Applying GreyNoise Data to Your Analysis
Since GreyNoise is not a traditional Threat Intelligence service, applying the NOISE or RIOT data to an event or incident may not be completely intuitive. The following guide outlines best practices on how to apply GreyNoise data to your analysis.
Analyzing Inbound Threats
When triaging events that are related to internet-facing devices, GreyNoise data is best applied to the captured "source IP" of each event being reviewed. When querying GreyNoise, the IP should be looked up in both the NOISE and RIOT datasets. The following logic can help guide the next steps:
-
GreyNoise has no information about this IP (noise:false and riot:false responses)
- Recommendation: Set priority to the highest level or numeric value
- Rationale: In this scenario, this response indicates that this attack on your system may be targeted and is not just an opportunistic attempt by an actor that is scanning the internet. Therefore, an analyst should immediately review this.
-
GreyNoise has not seen the IP but the IP belongs to a common business service that owns and operates that IP (noise:false, riot:true, and trust_level: 1 response)
- Recommendation: Set priority to a low level or decrease to the lowest numeric value
- Rationale: In this scenario, this response indicates that this activity on your system was likely caused by a connection to a common business service. This IP is unlikely to be doing anything malicious unless the provider has had some sort of major compromise of their operated infrastructure.
-
GreyNoise has not seen the IP but the IP belongs to a common business service that owns but does not operate that IP (noise:false, riot:true, and trust_level: 2 responses)
- Recommendation: Set priority to low-medium level or decrease the numeric value by 2
- Rationale: In this scenario, this response indicates that this activity on your system was likely caused by a connection to a common business service, however, the provider allows external sources to add content, so additional research should be conducted. This IP likely cannot be blocked though, without disrupting business functions.
-
GreyNoise has seen the IP and classifies it as benign (noise:true and classification:benign responses)
- Recommendation: Set priority to low level or decrease to the lowest numeric value
- Rationale: In this scenario, this response indicates that this activity on your system was likely an opportunistic scan attempt by a known actor that is scanning the internet. Since the actor is known to be good, their actions can be considered benign in most cases.
- Additional Factors to Consider: Even known benign actors can get compromised, which is why we do not recommend events to be "auto-closed" but instead suggest them to be de-prioritized. If observed behavior appears malicious, contact should be made to the identified actor to understand if there is a compromise on their system.
-
GreyNoise has seen the IP and classifies it as malicious (noise:true and classification:malicious responses)
- Recommendation: Set priority to medium-high level or decrease the numeric value by 1
- Rationale: In this scenario, this response indicates that this activity on your system was likely an opportunistic attempt by an actor that is scanning the internet. While the activity may have malicious intent, it is likely an opportunistic scan.
- Additional Factors to Consider: GreyNoise associated tags, ports, and other metadata can be used to apply different priorities based on how critical this IP is to your organization. If all of the metadata suggests that the IP is not a threat to your organization, the priority can be lower even though it is classified as malicious.
-
GreyNoise has seen the IP and classifies it as unknown (noise:true and classification:unknown responses)
- Recommendation: Set priority to low-medium level or decrease the numeric value by 2
- Rationale: In this scenario, this response indicates that this activity on your system was likely just an opportunistic attempt by an actor that is scanning the internet. The activity does not appear to have malicious intent based on what is observed by GreyNoise. It is not necessarily targeted or of concern to your organization, but it wasn't from a known actor so should be treated with some caution and additional review.
- Additional Factors to Consider: Since all IPs start with a classification of unknown, there could be behavior that is coming from these actors that is unidentified. The additional context, such as the raw data (ports, paths, user-agents, spoofable) should be taken into account.
Analyzing Outbound Threats
-
GreyNoise has not seen the IP but the IP belongs to a known service provider (noise:false and riot:true responses)
- Recommendation: Set priority to low level or decrease to lowest numeric value
- Rationale: In this scenario, this response indicates that this activity on your system was likely caused by a connection to a known service provider. Most of these are benign and probably required for continued business operations, but this data should be applied along with additional observed behavior
-
GreyNoise has seen the IP but the IP does not belong to a known service provider (noise:true and riot:false, any classification level responses)
- Recommendation: Set priority to highest level or numeric value
- Rationale: In this scenario, this response indicates that an outbound connection was made to a known device scanning the internet. Regardless of the classification of the IP in the GreyNoise dataset, this is likely unwanted behavior and should be investigated further immediately.
Additional Cases and Notes
-
In the event of a successful login to any business service from an IP address that is marked malicious, raise it to the highest priority and alert immediately. This is indicative of:
- a compromised account,
- a compromised device being re-purposed for credential stuffing
- a successful bruteforce attack
-
If an alert is raised from a RIOT IP, you may want to investigate further, but blocking the IP address is ill-advised as it is being used by a legitimate business service and may disrupt service for your network's users
-
If an IP from the NOISE data is marked as spoofable, remember that it is possible the observed traffic may not have actually originated from that device, but rather an unidentified device that was spoofing the observed IP. Additional analysis should be considered in this case.
-
If an IP is tagged as both NOISE: True AND RIOT: True all of the details presented on this IP address must be taken into consideration. In most cases, the scanning data observed will reflect the spoofable:True flag, indicating that someone may be spoofing that IP. This would allow you to focus just on the RIOT data, as the IP address likely is not actually doing any scanning and is in fact just part of a common business service.
Updated over 2 years ago