Andrew Morris got on a roll the other day and whacked out this tweetstorm describing the three key use cases for GreyNoise. You can check out the original Twitter thread here. Enjoy!

I'd like to do an overview of the three most common use-cases to use @GreyNoiseIO for. 1. Ignore/deprioritize pointless telemetry or alerts in the SOC 2. Identify compromised systems 3. Track which vulnerabilities are being opportunistically exploited ITW Thread (1/26)

1. Improve SOC efficiency

Benign IPs

Let's say I get a wacky IDS alert or am seeing something strange in my logs. I'll look up the IP address in GreyNoise (either using our visualizer or our free community API.

I looked up the IP address and, oh wow! It's just Shodan! GreyNoise already marked it as benign. No big deal. Paste a link in your ticket to the GreyNoise visualizer and move on.

https://viz.greynoise.io/ip/71.6.135.131

Example of GreyNoise Visualizer showing benign IP address detail

Maybe I don't want to use the GreyNoise web interface. Let's say I look up the IP in the free unauthenticated GreyNoise Community API and... cool, reports back that it's Censys. No problemo. Move on.

Example of GreyNoise Community API showing benign IP address detail

Malicious IPs

Let's say I look up an IP address, and it comes back with this big scary red IP address that says "malicious." What does this mean?

https://viz.greynoise.io/ip/45.155.205.165

Example of GreyNoise Visualizer showing malicious IP address detail

Well, this means that the IP is probably malicious (or was observed by GreyNoise doing something bad on our sensors), but whatever attack you're seeing is not targeted at *you specifically*. It was an opportunistic attack. Background noise.

Unknown IPs (to GreyNoise)

What if the IP address... doesn't come back at all?

This means that we've never seen that IP scanning/crawling the Internet, and it doesn't belong to any benign business services. It actually *might* be targeted your organization specifically. Investigate.

Example of GreyNoise Visualizer showing "No results found"

GreyNoise APIs

The GreyNoise Community API is rate limited to a few thousand lookups per day, but it's completely free and unauthenticated. As long as we continue to add enterprise customers and can afford to pay our staff and AWS bills, this will continue to be free.

Note that you don't get context, raw data, metadata, or tags using the Community API. Sorry folks, we've gotta make our money somewhere. This is available in our Enterprise API. If you want this data via API, hit up our sales team. But hey, it's free.

Fun fact: Just about every customer we have at GreyNoise sees at least a 20% alert contextualization/reduction rate from using GreyNoise. That's a LOT of wasted human hours spent chasing ghosts.

Analyze a List of IPs

Now let's say you've had an incident, and you need to figure out which of the gazillion IP addresses in some log file compromised your device.

No problemo. Just dump the log file (or just the IP addresses) into the GreyNoise analysis page, and now you can do two things:

  1. Quickly filter out known good guys
  2. If the situation warrants it, quickly identify opportunistic bad guys.

Here's an Analysis from an SSH auth.log I grabbed on a live server on the Internet.

~*~97.22% noise~*~

Example of GreyNoise Visualizer showing Analysis results

Filter Known-Benign Services (RIOT)

Let's say I'm trawling through a ton of netflow logs, and I want to identify any connections OUT of my network that might be going to bad guys.

I can filter known-benign services (Zoom, Github, Office365, Cloudflare, etc.). I can use GreyNoise RIOT for this.

Example of netflow log with a large number of IP addresses to triage
After analysis, just a handful of IP addresses are identified as "malicious" or "unknown"
Example of GreyNoise Visualizer showing RIOT IP address detail

*I'd like to note here that the IPs in RIOT *could potentially* be used by a sufficiently advanced adversary to attack you (async c2, etc.), but that doesn't mean that 99% of bad guys will be doing this, and it's not like you can just *BLOCK ZOOM* and not expect blowback.

Don't think of RIOT as a NACL or whitelist/allowlist. Think of RIOT as added context and a time-saver. You can either find out from GreyNoise via RIOT, or you can find out from your helpdesk reps when you block an IP and execs suddenly can't send emails anymore ¯\_(ツ)_/¯

2. Identify compromised devices

Let's say I want to find compromised devices that belong to ME, my users, or just some interesting network around the world.

Just punch in a GNQL query into the web interface of the IP block I'm interested in + the facet: "classification:malicious"

Example of GreyNoise Visualizer showing malicious scanning from devices within an IP address range

You can actually also find compromised devices in other facets as well. Here are examples of finding compromised devices in a specific country or using free text search to find compromised devices in hospitals or government facilities (or both):

Example of GreyNoise Visualizer showing malicious IP addresses related to government
Example of GreyNoise Visualizer showing malicious IP addresses related to hospitals
Example of GreyNoise Visualizer showing malicious IP addresses from a country related to hospitals

You can use your FREE GreyNoise account to register alerts on any network block or IPs. Once you've registered your alerts, we email you if we see any of your IPs get compromised (e.g., unexpectedly start scanning the internet )

https://viz.greynoise.io/alerts

Example of GreyNoise Visualizer showing how to set up Alerts

3. Emerging vulnerability exploitation

You can use GreyNoise to find whether a given vulnerability is being opportunistically exploited or "vuln checked" at scale. Simply craft a GNQL query for CVE.

https://viz.greynoise.io/query/?gnql=cve%3ACVE-2021-3129

Example of GreyNoise Visualizer showing malicious IP addresses related to a CVE

When a big scary vulnerability is announced, basically everyone has the exact same thought:

"How much do I **really** have to care about this? Is this... being exploited in the wild right now?"

GreyNoise is declaring war on this ambiguity.

You can also see *which* CVEs a given IP address is probing the internet for or opportunistically exploiting. This list is not exhaustive - it takes a lot of work to add coverage to these. This is what @ackmage @nathanqthai and @4b4c41 do.

Example of GreyNoise Visualizer for a malicious IP address showing targeted CVEs

Our Business Model

We have a long ways to go on properly productizing this offering. It's really hard to do at scale, and not every vulnerability can be exploited in a way that GreyNoise will ever see. That said, we'll be announcing some new offerings focusing on this use case later this year.

Our business model is pretty simple:

  • Most viz stuff == free but rate limited
  • Community API == free but rate limited
  • GreyNoise in your SIEM/TIP/SOAR == paid

Expect a lot of this stuff to shift over the next few months/years as we find better ways to price/package our features.

That pretty much covers it.

Here are my asks to you:

  • If you use GreyNoise's free products, get in touch with @SupriyaMaz and she'll hook you up with free swag
  • If you work in SOC/TI or at an MSSP and want to hear about our commercial offering, ping sales@greynoise.io

And, of course, ping me anytime. I can't promise a snappy response, but I try to clear my inbox at least every few weeks (aspirational). My email is andrew@greynoise.io.

Oh, last thing. We tag like... hundreds of activities and actors and exploits and vuln probes and tools. Check them all out here (it's searchable, but the layout is pretty unwieldy considering how massive our tag library is now).

https://viz.greynoise.io/cheat-sheet/tags

Some of the activities and actors and exploits and vuln probes GreyNoise has identified

Onward.

--Andrew

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
Read the full report
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account