Product

Product announcements, new feature launches, and roadmap updates — everything you need to stay current on evolving GreyNoise solutions.

New GreyNoise Integrations Enhance Detection and Response Capabilities in Google SecOps

GreyNoise is launching a new SIEM and SOAR integration — with improved dashboards, detection rules, playbooks, and webhook support

Your SIEM ingests everything. Every port scan, every crawl, every opportunistic spray across the internet. The problem isn't the collection — it's context. Which of those IPs are scanning everyone, and which ones are targeting you?

That's the question GreyNoise answers. We observe over 800,000 unique IPs daily across 5,000+ sensors in 80+ countries, classifying each as malicious, suspicious, benign, or unknown, and tagging them with 3,000+ behavioral descriptors. Traditional threat feeds add more indicators to investigate. GreyNoise removes the ones that don't matter.

Today, as a Google Integration partner, we're announcing a new and improved integration with Google SecOps that spans both SIEM and SOAR — delivering standardized indicator ingestion, pre-built dashboards, YARA-L detection rules, saved searches, SOAR response actions, webhook support, and ready-to-deploy playbooks.

What's New: SIEM

New Ingestion Script

The GreyNoise ingestion script now lives in Google's official Chronicle ingestion-scripts repository — a standardized process for importing threat intelligence indicators into your environment. Deployed as a Google Cloud Function, it pulls IP reputation data and GNQL query results from the GreyNoise API and ingests them via the Chronicle Ingestion API. The default configuration focuses on malicious IPs observed in the last 24 hours, but teams can customize the GNQL query to match their threat profile.

New Dashboards

Two interactive dashboards ship with the integration, ready to import into Google SecOps:

Indicator Dashboard — 15+ visualization panels covering classification distribution (Malicious, Suspicious, Benign, Unknown), top 10 rankings for organizations, actors, tags, ASNs, categories, operating systems, and source countries, plus CVE distribution, trend analysis, and business service intelligence.

GreyNoise Indicator Dashboard in Google SecOps

Correlation Dashboard — Shows IOC matches between GreyNoise intelligence and events from your environment, with geolocation mapping, event match trends, classification breakdowns, and top IP indicator rankings.

GreyNoise Correlation Dashboard in Google SecOps

Indicators broken down by classification

New YARA-L Detection Rules

Three ready-to-deploy rules that start correlating immediately:

  • IP Match — Detects events where a source or principal IP matches a malicious or suspicious GreyNoise indicator, correlating over a 1-hour window.
  • Inbound Network Traffic with ASN Context — High-severity rule monitoring firewall logs for permitted inbound connections from GreyNoise-flagged malicious IPs, enriched with ASN attribution.
  • Brute Force Attack Detection — High-severity rule flagging 5+ blocked login attempts from GreyNoise-flagged IPs within a 15-minute window.
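As an added illustration (not part of the Google SecOps integration and not one of its YARA-L rules), the Python below reproduces the logic of the Brute Force Attack Detection rule offline: it joins constructed firewall log lines against a small GreyNoise indicator table and alerts only when a malicious or suspicious IP has five or more blocked logins inside a sliding 15-minute window. The log format, field names, indicator table and addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the GreyNoise indicator table the SIEM ingestion
# would have loaded: IP -> classification.  Addresses are documentation ranges.
GREYNOISE_INDICATORS = {
    "203.0.113.7": "malicious",
    "198.51.100.9": "suspicious",
    "192.0.2.44": "benign",
}

# Constructed firewall log lines; the key=value layout is an assumption for
# the example, not a real vendor format.
FIREWALL_LOG = """\
2024-05-01T10:00:00Z src=203.0.113.7 action=BLOCK event=login
2024-05-01T10:02:00Z src=203.0.113.7 action=BLOCK event=login
2024-05-01T10:04:00Z src=203.0.113.7 action=BLOCK event=login
2024-05-01T10:05:00Z src=203.0.113.7 action=ALLOW event=login
2024-05-01T10:06:00Z src=203.0.113.7 action=BLOCK event=login
2024-05-01T10:08:00Z src=203.0.113.7 action=BLOCK event=login
2024-05-01T11:00:00Z src=198.51.100.9 action=BLOCK event=login
2024-05-01T11:10:00Z src=198.51.100.9 action=BLOCK event=login
2024-05-01T11:20:00Z src=198.51.100.9 action=BLOCK event=login
2024-05-01T11:30:00Z src=198.51.100.9 action=BLOCK event=login
2024-05-01T11:40:00Z src=198.51.100.9 action=BLOCK event=login
2024-05-01T12:00:00Z src=192.0.2.44 action=BLOCK event=login
2024-05-01T12:01:00Z src=192.0.2.44 action=BLOCK event=login
2024-05-01T12:02:00Z src=192.0.2.44 action=BLOCK event=login
2024-05-01T12:03:00Z src=192.0.2.44 action=BLOCK event=login
2024-05-01T12:04:00Z src=192.0.2.44 action=BLOCK event=login
2024-05-01T13:00:00Z src=198.51.100.200 action=BLOCK event=login
2024-05-01T13:01:00Z src=198.51.100.200 action=BLOCK event=login
2024-05-01T13:02:00Z src=198.51.100.200 action=BLOCK event=login
2024-05-01T13:03:00Z src=198.51.100.200 action=BLOCK event=login
2024-05-01T13:04:00Z src=198.51.100.200 action=BLOCK event=login
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) action=(?P<action>\S+) event=login$")
FLAGGED = {"malicious", "suspicious"}  # the classifications the rule keys on


def parse_log(text):
    """Turn the constructed log into (timestamp, source_ip, action) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login event in the expected layout; skip it
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["action"]))
    return events


def detect_brute_force(events, indicators, window=timedelta(minutes=15), threshold=5):
    """One alert per IP that is GreyNoise-flagged (malicious/suspicious) and has
    >= threshold blocked logins inside any window-sized span of time."""
    blocked = defaultdict(list)
    for ts, src, action in events:
        if action != "BLOCK" or indicators.get(src) not in FLAGGED:
            continue  # allowed logins, benign IPs and unseen IPs never count
        blocked[src].append(ts)

    alerts = []
    for src, times in blocked.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "ip": src,
                    "classification": indicators[src],
                    "count": end - start + 1,
                    "first_seen": times[start],
                    "last_seen": times[end],
                })
                break  # one alert per IP per run, like the SIEM rule
    return alerts


def run():
    return detect_brute_force(parse_log(FIREWALL_LOG), GREYNOISE_INDICATORS)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only 203.0.113.7 fires: five blocks in eight minutes, with the ALLOW in between ignored. The suspicious IP spreads five blocks over forty minutes and never has five inside one window, and the benign IP is excluded no matter how noisy it is. The rule is also silent about 198.51.100.200, an IP GreyNoise has never seen, which is exactly where targeted activity hides; pair this rule with a search for blocked logins from IPs that carry no GreyNoise classification at all rather than treating that silence as safe.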

New Saved Searches

Four pre-built UDM queries for investigation workflows:

  • IP Risk & Vulnerability Details — Classification, anonymization signals, CVEs, and activity timelines
  • Indicator Context Summary — Actor attribution, geographic details, organizations, and tags
  • High Risk Indicators — Filters for MALICIOUS or SUSPICIOUS classifications only
  • All Indicator Lookup — Browse all ingested GreyNoise indicators for ad-hoc investigation

IOC Geolocation Overview — mapping matched indicators globally

What's New: SOAR

Updated Response Actions (v7.0)

The GreyNoise SOAR response integration has been updated to version 7.0 with the full suite of actions:

  • IP Lookup: full enrichment (classification, tags, metadata)
  • Quick IP Lookup: fast context check on any IP
  • IP Timeline Lookup: historical view of scanning behavior over time
  • Execute GNQL Query: run arbitrary GreyNoise queries within a playbook
  • Get CVE Details: vulnerability context from exploitation activity
  • Ping: validate API connectivity

New Webhook Support

A major addition: webhook support for ingesting GreyNoise alerts and event feeds directly into Google SecOps SOAR. Three webhook types are now available:

  • Alert Webhook — Ingests IP, CVE, TAG, and GNQL Query alerts
  • IP Change Webhook — Tracks classification changes in real time
  • CVE/Tag Webhook — Monitors CVE spikes, status changes, vendor activity, and tag spikes

New SOAR Playbooks

Pre-built playbooks ship with the integration, providing ready-made automation workflows that teams can deploy or customize. Combined with the webhook connectors and the Generate Alert from GreyNoise GNQL connector, security teams can build end-to-end automated triage pipelines.

On-demand IP Lookup 

How It Works Together

The SIEM and SOAR components work as a unified pipeline:

  1. Ingest — The SIEM integration continuously pulls GreyNoise indicators into Google SecOps with fresh scanner data.
  2. Detect — YARA-L detection rules flag events that correlate with known scanners. Dashboards provide visual context.
  3. Investigate — Saved searches surface IP risk details, actor attribution, and CVE context without writing queries.
  4. Respond — SOAR playbooks enrich flagged IPs automatically. Mass scanners get deprioritized. Targeted activity escalates for review.

Webhooks close the loop by pushing GreyNoise alerts — including classification changes and CVE spikes — directly into SOAR for immediate action.

Who Has Access

This integration is available to any joint Google SecOps customer with a GreyNoise API key. No additional licensing required — just configure and go.

Learn More and Get Started

Ready to bring GreyNoise intelligence into your Google SecOps environment? Learn more here:


Splunk and GreyNoise Integration: Discovering Hidden Insights through Feeds and Dashboards

If you’ve ever seen a GreyNoise presentation by me, it’s more than likely at some point I will pull up my Splunk instance to show what I would consider to be a few clever dashboards and searches. Apart from the impromptu searches that I may write (which may not be great), there’s some powerful and practical ways you can leverage GreyNoise data inside your Splunk environment right now.

Feeds

With the latest version of the GreyNoise app for Splunk (v2.2.0), you can now keep the last 24 hours of GreyNoise data local to your Splunk instance with feeds, which makes it easier than ever to filter noise out of large datasets. Instead of relying on per-IP API lookups, the data can be referenced locally first to remove opportunistic and benign IPs quickly when hunting through your data.

Filtering web logs down to client IPs that GreyNoise has not classified as benign (IPs absent from the feed pass through as well, since the lookup leaves their classification field unset): index=main sourcetype=access_combined | lookup greynoise_indicators.csv ip as clientip | search NOT classification=benign

Dashboards

A good dashboard can turn a bad day into a great one.

I always joke that data isn’t real until it’s displayed on a map, but there's some truth to it! Having a quick overview of your data visually makes it easier to piece together an understanding of the scan activity landscape.

Using custom commands you can pull out the internet traffic you can safely and confidently ignore (things we classify as ‘benign’ or IPs from the RIOT dataset) and the particular pieces of information you may want to investigate further. Everything left over will include the IPs that are not in GreyNoise, which could indicate more targeted activity, and the IPs we classify as ‘unknown’.

You can find more information about our classifications and how to apply GreyNoise data to your analysis in our documentation: https://docs.greynoise.io/docs/applying-greynoise-data-to-your-analysis

Paired with firewall data imported into Splunk, GreyNoise data in a dashboard can show which vulnerabilities ‘unknown’ IPs are specifically looking for. Combining this knowledge with your current vulnerability scans can help you quickly identify whether someone is interested in vulnerabilities specific to your attack surface.

Using GreyNoise with firewall data to build a dashboard to find potentially targeted activity as well as provide details for how IP addresses are operating.

Known Good

We talk a lot about filtering out opportunistic traffic, and enriching data based on GreyNoise but let’s not sleep on the RIOT dataset. If you’re not familiar with RIOT it’s a collection of ~50 million IP addresses that are associated with common business services.

What does this let you do with your data in Splunk? There are a lot of ways people are applying this dataset in their searches and hunting. Ryan Kovar wrote a great blog post about using wire data with Splunk (https://www.splunk.com/en_us/blog/security/wire-data-huh-what-is-it-good-for-absolutely-everything-say-it-again-now.html), and while legitimate services can be abused (Hello T1567!) they can also make up a significant portion of the traffic being searched. RIOT makes it easy to do a first pass and remove outbound traffic to those services, which makes it easier to find the potentially interesting traffic.

Using RIOT to summarize outbound network activity using Squid proxy data: index=main source=squid:access | gnriot ip_field=src | rename greynoise_name as organization | stats count by organization
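To make the two searches above concrete without a Splunk instance, here is an added Python example (not the GreyNoise app's own code) that does the same first pass locally: it parses a constructed stand-in for the greynoise_indicators.csv lookup and a constructed RIOT table, drops benign and RIOT traffic from constructed access_combined lines, summarizes the dropped RIOT traffic by organization, and then counts the paths requested by what is left: IPs GreyNoise classifies as unknown and IPs GreyNoise has not seen at all. The lookup columns, the RIOT table and the log lines are assumptions for the example.

```python
import csv
import io
import re
from collections import Counter

# Constructed stand-in for the greynoise_indicators.csv lookup kept locally by
# the feed; the column set is an assumption.  Addresses are documentation ranges.
INDICATOR_CSV = """\
ip,classification,name
203.0.113.7,malicious,unknown
198.51.100.9,unknown,unknown
192.0.2.44,benign,Censys
"""

# Constructed stand-in for a RIOT lookup: IP -> common business service.
RIOT = {
    "192.0.2.10": "Microsoft Azure",
    "192.0.2.11": "Google Cloud",
}

# Constructed access_combined lines (the Splunk sourcetype used above).
ACCESS_LOG = """\
203.0.113.7 - - [01/May/2024:10:00:00 +0000] "GET /.env HTTP/1.1" 404 153
192.0.2.44 - - [01/May/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 1024
198.51.100.9 - - [01/May/2024:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 404 153
198.51.100.200 - - [01/May/2024:10:00:12 +0000] "GET /admin/config.php HTTP/1.1" 404 153
192.0.2.10 - - [01/May/2024:10:00:15 +0000] "GET /healthz HTTP/1.1" 200 2
203.0.113.7 - - [01/May/2024:10:00:20 +0000] "GET /phpinfo.php HTTP/1.1" 404 153
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def load_indicators(csv_text):
    """Equivalent of the lookup table: ip -> row (classification, name)."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def triage(log_text, indicators, riot):
    """Bucket each request by what GreyNoise knows about the client IP.
    'drop_*' buckets are the noise the searches above remove first."""
    buckets = {
        "drop_benign": [], "drop_riot": [],
        "malicious": [], "suspicious": [], "unknown": [],
        "not_in_greynoise": [],
    }
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than misattribute it
        ip, path = m["ip"], m["path"]
        if ip in riot:
            buckets["drop_riot"].append((ip, path))
            continue
        row = indicators.get(ip)
        if row is None:
            # the lookup has no row: the NOT classification=benign filter keeps these
            buckets["not_in_greynoise"].append((ip, path))
            continue
        cls = row["classification"]
        if cls == "benign":
            buckets["drop_benign"].append((ip, path))
        else:
            buckets.setdefault(cls, []).append((ip, path))
    return buckets


def riot_summary(buckets, riot):
    """Same shape as '| stats count by organization' over the RIOT-matched traffic."""
    return Counter(riot[ip] for ip, _path in buckets["drop_riot"])


def paths_worth_a_look(buckets):
    """Paths requested by IPs GreyNoise has not seen or classifies as unknown:
    the set to compare against your own attack surface and vulnerability scans."""
    counts = Counter()
    for key in ("not_in_greynoise", "unknown"):
        for _ip, path in buckets[key]:
            counts[path] += 1
    return counts


if __name__ == "__main__":
    b = triage(ACCESS_LOG, load_indicators(INDICATOR_CSV), RIOT)
    print({k: len(v) for k, v in b.items()})
    print(riot_summary(b, RIOT))
    print(paths_worth_a_look(b))
```

Two requests come from a known malicious scanner (worth a tag lookup, rarely worth an analyst's time), one each from a benign scanner and a RIOT service (dropped), and the remaining two, for /wp-login.php and /admin/config.php, come from an unknown-classified IP and an IP GreyNoise has never observed. Those two paths are the ones to check against what actually runs on your perimeter.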

More on our RIOT dataset here: https://docs.greynoise.io/docs/riot-data

Learn More About GreyNoise + Splunk

If you find this information useful then join me on June 15th for a live webinar where I’ll cover the Splunk integration in detail.

GreyNoise Round Up: Product Updates - May 2023

May brought more product enhancements to user workflows and data coverage… and of course, more interesting tags! Twenty-four, to be exact, as we continue to improve our product to help our customers monitor emerging threats and identify benign actors. We extended our sensor coverage to Ghana, and we made some helpful improvements to our bulk analysis, RIOT dataset, and APIs.

Improvement to Bulk Analysis: Export Unknown IPs

The Bulk Analysis function in the GreyNoise Visualizer has been improved so that users can now export unidentified IPs via CSV and JSON.  

This improvement helps analysts more easily identify the ‘interesting’ IPs in a bulk dataset they are analyzing: IPs that GreyNoise identifies are known common scanners or common business services, while IPs that are unknown to GreyNoise could represent a targeted threat or something that requires additional investigation.

To access this feature, go to the GreyNoise Analysis page and analyze a file or dataset containing IP addresses.

Improvements to Destination Metadata: Sensor Hits

Two fields have been added to the metadata returned via Bulk Data, IP Context API, and GNQL API that will help users determine baselines or rates of activity:

  • metadata.sensor_hits is the amount of unique data the sensor has recorded from the queried IP.
  • metadata.sensor_count is the number of our sensors from which the IP address or behavior has been observed.

RIOT: Qualys Scanner IPs added

We are now tracking Qualys scanner IP addresses in our RIOT database of common business services, so that customers can whitelist this activity (should they wish to) or contextualize this activity when seen in their security logs.

RIOT identifies IPs from known benign services and organizations that commonly cause false positives in network security and threat intelligence products. The collection of IPs in RIOT is continually curated and verified to provide accurate results.

New and Updated Integrations

Splunk Improvements: High Volume Enrichment, IP Similarity and IP Timeline Support

The GreyNoise App for Splunk has been updated to include a new Feed component, which allows users to ingest the GreyNoise indicator feed into Splunk for high-volume log enrichment. Additionally, new dashboards and commands have been added to support the IP Similarity and IP Timeline tools. Learn More

ThreatQ Improvements: New Actions for ThreatQ Orchestrator

ThreatQ has released new GreyNoise Actions for the Orchestrator platform which allow for IP Similarity, RIOT and Quick lookups against the GreyNoise API. These updates can be downloaded from the ThreatQ Marketplace.  Learn More

Tags Coverage Enhancements

In May, GreyNoise added 24 new tags:

  • 20 malicious activity tags
  • 3 benign actor tags
  • 1 unknown tag

All GreyNoise users can monitor scanning activity we’ve seen for a tag by creating an alert informing them of any new IPs scanning for tags they are interested in.

Notable Security Research and Detection Engineering Blogs:

KEV'd: CVE-2021-45046, CVE-2023-21839, and CVE-2023-1389

On Monday, May 1, 2023, CISA added CVE-2021-45046, CVE-2023-21839, and CVE-2023-1389 to the Known Exploited Vulnerabilities (KEV) list.  For all three CVEs, GreyNoise users had visibility into which IPs were attempting mass exploitation prior to their addition to the KEV list. GreyNoise tags allow organizations to monitor and prioritize the handling of alerts regarding benign and, in this case, malicious IPs.

Trinity Cyber + GreyNoise: Sharing Intelligence to Protect Internet Citizens

At GreyNoise we recognize the value of partnership and intelligence sharing when it comes to protecting internet citizens. Today the GreyNoise Labs team wants to give a shoutout to Trinity Cyber.

Progress’ MOVEit Transfer Critical Vulnerability: CVE-2023-34362

On May 31st, 2023 Progress issued a security notice to users of MOVEit Transfer regarding a vulnerability that allows for escalated privileges and potential unauthorized access to the environment. CVE-2023-34362 was assigned to this vulnerability on June 2, 2023.

Sensor Coverage Enhancements: Ghana

We’ve added sensor coverage in Ghana.

You can view which IPs are seen scanning sensors in certain countries from our IP details page, or use `destination_country:"<country_name>"` in GNQL to find IPs that have hit those regions. Destination country search is available in all commercial plans for GreyNoise and to our community VIP users.

Start for Free

GreyNoise Round Up: Product Updates - April 2023

GreyNoise added a number of exciting updates in April, including 20 new tags for users to monitor emerging vulnerabilities and threats, and identify benign actors. We’ve also added integration updates to support our new IP Similarity and Timeline features, and enhancements to the IP Similarity capability to improve accuracy and give users a summary view to easily understand similar IP infrastructure.

IP Similarity Enhancements 

New IP Similarity Summary View

GreyNoise IP Similarity Summary View

We’ve enhanced our IP Similarity feature with a summary view that breaks down the high level summary of what fields we found similar in our dataset, and allows customers to quickly scan for common fields and tags.  IP Similarity is available to paying customers and to our community VIP users: start a trial* today to explore or learn more about this feature.

IP Similarity Model Updates

We've updated the algorithm used by our IP Similarity to improve accuracy through several changes. Feature vectors are scaled and normalized to increase the distance between low and high information numbers, resulting in lower similarity scores. Bugs related to tokenizing user agent and web path strings were fixed, and options like 'unknown' and certain domain names were excluded. Values for webpath, rDNS, OS, and ports were adjusted, resulting in a feature vector with 693 items. Lastly, the minimum info threshold was raised to help improve accuracy of results.

IP Timeline Enhancements 

GreyNoise IP Timeline Enhancements

90 Days of IP Timeline Data Now Available

We’ve enhanced our IP timeline feature to store up to 90 days of IP history data (previously, we provided up to 60 days of data) to enable customers to better understand historical IP activity when threat hunting or performing incident response.  IP Timeline is available to paying customers and to our community VIP users: start a trial* today to explore or learn more about this feature.

New and Updated Integrations

Integration Update: Anomali ThreatStream Enrichment

GreyNoise Similarity Intel

We updated our Anomali ThreatStream Enrichment to include our IP Similarity and IP Timeline features. From the context of an observable, customers can now see all details GreyNoise knows, plus view similar IPs and the timeline of observed activity. Learn More

New Integration: Anomali ThreatStream Malicious IP Feed

Our Malicious IP Feed is now available on the Anomali ThreatStream marketplace. Customers can now easily subscribe to the feed and get a daily update of malicious IPs that GreyNoise observed scanning the internet in the last 24 hours. Learn More

Integration Update: Splunk SOAR

We updated our Splunk SOAR integration to introduce two new commands: "similar noise ips" and "noise ip timeline". These commands pull data from the GreyNoise IP Similarity and IP Timeline features and allow customers to bring that context into Splunk SOAR for an analyst to use during an investigation.  Learn More

Integration Update: Maltego

We updated our Maltego Enterprise transform set to include a new Transform that allows for users to query for Similar IPs.  This leverages the new IP Similarity tool, and allows for Maltego users to bring similar IPs into their graph for additional research and correlation within Maltego.  Learn More

Integration Update: GreyNoise SDK

The GreyNoise SDK has been updated to include both CLI and API based commands to interact with the new IP Timeline and IP Similarity APIs. Learn More

Tags Coverage Enhancements

In the month of April, GreyNoise added 20 new tags:

  • 10 malicious activity tags
  • 6 benign actor tags
  • 4 unknown activity tags

All GreyNoise users can monitor scanning activity we’ve seen for a tag by creating an alert that will inform them of any new IPs scanning for tags they are interested in.

Notable Security Research and Detection Engineering Blogs:

Change in ENV Crawler Tags as Bots Continue to Target Environment Files

On Tuesday, April 25, 2023, GreyNoise changed how we classify environment file crawlers from unknown intent to malicious intent. At the time of publication, this change resulted in the reclassification of over 11,000 IPs as malicious. Users who block IPs based on GreyNoise’s malicious classification will see an increase in blocked IPs.

Active Exploitation Attempts (CVE-2023-1389) Against TP-Link Archer Gigabit Internet Routers

In collaboration with our partner Trinity Cyber, GreyNoise has a new tag for scan traffic related to CVE-2023-1389, a pre-auth command injection weakness in TP-Link Archer routers.

New Vulnerability: PaperCut MF/NG

On Friday, April 21, 2023, CISA added CVE-2023-27350 (a critical unauthenticated remote code execution vulnerability) impacting PaperCut MF and PaperCut NG to the Known Exploited Vulnerabilities (KEV) list.  PaperCut MF and PaperCut NG are both enterprise printer management software. 

A Trio of Tags For Identifying Microsoft Message Queue Scanners And Exploiters Live Now - QueueJumper (CVE-2023-21554)

Check Point Research discovered three vulnerabilities in Microsoft Message Queuing (MSMQ) service, patched in April's Patch Tuesday update. The most severe, QueueJumper (CVE-2023-21554), is a critical vulnerability allowing unauthenticated remote code execution. GreyNoise has a tag, classified as malicious, for the full QueueJumper RCE Attempt.

Sensor Coverage Enhancements

GreyNoise Sensor Coverage Enhancements

We’ve added additional sensor coverage for the following countries:

Destination country search is available in all commercial plans for GreyNoise and to our community VIP users. Start a trial* today to explore destination data.

Search Enhancements

GreyNoise Search Enhancements

The GNQL cheat sheet is now available in the search bar.  Want to learn more about how to effectively use GNQL? Review the cheat sheet for some helpful examples around syntax and available fields to use in search.

(*To begin your GreyNoise Enterprise Trial, sign-in to your account or sign-up for a free account, then go to your account details page and select "Start Trial".)
Get Started With GreyNoise for Free

Work Smarter, Not Harder: How to Upgrade Your Threat Intel Program in 2023

Cyber threats are constantly evolving, and organizations need to stay on top of the latest techniques and tools to protect themselves against attacks. One of the most critical aspects of this is having an effective threat intel program in place. But how do you upgrade your program to keep up with the ever-changing threat landscape? Our answer: start looking for patterns in attack telemetry.

David Bianco’s ‘Pyramid of Pain’ illustrates the relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them. Organizations can better identify and defend against threats by moving from simple indicators like domains, hashes, and IPs to focusing on more difficult to change indicators such as TTPs. While gaining this additional insight can take more time, defenders can do more to detect and prevent future attacks.

The Pyramid of Pain | Source: David Bianco

GreyNoise data is awesome, but in order to move from IPs -> TTPs, we have built new features to help you upgrade your Threat Intel program (thanks to the Pyramid of Pain)!

IP Similarity

It is now easier than ever to fingerprint attacker infrastructure. This new feature clusters activity based on similar behavior, such as shared HASSH and JA3 fingerprints, rDNS, user agents, and ports scanned. Based on the results from IP Similarity, you can hunt within your own network to proactively find other related malicious activity.

GreyNoise IP Similarity Dashboard comparing HASSH Fingerprints of two IPs 71.6.199[.]23 and 89.248.172[.]16


IP Timeline

The IP Timeline displays the activity of a particular IP address, as seen by GreyNoise sensors, over the past thirty days. By checking the timeline graph, you can see when an IP interacts with our sensors. This chronological data helps CTI teams identify whether an attacker is using an automated process or whether the scan/attack process is manual.

GreyNoise IP Timeline view for 41.65.223[.]220

Understanding how adversaries operate and adopting a defined strategy to detect and remediate can lead to a more effective threat intelligence program. GreyNoise can be used to easily enrich threat feeds to gain deeper insight into how attacker infrastructure is being used and quickly understand what services, devices, and vulnerabilities they want to leverage as part of their campaign.

If you are interested in learning more about any of these new features, request a demo.


Feature Preview: April Fools - The Making of GhostieBot

Co-authors: Austin Price and Jen Dooley

Introducing GhostieBot

For April Fools this year, the GreyNoise team created GhostieBot, an Artificial Unintelligence bot serving you all the answers you didn’t need. 

We had a lot of fun creating it and thought it was a good example of the ideation, design, development, and release process at GreyNoise. Here we hope to walk you through that process so you can understand a little better how we work.

The Process

Ideation

We knew we wanted to have a fun April Fools joke this year, but everyone was already working on a ton of projects to make GreyNoise a more useful product. We decided to take a group of volunteers and just grab an hour here or there to work the problem.

GreyNoise April Fools Tributes

Our first stop was a Figma brainstorming session. Just set up some space for everyone to jot down ideas, start a 5-10 minute timer, play some smooth jazz, and go to work.

Brainstorming

After all our ideas were gathered, we discussed them and added +1s to the ideas we liked. Since the world has been taken over by chatbots and large language models, we ultimately ended up with a GreyNoise chatbot that we could use to make jokes and expose some of the other ideas from the brainstorming session that weren’t big enough for their own show. Though you never know, the Internet Weather Report from the brainstorming session might pop up sometime…

Mocks

Next up, we had to create some mocks for what we wanted the GhostieBot interface to look like. Chatbots and messaging interfaces, in general, have some pretty established patterns. To keep things as simple and quick as possible, we leaned heavily on our design system and went with a standard chat/messaging layout. There were a few new elements in the design, like the message bubbles and Ghostie avatar, that we needed to create. We also needed to make sure it was responsive and handled small and large screens well. Altogether, these were pretty simple items, and we were able to have the finished mockups ready in under an hour.

Sourcing Responses

Since our chatbot is not a real chatbot, we had to actually come up with the responses we wanted, arguably a tougher task than creating a real chatbot. Luckily, we have a ton of nerds on staff who like terrible jokes. After spinning up a quick Notion page, we were able to crowdsource some ideas.

Bad joke central

Making it real

Now it is time to make it all real; we took the mock-ups, created a new page, and started building. We compiled the list of questions and properly formatted them for display. Then built out the basic structure of a chat interface; once that was set up, we added a few nice to haves:

  • “Enter” to submit instead of having to click “Submit”
  • Scroll offscreen gradient to add visual cues
  • Improved message timing so it felt like you were actually chatting with someone instead of instant replies.
  • “Ghosty is typing…” message based on response length

Once the interface was completed, we hid the Chat behind a feature flag as well as set a date window for the chat to be available to the public. This allowed us to test the chat before it went live.

And while we went with a more informative page for 127.0.0.1, y’all almost ended up with:

Alternate GreyNoise Localhost Details

Recap

We had a ton of fun putting this all together, and we hope you enjoyed it too. To keep in touch with GreyNoise as we figure out how to build an amazing product for the cyber security community, sign up for a free account (https://viz.greynoise.io/signup), join our Slack community (greynoiseintel.slack.com) and follow us on Twitter https://twitter.com/GreyNoiseIO. We also have a couple of positions open (https://www.greynoise.io/careers#Current-Openings).


GreyNoise Voluntary Product Accessibility Template

At GreyNoise, we're excited to announce that our Voluntary Product Accessibility Template (VPAT) is now available. We believe that everyone should have equal access to our product and service, regardless of their disabilities or abilities. By providing a document that evaluates our product's accessibility for people with disabilities, we are taking a step forward in ensuring that our product meets the needs of all users. We are committed to creating an environment that is inclusive and accessible to everyone, and we believe that our VPAT is an essential part of this initiative.

What is a VPAT?

VPAT stands for Voluntary Product Accessibility Template, which is a document that outlines how accessible a product or service is to individuals with disabilities. It provides information on how well the product or service conforms to the Web Content Accessibility Guidelines (WCAG) and other accessibility standards. It's an important tool for ensuring that everyone, regardless of their abilities, can use and benefit from our product and service.

What does a VPAT contain?

A VPAT is a detailed report on how well a product or service conforms to accessibility guidelines such as Section 508 of the Rehabilitation Act in the United States. It typically contains information on the product's conformance to accessibility standards, including how it complies with various criteria related to accessibility, such as keyboard accessibility, color contrast, and assistive technology compatibility. Additionally, the VPAT provides details on any known limitations or barriers that may exist for users with disabilities and any plans for future development or improvement.

Why is a VPAT important?

Accessibility is a fundamental human right, and it's crucial that our product and service are designed with everyone in mind. People with disabilities make up a significant portion of the population and deserve equal access to information and services. A VPAT is a valuable tool for organizations to demonstrate their commitment to creating and providing accessible products and services, as well as fulfilling legal obligations. By completing a VPAT, we're ensuring that GreyNoise is accessible to as many people as possible.

Why is accessibility important?

Accessibility is important because it ensures that everyone, regardless of their abilities or disabilities, can access and use our platform. In the United States, approximately 61 million adults have a disability*, representing a significant portion of the population. By making our platform accessible, we're opening up our product and service to a much broader audience, leading to increased engagement, more meaningful interactions, and, ultimately, better outcomes for everyone.

In addition, accessibility can lead to better user experiences. People with disabilities may face significant challenges when accessing websites or online tools not designed with their needs in mind. By making our platform accessible, we're reducing these barriers and making it easier for everyone to use our product and service. 

What's next for GreyNoise's accessibility efforts?

At GreyNoise, we're committed to continuous improvement. We're constantly looking for ways to make our platform more accessible and inclusive. In addition to providing a VPAT, we're also working on other accessibility initiatives, such as improving our keyboard navigation, adding alternative text to images, and ensuring that we meet accessibility standards.

We believe that accessibility is an essential part of our platform, and we're committed to making our tools and services accessible to everyone. By providing a VPAT, we demonstrate our commitment to accessibility and inclusivity, which can lead to a better experience and outcomes for everyone. We look forward to continuing our accessibility efforts and making GreyNoise a platform everyone can use and enjoy. 

Reference:

*https://www.inclusivecitymaker.com/disability-statistics-in-the-us/

https://www.section508.gov/sell/vpat/


7 benefits of a GreyNoise paid plan

(And when you should stick with our free version)

Giving back to the cyber security community will always be a key part of the GreyNoise mission, so our free plan isn’t going anywhere. 

But there are a lot of benefits to a paid plan that may not be immediately obvious (benefits other than subsidizing Andrew’s tweets). Let’s dig into the top 7 reasons you should upgrade, and when a paid plan might not be a good fit for you. 

Increased Search limits

The most obvious reason for a user to upgrade from free to paid is the expanded Search limits. Search is at the core of our product: it’s the first thing users see when they land on our visualizer and the primary way most users interact with GreyNoise. Asking GreyNoise for data on an IP, a CVE, a tag, or a trend all counts as a Search.

The Free limits are designed for hobbyists, independent users, or for someone who is just starting to explore the GreyNoise ecosystem. They aren’t high enough to tap into automation or large scale data enrichment. So if you’re a team who wants to save time by throwing out all the hay to get to the needles faster, a paid plan will give you the volume you need. 

Increased limits on alerts and dynamic blocklists

In addition to Search, all paid customers get increased limits for alerts and dynamic blocklists - the other two features that make up the core of the GreyNoise product. 

Alerts let you configure an email notification that will trigger anytime the response to a GreyNoise Query Language (GNQL) query changes. Use them to identify compromised devices on your network (or a vendor or third party supplier’s network), or get a heads up when attackers start exploiting a vulnerability in the wild. 

Dynamic blocklists give you a full list of IPs associated with a GreyNoise tag. The list is updated hourly, and can be plugged directly into your next gen firewall to keep your perimeter safe. When the next Log4j happens, you can use a dynamic blocklist to buy your team needed time to patch. 

A more robust API with full IP context

The Community API has one endpoint: it takes an IP and returns a simple response with some basic information about that IP. Is the IP in the GreyNoise Noise or RIOT datasets? What is its classification? And a link to the visualizer.

For some teams this is enough. But for teams that are stretched thin and need comprehensive answers fast, that rely on automation to make their lives easier, or that want to run more complex queries (like pulling back a list of IPs tagged with a specific CVE), access to our Enterprise API is a must. 

Our Enterprise API has 16 endpoints. Enterprise API users can: 

  • Get abbreviated IP info or full context (on up to 1,000 IPs in a single request)
  • Run full GNQL queries 
  • Get tag metadata
  • Check an IP against our RIOT dataset (a list of IPs known to be associated with common vendors)
  • Access our IP Similarity endpoints 
  • Access our IP Timeline endpoints

A full list of our Enterprise API endpoints

An example of a full context response, the response for this IP is 132 lines and includes full metadata, ports scanned, web paths and user agents, and fingerprints.

More integrations, and expanded integration options

We have 31 integrations that support using a Community API key. But these integrations are limited by what the Community API can return, so if you need full context on the IP (which most users do) you'll have to click into the Visualizer to get a full picture.

Full-context integrations with some of the most popular security tools, like Splunk, QRadar, Logstash, and Recorded Future, are available to paid customers. You’ll also want the higher Search limits that come with our paid plans to get the most out of these integrations and automate more of your work.

For a full list of integrations check out the GreyNoise docs.

Exclusive paid features

While limited access to the core GreyNoise features will always be available to free users, there are a handful of features that are only available to Paid customers, with more being added this year. These features can be used for enhanced enrichment, threat hunting, and protecting your perimeter from mass exploitation. 

Premium data fields

Premium data fields like our IP Destination fields tell users even more about what an IP is doing on the internet, and open up new Search queries. IP Destination specifically tells users which countries our sensors observed an IP scanning, and lets users narrow their searches down to geo-targeted traffic. All paid plans come with IP Destination. 

Export

Getting data out of the visualizer (or accessing full context in the API) is restricted to paying customers. You can export GNQL search results or analysis results to a CSV or JSON file. 

IP Timeline

IP Timeline lets security analysts and threat hunters look back at an IP’s behavior over time. Answer the question, “what was this IP doing 7 days ago?” Useful if you find an IP in your logs and want to know what it was doing the day it hit your system. 

Use our IP Timeline feature to understand how an IP’s behavior changes over time. 

IP Similarity

IP Similarity helps users identify potential actors and infrastructure associated with an IP you’re investigating. All users can see how many IPs GreyNoise has identified as similar to a given IP, but only paying customers can access the list of similar IPs and a breakdown of the factors that determine similarity. 

Use our IP Similarity feature to identify potential actors or infrastructure amongst internet scan data.

Feeds

Feeds are a useful way to enrich your existing data without blowing up your Search limit, or to narrow down a search into a big dataset. 

Enterprise support

Paying customers get direct access to our Customer Success team who have a deep knowledge of the GreyNoise product, integrations, and customer use cases. While we will always do our best to support all of our users, our Customer Success team goes above and beyond for our customers with onboarding, training sessions, and quarterly check-ins.

Convenience

One of the most important benefits of a paid plan is convenience, and our best customers understand this. You’re strapped for time. You’re trying to keep up with changing tactics from the bad guys, training and hiring good analysts, and the latest demands from the rest of your org. Any time you can save has real value. 

GreyNoise has proven time and time again that we save our paying customers time and generate a significant ROI.

Upgrade to a paid plan if…

There’s a lot of value unlocked when you move from a Free GreyNoise account to one of our paid plans. You probably want to upgrade if you fit into one or more of these buckets.

  • You have a mid-size or large team heavily leveraging the visualizer for manual alert triage 
  • You want to build automations or enrichments leveraging GreyNoise data into your workflows
  • You’re using Splunk, QRadar, Panther or one of the other tools supported by our paid integrations
  • You want an easy way to monitor large blocks of IP space for malicious behavior
  • You want to block IPs scanning for emerging threats from touching your perimeter entirely
  • You are doing advanced threat hunting 
  • You want to leverage GreyNoise data in your product or service
  • You need enterprise support
  • You value saving your analysts time anywhere you can

A GreyNoise paid plan isn’t necessary for everyone, we get that. Don’t worry about a paid plan right now if you fit into one of these buckets:

Your team has a manageable number of alerts

Look, if you’re a team of 1 or 2 analysts, and you can easily handle all of the perimeter-related alerts in your SIEM then you’re probably not going to get a ton of benefit from a GreyNoise subscription right now. You can always create a free account, and use it as needed when you have questions about a strange IP or hot, new CVE. 

You outsource your security program

If most or all of your security program is managed by MSSP/MDR partners, they can leverage GreyNoise on your behalf to provide you a better service more cost-efficiently. Some of our rockstar MSSP/MDR partners include:

You’re a student, academic, or independent researcher

If you’re a student, academic, or an independent researcher using GreyNoise for non-commercial purposes then you may actually qualify for our VIP program. VIP users get access to all of the same features and benefits as paying customers, at no cost. 

Check out our pricing to learn more

In the end it’s up to you. GreyNoise isn’t going to be a good fit for everyone, and that’s okay. You can always use GreyNoise for free, and reach out later when your security team has grown. But if these benefits resonated with you, then consider reaching out to our sales team. They’re here to help, not be pushy, and know a ton about GreyNoise. 

Introducing IP Timeline

When you run across an unknown IP address in your logs, the first move might be to check its reputation through a number of services. That check is useful for the immediate task at hand, but what if you could see not only reputation reports but also, at a granular level, when and what caused that reputation? That’s where GreyNoise comes in. 

Alongside the common fields of a GreyNoise IP address page in the Visualizer (which include relevant DNS information, destination sites, and other data), GreyNoise now has a feature called the IP Timeline. The IP Timeline displays the activity of a particular IP address, as seen by GreyNoise sensors, over the past thirty days. Let’s take a look at an IP address and explore this tool further.

Getting Started – IP address page

When an IP address is entered into the GreyNoise search box, if GreyNoise has observed scan activity from the IP, you will receive an IP Address page detailing data and related tags:

In this example (IP address 41.65.223.220), an opportunistic scanner appears to be crawling for SMBv1 endpoints and trying to brute force MSSQL servers.

Within the fields displayed are which ports this address scans, any associated fingerprints and what kinds of web requests the IP is known to make. In this case, GreyNoise does not have a lot of fingerprint and request data. So, how can we know for sure that this IP address is still active and malicious?

This is where the IP Timeline feature comes into play.  Next to the summary of the IP address, there’s a tab labeled ‘timeline’.  Let’s click that and see what we find:

Voila!  The page has gone from an overview of the IP address to discrete data points showing when, exactly, GreyNoise has noticed activity.  Consecutive days of the same activity are connected by a line.

Each data point GreyNoise has for the IP address is a row along the Y axis, and each day GreyNoise observed it is a column along the X axis. You can see the respective fields and dates along the left and top sides of the graph. In this example, you can see that on the 1st of January there is SMBv1 crawling observed. Then, on the 2nd, there are MSSQL brute force attempts. The SMBv1 crawling has an unknown intention, so it’s listed in white, while the MSSQL brute force attempts are highlighted in red because they are tagged as malicious activity.

How is this useful?

This graph can be used for more than just a quick check on an IP address.  For example: you are running an MSSQL server and found this IP address in your logs. Seeing somebody trying to brute force your server can be a nerve-wracking experience!  However, by checking this graph you can see that this address attempts to brute force every 8 days on the dot, implying an automated process. That’s still not great, but it’s less scary than a concerted human effort. From there, you could make the call to block at the firewall or you could make sure your passwords aren’t on any well-known word lists and continue to observe the IP address.

Additionally, if you are looking for behavior patterns on an IP address, this graph could come in handy.  In this example, we only see two cases where the IP address crawls SMBv1 and then attempts to brute force the next day but, if this was a consistent pattern, this may be indicative of a pattern used when deciding which hosts to try and brute force. You could then use that information to pivot into checking your SMB logs for anything suspicious.
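The two reads of the timeline above (a regular cadence that points at automation, and one tag appearing the day before another) can be checked programmatically once the timeline's points are in hand. The following is an added example written for this page, not GreyNoise code: the row shape (one entry per day and tag), the tag names and the dates are constructed to mirror the walkthrough, and real data would be read from the Visualizer or the API instead.

```python
"""Reading an IP Timeline programmatically: streaks, cadence and tag sequences.

Added example, not GreyNoise code. The row shape (one entry per day and tag,
the way the timeline tab draws its points) is this example's own assumption;
real data would be read from the Visualizer or the API instead.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed timeline for one IP, mirroring the walkthrough: SMBv1 crawling the day
# before MSSQL brute-force attempts, which recur every 8 days. Tag names and dates
# are illustrative, not real GreyNoise observations.
TIMELINE = [
    {"date": "2022-01-01", "tag": "SMBv1 Crawler", "classification": "unknown"},
    {"date": "2022-01-02", "tag": "MSSQL Bruteforcer", "classification": "malicious"},
    {"date": "2022-01-10", "tag": "MSSQL Bruteforcer", "classification": "malicious"},
    {"date": "2022-01-17", "tag": "SMBv1 Crawler", "classification": "unknown"},
    {"date": "2022-01-18", "tag": "SMBv1 Crawler", "classification": "unknown"},
    {"date": "2022-01-18", "tag": "MSSQL Bruteforcer", "classification": "malicious"},
    {"date": "2022-01-26", "tag": "MSSQL Bruteforcer", "classification": "malicious"},
]


def days_by_tag(timeline: List[Dict[str, str]]) -> Dict[str, List[date]]:
    """Y axis of the graph: each tag with the sorted days it was observed."""
    seen: Dict[str, set] = defaultdict(set)
    for row in timeline:
        seen[row["tag"]].add(date.fromisoformat(row["date"]))
    return {tag: sorted(days) for tag, days in seen.items()}


def streaks(days: List[date]) -> List[List[date]]:
    """Runs of consecutive days (the points the timeline joins with a line)."""
    runs: List[List[date]] = []
    for day in sorted(days):
        if runs and day - runs[-1][-1] == timedelta(days=1):
            runs[-1].append(day)
        else:
            runs.append([day])
    return runs


def cadence(days: List[date]) -> Optional[Tuple[int, float]]:
    """Most common gap between observations, in days, and the share of gaps that
    match it. 1.0 means "every N days on the dot", which points at automation."""
    if len(days) < 3:
        return None
    gaps = [(later - earlier).days for earlier, later in zip(days, days[1:])]
    interval, hits = Counter(gaps).most_common(1)[0]
    return interval, hits / len(gaps)


def next_expected(days: List[date], min_regularity: float = 0.8) -> Optional[date]:
    """When to expect the next visit, if the cadence is regular enough to trust."""
    result = cadence(days)
    if result is None or result[1] < min_regularity:
        return None
    return days[-1] + timedelta(days=result[0])


def followed_by(by_tag: Dict[str, List[date]], first: str, second: str,
                within_days: int = 1) -> List[Tuple[date, date]]:
    """Days on which `first` was seen and `second` showed up within N days after,
    e.g. a crawl used to pick targets for the next day's brute force."""
    later = set(by_tag.get(second, []))
    pairs: List[Tuple[date, date]] = []
    for day in by_tag.get(first, []):
        for offset in range(1, within_days + 1):
            if day + timedelta(days=offset) in later:
                pairs.append((day, day + timedelta(days=offset)))
                break
    return pairs


if __name__ == "__main__":
    by_tag = days_by_tag(TIMELINE)
    for tag, days in by_tag.items():
        print(tag, "streaks:", [[d.isoformat() for d in run] for run in streaks(days)])
        print(tag, "cadence:", cadence(days), "next expected:", next_expected(days))
    print("crawl then brute force:", followed_by(by_tag, "SMBv1 Crawler", "MSSQL Bruteforcer"))
```

With the constructed data, the brute-force tag comes back as an exact 8-day cadence with the next visit predicted for 3 February, and the crawl-then-brute-force sequence is found twice; a tag with irregular gaps returns no prediction, which is the signal to keep observing rather than assume a schedule.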

Final Takeaways

GreyNoise is always looking for new ways to bring as much value as possible.  IP Timeline data is only one part of a much bigger ecosystem you can integrate into your processes and investigations. Try it out yourself by signing up for our *enterprise trial or contact us to schedule a more in depth demo.

(*Create a free GreyNoise account to begin your enterprise trial. Activation button is on your Account Plan Details page.)


Introducing IP Geo Destination

Why We Created IP Geo Destination 

If you’ve ever heard our founder and CEO, Andrew Morris, speak, you’ll know that one of the core reasons GreyNoise exists is to answer the question “Is everyone seeing this, or is it just me?” 

GreyNoise provides details about opportunistic scan activity by source IP as observed across our sensor network. When large geopolitical events happen, like the ongoing Russia-Ukraine war, our research team historically has been able to provide details on the destination of the traffic we’re seeing as well (e.g. Russian scans and exploitation attempts only focusing on our Ukrainian sensors). We are proud to share that this capability, labeled as IP Geo Destination, is now available to all GreyNoise customers via the Visualizer and API endpoints as of today.

What IP Geo Destination Can Show You

Using the new IP Geo Destination feature, we can delve deeper into anomalies in scanning traffic.

Multi-Destination Results

Recently, there has been an uptick in scanning for DB2 databases, as highlighted on the Trends page. Using this as a starting point, organizations can investigate further to understand why there is a sudden increase in scan activity.

DB2 Scanner Tag observes irregular traffic patterns. Source: GreyNoise

Using the GreyNoise command line tool, we can extract the `.metadata.destination_countries` field from each result to see where this activity is pointed. The traffic seen from the DB2 Scanner tag in the last 7 days reveals an even distribution across GreyNoise sensors in 41 different countries (see our docs for a list of all countries where we have sensors today).

Distribution of destination countries for the previous 7 days of activity for the DB2 Scanner tag. Source: GreyNoise

Further investigating IPs active in the last seven days that are scanning for DB2 instances shows that all of them have been classified as malicious in GreyNoise. Most have multiple tags, several of which relate to worms attempting to propagate across internet-connected systems. 

Overview of the previous 7 days of activity and classification for IPs tagged as a DB2 scanner. Source: GreyNoise

Single Destination Results 

Threat hunters looking for more targeted activity can add the `single_destination` parameter to identify IPs focusing on a particular geographic region.

Filtering down results to look for IPs that are targeting a specific country. Source GreyNoise

In the example above, by entering the search `tags:"DB2 Scanner" destination_country:Ukraine single_destination:true `, you can filter results to show only activity that is targeting a single country, in this case, Ukraine. Defenders that work for the government, non-profit organizations, or are generally interested in a specific country or region can utilize this to focus on localized activities and potential threats.

----

With the additional data provided by IP Geo Destination, GreyNoise users can better understand how attacks impact different geographic regions. Our destination data is built off of our own sensor network so the geographic information being provided is first-hand. This feature is designed for cyber defenders to connect geopolitical motivations with scan and attack traffic and help responders quickly prioritize and triage alerts.

If you have questions about this feature or are interested in getting a demo contact our sales team.


New features - anomaly and trend detection

Feature explainer: anomaly and trend detection

Defenders have a remarkably tough job. They must understand — to the largest extent possible — which event needs investigating right now. There are many triggers for such events, but a major one is knowing when their threat landscape has changed. More specifically, defenders need to know when traffic (and actor) behavior has changed sufficiently to warrant taking notice or action.

Change detection comes in many forms. One such form comes under the lofty heading of "anomaly detection," which may also be referred to as "trend detection." Most modern detection and response solutions have some sort of anomaly detection capability.

GreyNoise has recently introduced a new trend detection feature in our platform that will help inform both researchers and organization defenders about potentially new or dangerous traffic behavior changes as quickly as possible. This gives researchers and defenders the necessary context to decide if further action is warranted.

Background on trends and anomalies

Our new Anomaly/Trend Detection feature operates on Tags, GreyNoise’s automated event labeling system. Our processing takes signatures developed by our Research team and applies tags to the packet traffic from our sensor network. These tags are used to add context from actor attribution to behavior, including scanning, crawling, or exploitation events. Each one represents a particular kind of traffic: malicious, benign, or as yet unknown. Each can also encompass one or more protocols, vulnerabilities, and/or exploits.

Monitoring tag behavior over time is a large part of GreyNoise’s value. Because we see how many sensors are hit with traffic events labeled with a particular tag every hour, we can assess which tags are becoming more popular, which ones are experiencing a near-term anomaly in traffic (possibly a notable event in itself), and which are going quiet. At GreyNoise, we look for opportunities to filter out the noise. Traffic that trends upward or exhibits an anomalous "spike" is noteworthy because it is "noisy.”

How it works

Detecting trends and anomalies is about finding deviation from previous behavior, particularly in a positive direction. Both tasks start with finding the average over a long period, at least ten days. The Trends tab looks at slower increases in traffic for a specific tag, comparing the long-term average to a short-term, more recent average, and doing the classic percent-change formula. This produces a value we can use to rank which tags are seeing the largest increase in average traffic.

Immediately above is one example of “trending” behavior.

Detecting an anomaly (as seen immediately above) is somewhat trickier, as we’re not interested in alerting on every recent anomaly. Indeed, it’s not inconceivable that a “quiet” tag that’s gone unseen for a while could suddenly start appearing intermittently (see below). That tag could very well get a separate report for each anomaly, even if each anomaly is not all that tall compared to its neighbors. 

We have to find a single recent peak, and preferably the highest. We do so with two algorithms: first, we use a moving window to determine which sample(s) have the largest (positive) deviation from the average value for that window. Second, we check for a change in slope, as a peak signifies a change from increasing to decreasing behavior. Between the two algorithms, we can find peaks reliably, accurately, and precisely. The peak values are then subjected to the percent change formula, so we can compare anomalies and trends for each tag.

Ranking the output of these algorithms, we present the tags that have the largest recent increase in trend as well as the tallest recent peak, both relative to previous average behavior. 
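The two computations described in this section (long-term versus short-term average with the percent-change formula for trends, and moving-window deviation plus a slope change for anomalies) are small enough to write out. The following is an added example written for this page, not GreyNoise's production code: the window sizes, the use of the samples preceding the short window as the baseline, the "rising into the sample, falling after it" peak test and the hourly counts are all this example's own choices.

```python
"""Trend and anomaly scoring over per-tag hourly sensor-hit counts.

Added example, not GreyNoise's production code. Window sizes, the trailing-window
baseline and the "rising then falling" peak test are this example's own choices.
"""
from statistics import mean
from typing import Dict, List, Optional, Tuple


def percent_change(baseline: float, value: float) -> float:
    """Classic percent-change formula; traffic on a zero baseline counts as infinite growth."""
    if baseline == 0:
        return float("inf") if value > 0 else 0.0
    return (value - baseline) / baseline * 100.0


def trend_score(counts: List[int], long_window: int = 240, short_window: int = 24) -> float:
    """Slow increase: mean of the most recent short_window samples versus the
    long_window samples (ten days of hourly data) that precede them."""
    if len(counts) < long_window + short_window:
        raise ValueError("not enough history for the long-term baseline")
    baseline = mean(counts[-(long_window + short_window):-short_window])
    recent = mean(counts[-short_window:])
    return percent_change(baseline, recent)


def find_peak(counts: List[int], window: int = 24, recent: int = 72) -> Optional[Tuple[int, float]]:
    """Tallest recent peak that has already started to ebb.

    A sample qualifies only if (1) it exceeds the mean of the `window` samples
    before it (moving-window deviation) and (2) the slope changes sign there:
    rising into the sample, falling after it. The very last sample can never
    qualify, which is what makes an anomaly, by definition, something that has
    passed. Returns (index, percent change over the window mean) or None.
    """
    n = len(counts)
    best: Optional[Tuple[int, float]] = None
    for i in range(max(1, n - recent), n - 1):
        baseline = mean(counts[max(0, i - window):i])
        rising = counts[i] > counts[i - 1]
        falling = counts[i + 1] < counts[i]
        if rising and falling and counts[i] > baseline:
            score = percent_change(baseline, counts[i])
            if best is None or score > best[1]:
                best = (i, score)
    return best


def rank_tags(series: Dict[str, List[int]]):
    """Rank tags the way the Tag Trends page lists them: largest trend first,
    tallest recent peak first."""
    trending = sorted(((tag, trend_score(c)) for tag, c in series.items()),
                      key=lambda item: item[1], reverse=True)
    anomalies = []
    for tag, counts in series.items():
        peak = find_peak(counts)
        if peak is not None:
            anomalies.append((tag, peak[0], peak[1]))
    anomalies.sort(key=lambda item: item[2], reverse=True)
    return trending, anomalies


# Constructed hourly counts (11 days = 264 samples), not real sensor data.
STEADY = [10] * 264                     # flat: neither trending nor anomalous
SLOW_RISE = [10] * 240 + [25] * 24      # last day 2.5x the baseline: trending, no peak
SPIKE = [10] * 264
SPIKE[250] = 100                        # one-hour burst that has already ebbed: anomaly
SERIES = {"Steady": STEADY, "Slow rise": SLOW_RISE, "Spike": SPIKE}

if __name__ == "__main__":
    trending, anomalies = rank_tags(SERIES)
    for tag, score in trending:
        print(f"trend {tag:10} {score:+.1f}%")
    for tag, hour, score in anomalies:
        print(f"peak  {tag:10} at hour {hour}: {score:+.1f}% over window mean")
```

On the constructed data the sustained rise scores +150% as a trend and produces no peak, while the single burst scores only +37.5% as a trend but +900% as an anomaly; that is the distinction the two lists on the Tag Trends page are drawing. The "quiet tag" caveat above is handled by keeping only the single tallest qualifying peak per tag rather than reporting every bump.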

What to do about it

Loading up our Tag Trends page, you’ll see trending tags and anomalies: lists of the tags exhibiting each of the behaviors the strongest out of our vast collection of known tags.

Trending tags are showing a marked increase in average traffic; that is, the average now is relatively greater than previously. This could continue over time, suggesting the possibility of the related vulnerabilities being more commonly exploited (or at the very least, more commonly seen in data from one’s inbound internet security perimeter). This raises the odds of seeing it on a customer’s own perimeter, and therefore increases the urgency for monitoring in more detail and patching, if possible.

Anomalies in a tag manifest as sudden jumps in behavior, and could be more useful for seeing what already happened than for projecting future behavior. Anomalies, by our internal definition, have already started to ebb, so the real “peak” has passed. With the largest anomalies listed, though, we can note the timing of large events/incidents that may illuminate what happened and how. However, it is possible that repeated anomalies could signal a new behavior pattern of intermittent bursts of activity: then the timing between those anomalies could show coordination, how many groups are involved, or even in which time zones they likely operate. 

What is particularly powerful is the ability to raise the conversation around tags (and therefore particular exploit vectors) as soon as they’re seen in numbers “in the wild,” instead of waiting for a particular exploit to hit the news. Additionally, each tag notes a particular approach. So, if a product has multiple potential exploits one could patch for, the tag (or tags) that are seeing the most traffic should be patched soonest.

All this being said, of course, these behaviors may not be seen on your perimeter. You may load the Tag Trends page and find that none of the “trending” tags are increasing their traffic for you, and you may be seeing traffic on other vectors. This is perfectly normal, and likely indicates that your firewall is doing its job, or that your attack surface is minimized to the threats and activity on the web at large. You may also be investigating a sudden wave of traffic of a particular type, and see that it didn’t make our Anomalies list. This means that, likely as not, your wave of traffic is more targeted than it may appear at first, and perhaps some caution may be warranted.

A note on data over time

There’s been some talk in the last few paragraphs about possibilities because this is largely cutting-edge research in cybersecurity. Already, we have seen tags which saw a drop in behavior that appear to be trending (as said drop passes out of the recent time window). The movement of the drop drags down the previous baseline, which makes the resumption of normal activity look like it’s trending to the algorithm. Perhaps it’s not trending upward from where it started, but the whole sample still exhibits notable behavior; sometimes the resumption of normal behavior out-trends the weaker actual “trending” tags. Notable behavior is notable behavior. 

There are more exotic patterns lurking in the time series data that our researchers already know and recognize. For us, it’s a matter of building a statistical system around that recognition so we can further automate. No one knows all of what’s possible out there, but we’re listening, so we know better than many. As soon as GreyNoise finds something new, you can rest assured that our findings make their way into refining this feature and other features to come.


Defending Against Emerging Threats with GreyNoise Investigate 4.0

New GreyNoise Trends dashboard helps security analysts identify and respond to opportunistic “exploit” attacks

The increasing frequency of internet-wide exploit attacks targeting newly announced vulnerabilities is a tremendous challenge for security teams. There is a long line of “celebrity vulnerabilities” that we at GreyNoise have observed with increasing alarm. And given our focus on internet noise, customers have naturally been asking for our help in providing visibility into vulnerabilities being actively exploited in the wild.

This is why we created GreyNoise Trends, a new view into the GreyNoise data set to help security analysts identify and respond to internet attacks targeting specific vulnerabilities.

New Vulnerabilities Create A Race Against Time for Security Teams

When a new vulnerability is discovered and announced, it's a race against time to see who can find vulnerable servers first. For example, when the Apache Log4j vulnerability (CVE-2021-44228, aka “Log4Shell”) was announced on December 5, 2021, GreyNoise saw a dramatic spike in internet-wide scanning activity searching for servers that exposed this vulnerability:

Figure: Log4Shell Unique IPs per hour, Source: GreyNoise Research

Note that thousands of unique IP addresses searching for a vulnerability can generate billions or trillions of connection requests across the internet, generating a storm of internet noise that makes it difficult to identify true threats.

For security teams, responding to this kind of event is extremely challenging. Under pressure of a newly announced vulnerability, they need to understand how serious the vulnerability is, whether it is being actively exploited in the wild, whether they are vulnerable, and whether they may have already been compromised. And if they have vulnerable systems, they need to patch them on an emergency basis.

Vulnerability Exploits Used in 34% of Cyber Attacks in 2021

According to a recent report by IBM, severe vulnerabilities in internet-facing enterprise software are being exploited and weaponized at a higher frequency, at massive scale:

  • 34% of attacks in 2021 used vulnerability exploitation - opportunistic “scan-and-exploit” attacks are quickly approaching phishing as the most-used cyber attack vector, with 34% of attacks leveraging vulnerabilities, compared to 41% of attacks leveraging phishing.
  • Vulnerability exploit attacks grew 33% year over year in 2021 - the number of incidents that were caused by vulnerability exploitation this past year rose 33% from 2020, indicating this attack vector’s stronghold in threat actors’ arsenals.

Furthermore, the amount of time between disclosure of a new vulnerability and the start of active exploitation has been reduced to a matter of hours, leaving defenders with less time to react and respond.

GreyNoise Investigate - Real-Time Visibility and Blocking of Exploit Attacks

GreyNoise Investigate helps security analysts identify and respond to opportunistic “scan-and-exploit” attacks, providing context about the behavior and intent of IP addresses scanning the internet. Investigate allows security teams to:

  • Quickly triage alerts based on malicious, benign, or targeted classifications
  • Identify trending internet attacks targeting specific vulnerabilities and CVEs
  • Block and hunt for IP addresses opportunistically attacking a specific vulnerability

With the release of Investigate 4.0, GreyNoise has created a new Trends page that helps security analysts identify and respond to internet attacks targeting specific vulnerabilities. This new page provides two key capabilities:

  • Attack Trend Visibility - the Trends graph shows the number of IP addresses targeting a specific vulnerability or CVE over time. This unique visualization allows security teams to identify and prioritize internet threats based on how actively a vulnerability is being exploited in the wild.
  • Dynamic IP lists - the new Trends page provides several ways for analysts to access a dynamic list of IP addresses actively scanning for a vulnerability in the past 24 hours. This data can be used to provide near-term protection by blocking attacks at the firewall or WAF, as well as providing indicators of compromise to use to hunt for potentially compromised systems.

Taken together, this new Trends functionality allows security teams to quickly understand if a vulnerability is relevant to their organization, and buys them the time they need to put security defenses in place.


Figure: GreyNoise Investigate 4.0 showing Attack Trends graph for the Apache Log4j vulnerability (CVE-2021-44228)

GreyNoise Trends for Community Accounts

Note that GreyNoise continues to be committed to supporting the broader security community via our free Community plan, and this new GreyNoise Trends functionality is included. Community members will be able to subscribe to a single tag to export the Dynamic IP list.

In addition, for severe vulnerabilities with global impact, GreyNoise will selectively make the full functionality of the paid Trends page available to ANYONE who wants to take advantage of it, including both attack visibility and dynamic IP lists.

Try GreyNoise Trends For Yourself, And Tell Us What You Think

One important note about GreyNoise Trends - we’ve launched this new capability as Beta code for several reasons:

  • Potential bugs and stability - We made the decision to build and launch this new capability after analyzing our experience during the Apache Log4j vulnerability event in late December. Over the past two months, our engineering team has been working hard to build out this new functionality. If you notice any issues or have questions about functionality, please do not hesitate to reach out to our team: support@greynoise.io
  • Learning - We realize that we need to learn more about how analysts and others will use this new, never-before-seen functionality. We’ve made our best guess about how to package this functionality into our Community and Investigate plans, but we know there are things we don’t know.
  • Roadmap - Finally, we have a number of ideas about where we think we should take this capability in the future, but we need your help and guidance to shape this direction. To this end, we hosted a “futures” discussion at our 3rd Open Forum on March 17, 2022.

So please, sign up for a free GreyNoise Community account if you don’t already have one, try out GreyNoise Trends, and let us know what you think. And to get you started, here are a few interesting Trends pages to check out:

GreyNoise Use Cases: Twitter Edition

Andrew Morris got on a roll the other day and whacked out this tweetstorm describing the three key use cases for GreyNoise. You can check out the original Twitter thread here. Enjoy!

I'd like to do an overview of the three most common use-cases to use @GreyNoiseIO for.

  1. Ignore/deprioritize pointless telemetry or alerts in the SOC
  2. Identify compromised systems
  3. Track which vulnerabilities are being opportunistically exploited ITW

Thread (1/26)

1. Improve SOC efficiency

Benign IPs

Let's say I get a wacky IDS alert or am seeing something strange in my logs. I'll look up the IP address in GreyNoise (either using our visualizer or our free community API).

I looked up the IP address and, oh wow! It's just Shodan! GreyNoise already marked it as benign. No big deal. Paste a link in your ticket to the GreyNoise visualizer and move on.

https://viz.greynoise.io/ip/71.6.135.131

Example of GreyNoise Visualizer showing benign IP address detail

Maybe I don't want to use the GreyNoise web interface. Let's say I look up the IP in the free unauthenticated GreyNoise Community API and... cool, reports back that it's Censys. No problemo. Move on.

Example of GreyNoise Community API showing benign IP address detail

Malicious IPs

Let's say I look up an IP address, and it comes back with this big scary red IP address that says "malicious." What does this mean?

https://viz.greynoise.io/ip/45.155.205.165

Example of GreyNoise Visualizer showing malicious IP address detail

Well, this means that the IP is probably malicious (or was observed by GreyNoise doing something bad on our sensors), but whatever attack you're seeing is not targeted at *you specifically*. It was an opportunistic attack. Background noise.

Unknown IPs (to GreyNoise)

What if the IP address... doesn't come back at all?

This means that we've never seen that IP scanning/crawling the Internet, and it doesn't belong to any benign business services. It actually *might* be targeting your organization specifically. Investigate.

Example of GreyNoise Visualizer showing "No results found"

GreyNoise APIs

The GreyNoise Community API is rate limited to a few thousand lookups per day, but it's completely free and unauthenticated. As long as we continue to add enterprise customers and can afford to pay our staff and AWS bills, this will continue to be free.

Note that you don't get context, raw data, metadata, or tags using the Community API. Sorry folks, we've gotta make our money somewhere. This is available in our Enterprise API. If you want this data via API, hit up our sales team. But hey, it's free.

Fun fact: Just about every customer we have at GreyNoise sees at least a 20% alert contextualization/reduction rate from using GreyNoise. That's a LOT of wasted human hours spent chasing ghosts.

Analyze a List of IPs

Now let's say you've had an incident, and you need to figure out which of the gazillion IP addresses in some log file compromised your device.

No problemo. Just dump the log file (or just the IP addresses) into the GreyNoise analysis page, and now you can do two things:

  1. Quickly filter out known good guys
  2. If the situation warrants it, quickly identify opportunistic bad guys.

Here's an Analysis from an SSH auth.log I grabbed on a live server on the Internet.

~*~97.22% noise~*~

Example of GreyNoise Visualizer showing Analysis results

Filter Known-Benign Services (RIOT)

Let's say I'm trawling through a ton of netflow logs, and I want to identify any connections OUT of my network that might be going to bad guys.

I can filter known-benign services (Zoom, Github, Office365, Cloudflare, etc.). I can use GreyNoise RIOT for this.

Example of netflow log with a large number of IP addresses to triage
After analysis, just a handful of IP addresses are identified as "malicious" or "unknown"
Example of GreyNoise Visualizer showing RIOT IP address detail

I'd like to note here that the IPs in RIOT *could potentially* be used by a sufficiently advanced adversary to attack you (async c2, etc.), but that doesn't mean that 99% of bad guys will be doing this, and it's not like you can just *BLOCK ZOOM* and not expect blowback.

Don't think of RIOT as a NACL or whitelist/allowlist. Think of RIOT as added context and a time-saver. You can either find out from GreyNoise via RIOT, or you can find out from your helpdesk reps when you block an IP and execs suddenly can't send emails anymore ¯\_(ツ)_/¯

2. Identify compromised devices

Let's say I want to find compromised devices that belong to ME, my users, or just some interesting network around the world.

Just punch a GNQL query for the IP block I'm interested in into the web interface, plus the facet: "classification:malicious"

Example of GreyNoise Visualizer showing malicious scanning from devices within an IP address range

You can actually also find compromised devices in other facets as well. Here are examples of finding compromised devices in a specific country or using free text search to find compromised devices in hospitals or government facilities (or both):

Example of GreyNoise Visualizer showing malicious IP addresses related to government
Example of GreyNoise Visualizer showing malicious IP addresses related to hospitals
Example of GreyNoise Visualizer showing malicious IP addresses from a country related to hospitals

You can use your FREE GreyNoise account to register alerts on any network block or IPs. Once you've registered your alerts, we email you if we see any of your IPs get compromised (e.g., unexpectedly start scanning the internet).

https://viz.greynoise.io/account/alerts

Example of GreyNoise Visualizer showing how to set up Alerts

3. Emerging vulnerability exploitation

You can use GreyNoise to find whether a given vulnerability is being opportunistically exploited or "vuln checked" at scale. Simply craft a GNQL query for CVE.

https://viz.greynoise.io/query/cve:CVE-2021-3129

Example of GreyNoise Visualizer showing malicious IP addresses related to a CVE

When a big scary vulnerability is announced, basically everyone has the exact same thought:

"How much do I **really** have to care about this? Is this... being exploited in the wild right now?"

GreyNoise is declaring war on this ambiguity.

You can also see *which* CVEs a given IP address is probing the internet for or opportunistically exploiting. This list is not exhaustive - it takes a lot of work to add coverage to these. This is what @ackmage @nathanqthai and @4b4c41 do.

Example of GreyNoise Visualizer for a malicious IP address showing targeted CVEs

Our Business Model

We have a long ways to go on properly productizing this offering. It's really hard to do at scale, and not every vulnerability can be exploited in a way that GreyNoise will ever see. That said, we'll be announcing some new offerings focusing on this use case later this year.

Our business model is pretty simple:

  • Most viz stuff == free but rate limited
  • Community API == free but rate limited
  • GreyNoise in your SIEM/TIP/SOAR == paid

Expect a lot of this stuff to shift over the next few months/years as we find better ways to price/package our features.

That pretty much covers it.

Here are my asks to you:

  • If you use GreyNoise's free products, get in touch with @SupriyaMaz and she'll hook you up with free swag
  • If you work in SOC/TI or at an MSSP and want to hear about our commercial offering, ping sales@greynoise.io

And, of course, ping me anytime. I can't promise a snappy response, but I try to clear my inbox at least every few weeks (aspirational). My email is andrew@greynoise.io.

Oh, last thing. We tag like... hundreds of activities and actors and exploits and vuln probes and tools. Check them all out here (it's searchable, but the layout is pretty unwieldy considering how massive our tag library is now).

https://viz.greynoise.io/tags

Some of the activities and actors and exploits and vuln probes GreyNoise has identified

Onward.

--Andrew
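As an added example (not part of the original thread or GreyNoise's own tooling), here is the "look up, then filter out known-good and opportunistic noise" workflow from use case 1 and the "Analyze a List of IPs" step, scripted against the free Community API. The sshd log lines and the canned API answers are constructed, and `lookup_community`, `triage_ip`, `triage_log` and `noise_percentage` are names chosen here.

```python
import json
import re
import urllib.error
import urllib.request
from collections import Counter

# Community API endpoint (documented by GreyNoise); the JSON fields used below
# (noise, riot, classification, name) follow its response format.
COMMUNITY_URL = "https://api.greynoise.io/v3/community/{ip}"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def lookup_community(ip):
    """Live lookup; a 404 means GreyNoise has never observed the IP."""
    req = urllib.request.Request(COMMUNITY_URL.format(ip=ip))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {"ip": ip, "noise": False, "riot": False}
        raise

def triage_ip(rec):
    """Map one Community API record to the thread's three buckets."""
    if rec.get("riot") or rec.get("classification") == "benign":
        return "deprioritize"   # Shodan, Censys, Zoom, ...: known good
    if rec.get("noise"):
        return "opportunistic"  # scanning everyone, not you specifically
    return "investigate"        # never seen by GreyNoise: possibly targeted

def triage_log(log_text, lookup=lookup_community):
    """Return {ip: bucket} for every unique IPv4 address in a log."""
    return {ip: triage_ip(lookup(ip)) for ip in sorted(set(IPV4_RE.findall(log_text)))}

def noise_percentage(result):
    """Share of IPs GreyNoise could explain (the thread's '97.22% noise')."""
    c = Counter(result.values())
    return round(100.0 * (c["deprioritize"] + c["opportunistic"]) / len(result), 2) if result else 0.0

# Constructed sample: three sshd lines and canned API answers, not live data.
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[311]: Failed password for root from 203.0.113.7 port 5022 ssh2
Mar  3 10:01:15 host sshd[312]: Failed password for admin from 198.51.100.9 port 4411 ssh2
Mar  3 10:02:40 host sshd[313]: Accepted publickey for ops from 192.0.2.44 port 50010 ssh2
"""
CANNED = {
    "203.0.113.7": {"noise": True, "riot": False, "classification": "malicious"},
    "198.51.100.9": {"noise": True, "riot": False, "classification": "benign", "name": "Censys"},
    "192.0.2.44": {"noise": False, "riot": False},  # what a 404 becomes
}

if __name__ == "__main__":
    buckets = triage_log(SAMPLE_LOG, lookup=CANNED.__getitem__)
    print(buckets, noise_percentage(buckets))
```

Swap `CANNED.__getitem__` for the default `lookup_community` to run it against the live API, keeping the Community API's daily rate limit in mind for large logs.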

GreyNoise Use Cases: Twitter Edition V2

Andrew Morris got on a roll the other day and whacked out this tweetstorm describing the three key use cases for GreyNoise. Enjoy!

