Glossary of terms

A terminology study guide for the data intelligence community.

RIOT dataset

RIOT provides context to communications between your users and common business applications (e.g., Microsoft O365, Google Workspace, and Slack) or services like CDNs and public DNS servers. These applications communicate through unpublished or dynamic IPs, making it difficult for security teams to track. Without context, this harmless behavior distracts security teams from investigating true threats.

actor [GNQL searchable field]

alert (contextualization / reduction)

Notification of a threat, vulnerability, risk, exploit, or other security issues. GreyNoise can be utilized for alert contextualization and informed alert reduction. (see also: alert fatigue)

alert fatigue

Alert or alarm fatigue occurs when an overwhelming number of alerts desensitizes the analysts or individuals tasked with responding to them, resulting in delayed responses or missed/ignored alerts.

API

(stands for Application Programming Interface) A software intermediary or connection between programs. The GreyNoise API requires an active Subscription or Enterprise Trial to access.

background noise

see: internet background noise

benign (re: GreyNoise classification)

The benign classification for an IP address is applied using knowledge about the Actor associated with the IP. Criteria must be met for an IP address to be classified as benign. Some benign examples include: search engine crawlers, universities, and security researchers.

blocklist / blocking

A process used to exclude or block unwanted traffic from IP addresses. The GreyNoise Trends feature includes the ability to generate a dynamic list of IPs that can be used in the Dynamic Block List feature in many of today's firewall products.

bot

An automated program like a chatbot; As it relates to GreyNoise Noise Response: Data Enrichment - IP is associated with known bot activity.

classification [GNQL searchable field]

Whether the device has been categorized by GreyNoise as unknown, benign, or malicious; IP Classification - possible options: benign, unknown, malicious.

CVE (Common Vulnerabilities and Exposures)

A system that catalogs publicly known vulnerabilities and exposures. When a new CVE is released, that CVE can be queried within GreyNoise to see the total number of IPs that are scanning for it so a team can assess how critical the threat is to their organization. The "cve" field within GreyNoise Response displays a list of CVEs the IP has been observed scanning for or exploiting.

credential stuffing

The automated injection of compromised credentials (usernames, passwords) in order to breach a system or access data. A successful login to a business service from an IP address that GreyNoise has marked as malicious could be indicative of a compromised device being re-purposed for credential stuffing.

dataset

A collection of data. GreyNoise produces two datasets of IP information that can be used for threat enrichment: Noise dataset, and RIOT dataset.

exploit / exploitation

A piece of code or a program that takes advantage of a security flaw or vulnerability in applications, networks, software, operating systems, or hardware. Exploitation is the utilization of an exploit.

first_seen [GNQL searchable field]

The date the device was first observed by GreyNoise; Date of first observed behavior on the GreyNoise Sensor network (format: YYYY-MM-DD)

GN Community API

The Community API provides a free resource to members to allow for quick IP lookups in the GreyNoise datasets. The Community API provides a free resource to members to allow for quick IP lookups in the GreyNoise datasets.

GN Enterprise API

The GreyNoise Enterprise APIs require an active paid subscription or Enterprise Trial to access and provide rich contextual information on what GreyNoise knows about that IP.

GNQL

The GreyNoise Query Language (GNQL) provides users with a powerful tool to search the GreyNoise data set to help analysts, threat hunters, researchers, etc., find emerging threats, compromised devices, and other interesting trends. GNQL is a domain-specific query language that uses Lucene deep under the hood.

honeypot

A decoy system or server deployed alongside production systems within a network with the purpose of luring attackers in order to detect, deflect, counteract, or analyze cyber attacks.

internet background exploitation

Opportunistic exploitation traffic observed by GreyNoise's distributed sensor network.

internet background noise

Scanners reach out and attempt to initiate communications with a wide range of devices that are directly connected to the internet. Tens of thousands of devices are scanning the internet constantly, generating a tremendous amount of internet “noise.” On a daily basis, every individual routable IP on the internet sees ~3k unsolicited pings from ~1k distinct IP addresses. (see also: internet noise)

internet noise

The massive volume of unsolicited traffic and communications that internet-connected machines are exposed to, including web crawlers, port scanners, researchers, public DNS servers, universities, and more. GreyNoise’s internet-wide sensor network passively collects packets from hundreds of thousands of IPs seen scanning the internet every day. (see also: internet background noise)

internet scanning

The process of reaching out and trying to initiate communications with a wide range of devices that are directly connected to the internet.

ip [GNQL searchable field]

The IP address of the scanning device IP.

ip address

(stands for Internet Protocol) A unique, numbered address that is assigned to an internet-connected device. Note that IPs can be static or dynamic, and may even be recycled. IP addresses can be looked up in the GreyNoise Visualizer or API, and IPs are classified as benign, malicious, or unknown.

ip blocklist

see: blocklist

Log4j

A vulnerability (also known as Log4shell or CVE-2021-44228) that enables attackers to gain full control of affected servers by allowing unauthenticated remote code execution (RCE) if the user is running an application utilizing the Java logging library. The vulnerability is particularly troubling due to the ease of exploitation and prevalence, as the Apache Log4j library has been used in numerous applications worldwide. GreyNoise first observed activity for the Log4j vulnerability in the wild on December 9, 2021, and began reporting on findings the same day.

malicious (re: GreyNoise classification)

The malicious classification for an IP is determined by its associated tags, which capture behaviors GreyNoise has directly observed an IP address engage in. Some of our tags are classified as "malicious" for harmful behaviors seen. If an IP address is not classified as benign and has at least one malicious tag, it is classified as malicious.

malware

Malicious software. A catch-all term for anything that could be called malicious, including CryptoLockers, spyware, viruses, worms, trojans, and backdoors.

mass exploitation

Large-scale attack campaigns utilizing mass mailing, CDN, or other services to reach a large quantity of victims in a minimal amount of time.

mass scanning

At a technical level, mass scanning the internet means requesting a slight amount of information (specifically a TCP SYN, UDP/ICMP packet, or banner grab) from all 4.2 BILLION IP addresses on the entire routable IPv4 space.

MASSCAN

MASSCAN is a mass IP, internet-scale port scanner that scans the internet in under 5 minutes, transmitting 10 million packets per second from a single machine. GreyNoise tracks IPs utilizing the Masscan tool.

metadata

Data providing information about one or more aspects of other data. GreyNoise metadata can include: category, country, country_code, city, organization, region, rdns, asn, tor (additional details below).

metadata.asn [GNQL searchable field]

The autonomous system the IP address belongs to.

metadata.category [GNQL searchable field]

Whether the device belongs to a business, isp, hosting, education, or mobile network.

metadata.city [GNQL searchable field]

The city the device is geographically located in.

metadata.country [GNQL searchable field]

The full name of the country the device is geographically located in.

metadata.country_code [GNQL searchable field]

The two-character country code of the country the device is geographically located in.

metadata.organization [GNQL searchable field]

The organization that owns the network that the IP address belongs to.

metadata.rdns [GNQL searchable field]

metadata.region [GNQL searchable field]

The region the device is geographically located in.

metadata.tor [GNQL searchable field]

Whether or not the device is a known Tor exit node.

noise dataset

GreyNoise’s internet-wide sensor network passively collects packets from hundreds of thousands of IPs seen scanning the internet every day. Companies like Shodan and Censys, as well as researchers and universities, scan in good faith to help uncover vulnerabilities for network defense. Others scan with potentially malicious intent. GreyNoise analyzes and enriches this data to identify behavior, methods, and intent, giving analysts the context they need to take action.

noise floor

In audio recording, "noise floor" refers to the amount of unwanted or background sound that is detected in a recording file. Noise floor, for us, represents the observed scanning traffic that can be ruled out or ignored as harmless activity based on GreyNoise analysis and enrichment.

opportunistic scan

A non-targeted scan of a system or device. GreyNoise increases analyst capacity by distinguishing opportunistic internet scanning or common business services from targeted threats.

path traversal

(also known as directory traversal) Path traversal is a vulnerability that allows an attacker to access restricted directories or files on a web server.

raw_data.hassh.fingerprint [GNQL searchable field]

The HASSH fingerprint; Fingerprint of the SSH negotiation between the IP and the GreyNoise sensor.

raw_data.hassh.port [GNQL searchable field]

The corresponding TCP port for the given HASSH fingerprint.

raw_data.ja3.fingerprint [GNQL searchable field]

raw_data.ja3.port [GNQL searchable field]

The corresponding TCP port for the given JA3 fingerprint.

raw_data.scan.port [GNQL searchable field]

The port number(s) the devices have been observed scanning.

raw_data.scan.protocol [GNQL searchable field]

The protocol of the port the device has been observed scanning.

raw_data.web.paths [GNQL searchable field]

Any HTTP paths the device has been observed crawling the Internet for.

raw_data.web.useragents [GNQL searchable field]

Any HTTP user-agents the device has been observed using while crawling the Internet.

RCE

(stands for Remote Code Execution) An RCE allows an attacker to remotely execute commands and/or malicious code within a system or device. One example of an RCE is Log4j (CVE-2021-44228), which GreyNoise first observed activity for December 9, 2021.

RIOT

RIOT is a GreyNoise feature that informs users about IPs used by common business services that are almost certainly not attacking you. Traditional threat intelligence feeds make an effort to enumerate the locations where the bad guys may be - RIOT is the exact opposite. RIOT enables security practitioners to quickly eliminate logs and events generated from common businesses services from their security telemetry; to quickly rule them out.

scan / scanning

The attempt to reach out and initiate communications with a wide range of devices that are directly connected to the internet. GreyNoise analyzes and enriches data to categorize scans as benign, malicious, or unknown.

sensor system

GreyNoise’s internet-wide sensor system / sensor network passively collects packets from hundreds of thousands of IPs seen scanning the internet every day. GreyNoise is basically a search engine that looks at those who are scanning the internet.

SIEM

(stands for Security Information and Event Management) GreyNoise’s internet background noise and RIOT datasets help analysts minimize resources wasted on investigations into irrelevant events. This data can be integrated with a SIEM to quickly enrich events, a SOAR to automate workflows and incident response, or a TIP as an investigation resource. GreyNoise is integrated into a SIEM application, and external IPv4 addresses are automatically looked up to determine if GreyNoise has observed noise from the IP. This information is appended to the log so it can be presented to other tools and analysts.

SOAR

(stands for Select, Organize, Associate, Regulate) GreyNoise’s internet background noise and RIOT datasets help analysts minimize resources wasted on investigations into irrelevant events. This data can be integrated with a SIEM to quickly enrich events, a SOAR to automate workflows and incident response, or a TIP as an investigation resource. GreyNoise is integrated into a SOAR application. All incidents from the perimeter are queried against GreyNoise, and based on defined rules, incident severity is adjusted.

SOC

(stands for Security Operations Center) Can refer to a physical location, or the information security team responsible for continuously monitoring, detecting, investigating, preventing, and responding to cybersecurity incidents.

spoofable [GNQL searchable field]

(spoof: To create a fraudulent, attacker-controlled replica of legitimate data like a website) This IP address has been opportunistically scanning the Internet, however has failed to complete a full TCP connection. Any reported activity could be spoofed.

tag / GN tag

GreyNoise uses Tags to label activity hitting our sensors from IP addresses around the world. Think of Tags like network signatures, but with additional context such as tag intent, category, and related CVEs.

tags [GNQL searchable field]

A list of the tags the device has been assigned over the past 90 days.

threat hunting

The practice of proactively seeking out cybersecurity threats on a device or network.

TIP

(Threat Intelligence Platform) GreyNoise’s internet background noise and RIOT datasets help analysts minimize resources wasted on investigations into irrelevant events. This data can be integrated with a SIEM to quickly enrich events, a SOAR to automate workflows and incident response, or a TIP as an investigation resource. GreyNoise is integrated into a TIP application. All incidents from the perimeter are queried against GreyNoise, and based on defined rules, incident severity is adjusted.

trends

The GreyNoise Trends feature takes the lens that GreyNoise uses to view internet-wide scanning and focuses on the exploit, activity, or tool associated with a GreyNoise Tag.

trust levels

Trust Levels within the GreyNoise RIOT dataset help to provide analysts with an indicator as to how likely they are to want to trust an IP address, knowing which business service it belongs to.

TTP

(Stands for Tactics, Techniques, and Procedures) The behavior of an actor. A tactic is the highest-level description of the behavior; techniques provide a more detailed description of the behavior in the context of a tactic; and procedures provide a lower-level, highly detailed description of the behavior in the context of a technique.

unknown (re: GreyNoise classification)

IPs not classified as Benign or Malicious under existing criteria are classified as Unknown. Both Benign and Malicious classifications are highly vetted, so any other IP seen engaging in internet scanning behavior is classified as Unknown.

Visualizer / GN Visualizer

The GreyNoise Visualizer is our web user interface that allows users to lookup IP addresses, drill down into the data, and identify emerging internet threats.

viz

see: visualizer

vpn [GNQL searchable field]

(stands for Virtual Private Network) This IP is associated with a VPN service. Activity, malicious or otherwise, should not be attributed to the VPN service provider.

vpn_service [GNQL searchable field]

vulnerability / vuln

Any condition, configuration, or state that increases an asset’s logical, informational, or physical exposure to loss of availability, integrity, or confidentiality.

vulnerability scan

An assessment of a target using vulnerability-scanning tools to detect security weaknesses.

vulnerability scanner

An automated application or system designed to assess computers, computer systems, networks, or applications for weaknesses.

Cut through the noise