GreyNoise: Knowing the difference between benign and malicious internet scans

Used with Shodan, this "search engine that looks at people scanning the internet" can help you pick bad actors out of the noise.

When Shodan launched, people freaked out. “How dare you scan my device connected to the public internet,” freaker-outers griped. Yet Shodan is a benign scanner and useful for many defensive tasks. (Maybe don't connect those devices to the internet? Just sayin’.)

Shodan is by no means the only scanner sweeping the entire IPv4 address space, all 4.2 (and a bit) billion of 'em. So do Censys, Sonar and ShadowServer. Like Shodan, they scan noisily from fixed IP subnets and announce their intentions.

Benign scanners make up less than a fraction of 1 percent of all internet scanners, however, according to Andrew Morris at GreyNoise. Of the rest, 10 to 20 percent are known malicious — Mirai botnet, anyone? — and in search of vulnerable devices to compromise. The rest are, well, "grey noise."

Are the scanners in your logs in search of an opportunistic target? Or are they scanning your organization specifically as recon for an attack? To answer this question, Morris launched GreyNoise.
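To make that triage concrete, here is an added Python example (not code from the article or from GreyNoise): it counts denied connections per source IP in a few constructed firewall log lines and labels each source as a benign scanner from a published range, known malicious, internet-wide grey noise, or seen only by us, that last bucket being the candidates for targeted recon. The scanner ranges, the noise feed and the log lines are all constructed placeholders, not real data.

```python
import ipaddress
from collections import Counter

# Constructed placeholder data. In practice the ranges would come from the
# scanners' published subnets and the noise set from an internet-wide feed.
BENIGN_SCANNER_RANGES = {
    "shodan": ["198.51.100.0/24"],   # placeholder, not Shodan's real range
    "censys": ["203.0.113.0/25"],    # placeholder
}
INTERNET_WIDE_NOISE = {"192.0.2.7", "192.0.2.200"}  # seen scanning everyone
KNOWN_MALICIOUS = {"192.0.2.200"}                   # e.g. a botnet scanner

# Constructed firewall log lines (iptables-style SRC=/DST=/DPT= fields).
FIREWALL_LOG = """\
2024-05-01T10:00:01Z DROP SRC=198.51.100.12 DST=10.0.0.5 DPT=22
2024-05-01T10:00:02Z DROP SRC=192.0.2.7 DST=10.0.0.5 DPT=23
2024-05-01T10:00:03Z DROP SRC=192.0.2.200 DST=10.0.0.5 DPT=23
2024-05-01T10:00:04Z DROP SRC=192.0.2.55 DST=10.0.0.5 DPT=22
2024-05-01T10:00:05Z DROP SRC=192.0.2.55 DST=10.0.0.6 DPT=22
2024-05-01T10:00:06Z DROP SRC=192.0.2.55 DST=10.0.0.7 DPT=22
"""

def parse_sources(log_text):
    """Count denied connection attempts per source IP using the SRC= field."""
    counts = Counter()
    for line in log_text.splitlines():
        for field in line.split():
            if field.startswith("SRC="):
                counts[field[4:]] += 1
    return counts

def classify(ip):
    """Label one source: benign range, known malicious, grey noise, or only us."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in BENIGN_SCANNER_RANGES.items():
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return f"benign:{name}"
    if ip in KNOWN_MALICIOUS:
        return "known-malicious"
    if ip in INTERNET_WIDE_NOISE:
        return "grey-noise"
    # Never observed scanning the wider internet: worth a closer look.
    return "not-seen-elsewhere"

def triage(log_text):
    """Return {source_ip: (hit_count, verdict)} for every source in the log."""
    counts = parse_sources(log_text)
    return {ip: (n, classify(ip)) for ip, n in counts.items()}
```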

Making sense of scanners in your logs
