We know that threat actors tend to act in herds/groups, and finding attacker infrastructure when attackers can easily recycle IPs is hard. Manual analysis is time-consuming and can be prone to human error.
We built GreyNoise’s powerful IP Similarity tool to make it easy for security teams to uncover IPs behaving similarly to an IP in question, and examine the similarity and differences side-by-side.
Often we’ll see a group of IPs that have the same User-Agent or are sending payloads to the same web path, even though they are coming from different geo-locations:
Or, we might see a group that uses the same OS and is from the same region, but may be scanning slightly different ports:
With our IP Similarity feature, you can easily sniff out these groups without poring over all the raw data to find combinations of similar and dissimilar information!
Use IP Similarity to streamline and validate intelligence gathering for current and emerging threats targeting an organization, with rapid and data-driven identification of IP addresses that display similar patterns.
Use IP Similarity to proactively search for previously unknown and potentially malicious IP addresses, driving hypothesis development or pivot points to guide in-depth hunting for existing risks to the organization.
Our IP Similarity Summary view gives a high-level breakdown of which fields we found similar in our dataset, and allows you to quickly scan for common fields and tags.
You can further break down the similarity by each IP: in our IP List view, GreyNoise shows the matching and non-matching fields side by side with the target IP.
To access IP Similarity, enterprise customers can simply click “Similar IPs” on our IP details page:
What is IP Similarity?
We at GreyNoise have been collecting, analyzing, and labeling internet background noise, and we have come to identify patterns among scanners and background noise traffic.
If an IP is not found in this API, it means that GreyNoise has either never observed the IP or does not have enough information about that IP to determine similarity.
GreyNoise University - Product Overview training series covering the IP Similarity feature and how to understand the information it provides.
By Daniel Grant
GreyNoise IP Similarity, a new feature that allows users to cluster similar IPs based on behavioral patterns and provides insights into the relationships between different IP addresses.
By Nick Roy
This blog post covers how GreyNoise IP Similarity can be used to identify and track threat actors based on their unique fingerprint of network behavior patterns.
By The GreyNoise Team
We provide tips and strategies for improving threat intelligence programs in 2023, including automating data collection, integrating threat feeds, and leveraging new technologies.