Understanding GreyNoise RIOT Trust Levels


RIOT aims to answer the following questions:

With proper context, is this IP something that I can rule out and ignore during an investigation because it belongs to a known business service?

What are Trust Levels?

Trust Levels within the GreyNoise RIOT dataset give analysts an indicator of how far they are likely to want to trust an IP address, given the business service it belongs to.

There are two available trust levels:

Trust Level 1: These IPs are trustworthy because the companies or services assigned are generally responsible for the interactions with this IP. Adding these ranges to an allow-list may make sense.

Trust Level 2: These IPs are somewhat trustworthy because they are necessary for regular and common business internet use. Companies that own these IPs typically do not claim responsibility or have accountability for interactions with these IPs. Malicious actions may be associated with these IPs, but adding this entire range to a block-list does not make sense.

How are Trust Levels Determined?

Trust levels for each RIOT IP are determined with these two simple questions:

  • Who effectively declares "ownership" of this IP?
  • Is the organization that "owns" the IP the same as the actor behind the IP?

Understanding RIOT Trust Levels

By answering these two questions, RIOT provides a mechanism for identifying more unknown IPs at the network perimeter and providing additional context.

When the owner of an IP is highly likely to be the same as the actor behind the IP, we provide a trust level of "1". This indicates that the IP can be added to an allow-list. Cloudflare DNS is a good example where interactions with the IP are likely to be safe interactions with Cloudflare itself.

Additional examples of a Trust Level 1 service would be: Google DNS, Adobe, or Apple.

RIOT also captures when an IP is owned by an organization but is allowed to be used for arbitrary purposes by another party. This is when a trust level of "2" is applied. Cloudflare CDN is a good example where the interactions with the IP are not likely to be interactions with Cloudflare at all but rather someone using the IP provided by Cloudflare.

Additional examples of a Trust Level 2 service would be: AWS CloudFront or Fastly.
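
One way to apply these trust levels during triage, shown as an added example that is not GreyNoise code: it maps each lookup result to a disposition and flags proposed block-list ranges that would cover RIOT IPs. The record fields (`ip`, `riot`, `name`, `trust_level`), the provider names, and the documentation-range IPs are constructed assumptions.

```python
import ipaddress

# Constructed RIOT lookup results (documentation-range IPs, made-up providers).
# Field names are an assumption about how the enrichment data is shaped.
RIOT_RESULTS = [
    {"ip": "192.0.2.10", "riot": True, "name": "Example DNS", "trust_level": "1"},
    {"ip": "198.51.100.7", "riot": True, "name": "Example CDN", "trust_level": "2"},
    {"ip": "203.0.113.50", "riot": False},
]


def triage(record):
    """Map one RIOT lookup result to an investigation disposition."""
    if not record.get("riot"):
        return "investigate"  # not a known business service
    level = str(record.get("trust_level"))
    if level == "1":
        # Owner and actor are likely the same: allow-list candidate.
        return "allow-list-candidate"
    if level == "2":
        # Shared infrastructure: judge the traffic itself, never block the range.
        return "investigate-no-range-block"
    return "investigate"  # unknown trust level: fail closed


def review_blocklist(cidrs, records):
    """Return (cidr, ip, provider) for proposed block ranges that cover RIOT IPs."""
    conflicts = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        for rec in records:
            if rec.get("riot") and ipaddress.ip_address(rec["ip"]) in net:
                conflicts.append((cidr, rec["ip"], rec["name"]))
    return conflicts


if __name__ == "__main__":
    for rec in RIOT_RESULTS:
        print(rec["ip"], "->", triage(rec))
    # A proposed block-list where one range overlaps a Trust Level 2 provider.
    for conflict in review_blocklist(["198.51.100.0/24", "203.0.113.0/24"], RIOT_RESULTS):
        print("range covers RIOT IP:", conflict)
```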


Updates to RIOT Providers List

GreyNoise regularly updates the list of providers that are contained within RIOT. If you have an IP or provider that you think should be included in RIOT, please email us at [email protected]