Using attack telemetry for threat hunting.
Proactive threat hunting uses a variety of methods and data sources in order to drive a hunting campaign. Hunting for unknowns in an environment can be challenging without the right set of data. Every day hundreds of thousands of devices scan, crawl, and probe every routable IP address on the internet looking for vulnerabilities and misconfigurations. GreyNoise provides additional information about activity from a particular IP address or ASN and tracks trending or anomalous activity as threats emerge.
Anomalous behavior gives analysts a quick way to review traffic observed by GreyNoise sensors that deviates from previously observed activity. Being able to conceptualize an attacker's early-stage attack infrastructure as threats emerge provides a window of opportunity for threat hunters to start a targeted, specific investigation. Why are actors suddenly looking for these devices? Are similarly vulnerable devices present in my organization and exposed to the internet?
How it works.
Manual IP lookup in the GreyNoise Visualizer.
The GreyNoise Query Language (GNQL) gives cyber threat intelligence (CTI) teams, threat hunters, vulnerability researchers, and others a powerful and flexible way to search the data observed by GreyNoise sensors for emerging threats, compromised devices, and other interesting trends.
Threat Intelligence Platforms (TIPs)
Organizations ingesting open source and commercial threat feeds require additional context on the behavior of a particular IP address to efficiently prioritize threats by severity. Building a relevant threat intel operation with up-to-date information can be challenging, expensive, and time-consuming. GreyNoise’s integrations easily provide data enrichment within your TIP and help eliminate the noise and false positives CTI teams are apt to find when ingesting disparate intelligence sources.
Collecting IOCs is only half of the battle; making the data actionable in an organization can be accomplished in a number of ways. Threat feeds enriched in a TIP can then be fed into a SIEM to enrich logs, provide additional details to pivot on for further hunting, or easily filter out events generated by mass scanning to quickly focus on relevant data.
Further hunting can be automated via a SOAR platform by quickly searching for indicators provided by GreyNoise. Creating a playbook for threat hunting can leverage organization data as well as emerging threat data to use when querying a SIEM or data lake. This data can form the basis of a deeper hunt conducted by an analyst using the data that was automatically gathered.
Robust threat intelligence does not exist in a vacuum.
Collaboration is key to providing more relevant information to GreyNoise users and the security community at large. IPs observed by the GreyNoise sensor network are enriched with additional information sources, such as whether an IP is a known Tor exit node or is used by a commercial VPN provider. GreyNoise participates in information sharing organizations and contributes data to strategic partnerships in an effort to provide and receive information on emerging threats as soon as they come into play.
Leverage our advanced threat hunting capabilities.
Using GreyNoise’s unique view of internet scanning activity, you can analyze threats in new ways, saving your team time and energy. Identify geopolitical threats, tie together IPs that may be part of a larger attack infrastructure, and retrohunt through our data to see what internet scanning activity looked like at a specific point in time.
Using the IP destination fields, users can identify IPs or attacks that may be targeting specific geographic regions. These fields, available to paying customers, draw on the destination of our sensors that have observed scanning activity and therefore cannot be spoofed.