. Plus, it’s easier than ever to filter out noise from large datasets. Instead of relying on API lookups, the data can be referenced locally first to quickly remove opportunistic and benign IPs when hunting through your data.
Filtering web logs by IPs not observed by GreyNoise: index=main sourcetype=access_combined | lookup greynoise_indicators.csv ip as clientip | search NOT classification=benign
Dashboards
A good dashboard can turn a bad day into a great one.
I always joke that data isn’t real until it’s displayed on a map, but there's some truth to it! Having a quick overview of your data visually makes it easier to piece together an understanding of the scan activity landscape.
Using custom commands, you can pull out internet traffic to safely and confidently ignore (things we classify as ‘benign’ or IPs from the RIOT dataset) and particular pieces of information you may want to investigate further. Everything left over will include the IPs that are not in GreyNoise, which could indicate more targeted attacks, and IPs we classify as ‘unknown’.
Paired with information from your firewall imported into Splunk, GreyNoise data leveraged in a dashboard can show the vulnerabilities that ‘unknown’ IPs are specifically looking for. Combining this knowledge with your current vulnerability scans can help you quickly identify whether someone is interested in vulnerabilities specific to your attack surface.
Using GreyNoise with firewall data to build a dashboard to find potentially targeted activity as well as provide details for how IP addresses are operating.
Known Good
We talk a lot about filtering out opportunistic traffic and enriching data based on GreyNoise, but let’s not sleep on the RIOT dataset. If you’re not familiar with RIOT, it’s a collection of ~50 million IP addresses that are associated with common business services.
What does this let you do with your data in Splunk? There are a lot of ways that people are applying this dataset in their searches and hunting. Ryan Kovar wrote a great blog post about using wire data with Splunk (https://www.splunk.com/en_us/blog/security/wire-data-huh-what-is-it-good-for-absolutely-everything-say-it-again-now.html), and while legitimate services can be abused (Hello T1567!), they can also make up a significant portion of the traffic being searched. RIOT makes it easy to do a first pass and remove any outbound traffic to those services, which makes it easier to find potentially interesting traffic.
Using RIOT to summarize outbound network activity using Squid proxy data: index=main source=squid:access | gnriot ip_field=src | rename greynoise_name as organization | stats count by organization
May brought more product enhancements to user workflows, data coverage… and of course, more interesting tags! Twenty-four, to be exact, as we continue to improve our product to help our customers monitor emerging threats and identify benign actors. We improved our sensor coverage to include the country of Ghana, plus we made some helpful improvements to our bulk analysis, RIOT dataset, and APIs.
Improvement to Bulk Analysis: Export Unknown IPs
The Bulk Analysis function in the GreyNoise Visualizer has been improved so that users can now export unidentified IPs via CSV and JSON.
This improvement helps analysts more easily identify the ‘interesting’ IPs in a bulk dataset they are analyzing (IPs identified by GreyNoise are known common scanners or common business services; IPs that are UNKNOWN in GreyNoise could represent a targeted threat or something that requires additional investigation).
To access this feature, go to the GreyNoise Analysis page and analyze a file or dataset containing IP addresses.
Improvements to Destination Metadata: Sensor Hits
Two fields have been added to the metadata returned via Bulk Data, IP Context API, and GNQL API that will help users determine baselines or rates of activity:
metadata.sensor_hits is the amount of unique data the sensor has recorded from the queried IP.
metadata.sensor_count is the number of our sensors from which the IP address or behavior has been observed.
RIOT: Qualys Scanner IPs added
We are now tracking Qualys scanner IP addresses in our RIOT database of common business services, so that customers can whitelist this activity (should they wish to) or contextualize this activity when seen in their security logs.
RIOT identifies IPs from known benign services and organizations that commonly cause false positives in network security and threat intelligence products. The collection of IPs in RIOT is continually curated and verified to provide accurate results.
New and Updated Integrations
Splunk Improvements: High Volume Enrichment, IP Similarity and IP Timeline Support
The GreyNoise App for Splunk has been updated to include a new Feed component, which allows users to ingest the GreyNoise indicator feed into Splunk to be used for high-volume log enrichment. Additionally, new dashboards and commands have been added to support the IP Similarity and IP Timeline tools. Learn More
ThreatQ Improvements: New Actions for ThreatQ Orchestrator
ThreatQ has released new GreyNoise Actions for the Orchestrator platform which allow for IP Similarity, RIOT and Quick lookups against the GreyNoise API. These updates can be downloaded from the ThreatQ Marketplace. Learn More
All GreyNoise users can monitor scanning activity we’ve seen for a tag by creating an alert informing them of any new IPs scanning for tags they are interested in.
Notable Security Research and Detection Engineering Blogs:
On Monday, May 1, 2023, CISA added CVE-2021-45046, CVE-2023-21839, and CVE-2023-1389 to the Known Exploited Vulnerabilities (KEV) list. For all three CVEs, GreyNoise users had visibility into which IPs were attempting mass exploitation prior to their addition to the KEV list. GreyNoise tags allow organizations to monitor and prioritize the handling of alerts regarding benign and, in this case, malicious IPs.
At GreyNoise we recognize the value of partnership and intelligence sharing when it comes to protecting internet citizens. Today the GreyNoise Labs team wants to give a shoutout to Trinity Cyber.
On May 31st, 2023 Progress issued a security notice to users of MOVEit Transfer regarding a vulnerability that allows for escalated privileges and potential unauthorized access to the environment. CVE-2023-34362 was assigned to this vulnerability on June 2, 2023.
Sensor Coverage Enhancements: Ghana
We’ve added additional sensor coverage for the following countries:
You can view which IPs are seen scanning sensors in certain countries from our IP details page, or use `destination_country:"<country_name>"` in GNQL to find IPs that have hit those regions. Destination country search is available in all commercial plans for GreyNoise and to our community VIP users.
GreyNoise added a number of exciting updates in April, including 20 new tags for users to monitor emerging vulnerabilities and threats, and identify benign actors. We’ve also added integration updates to support our new IP Similarity and Timeline features, and enhancements to the IP Similarity capability to improve accuracy and give users a summary view to easily understand similar IP infrastructure.
IP Similarity Enhancements
New IP Similarity Summary View
We’ve enhanced our IP Similarity feature with a summary view that breaks down, at a high level, which fields we found similar in our dataset, and allows customers to quickly scan for common fields and tags. IP Similarity is available to paying customers and to our community VIP users: start a trial* today to explore or learn more about this feature.
IP Similarity Model Updates
We've updated the algorithm used by our IP Similarity to improve accuracy through several changes. Feature vectors are scaled and normalized to increase the distance between low and high information numbers, resulting in lower similarity scores. Bugs related to tokenizing user agent and web path strings were fixed, and options like 'unknown' and certain domain names were excluded. Values for webpath, rDNS, OS, and ports were adjusted, resulting in a feature vector with 693 items. Lastly, the minimum info threshold was raised to help improve accuracy of results.
IP Timeline Enhancements
90 Days of IP Timeline Data Now Available
We’ve enhanced our IP timeline feature to store up to 90 days of IP history data (previously, we provided up to 60 days of data) to enable customers to better understand historical IP activity when threat hunting or performing incident response. IP Timeline is available to paying customers and to our community VIP users: start a trial* today to explore or learn more about this feature.
We updated our Anomali ThreatStream Enrichment to include our IP Similarity and IP Timeline features. From the context of an observable, customers can now see all details GreyNoise knows, plus view similar IPs and the timeline of observed activity. Learn More
New Integration: Anomali ThreatStream Malicious IP Feed
Our Malicious IP Feed is now available on the Anomali ThreatStream marketplace. Customers can now easily subscribe to the feed and get a daily update of malicious IPs that GreyNoise observed scanning the internet in the last 24 hours. Learn More
Integration Update: Splunk SOAR
We updated our Splunk SOAR integration to introduce two new commands: "similar noise ips" and "noise ip timeline". These commands pull data from the GreyNoise IP Similarity and IP Timeline features and allow customers to bring that context into Splunk SOAR for an analyst to use during an investigation. Learn More
Integration Update: Maltego
We updated our Maltego Enterprise transform set to include a new Transform that allows for users to query for Similar IPs. This leverages the new IP Similarity tool, and allows for Maltego users to bring similar IPs into their graph for additional research and correlation within Maltego. Learn More
Integration Update: GreyNoise SDK
The GreyNoise SDK has been updated to include both CLI and API based commands to interact with the new IP Timeline and IP Similarity APIs. Learn More
Tags Coverage Enhancements
In the month of April, GreyNoise added 20 new tags:
All GreyNoise users can monitor scanning activity we’ve seen for a tag by creating an alert that will inform them of any new IPs scanning for tags they are interested in.
Notable Security Research and Detection Engineering Blogs:
On Tuesday, April 25, 2023, GreyNoise is changing how we classify environment file crawlers from unknown intent to malicious intent. At the time of publication, this change will result in the reclassification of over 11,000 IPs as malicious. Users who use GreyNoise’s malicious tag to block IPs based on malicious intent will see an increase in blocked IPs.
In collaboration with our partner Trinity Cyber, GreyNoise has a new tag for scan traffic related to CVE-2023-1389, a pre-auth command injection weakness in TP-Link Archer routers.
On Friday, April 21, 2023, CISA added CVE-2023-27350 (a critical unauthenticated remote code execution vulnerability) impacting PaperCut MF and PaperCut NG to the Known Exploited Vulnerabilities (KEV) list. PaperCut MF and PaperCut NG are both enterprise printer management software.
Check Point Research discovered three vulnerabilities in the Microsoft Message Queuing (MSMQ) service, patched in April's Patch Tuesday update. The most severe, QueueJumper (CVE-2023-21554), is a critical vulnerability allowing unauthenticated remote code execution. GreyNoise has a tag, classified as malicious, for the full QueueJumper RCE Attempt.
Sensor Coverage Enhancements
We’ve added additional sensor coverage for the following countries:
Destination country search is available in all commercial plans for GreyNoise and to our community VIP users. Start a trial* today to explore destination data.
Search Enhancements
The GNQL cheat sheet is now available in the search bar. Want to learn more about how to effectively use GNQL? Review the cheat sheet for some helpful examples around syntax and available fields to use in search.
(*To begin your GreyNoise Enterprise Trial, sign-in to your account or sign-up for a free account, then go to your account details page and select "Start Trial".)
Cyber threats are constantly evolving, and organizations need to stay on top of the latest techniques and tools to protect themselves against attacks. One of the most critical aspects of this is having an effective threat intel program in place. But how do you upgrade your program to keep up with the ever-changing threat landscape? Our answer: start looking for patterns in attack telemetry.
David Bianco’s ‘Pyramid of Pain’ illustrates the relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them. Organizations can better identify and defend against threats by moving from simple indicators like domains, hashes, and IPs to focusing on indicators that are more difficult to change, such as TTPs. While gaining this additional insight can take more time, it lets defenders do more to detect and prevent future attacks.
The Pyramid of Pain | Source: David Bianco
GreyNoise data is awesome, but in order to move from IPs -> TTPs, we have built new features to help you upgrade your Threat Intel program (thanks to the Pyramid of Pain)!
IP Similarity
It is now easier than ever to fingerprint attacker infrastructure. This new feature clusters activity based on similar behavior, like similar HASSH and JA3 fingerprints, rDNS, user agents, and ports scanned. Based on the results from IP Similarity, you can hunt within your own network to proactively find other related malicious activity.
GreyNoise IP Similarity Dashboard comparing HASSH Fingerprints of two IPs 71.6.199[.]23 and 89.248.172[.]16
IP Timeline
The IP Timeline displays activity from a particular IP address as seen by GreyNoise sensors over the past thirty days. By checking our timeline graph, you can see when an IP interacts with our sensors. This chronological data helps CTI teams identify whether an attacker is using an automated process or whether the scan/attack process is manual.
GreyNoise IP Timeline view for 41.65.223[.]220
Understanding how adversaries operate and adopting a defined strategy to detect and remediate can lead to a more effective threat intelligence program. GreyNoise can be used to easily enrich threat feeds to gain deeper insight into how attacker infrastructure is being used and quickly understand what services, devices, and vulnerabilities they want to leverage as part of their campaign.
If you are interested in learning more about any of these new features, request a demo.
For April Fools this year, the GreyNoise team created GhostieBot, an Artificial Unintelligence bot serving you all the answers you didn’t need.
We had a lot of fun creating it and thought it was a good example of the ideation, design, development, and release process at GreyNoise. Here we hope to walk you through that process so you can understand a little better how we work.
The Process
Ideation
We knew we wanted to have a fun April Fools joke this year, but everyone was already working on a ton of projects to make GreyNoise a more useful product. We decided to take a group of volunteers and just grab an hour here or there to work the problem.
GreyNoise April Fools Tributes
Our first stop was a Figma brainstorming session. Just set up some space for everyone to jot down ideas, start a 5-10 minute timer, play some smooth jazz, and go to work.
Brainstorming
After all our ideas were gathered, we discussed them and added +1s to the ideas we liked. Since the world has been taken over by chatbots and large language models, we ultimately ended up with a GreyNoise chatbot that we could use to make jokes and expose some of the other ideas from the brainstorming session that weren’t big enough for their own show. Though you never know, the Internet Weather Report from the brainstorming session might pop up sometime…
Mocks
Next up, we had to create some mocks for what we wanted the GhostieBot interface to look like. Chatbots and messaging interfaces, in general, have some pretty established patterns. To keep things as simple and quick as possible, we leaned heavily on our design system and went with a standard chat/messaging layout. There were a few new elements in the design, like the message bubbles and Ghostie avatar, that we needed to create. We also needed to make sure it was responsive and handled small and large screens well. Altogether, these were pretty simple items, and we were able to have the finished mockups ready in under an hour.
Sourcing Responses
Since our chatbot is not a real chatbot, we had to actually come up with the responses we wanted, arguably a tougher task than creating a real chatbot. Luckily, we have a ton of nerds on staff who like terrible jokes. After spinning up a quick Notion page, we were able to crowdsource some ideas.
Bad joke central
Making it real
Now it was time to make it all real; we took the mock-ups, created a new page, and started building. We compiled the list of questions and properly formatted them for display. Then we built out the basic structure of a chat interface; once that was set up, we added a few nice-to-haves:
“Enter” to submit instead of having to click “Submit”
Scroll offscreen gradient to add visual cues
Improved message timing so it felt like you were actually chatting with someone instead of instant replies.
“Ghosty is typing…” message based on response length
Once the interface was completed, we hid the Chat behind a feature flag as well as set a date window for the chat to be available to the public. This allowed us to test the chat before it went live.
And while we went with a more informative page for 127.0.0.1, y’all almost ended up with:
Alternate GreyNoise Localhost Details
Recap
We had a ton of fun putting this all together, and we hope you enjoyed it too. To keep in touch with GreyNoise as we figure out how to build an amazing product for the cyber security community, sign up for a free account (https://viz.greynoise.io/signup), join our Slack community (greynoiseintel.slack.com) and follow us on Twitter https://twitter.com/GreyNoiseIO. We also have a couple of positions open (https://www.greynoise.io/careers#Current-Openings).
At GreyNoise, we're excited to announce that our Voluntary Product Accessibility Template (VPAT) is now available. We believe that everyone should have equal access to our product and service, regardless of their disabilities or abilities. By providing a document that evaluates our product's accessibility for people with disabilities, we are taking a step forward in ensuring that our product meets the needs of all users. We are committed to creating an environment that is inclusive and accessible to everyone, and we believe that our VPAT is an essential part of this initiative.
What is a VPAT?
VPAT stands for Voluntary Product Accessibility Template, which is a document that outlines how accessible a product or service is to individuals with disabilities. It provides information on how well the product or service conforms to the Web Content Accessibility Guidelines (WCAG) and other accessibility standards. It's an important tool for ensuring that everyone, regardless of their abilities, can use and benefit from our product and service.
What does a VPAT contain?
A VPAT is a detailed report on how well a product or service conforms to accessibility guidelines such as Section 508 of the Rehabilitation Act in the United States. It typically contains information on the product's conformance to accessibility standards, including how it complies with various criteria related to accessibility, such as keyboard accessibility, color contrast, and assistive technology compatibility. Additionally, the VPAT provides details on any known limitations or barriers that may exist for users with disabilities and any plans for future development or improvement.
Why is a VPAT important?
Accessibility is a fundamental human right, and it's crucial that our product and service are designed with everyone in mind. People with disabilities make up a significant portion of the population and deserve equal access to information and services. A VPAT is a valuable tool for organizations to demonstrate their commitment to creating and providing accessible products and services, as well as fulfilling legal obligations. By completing a VPAT, we're ensuring that GreyNoise is accessible to as many people as possible.
Why is accessibility important?
Accessibility is important because it ensures that everyone, regardless of their abilities or disabilities, can access and use our platform. In the United States, approximately 61 million adults have a disability*, representing a significant portion of the population. By making our platform accessible, we're opening up our product and service to a much broader audience, leading to increased engagement, more meaningful interactions, and, ultimately, better outcomes for everyone.
In addition, accessibility can lead to better user experiences. People with disabilities may face significant challenges when accessing websites or online tools not designed with their needs in mind. By making our platform accessible, we're reducing these barriers and making it easier for everyone to use our product and service.
What's next for GreyNoise's accessibility efforts?
At GreyNoise, we're committed to continuous improvement. We're constantly looking for ways to make our platform more accessible and inclusive. In addition to providing a VPAT, we're also working on other accessibility initiatives, such as improving our keyboard navigation, adding alternative text to images, and ensuring that we meet accessibility standards.
We believe that accessibility is an essential part of our platform, and we're committed to making our tools and services accessible to everyone. By providing a VPAT, we demonstrate our commitment to accessibility and inclusivity, which can lead to a better experience and outcomes for everyone. We look forward to continuing our accessibility efforts and making GreyNoise a platform everyone can use and enjoy.
The first goal of IP Similarity is to encode a GreyNoise record as a numerical feature vector. This is just an array of numbers that somehow represent all of the data we have in a GreyNoise record.
Figure 1: Record to Feature Vector
This representation is extremely useful for machine learning and any numerical analysis. From this point we can quantitatively measure how far away two records are, cluster groups of records together, and build all sorts of classifiers. This is the ground floor basis for applying machine learning to GreyNoise data.
The Nitty Gritty
But, getting there is hard. Our records contain a vast amount of unstructured and semi-structured textual data. User-Agents can be nearly anything you want, from
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
Ports can be any or all of the 65,535 available values. The list goes on.
In order to turn this complex multi-modal data into a fixed size numerical feature vector we employ a few tricks, primarily: tokenization and “the hashing trick”.
Books could be (and have been) written on tokenization, but for our purposes we can implement a simple regex.
import re
tokens = re.sub(r'[^\w\s]', ' ', text).lower().split()
This replaces every character that is not a word character (letters, digits, underscore) or whitespace with a space; we then lowercase the string and split it on whitespace. This turns our
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
Hash each token and take the result modulo the vector length (16 here) to get its hash_index, then insert a 1 (or some other value as you choose, perhaps scaled based on the number of items you're indexing) at that position. So 'mozilla', hashing to index 9 (zero-based), would turn the vector into [0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0].
Continue with all of the items you want to hash into that vector.
Note: For our use case, we are scaling the value inserted into the vector based on the number of items we are indexing. If two are put in the same position, they are added together.
Finally, the list of tokens ['mozilla', '5', '0', 'x11', 'linux', 'x86_64', 'applewebkit', '537', '36', 'khtml', 'like', 'gecko'] (12 items, so each contributes 1/12 = 0.0833) would get hashed to [0, 0.0833, 0.0833, 0.1667, 0.1667, 0.0833, 0, 0.0833, 0, 0.0833, 0.0833, 0.0833, 0.0833, 0, 0, 0]
For higher fidelity, you can increase the bucket size from 16 to a larger number.
Now that we have a method to turn unbounded text into a fixed-size numerical vector, we can do this with many more of our fields and concatenate the results, along with boolean variables (e.g. is this IP coming from a VPN? T/F), to create one long feature vector to represent each record. Success!
Figure 2: Base Feature Vector
But weight, there’s more!
Not all features have equal importance, so we need to create weights so some features have more significance than others in the analysis.
For IP Similarity we are using a combination of relatively static IP-centric features, things we can derive just from knowing what IP the traffic is coming from or their connection metadata, and more dynamic behavioral features, things we see inside the traffic from that IP. These features are:
IP Centric: VPN, Tor, rDNS, OS, JA3 Hash, HASSH
Behavioral: Bot, Spoofable, Web Paths, User-Agents, Mass scanner, Ports
Features like JA3 can be less important while features like Web Paths can really show good similarity between records.
We are curating an ever growing collection of pairs of GreyNoise records that we think are good matches and bad matches. With these, we can randomly go through our collection, compare the feature vectors for the records and adjust the weights to make those matches (or non-matches) better and better. This creates a weight vector that we can use to adjust our base feature vector.
Figure 3: Weight Vector
The Final Vector
We take our GreyNoise record, extract the features we want to use, apply the hashing trick or other numerical logic, apply our weights, and we are left with a final vector that is ready to be used in comparison and machine learning. For example:
Figure 4: Final Feature Vector Calculation
The Results
With this new representation we can do a lot of ML, but our first use case is IP Similarity, which answers the following question:
Given an IP address and all that GreyNoise knows about it, show me all other IPs GreyNoise has seen that have similar characteristics and behaviors.
To do this we compare two feature vectors and calculate the L2 norm of their difference, i.e. the Euclidean distance between them. Just like in geometry where you use the Pythagorean theorem, a² + b² = c² or c = sqrt(a² + b²), the L2 norm just extends that to a larger space, so it is simply a measure of how far two points/vectors are from each other. If the L2 norm is small, the feature vectors are close and thus very similar. If it is large, the feature vectors are far from each other and thus dissimilar.
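The pipeline described above (tokenize, hash into 16 buckets with 1/n scaling, concatenate with boolean flags, apply weights, compare by L2 norm), as an added example that is not GreyNoise's code. The records, the per-feature weights and the choice of crc32 as the hash function are all assumptions, so bucket positions differ from the illustration above.

```python
import re
import zlib
from math import sqrt

# Constructed example, not GreyNoise's code. 16 buckets as in the illustration above;
# crc32 is an assumed hash function, so bucket positions differ from the page's figures.
N_BUCKETS = 16


def tokenize(text):
    """Swap every non-word, non-space character for a space, then lowercase and split."""
    return re.sub(r'[^\w\s]', ' ', text).lower().split()


def hash_vector(tokens, n_buckets=N_BUCKETS):
    """The hashing trick: token -> bucket crc32(token) % n_buckets.
    Each token contributes 1/len(tokens); collisions add together, so the vector sums to 1."""
    vec = [0.0] * n_buckets
    for tok in tokens:
        vec[zlib.crc32(tok.encode()) % n_buckets] += 1.0 / len(tokens)
    return vec


def base_vector(record):
    """Base feature vector: hashed user-agent, hashed ports, then boolean flags."""
    ua = hash_vector(tokenize(record['user_agent']))
    ports = hash_vector([str(p) for p in record['ports']])
    flags = [float(record['vpn']), float(record['tor'])]
    return ua + ports + flags


# Assumed per-feature weights (GreyNoise tunes theirs on curated match/non-match pairs).
WEIGHTS = [2.0] * N_BUCKETS + [1.0] * N_BUCKETS + [1.0, 1.0]


def final_vector(record):
    return [w * x for w, x in zip(WEIGHTS, base_vector(record))]


def l2_distance(a, b):
    """Euclidean distance between two final vectors: small means similar."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


# Constructed records (not real GreyNoise data).
UA = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)'
RECORD_A = {'user_agent': UA, 'ports': [80, 443, 8080], 'vpn': False, 'tor': False}
RECORD_B = {'user_agent': UA, 'ports': [80, 443, 8443], 'vpn': False, 'tor': False}
RECORD_C = {'user_agent': 'python-requests/2.31', 'ports': [22, 3389], 'vpn': True, 'tor': False}


def rank_similar(query, candidates):
    """Order candidate records by distance to the query, nearest first."""
    q = final_vector(query)
    return sorted(candidates, key=lambda r: l2_distance(q, final_vector(r)))
```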
We put all of this feature vector information into ElasticSearch alongside our GreyNoise records and voilà, we can now find any GreyNoise records that are similar to any other. Some of the use cases are:
Figure 5: IP Similarity of 89.248.172.16 as shown in GreyNoise.
And we can compare the IPs side by side to find out why they were scored as similar.
Figure 6: IP Similarity Details
While we have an Actor tag for Shodan which allows us to see that all of these are correct, IP Similarity would have picked these out even if they were not tagged by GreyNoise.
Figure 7: IP Similarity of 182.126.118.174 as shown in GreyNoise.
We can see they share OS, Ports, Web Paths, and rDNS.
We can take an IP from another prolific scanner like ReCyber, https://viz.greynoise.io/ip-similarity/89.248.165.64, and get back a large number of IPs, many from ReCyber, but others that simply act like ReCyber.
Figure 8: IP Similarity of 89.248.165.64 as shown in GreyNoise.
The End
Ultimately, we hope this tool is insanely useful to you and that you've developed a better understanding of how it works under the hood. Be on the lookout for more features, machine learning applications, and explanations! To try IP Similarity for yourself, sign up for a free trial or request a demo to learn more.
(*Create a free GreyNoise account to begin your enterprise trial. Activation button is on your Account Plan Details page.)