We know that threat actors tend to act in herds/groups, and finding attacker infrastructure when attackers can easily recycle IPs is hard. Manual analysis is time consuming and can be prone to human error.
We built GreyNoise’s powerful IP Similarity tool to make it easy for security teams to uncover IPs behaving similarly to an IP in question, and examine the similarity and differences side-by-side.
Often we’ll see a group of IPs that have the same User-Agent or are sending payloads to the same web path, even though they are coming from different geo-locations:
Or we might see a group that uses the same OS and comes from the same region, but is scanning slightly different ports:
With our IP Similarity feature, you can easily sniff out these groups without poring over all the raw data to find combinations of similar and dissimilar information!
Use IP Similarity to streamline and validate intelligence gathering for current and emerging threats targeting an organization, with rapid and data-driven identification of IP addresses that display similar patterns.
Use IP Similarity to proactively search for previously unknown and potentially malicious IP addresses, driving hypothesis development or pivot points to guide in-depth hunting for existing risks to the organization.
Our IP Similarity Summary view breaks down, at a high level, which fields we found similar in our dataset, and allows you to quickly scan for common fields and tags.
You can further break down the similarity by IP: in our IP List view, GreyNoise shows the matching and non-matching fields side by side with the target IP.
To access IP Similarity, enterprise customers can simply click “Similar IPs” on our IP details page: