Product

(And when you should stick with our free version)

Giving back to the cyber security community will always be a key part of the GreyNoise mission, so our free plan isn’t going anywhere. 

But there are a lot of benefits to a paid plan that may not be immediately obvious (benefits other than subsidizing Andrew’s tweets). Let’s dig into the top 7 reasons you should upgrade, and when a paid plan might not be a good fit for you. 

Increased Search limits

The most obvious reason for a user to upgrade from free to paid is the expanded Search limits. Search is at the core of our product, it’s the first thing users see when they land on our visualizer and the primary way most users interact with GreyNoise. Asking GreyNoise for data on an IP, a CVE, a tag, or a trend all counts as a Search. 

The Free limits are designed for hobbyists, independent users, or for someone who is just starting to explore the GreyNoise ecosystem. They aren’t high enough to tap into automation or large scale data enrichment. So if you’re a team who wants to save time by throwing out all the hay to get to the needles faster, a paid plan will give you the volume you need. 

Increased limits on alerts and dynamic blocklists

In addition to Search, all paid customers get increased limits for alerts and dynamic blocklists - the other two features that make up the core of the GreyNoise product. 

Alerts let you configure an email notification that will trigger anytime the response to a GreyNoise Query Language (GNQL) query changes. Use them to identify compromised devices on your network (or a vendor or third party supplier’s network), or get a heads up when attackers start exploiting a vulnerability in the wild. 

Dynamic blocklists give you a full list of IPs associated with a GreyNoise tag. The list is updated hourly, and can be plugged directly into your next gen firewall to keep your perimeter safe. When the next Log4j happens, you can use a dynamic blocklist to buy your team needed time to patch. 

A more robust API with full IP context

The Community API has 1 endpoint, it takes an IP and returns a simple response with some basic information about that IP. Is the IP in the GreyNoise Noise or RIOT datasets? What is its classification? And a link to the visualizer.

‍

For some teams this is enough. But for teams that are stretched thin and need comprehensive answers fast, rely on automation to make their lives easier, or want to run more complex queries (like pulling back a list of IPs tagged with a specific CVE) access to our Enterprise API is a must. 

Our Enterprise API has 16 endpoints. Enterprise API users can: 

• Get abbreviated IP info or full context (on up to 1,000 IPs in a single request)
• Run full GNQL queries 
• Get tag metadata
• Check an IP against our RIOT dataset (a list of IPs known to be associated with common vendors)
• Access our IP Similarity endpoints 
• Access our IP Timeline endpoints

‍

‍

‍

More integrations, and expanded integration options

We have 31 integrations that support using a Community API key. But these integrations are limited by what the Community API can return, so if you need full context on the IP (which most users do) you'll have to click into the Visualizer to get a full picture.

Full integrations and integration with some of the most popular security tools like Splunk, QRadar, LogStash, and Recorded Future are available to paid customers. You’ll also want the higher Search limits that come with our paid plans to maximize our integrations and automate more of your work.

Exclusive paid features

While limited access to the core GreyNoise features will always be available to free users, there are a handful of features that are only available to Paid customers, with more being added this year. These features can be used for enhanced enrichment, threat hunting, and protecting your perimeter from mass exploitation. 

Premium data fields

Premium data fields like our IP Destination fields tell users even more about what an IP is doing on the internet, and open up new Search queries. IP Destination specifically tells users which countries our sensors observed an IP scanning, and let users narrow down their searches to geo-targeted traffic. All paid plans come with IP Destination. 

Export

Getting data out of the visualizer (or accessing full context in the API) is restricted to paying customers. You can export GNQL search results or analysis results to a CSV or JSON file. 

IP Timeline

IP Timeline lets security analysts and threat hunters look back at an IP’s behavior over time. Answer the question, “what was this IP doing 7 days ago?” Useful if you find an IP in your logs and want to know what it was doing the day it hit your system. 

‍

‍

IP Similarity

IP Similarity helps users identify potential actors and infrastructure associated with an IP you’re investigating. All users can see how many IPs GreyNoise has identified as similar to a given IP, but only paying customers can access the list of similar IPs and a breakdown of the factors that determine similarity. 

‍

Feeds

Feeds are a useful way to enrich your existing data without blowing up your Search limit, or to narrow down a search into a big dataset. 

Enterprise support

Paying customers get direct access to our Customer Success team who have a deep knowledge of the GreyNoise product, integrations, and customer use cases. While we will always do our best to support all of our users, our Customer Success team goes above and beyond for our customers with onboarding, training sessions, and quarterly check-ins.

Convenience

One of the most important benefits of a paid plan is convenience, and our best customers get this. You’re strapped for time. You’re trying to keep up with changing tactics from the bad guys, training and hiring good analysts, and the latest demands from the rest of your org. Any time you can save has real value. 

GreyNoise has proven time and time again that we save our paying customers time, and generate a pretty significant ROI. 

Upgrade to a paid plan if…

There’s a lot of value unlocked when you move from a Free GreyNoise account to one of our paid plans. You probably want to upgrade if you fit into one or more of these buckets.

• You have a mid-size or large team heavily leveraging the visualizer for manual alert triage 
• You want to build automations or enrichments leveraging GreyNoise data into your workflows
• You’re using Splunk, QRadar, Panther or one of the other tools supported by our paid integrations
• You want an easy way to monitor large blocks of IP space for malicious behavior
• You want to block IPs scanning for emerging threats from touching your perimeter entirely
• You are doing advanced threat hunting 
• You want to leverage GreyNoise data in your product or service
• You need enterprise support
• You value saving your analysts time anywhere you can

A GreyNoise paid plan isn’t necessary for everyone, we get that. Don’t worry about a paid plan right now if you fit into one of these buckets:

Your team has a manageable number of alerts

Look, if you’re a team of 1 or 2 analysts, and you can easily handle all of the perimeter-related alerts in your SIEM then you’re probably not going to get a ton of benefit from a GreyNoise subscription right now. You can always create a free account, and use it as needed when you have questions about a strange IP or hot, new CVE. 

You outsource your security program

If most or all of your security program is managed by MSSP/MDR partners, they can leverage GreyNoise on your behalf to provide you a better service more cost-efficiently. Some of our rockstar MSSP/MDR partners include:

• Hurricane Labs
• Expel
• Ideal Integrations
• Seculore

You’re a student, academic, or independent researcher

If you’re a student, academic, or an independent researcher using GreyNoise for non-commercial purposes then you may actually qualify for our VIP program. VIP users get access to all of the same features and benefits as paying customers, at no cost. 

Check out our pricing to learn more

In the end it’s up to you. GreyNoise isn’t going to be a good fit for everyone, and that’s okay. You can always use GreyNoise for free, and reach out later when your security team has grown. But if these benefits resonated with you, then consider reaching out to our sales team. They’re here to help, not be pushy, and know a ton about GreyNoise. 

‍

When running across an unknown IP address in the logs, the first move might be to check the IP address’s reputation through a number of services.  This check is useful for the immediate task at hand, but what if you could see not only reputation reports but see, at a granular level, when and what is causing this reputation?  That’s where GreyNoise comes in. 

Alongside the common fields of a GreyNoise IP address page’s located in the Visualizer (which include relevant DNS information, destination sites, and other data), GreyNoise now has a feature called the IP Timeline. The IP Timeline displays activity as seen by GreyNoise sensors of a particular IP Address over the past thirty days.  Let’s take a look at an IP address and explore this tool further.

Getting Started – IP address page

When an IP address is entered into the GreyNoise search box, if GreyNoise has observed scan activity from the IP, you will receive an IP Address page detailing data and related tags:

In this example (IP address 41.65.223.220), an opportunistic scanner appears to be crawling for SMBv1 endpoints and trying to brute force MSSQL servers.

Within the fields displayed are which ports this address scans, any associated fingerprints and what kinds of web requests the IP is known to make. In this case, GreyNoise does not have a lot of fingerprint and request data. So, how can we know for sure that this IP address is still active and malicious?

This is where the IP Timeline feature comes into play.  Next to the summary of the IP address, there’s a tab labeled ‘timeline’.  Let’s click that and see what we find:

Voila!  The page has gone from an overview of the IP address to discrete data points showing when, exactly, GreyNoise has noticed activity.  Consecutive days of the same activity are connected by a line.

Each data point GreyNoise has for the IP address is a field along the Y axis, and each day that GreyNoise notices it is the X axis. You can see respective fields and dates along the left and top sides of the graph.  In this example, you can see that on the 1st of January there is SMBv1 crawling observed.  Then, on the 2nd, there’s MSSQL brute force attempts. The SMBv1 crawling has an unknown intention so it’s listed as white, while the MSSQL brute force attempts are highlighted in red as they are tagged as malicious activity.

How is this useful?

This graph can be used for more than just a quick check on an IP address.  For example: you are running an MSSQL server and found this IP address in your logs. Seeing somebody trying to brute force your server can be a nerve-wracking experience!  However, by checking this graph you can see that this address attempts to brute force every 8 days on the dot, implying an automated process. That’s still not great, but it’s less scary than a concerted human effort. From there, you could make the call to block at the firewall or you could make sure your passwords aren’t on any well-known word lists and continue to observe the IP address.

Additionally, if you are looking for behavior patterns on an IP address, this graph could come in handy.  In this example, we only see two cases where the IP address crawls SMBv1 and then attempts to brute force the next day but, if this was a consistent pattern, this may be indicative of a pattern used when deciding which hosts to try and brute force. You could then use that information to pivot into checking your SMB logs for anything suspicious.

Final Takeaways

GreyNoise is always looking for new ways to bring as much value as possible.  IP Timeline data is only one part of a much bigger ecosystem you can integrate into your processes and investigations. Try it out yourself by signing up for our *enterprise trial or contact us to schedule a more in depth demo.

‍

(*Create a free GreyNoise account to begin your enterprise trial. Activation button is on your Account Plan Details page.)

‍

‍

Why we created the IP similarity feature

While we at GreyNoise have been collecting, analyzing, and labeling internet background noise, we have come to identify patterns among scanners and background noise traffic. Often we’ll see a group of IPs that have the same User-Agent or are sending payloads to the same web path, even though they are coming from different geo-locations. Or, we might see a group that uses the same OS and scanned all the same ports, but they have different rDNS lookups. Or any other combination of very similar behaviors with slight differences that show some version of distributed or obfuscated coordination.

With our new IP Similarity feature, we hope to enable anyone to easily sniff out these groups without having an analyst pore over all the raw data to find combinations of similar and dissimilar information. Stay tuned for an in-depth blog covering how we made this unique capability a reality, but for now, here’s a quick snapshot of what the feature does and the use cases it addresses.

The GreyNoise dataset

GreyNoise has a very rich dataset with a ton of features. For IP Similarity we are using a combination of relatively static IP-centric features, things we can derive just from knowing what IP the traffic is coming from or their connection metadata, and more dynamic behavioral features, things we see inside the traffic from that IP. These features are:

IP Centric 

• VPN
• Tor
• rDNS
• OS
• JA3 Hash
• HASSH

Behavioral 

• Bot
• Spoofable
• Web Paths
• User-Agents
• Mass scanner
• Ports

Of note, for this analysis we do not use GreyNoise-defined Tags, Actors, or Malicious/Benign/Unknown status, as these would bias our results based on our own derived information.

What GreyNoise analysis can show you

The output of the IP Similarity feature has been pretty phenomenal, which is why we’re so excited to preview it. 

We can take a single IP from our friends at Shodan.io, https://viz.greynoise.io/ip-similarity/89.248.172.16, and return 19 (at the time of writing) other IPs from Shodan, 

And we can compare the IPs side by side to find out why they were scored as similar.

While we have an Actor tag for Shodan which allows us to see that all of these are correct, IP Similarity would have picked these out even if they were not tagged by GreyNoise.

Key use cases 

As with any machine learning application, the results of IP Similarity will need to be verified by an aware observer, but this new feature holds a lot of promise for allowing GreyNoise users to automatically find new and interesting things related to their investigations. In fact, we see some immediate use cases for IP Similarity to help accelerate and close investigations faster, with increased accuracy, and provide required justifications before acting on the intelligence. For example:  

• For cyber threat intelligence analysts. Use IP Similarity to generate a list of IP addresses that are similar to a target IP address identified/associated with specific malicious activity. This could entail generating a list of IPs similar to an IP observed executing a brute force attack.
  
  
• For threat hunters: Use IP Similarity to identify a list of IP addresses similar to your “hypothesis” IP address. You can then search for them inside your network (perhaps within your Splunk SIEM or leveraging NetFlow data). The goal here would be to proactively find compromises from related threat actors. 

Get Access to IP Similarity

For more on how you can use IP similarity in your investigations, check out our recent blog from Nick Roy covering use cases of IP similarity. You can also read more about IP similarity in our documentation. IP Similarity is available as an add on to our paid GreyNoise packages and to all VIP users. If you’re interested in testing these features, sign up for a free trial account today!*

‍

(*Create a free GreyNoise account to begin your enterprise trial. Activation button is on your Account Plan Details page.)

‍

Why We Created IP Geo Destination 

If you’ve ever heard our founder and CEO, Andrew Morris, speak, you’ll know that one of the core reasons GreyNoise exists is to answer the question “Is everyone seeing this, or is it just me?” 

GreyNoise provides details about opportunistic scan activity by source IP as observed across our sensor network. When large geopolitical events happen, like the ongoing Russia-Ukraine war, our research team historically has been able to provide details on the destination of the traffic we’re seeing as well (e.g. Russian scans and exploitation attempts only focusing on our Ukrainian sensors). We are proud to share that this capability, labeled as IP Geo Destination, is now available to all GreyNoise customers via the Visualizer and API endpoints as of today.

‍

What IP Geo Destination Can Show You

Using the new IP Geo Destination feature, we can delve deeper into anomalies in scanning traffic.

Multi-Destination Results

Recently, there has been an uptick in scan activity related to scanning for DB2 databases as highlighted by the trends page. Using this as a starting point organizations can begin to investigate further to better understand why there is a sudden increase in scan activity.

‍

Using the GreyNoise command line tool, we can search ‘.metadata.destination_countries’ to derive where this activity is pointing to. The traffic seen from the DB2 Scanner in the last 7 days reveals an even distribution of traffic across GreyNoise sensors in 41 different countries (see our docs for a list of all countries where we have sensors today).

Further investigating IPs active in the last seven days that are scanning for DB2 instances shows that all of them have been tagged as malicious in GreyNoise. Most of them have multiple tags associated with each IP address, several of which are related to various worms attempting to propagate across the systems connected to the internet. 

Single Destination Results 

Threat hunters looking for more targeted activity can add the `single_destination` parameter to identify IPs focusing on a particular geographic region.

In the example above, by entering the search `tags:"DB2 Scanner" destination_country:Ukraine single_destination:true `, you can filter results to show only activity that is targeting a single country, in this case, Ukraine. Defenders that work for the government, non-profit organizations, or are generally interested in a specific country or region can utilize this to focus on localized activities and potential threats.

----

With the additional data provided by IP Geo Destination, GreyNoise users can better understand how attacks impact different geographic regions. Our destination data is built off of our own sensor network so the geographic information being provided is first-hand. This feature is designed for cyber defenders to connect geopolitical motivations with scan and attack traffic and help responders quickly prioritize and triage alerts.

If you have questions about this feature or are interested in getting a demo contact our sales team.

‍

Feature explainer: anomaly and trend detection

Defenders have a remarkably tough job. They must understand — to the largest extent possible — which event needs investigating right now. There are many triggers for such events, but a major one is knowing when their threat landscape has changed. More specifically, defenders need to know when traffic (and actor) behavior has changed sufficiently to warrant taking notice or action.

Change detection comes in many forms. One such form comes under the lofty heading of "anomaly detection," which may also be referred to as "trend detection." Most modern detection and response solutions have some sort of anomaly detection capability.

GreyNoise has recently introduced a new trend detection feature in our platform that will help inform both researchers and organization defenders about potentially new or dangerous traffic behavior changes as quickly as possible. This gives researchers and defenders the necessary context to decide if further action is warranted.

Background on trends and anomalies

Our new Anomaly/Trend Detection feature operates on Tags, GreyNoise’s automated event labeling system. Our processing takes signatures developed by our Research team and applies tags to the packet traffic from our sensor network. These tags are used to add context from actor attribution to behavior, including scanning, crawling, or exploitation events. Each one represents a particular kind of traffic: malicious, benign, or as yet unknown. Each can also encompass one or more protocols, vulnerabilities, and/or exploits.

Monitoring tag behavior over time is a large part of GreyNoise’s value. Because we see how many sensors are hit with traffic events labeled with a particular tag every hour, we can assess which tags are becoming more popular, which ones are experiencing a near-term anomaly in traffic (possibly a notable event in itself), and which are going quiet. At GreyNoise, we look for opportunities to filter out the noise. Traffic that trends upward or exhibits an anomalous "spike" is noteworthy because it is "noisy.”

How it works

Detecting trends and anomalies is about finding deviation from previous behavior, particularly in a positive direction. Both tasks start with finding the average over a long period, at least ten days. The Trends tab looks at slower increases in traffic for a specific tag, comparing the long-term average to a short-term, more recent average, and doing the classic percent-change formula. This produces a value we can use to rank which tags are seeing the largest increase in average traffic.

‍

Detecting an anomaly (as seen immediately above) is somewhat trickier, as we’re not interested in alerting on every recent anomaly. Indeed, it’s not inconceivable that a “quiet” tag that’s gone unseen for a while could suddenly start appearing intermittently (see below). That tag could very well get a separate report for each anomaly, even if each anomaly is not all that tall compared to its neighbors. 

We have to find a single recent peak, and preferably the highest. We do so with two algorithms: first, we use a moving window to determine which sample(s) have the largest (positive) deviation from the average value for that window. Second, we check for a change in slope, as a peak signifies a change from increasing to decreasing behavior. Between the two algorithms, we can find peaks reliably, accurately, and precisely. The peak values are then subjected to the percent change formula, so we can compare anomalies and trends for each tag.

Ranking the output of these algorithms, we present the tags that have the largest recent increase in trend as well as the tallest recent peak, both relative to previous average behavior. 

What to do about it

Loading up our Tag Trends page, you’ll see trending tags and anomalies: lists of the tags exhibiting each of the behaviors the strongest out of our vast collection of known tags.

Trending tags are showing a marked increase in average traffic; that is, the average now is relatively greater than previously. This could continue over time, suggesting the possibility of the related vulnerabilities being more commonly exploited (or at the very least, more commonly seen in data from one’s inbound internet security perimeter). This raises the odds of seeing it on our customer’s own perimeter, and therefore increases the urgency for monitoring in more detail and patching, if possible.

Anomalies in a tag manifest sudden jumps in behavior–and could be more useful to see what already happened than for projection about future behavior. Anomalies, by our internal definition, have already started to ebb, so the real “peak” has passed. With the largest anomalies listed, though, we can note the timing of large events/incidents that may illuminate what happened and how. However, it is possible that repeated anomalies could signal a new behavior pattern of intermittent bursts of activity: then the timing between those anomalies could show coordination, how many groups are involved, or even in which time zones they likely operate. 

What is particularly powerful is the ability to raise the conversation around tags (and therefore particular exploit vectors) as soon as they’re seen in numbers “in the wild,” instead of waiting for a particular exploit to hit the news. Additionally, each tag notes a particular approach. So, if a product has multiple potential exploits one could patch for, the tag (or tags) that are seeing the most traffic should be patched soonest.

All this being said, of course, these behaviors may not be seen on your perimeter. You may load the Tag Trends page and find that none of the “trending” tags are increasing their traffic for you, and you may be seeing traffic on other vectors. This is perfectly normal, and likely indicates that your firewall is doing its job, or that your attack surface is minimized to the threats and activity on the web at large. You may also be investigating a sudden wave of traffic of a particular type, and see that it didn’t make our Anomalies list. This means that, likely as not, your wave of traffic is more targeted than it may appear at first, and perhaps some caution may be warranted.

A note on data over time

There’s been some talk in the last few paragraphs about possibilities because this is largely cutting-edge research in cybersecurity. Already, we have seen tags which saw a drop in behavior that appear to be trending (as said drop passes out of the recent time window). The movement of the drop drags down the previous baseline, which makes the resumption of normal activity look like it’s trending to the algorithm. Perhaps it’s not trending upward from where it started, but the whole sample still exhibits notable behavior; sometimes the resumption of normal behavior out-trends the weaker actual “trending” tags. Notable behavior is notable behavior. 

There are more exotic patterns lurking in the time series data that our researchers already know and recognize. For us, it’s a matter of building a statistical system around that recognition so we can further automate. No one knows all of what’s possible out there, but we’re listening, so we know better than many. As soon as GreyNoise finds something new, you can rest assured that our findings make their way into refining this feature and other features to come.

‍

New GreyNoise Trends dashboard helps security analysts identify and respond to opportunistic “exploit” attacks

The increasing frequency of internet-wide exploit attacks targeting newly announced vulnerabilities is a tremendous challenge for security teams. There is a long line of “celebrity vulnerabilities” that we at GreyNoise have observed with increasing alarm. And given our focus on internet noise, customers have naturally been asking for our help in providing visibility into vulnerabilities being actively exploited in the wild.

This is why we created GreyNoise Trends, a new view into the GreyNoise data set to help security analysts identify and respond to internet attacks targeting specific vulnerabilities.

New Vulnerabilities Create A Race Against Time for Security Teams

When a new vulnerability is discovered and announced, it's a race against time to see who can find vulnerable servers first. For example, when the Apache Log4j vulnerability (CVE-2021-44228, aka “Log4Shell”) was announced on December 5, 2021, GreyNoise saw a dramatic spike in internet-wide scanning activity searching for servers that exposed this vulnerability:

Note that thousands of unique IP addresses searching for a vulnerability can generate billions or trillions of connection requests across the internet, generating a storm of internet noise that makes it difficult to identify true threats.

For security teams, responding to this kind of event is extremely challenging. Under pressure of a newly announced vulnerability, they need to understand how serious the vulnerability is, whether it is being actively exploited in the wild, whether they are vulnerable, and whether they may have already been compromised. And if they have vulnerable systems, they need to patch them on an emergency basis.

Vulnerability Exploits Used in 34% of Cyber Attacks in 2021

According to a recent report by IBM, severe vulnerabilities in internet-facing enterprise software are being exploited and weaponized at a higher frequency, at massive scale:

• 34% of attacks in 2021 used vulnerability exploitation - opportunistic “scan-and-exploit” attacks are quickly approaching phishing as the most-used cyber attack vector, with 34% of attacks leveraging vulnerabilities, compared to 41% of attacks leveraging phishing.
• Vulnerability exploit attacks grew 33% year over year in 2021 - the number of incidents that were caused by vulnerability exploitation this past year rose 33% from 2020, indicating this attack vector’s stronghold in threat actors’ arsenals.

Furthermore, the amount of time between disclosure of a new vulnerability and the start of active exploitation has been reduced to a matter of hours, leaving defenders with less time to react and respond.

GreyNoise Investigate - Real-Time Visibility and Blocking of Exploit Attacks

GreyNoise Investigate helps security analysts identify and respond to opportunistic “scan-and-exploit” attacks, providing context about the behavior and intent of IP addresses scanning the internet. Investigate allows security teams to:

• Quickly triage alerts based on malicious, benign, or targeted classifications
• Identify trending internet attacks targeting specific vulnerabilities and CVEs
• Block and hunt for IP addresses opportunistically attacking a specific vulnerability

With the release of Investigate 4.0, GreyNoise has created a new Trends page that helps security analysts identify and respond to internet attacks targeting specific vulnerabilities. This new page provides two key capabilities:

• Attack Trend Visibility - the Trends graph shows the number of IP addresses targeting a specific vulnerability or CVE over time. This unique visualization allows security teams to identify and prioritize internet threats based on how actively a vulnerability is being exploited in the wild.
• Dynamic IP lists - the new Trends page provides several ways for analysts to access a dynamic list of IP addresses actively scanning for a vulnerability in the past 24 hours. This data can be used to provide near-term protection by blocking attacks at the firewall or WAF, as well as providing indicators of compromise to use to hunt for potentially compromised systems.

Taken together, this new Trends functionality allows security teams to quickly understand if a vulnerability is relevant to their organization, and buys them the time they need to put security defenses in place.

GreyNoise Trends for Community Accounts

Note that GreyNoise continues to be committed to supporting the broader security community via our free Community plan, and this new GreyNoise Trends functionality is included. Community members will be able to subscribe to a single tag to export the Dynamic IP list.

In addition, for severe vulnerabilities with global impact, GreyNoise will selectively make the full functionality of the paid Trends page available to ANYONE who wants to take advantage of it, including both attack visibility and dynamic IP lists.

Try GreyNoise Trends For Yourself, And Tell Us What You Think

One important note about GreyNoise Trends - we’ve launched this new capability as Beta code for several reasons:

• Potential bugs and stability - We made the decision to build and launch this new capability after analyzing our experience during the Apache Log4j vulnerability event in late December. Over the past two months, our engineering team has been working hard to build out this new functionality. If you notice any issues or have questions about functionality, please do not hesitate to reach out to our team: support@greynoise.io
• Learning - We realize that we need to learn more about how analysts and others will use this new, never-before-seen functionality. We’ve made our best guess about how to package this functionality into our Community and Investigate plans, but we know there are things we don’t know.
• Roadmap - Finally, we have a number of ideas about where we think we should take this capability in the future, but we need your help and guidance to shape this direction. To this end, we hosted a “futures'' discussion at our 3rd Open Forum on March 17, 2022.

So please, sign up for a free GreyNoise Community account if you don’t already have one, try out GreyNoise Trends, and let us know what you think. And to get you started, here are a few interesting Trends pages to check out:

• Trends for Apache Log4j RCE Attempt
• Trends for Mirai
• Trends for EternalBlue
• Trends for GoogleBot

Andrew Morris got on a roll the other day and whacked out this tweetstorm describing the three key use cases for GreyNoise. You can check out the original Twitter thread here. Enjoy!

1. Improve SOC efficiency

Benign IPs

Let's say I get a wacky IDS alert or am seeing something strange in my logs. I'll look up the IP address in GreyNoise (either using our visualizer or our free community API.

I looked up the IP address and, oh wow! It's just Shodan! GreyNoise already marked it as benign. No big deal. Paste a link in your ticket to the GreyNoise visualizer and move on.

https://viz.greynoise.io/ip/71.6.135.131

Maybe I don't want to use the GreyNoise web interface. Let's say I look up the IP in the free unauthenticated GreyNoise Community API and... cool, reports back that it's Censys. No problemo. Move on.

Malicious IPs

Let's say I look up an IP address, and it comes back with this big scary red IP address that says "malicious." What does this mean?

https://viz.greynoise.io/ip/45.155.205.165

Well, this means that the IP is probably malicious (or was observed by GreyNoise doing something bad on our sensors), but whatever attack you're seeing is not targeted at *you specifically*. It was an opportunistic attack. Background noise.

Unknown IPs (to GreyNoise)

What if the IP address... doesn't come back at all?

This means that we've never seen that IP scanning/crawling the Internet, and it doesn't belong to any benign business services. It actually *might* be targeted your organization specifically. Investigate.

GreyNoise APIs

The GreyNoise Community API is rate limited to a few thousand lookups per day, but it's completely free and unauthenticated. As long as we continue to add enterprise customers and can afford to pay our staff and AWS bills, this will continue to be free.

Note that you don't get context, raw data, metadata, or tags using the Community API. Sorry folks, we've gotta make our money somewhere. This is available in our Enterprise API. If you want this data via API, hit up our sales team. But hey, it's free.

Fun fact: Just about every customer we have at GreyNoise sees at least a 20% alert contextualization/reduction rate from using GreyNoise. That's a LOT of wasted human hours spent chasing ghosts.

Analyze a List of IPs

Now let's say you've had an incident, and you need to figure out which of the gazillion IP addresses in some log file compromised your device.

No problemo. Just dump the log file (or just the IP addresses) into the GreyNoise analysis page, and now you can do two things:

1. Quickly filter out known good guys
2. If the situation warrants it, quickly identify opportunistic bad guys.

Here's an Analysis from an SSH auth.log I grabbed on a live server on the Internet.

~*~97.22% noise~*~

Filter Known-Benign Services (RIOT)

Let's say I'm trawling through a ton of netflow logs, and I want to identify any connections OUT of my network that might be going to bad guys.

I can filter known-benign services (Zoom, Github, Office365, Cloudflare, etc.). I can use GreyNoise RIOT for this.

*I'd like to note here that the IPs in RIOT *could potentially* be used by a sufficiently advanced adversary to attack you (async c2, etc.), but that doesn't mean that 99% of bad guys will be doing this, and it's not like you can just *BLOCK ZOOM* and not expect blowback.

Don't think of RIOT as a NACL or whitelist/allowlist. Think of RIOT as added context and a time-saver. You can either find out from GreyNoise via RIOT, or you can find out from your helpdesk reps when you block an IP and execs suddenly can't send emails anymore ¯\_(ツ)_/¯

2. Identify compromised devices

Let's say I want to find compromised devices that belong to ME, my users, or just some interesting network around the world.

Just punch in a GNQL query into the web interface of the IP block I'm interested in + the facet: "classification:malicious"

You can actually also find compromised devices in other facets as well. Here are examples of finding compromised devices in a specific country or using free text search to find compromised devices in hospitals or government facilities (or both):

You can use your FREE GreyNoise account to register alerts on any network block or IPs. Once you've registered your alerts, we email you if we see any of your IPs get compromised (e.g., unexpectedly start scanning the internet )

https://viz.greynoise.io/account/alerts

3. Emerging vulnerability exploitation

You can use GreyNoise to find whether a given vulnerability is being opportunistically exploited or "vuln checked" at scale. Simply craft a GNQL query for CVE.

https://viz.greynoise.io/query/cve:CVE-2021-3129

When a big scary vulnerability is announced, basically everyone has the exact same thought:

"How much do I **really** have to care about this? Is this... being exploited in the wild right now?"

GreyNoise is declaring war on this ambiguity.

You can also see *which* CVEs a given IP address is probing the internet for or opportunistically exploiting. This list is not exhaustive - it takes a lot of work to add coverage to these. This is what @ackmage @nathanqthai and @4b4c41 do.

Our Business Model

We have a long ways to go on properly productizing this offering. It's really hard to do at scale, and not every vulnerability can be exploited in a way that GreyNoise will ever see. That said, we'll be announcing some new offerings focusing on this use case later this year.

Our business model is pretty simple:

• Most viz stuff == free but rate limited
• Community API == free but rate limited
• GreyNoise in your SIEM/TIP/SOAR == paid

Expect a lot of this stuff to shift over the next few months/years as we find better ways to price/package our features.

That pretty much covers it.

Here are my asks to you:

• If you use GreyNoise's free products, get in touch with @SupriyaMaz and she'll hook you up with free swag
• If you work in SOC/TI or at an MSSP and want to hear about our commercial offering, ping sales@greynoise.io

And, of course, ping me anytime. I can't promise a snappy response, but I try to clear my inbox at least every few weeks (aspirational). My email is andrew@greynoise.io.

Oh, last thing. We tag like... hundreds of activities and actors and exploits and vuln probes and tools. Check them all out here (it's searchable, but the layout is pretty unwieldy considering how massive our tag library is now).

https://viz.greynoise.io/tags

Onward.

--Andrew

‍

Andrew Morris got on a roll the other day and whacked out this tweetstorm describing the three key use cases for GreyNoise. Enjoy!