A terminology study guide for the data intelligence community.
RIOT provides context to communications between your users and common business applications (e.g., Microsoft O365, Google Workspace, and Slack) or services like CDNs and public DNS servers. These applications communicate through unpublished or dynamic IPs, making their traffic difficult for security teams to track. Without context, this harmless behavior distracts security teams from investigating true threats.
The benign classification for an IP address is applied using knowledge about the Actor associated with the IP. Criteria must be met for an IP address to be classified as benign. Some benign examples include: search engine crawlers, universities, and security researchers.
A process used to exclude or block unwanted traffic from IP addresses. The GreyNoise Trends feature includes the ability to generate a dynamic list of IPs that can be used in the Dynamic Block List feature in many of today's firewall products.
A system that catalogs publicly known vulnerabilities and exposures. When a new CVE is released, that CVE can be queried within GreyNoise to see the total number of IPs that are scanning for it so a team can assess how critical the threat is to their organization. The "cve" field within GreyNoise Response displays a list of CVEs the IP has been observed scanning for or exploiting.
The automated injection of compromised credentials (usernames, passwords) in order to breach a system or access data. A successful login to a business service from an IP address that GreyNoise has marked as malicious could be indicative of a compromised device being re-purposed for credential stuffing.
A piece of code or a program that takes advantage of a security flaw or vulnerability in applications, networks, software, operating systems, or hardware. Exploitation is the utilization of an exploit.
The Community API provides a free resource to members to allow for quick IP lookups in the GreyNoise datasets.
The GreyNoise Query Language (GNQL) provides users with a powerful tool to search the GreyNoise data set to help analysts, threat hunters, researchers, etc., find emerging threats, compromised devices, and other interesting trends. GNQL is a domain-specific query language that uses Lucene deep under the hood.
Scanners reach out and attempt to initiate communications with a wide range of devices that are directly connected to the internet. Tens of thousands of devices are scanning the internet constantly, generating a tremendous amount of internet “noise.” On a daily basis, every individual routable IP on the internet sees ~3k unsolicited pings from ~1k distinct IP addresses. (see also: internet noise)
The massive volume of unsolicited traffic and communications that internet-connected machines are exposed to, including web crawlers, port scanners, researchers, public DNS servers, universities, and more. GreyNoise’s internet-wide sensor network passively collects packets from hundreds of thousands of IPs seen scanning the internet every day. (see also: internet background noise)
(stands for Internet Protocol) A unique, numbered address that is assigned to an internet-connected device. Note that IPs can be static or dynamic, and may even be recycled. IP addresses can be looked up in the GreyNoise Visualizer or API, and IPs are classified as benign, malicious, or unknown.
A vulnerability (also known as Log4shell or CVE-2021-44228) that enables attackers to gain full control of affected servers by allowing unauthenticated remote code execution (RCE) if the user is running an application utilizing the Java logging library. The vulnerability is particularly troubling due to the ease of exploitation and prevalence, as the Apache Log4j library has been used in numerous applications worldwide. GreyNoise first observed activity for the Log4j vulnerability in the wild on December 9, 2021, and began reporting on findings the same day.
The malicious classification for an IP is determined by its associated tags, which capture behaviors GreyNoise has directly observed an IP address engage in. Some tags are classified as "malicious" because the behavior they capture is harmful. If an IP address is not classified as benign and has at least one malicious tag, it is classified as malicious.
At a technical level, mass scanning the internet means requesting a small amount of information (specifically a TCP SYN, UDP/ICMP packet, or banner grab) from all 4.2 billion IP addresses in the entire routable IPv4 space.
MASSCAN is a mass IP, internet-scale port scanner that scans the internet in under 5 minutes, transmitting 10 million packets per second from a single machine. GreyNoise tracks IPs utilizing the Masscan tool.
Data providing information about one or more aspects of other data. GreyNoise metadata can include: category, country, country_code, city, organization, region, rdns, asn, tor (additional details below).
GreyNoise’s internet-wide sensor network passively collects packets from hundreds of thousands of IPs seen scanning the internet every day. Companies like Shodan and Censys, as well as researchers and universities, scan in good faith to help uncover vulnerabilities for network defense. Others scan with potentially malicious intent. GreyNoise analyzes and enriches this data to identify behavior, methods, and intent, giving analysts the context they need to take action.
In audio recording, "noise floor" refers to the amount of unwanted or background sound that is detected in a recording file. Noise floor, for us, represents the observed scanning traffic that can be ruled out or ignored as harmless activity based on GreyNoise analysis and enrichment.
(stands for Remote Code Execution) An RCE allows an attacker to remotely execute commands and/or malicious code within a system or device. One example of an RCE is Log4j (CVE-2021-44228), for which GreyNoise first observed activity on December 9, 2021.
RIOT is a GreyNoise feature that informs users about IPs used by common business services that are almost certainly not attacking you. Traditional threat intelligence feeds make an effort to enumerate the locations where the bad guys may be; RIOT is the exact opposite. RIOT enables security practitioners to quickly rule out logs and events generated by common business services in their security telemetry.
The attempt to reach out and initiate communications with a wide range of devices that are directly connected to the internet. GreyNoise analyzes and enriches data to categorize scans as benign, malicious, or unknown.
GreyNoise’s internet-wide sensor network (also called the sensor system) passively collects packets from hundreds of thousands of IPs seen scanning the internet every day. GreyNoise is, in effect, a search engine for the IPs that are scanning the internet.
(stands for Security Information and Event Management) GreyNoise’s internet background noise and RIOT datasets help analysts minimize resources wasted on investigations into irrelevant events. This data can be integrated with a SIEM to quickly enrich events, a SOAR to automate workflows and incident response, or a TIP as an investigation resource. GreyNoise is integrated into a SIEM application, and external IPv4 addresses are automatically looked up to determine if GreyNoise has observed noise from the IP. This information is appended to the log so it can be presented to other tools and analysts.
(stands for Select, Organize, Associate, Regulate) GreyNoise’s internet background noise and RIOT datasets help analysts minimize resources wasted on investigations into irrelevant events. This data can be integrated with a SIEM to quickly enrich events, a SOAR to automate workflows and incident response, or a TIP as an investigation resource. GreyNoise is integrated into a SOAR application. All incidents from the perimeter are queried against GreyNoise, and based on defined rules, incident severity is adjusted.
(stands for Security Operations Center) Can refer to a physical location, or the information security team responsible for continuously monitoring, detecting, investigating, preventing, and responding to cybersecurity incidents.
(spoof: To create a fraudulent, attacker-controlled replica of legitimate data like a website) This IP address has been opportunistically scanning the Internet; however, it has failed to complete a full TCP connection. Any reported activity could be spoofed.
GreyNoise uses Tags to label activity hitting our sensors from IP addresses around the world. Think of Tags like network signatures, but with additional context such as tag intent, category, and related CVEs.
(stands for Threat Intelligence Platform) GreyNoise’s internet background noise and RIOT datasets help analysts minimize resources wasted on investigations into irrelevant events. This data can be integrated with a SIEM to quickly enrich events, a SOAR to automate workflows and incident response, or a TIP as an investigation resource. GreyNoise is integrated into a TIP application. All incidents from the perimeter are queried against GreyNoise, and based on defined rules, incident severity is adjusted.
(stands for Tactics, Techniques, and Procedures) The behavior of an actor. A tactic is the highest-level description of the behavior; techniques provide a more detailed description of the behavior in the context of a tactic; and procedures provide a lower-level, highly detailed description of the behavior in the context of a technique.
IPs not classified as Benign or Malicious under existing criteria are classified as Unknown. Both Benign and Malicious classifications are highly vetted, so any other IP seen engaging in internet scanning behavior is classified as Unknown.
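The benign / malicious / unknown classification rule above, the SIEM-style enrichment of external IPv4 addresses, and the credential-stuffing signal (a successful login from a malicious IP) combined into one triage routine. This is an added example, not GreyNoise's own code or API: the lookup table, tag names, and log lines are constructed stand-ins that only borrow the field names the glossary mentions.

```python
import ipaddress
import re

# Constructed stand-in for GreyNoise lookup results (hypothetical values and
# tag names, not live data). "cve" and "riot" follow the glossary; tags carry intent.
SAMPLE_LOOKUPS = {
    "203.0.113.10": {"benign_actor": True, "riot": False, "cve": [], "tags": [("Web Crawler", "benign")]},
    "198.51.100.7": {"benign_actor": False, "riot": False, "cve": [], "tags": [("SSH Bruteforcer", "malicious")]},
    "198.51.100.200": {"benign_actor": False, "riot": False, "cve": ["CVE-2021-44228"], "tags": [("Log4j Exploit Attempt", "malicious")]},
    "192.0.2.55": {"benign_actor": False, "riot": False, "cve": [], "tags": [("Generic Scanner", "unknown")]},
    "192.0.2.80": {"benign_actor": False, "riot": True, "cve": [], "tags": []},
}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LOG_RE = re.compile(r"src=(\S+) event=(\S+) result=(\S+)")

def classify(rec):
    """Glossary rule: vetted benign actor wins; else any malicious tag; else unknown."""
    if rec["benign_actor"]:
        return "benign"
    if any(intent == "malicious" for _, intent in rec["tags"]):
        return "malicious"
    return "unknown"

def triage(line, lookups=SAMPLE_LOOKUPS):
    """Enrich one log line the way a SIEM lookup would and return (action, reason)."""
    m = LOG_RE.search(line)
    if not m:
        return ("skip", "unparsed line")
    src, event, result = m.groups()
    ip = ipaddress.ip_address(src)
    if ip.version != 4 or any(ip in net for net in INTERNAL_NETS):
        return ("skip", "internal or non-IPv4 source")  # only external IPv4 is looked up
    rec = lookups.get(src)
    if rec is None:
        return ("review", "no noise observed from this IP")
    if rec["riot"]:
        return ("suppress", "RIOT: common business service")
    cls = classify(rec)
    if cls == "benign":
        return ("suppress", "benign actor")
    if cls == "unknown":
        return ("review", "unknown scanner")
    if event == "login" and result == "success":
        return ("escalate", "successful login from malicious IP: possible credential stuffing")
    if rec["cve"]:
        return ("escalate", "scanning for " + ", ".join(rec["cve"]))
    return ("investigate", "malicious tags: " + ", ".join(t for t, _ in rec["tags"]))

SAMPLE_LOGS = ["src=198.51.100.7 event=login result=success",  # constructed log lines
               "src=10.0.0.5 event=login result=success", "src=192.0.2.80 event=http result=200"]
```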