Applying GreyNoise Data to Your Analysis

Since GreyNoise is not a traditional Threat Intelligence service, applying the Internet Scanner (previously NOISE) or common business service (formerly RIOT) data to an event or incident may not be completely intuitive. The following guide outlines best practices for applying GreyNoise data to your analysis.

Analyzing Inbound Threats

When triaging events related to internet-facing devices, GreyNoise data is best applied to the captured "source IP" of each event. When querying GreyNoise, the IP should be looked up in the Internet Scanner (previously NOISE) or common business service (formerly RIOT) datasets. The following logic can help guide the next steps:

  • GreyNoise has no information about this IP (internet_scanner_intelligence.found:false and business_service_intelligence.found:false responses)

    • Recommendation: Set priority to the highest level or numeric value
    • Rationale: In this scenario, this response indicates that this attack on your system may be targeted and is not just an opportunistic attempt by an actor scanning the internet. Therefore, an analyst should immediately review this.
  • GreyNoise has not seen the IP, but the IP belongs to a common business service that owns and operates that IP (internet_scanner_intelligence.found:false, business_service_intelligence.found:true, and business_service_intelligence.trust_level: 1 response)

    • Recommendation: Set priority to a low level or decrease to the lowest numeric value
    • Rationale: In this scenario, this response indicates that this activity on your system was likely caused by a connection to a common business service. This IP is unlikely to be doing anything malicious unless the provider is dealing with a significant compromise of their operated infrastructure.
  • GreyNoise has not seen the IP, but the IP belongs to a common business service that owns but does not operate that IP (internet_scanner_intelligence.found:false, business_service_intelligence.found:true, and business_service_intelligence.trust_level: 2 responses)

    • Recommendation: Set priority to low-medium level or decrease the numeric value by 2
    • Rationale: In this scenario, this response indicates that this activity on your system was likely caused by a connection to a common business service; however, the provider allows external sources to add content, so additional research should be conducted. Note that this IP likely cannot be blocked without disrupting business functions.
  • GreyNoise has seen the IP and classifies it as benign (internet_scanner_intelligence.found:true and internet_scanner_intelligence.classification:benign responses)

    • Recommendation: Set priority to low level or decrease to the lowest numeric value
    • Rationale: In this scenario, this response indicates that this activity on your system was likely an opportunistic scan attempt by a known actor scanning the internet. Since the actor is known to be good, their actions can be considered benign in most cases.
    • Additional Factors to Consider: Even known benign actors can get compromised, which is why we do not recommend events be "auto-closed" but instead suggest they be de-prioritized. If observed behavior appears malicious, contact the identified actor to understand if there is a compromise on their system.
  • GreyNoise has seen the IP and classifies it as malicious (internet_scanner_intelligence.found:true and internet_scanner_intelligence.classification:malicious responses)

    • Recommendation: Set priority to medium-high level or decrease the numeric value by 1
    • Rationale: In this scenario, this response indicates that this activity on your system was likely an opportunistic exploit attempt by an actor scanning the internet. While the activity may have malicious intent, it is likely an opportunistic scan.
    • Additional Factors to Consider: GreyNoise associated tags, ports, and other metadata can be used to apply different priorities based on how critical this IP is to your organization. If all the metadata suggests that the IP is not a threat to your organization, the priority can be lower even though it is classified as malicious.
  • GreyNoise has seen the IP and classifies it as suspicious (internet_scanner_intelligence.found:true and internet_scanner_intelligence.classification:suspicious responses)

    • Recommendation: Set priority to medium level or decrease the numeric value by 1 or 2
    • Rationale: In this scenario, this response indicates that this activity on your system was likely an opportunistic reconnaissance attempt by an actor scanning the internet. While the activity may have suspicious intent, the scan hasn't reached malicious stages and can be lowered in priority.
    • Additional Factors to Consider: GreyNoise associated tags, ports, and other metadata can be used to apply different priorities based on how critical this IP is to your organization. If all the metadata suggests that the IP is not a threat to your organization, the priority can be lower even though it is classified as suspicious.
  • GreyNoise has seen the IP and classifies it as unknown (internet_scanner_intelligence.found:true and internet_scanner_intelligence.classification:unknown responses)

    • Recommendation: Set priority to low-medium level or decrease the numeric value by 2
    • Rationale: In this scenario, this response indicates that this activity on your system was likely just an opportunistic attempt by an actor scanning the internet. Based on what GreyNoise observes, the activity does not appear to have malicious intent. It is not necessarily targeted or of concern to your organization, but it wasn't from a known actor, so it should be treated with some caution and additional review.
    • Additional Factors to Consider: Since all IPs start with an unknown classification, future behavior observed from these actors could change this classification. The additional context, such as the raw data (ports, paths, user-agents, spoofable), should be taken into account.

Analyzing Outbound Threats

  • GreyNoise has not seen the IP, but the IP belongs to a known service provider (internet_scanner_intelligence.found:false and business_service_intelligence.found:true responses)

    • Recommendation: Set priority to low level or decrease to the lowest numeric value
    • Rationale: In this scenario, this response indicates that this activity on your system was likely caused by a connection to a known service provider. Most of these are benign and probably required for continued business operations, but this data should be applied along with additional observed behavior.
  • GreyNoise has seen the IP, but the IP does not belong to a known service provider (internet_scanner_intelligence.found:true and business_service_intelligence.found:false, any classification level responses)

    • Recommendation: Set priority to the highest level or numeric value
    • Rationale: In this scenario, this response indicates that an outbound connection was made to a known device that scans the internet. Regardless of the classification of the IP in the GreyNoise dataset, this is likely unwanted behavior and should be investigated immediately.

Additional Cases and Notes

  • In the event of a successful login to any business service from an IP address that is marked malicious, raise it to the highest priority and alert immediately. This is indicative of:

    • a compromised account,
    • a compromised device being re-purposed for credential stuffing, or
    • a successful brute-force attack.
  • If an alert is raised from a Business Service (RIOT) IP, you may want to investigate further, but blocking the IP address is ill-advised: a legitimate business service is using it, and blocking it may disrupt service for your network's users.

  • If an IP from the Internet Scanner (NOISE) data is marked as spoofable, remember that the observed traffic may not have originated from that device, but rather an unidentified device that was spoofing the observed IP. Additional analysis should be considered in this case.

  • If an IP is tagged as both Internet Scanner (NOISE): True AND Business Service (RIOT): True, all of the details presented on this IP address must be considered. In most cases, the scanning data observed will carry the spoofable:True flag, indicating that someone may be spoofing that IP. This would allow you to focus on the RIOT data, as the IP address likely is not actually doing any scanning and is just part of a common business service.
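The inbound and outbound decision tables above, plus the NOISE-and-RIOT spoofable note, written out as a small triage helper. This is an added example and not GreyNoise's own code; the response dicts are constructed sample data using the field names cited on this page, and the numeric priority scale (1 = lowest, 5 = highest, so "decrease by N" subtracts N), the function names and the placement of spoofable under internet_scanner_intelligence are assumptions.

```python
# Added example, not GreyNoise's own code: applies the inbound and outbound decision
# tables on this page to a GreyNoise IP lookup response. Response dicts are constructed
# samples using the page's field names; the priority scale (1 = lowest, 5 = highest;
# "decrease by N" subtracts N), function names and spoofable's location are assumptions.

LOWEST, HIGHEST = 1, 5

def _clamp(p: int) -> int:
    return max(LOWEST, min(HIGHEST, p))

def inbound_priority(resp: dict, current: int) -> int:
    """Priority for an event whose source IP produced this lookup response."""
    scanner = resp.get("internet_scanner_intelligence", {})
    biz = resp.get("business_service_intelligence", {})
    # Seen as a scanner AND a business service with spoofable set: weight the RIOT view.
    if scanner.get("found") and biz.get("found") and scanner.get("spoofable"):
        scanner = {}
    if not scanner.get("found"):
        if not biz.get("found"):
            return HIGHEST                   # unknown to GreyNoise: possibly targeted
        if biz.get("trust_level") == 1:
            return LOWEST                    # provider owns and operates the IP
        return _clamp(current - 2)           # trust_level 2: provider hosts external content
    cls = scanner.get("classification")
    if cls == "benign":
        return LOWEST                        # de-prioritise; do not auto-close
    if cls == "malicious":
        return _clamp(current - 1)           # opportunistic exploit attempt
    if cls == "suspicious":
        return _clamp(current - 1)           # page allows 1 or 2; take the smaller step
    return _clamp(current - 2)               # unknown: some caution, additional review

def outbound_priority(resp: dict, current: int) -> int:
    """Priority for an outbound connection to the IP behind this lookup response."""
    scanner_found = resp.get("internet_scanner_intelligence", {}).get("found")
    biz_found = resp.get("business_service_intelligence", {}).get("found")
    if scanner_found and not biz_found:
        return HIGHEST                       # outbound to a known scanner: investigate now
    if biz_found and not scanner_found:
        return LOWEST                        # known service provider
    return current                           # combinations the page does not rank

# Constructed sample responses (shape only; not real GreyNoise data).
UNKNOWN = {"internet_scanner_intelligence": {"found": False},
           "business_service_intelligence": {"found": False}}
MALICIOUS = {"internet_scanner_intelligence": {"found": True, "classification": "malicious"},
             "business_service_intelligence": {"found": False}}
SPOOFED = {"internet_scanner_intelligence": {"found": True, "classification": "unknown", "spoofable": True},
           "business_service_intelligence": {"found": True, "trust_level": 1}}
```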