GreyNoise: Knowing the difference between benign and malicious internet scans

Used with Shodan, this "search engine that looks at people scanning the internet" can help you pick bad actors out of the noise.


When Shodan launched, people freaked out. “How dare you scan my device connected to the public internet,” freaker-outers griped. Yet Shodan is a benign scanner and useful for many defensive tasks. (Maybe don't connect those devices to the internet? Just sayin’.)

Shodan is by no means the only scanner sweeping the entire IPv4 address space, all 4.2 (and a bit) billion of 'em. So do Censys, Sonar and ShadowServer. Like Shodan, they scan noisily from fixed IP subnets and announce their intentions.

Benign scanners make up only a fraction of 1 percent of all internet scanners, however, according to Andrew Morris at GreyNoise. Of the rest, 10 to 20 percent are known malicious — Mirai botnet, anyone? — and in search of vulnerable devices to compromise. The rest are, well, "grey noise."

Are the scanners in your logs in search of an opportunistic target? Or are they scanning your organization specifically as recon for an attack? To answer this question, Morris launched GreyNoise.
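A first pass at that question can be made from your own logs before reaching for an external service: separate sources that fall in a scanner's announced subnets from the rest, then look at how broadly each remaining source touched your address space. The script below is an added example written for this article, not code from GreyNoise or from CSO; the allowlist CIDRs (RFC 5737 documentation ranges), the log lines, and the thresholds `sweep_hosts` and `recon_ports` are all constructed for illustration.

```python
"""Triage scanner source IPs from connection logs using only local evidence.

Heuristic: a source announced as a benign scanner is labelled as such; an
unknown source hitting many hosts on one or two ports looks like an
opportunistic sweep; an unknown source hitting one host on many ports looks
like targeted recon; everything else is left as "grey noise" for further
enrichment.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed allowlist. In practice, populate this from the ranges that the
# benign scanners publish; these CIDRs are documentation ranges, not real ones.
KNOWN_BENIGN = {
    "example-scanner-A": ipaddress.ip_network("198.51.100.0/24"),
    "example-scanner-B": ipaddress.ip_network("203.0.113.0/24"),
}

# Constructed firewall-style log lines: "<timestamp> src=<ip> dst=<ip> dport=<port>".
SAMPLE_LOG = """\
2024-01-01T00:00:01Z src=198.51.100.7 dst=10.0.0.10 dport=22
2024-01-01T00:00:02Z src=198.51.100.7 dst=10.0.0.11 dport=443
2024-01-01T00:00:03Z src=192.0.2.200 dst=10.0.0.10 dport=23
2024-01-01T00:00:04Z src=192.0.2.200 dst=10.0.0.11 dport=23
2024-01-01T00:00:05Z src=192.0.2.200 dst=10.0.0.12 dport=2323
2024-01-01T00:00:06Z src=192.0.2.200 dst=10.0.0.13 dport=23
2024-01-01T00:00:07Z src=192.0.2.77 dst=10.0.0.10 dport=21
2024-01-01T00:00:08Z src=192.0.2.77 dst=10.0.0.10 dport=22
2024-01-01T00:00:09Z src=192.0.2.77 dst=10.0.0.10 dport=80
2024-01-01T00:00:10Z src=192.0.2.77 dst=10.0.0.10 dport=443
2024-01-01T00:00:11Z src=192.0.2.77 dst=10.0.0.10 dport=8080
2024-01-01T00:00:12Z src=192.0.2.77 dst=10.0.0.10 dport=3389
2024-01-01T00:00:13Z src=192.0.2.5 dst=10.0.0.12 dport=445
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+)")


def parse_log(text):
    """Yield (src, dst, port) for every line that matches the expected format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["port"])


def benign_name(ip, benign=KNOWN_BENIGN):
    """Return the scanner name whose published range contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, net in benign.items():
        if addr in net:
            return name
    return None


def triage(log_text, benign=KNOWN_BENIGN, sweep_hosts=3, recon_ports=5):
    """Label each source IP in the log. Thresholds are illustrative, not tuned."""
    hosts = defaultdict(set)   # source -> set of destination hosts touched
    ports = defaultdict(set)   # source -> set of destination ports touched
    for src, dst, port in parse_log(log_text):
        hosts[src].add(dst)
        ports[src].add(port)

    result = {}
    for src in hosts:
        name = benign_name(src, benign)
        if name:
            label = f"benign: {name}"
        elif len(hosts[src]) >= sweep_hosts and len(ports[src]) <= 2:
            label = "opportunistic sweep"      # wide and shallow: looking for one thing anywhere
        elif len(ports[src]) >= recon_ports and len(hosts[src]) == 1:
            label = "targeted recon"           # narrow and deep: enumerating one of your hosts
        else:
            label = "grey noise"               # not enough local evidence; enrich externally
        result[src] = {"label": label, "hosts": len(hosts[src]), "ports": sorted(ports[src])}
    return result


if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        print(f"{src:15} {info['label']:22} hosts={info['hosts']} ports={info['ports']}")
```

The local view is limited by design: a source that touched one port on one of your hosts is indistinguishable, from your logs alone, from a source doing the same thing to the whole IPv4 space, which is exactly the gap a service with a wider vantage point is meant to fill.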

Making sense of scanners in your logs

"GreyNoise is the exact opposite of Shodan," Morris says. "Where Shodan is a search engine of all open ports and services on the internet, GreyNoise is a search engine that looks at people scanning the internet."

