TuesdayTool 23: GreyNoise The Internet Noise Filter

Oloyede Olajumoke Elizabeth
3 min read · Oct 22, 2024

Introduction

Vulnerability management across an organization’s digital estate is a key practice for staying safe in a cyberspace where threat actors continuously crawl for exploitable information systems. It is also important for every security analyst and threat intelligence analyst to understand the organization’s posture on the internet. As a threat intelligence analyst, I have used a particular tool to understand the kind of noise my organization’s ASNs (Autonomous System Numbers) are making on the internet. Why is this important? Internet noise related to an organization’s internet-facing assets could serve as a pointer to a compromise, especially when it is more than a certain number of events, say 3–5. This will aid further investigation, which could reduce a threat actor’s dwell time in the environment if a compromise is eventually confirmed. The tool that has helped me in my daily operational intelligence gathering is called ‘GREYNOISE’.

About GreyNoise

GreyNoise is a cybersecurity tool that helps organizations filter out “noise” from their security alerts by providing insights into IP addresses associated with benign scanners, bots, and malicious activities. GreyNoise helps security teams distinguish between benign and malicious internet noise.

GreyNoise Home Page

Getting started

Below is a step-by-step guide on how to get started with GreyNoise:

  1. Registration: Sign up for a free account on greynoise.io.
  2. Verification: Verify your email address.
  3. Set up: Set up your account password.

Using GreyNoise

You can use GreyNoise in either of the two ways below:

  1. Web interface: log into your GreyNoise account, and explore GreyNoise features on its dashboard. The features include:

a. IP Summary: view different IP addresses and their noise levels

b. Search: query different IP addresses, domains, and/or hashes for results

c. Scan history: check recent scans and their results

d. Analyze IP address details: analyze IP addresses based on noise level, which can be categorized as unknown, benign, or malicious. Review the scan history of IP addresses and see associated tags such as ‘Cloud provider’, ‘VPN’, etc.

e. Vulnerability search: a user can gain insight into the degree of vulnerability exploitation using the CVE parameter. This provides vulnerability intelligence related to the CVE, such as the timeline of exploitation, the IP addresses seen scanning for the vulnerability, the country associated with each IP address, and even the IP address’s history of vulnerability exploitation.

  2. API Integration

a. API Key: Obtain your GreyNoise API key from the GreyNoise Visualizer.

b. Python Environment: Ensure you have Python installed along with the greynoise package. You can install it via pip:

pip install greynoise

GreyNoise Benefits

  1. It reduces false positives.
  2. It enhances threat detection.
  3. It improves incident response.
  4. It optimizes security workflows.

Integration with Security Tools

GreyNoise supports integration with various SIEM, threat intelligence, and SOAR platforms, which allows users to automate threat detection processes. For example, you can configure a SIEM tool such as Splunk or ELK to annotate alerts with GreyNoise data automatically.
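
The alert annotation described above, together with the introduction's check for noise coming from your own address space, as an added offline example that is not from the original post or from GreyNoise. The `lookup` stand-in, the field names, the addresses, and the `min_events` cut-off (one reading of the post's "say 3–5") are assumptions, and all sample records are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample data (documentation address ranges); field names are assumptions.
ORG_NETS = [ipaddress.ip_network("198.51.100.0/24")]
SAMPLE_CONTEXT = {
    "192.0.2.10": {"classification": "benign", "tags": ["Cloud provider"]},
    "203.0.113.7": {"classification": "malicious", "tags": ["VPN"]},
}
SAMPLE_ALERTS = [
    {"id": 1, "src_ip": "192.0.2.10"},
    {"id": 2, "src_ip": "203.0.113.7"},
    {"id": 3, "src_ip": "192.0.2.99"},
]
# Source IPs of noise events observed on the internet (constructed).
SAMPLE_NOISE = ["198.51.100.23"] * 4 + ["198.51.100.40"] * 2 + ["203.0.113.7"] * 5

ACTIONS = {"benign": "suppress", "malicious": "escalate", "unknown": "review"}


def lookup(ip, context=SAMPLE_CONTEXT):
    """Hypothetical stand-in for an API lookup; IPs without a record are 'unknown'."""
    return context.get(ip, {"classification": "unknown", "tags": []})


def annotate(alerts, lookup_fn=lookup):
    """Return copies of the alerts with classification, tags and a triage action."""
    enriched = []
    for alert in alerts:
        ctx = lookup_fn(alert["src_ip"])
        cls = ctx.get("classification", "unknown")
        enriched.append({**alert, "gn_classification": cls,
                         "gn_tags": ctx.get("tags", []),
                         "action": ACTIONS.get(cls, "review")})
    return enriched


def noisy_org_assets(noise_ips, org_nets=ORG_NETS, min_events=3):
    """Count noise events per organization-owned IP; keep those at or above min_events."""
    counts = Counter(ip for ip in noise_ips
                     if any(ipaddress.ip_address(ip) in net for net in org_nets))
    return {ip: n for ip, n in counts.items() if n >= min_events}


if __name__ == "__main__":
    for row in annotate(SAMPLE_ALERTS):
        print(row["id"], row["src_ip"], row["gn_classification"], row["action"])
    print("own assets to investigate:", noisy_org_assets(SAMPLE_NOISE))
```

In a real pipeline, `lookup_fn` would be replaced by a call to the GreyNoise API, and an own-asset hit from `noisy_org_assets` would open an investigation rather than suppress anything.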

Conclusion

GreyNoise is a powerful tool used for filtering out irrelevant security alerts and focusing on genuine threats. By using its API and web instances effectively, organizations can improve their security posture and response times. For further details, refer to the official documentation which provides comprehensive guidance on all available endpoints and features of the GreyNoise API.

Till I come your way again next 2 weeks Tuesday, #BeCyberSmart

Cyberliza writes TuesdayTool


Written by Oloyede Olajumoke Elizabeth

I am a Cyber Threat Intelligence Analyst, Cybersecurity Trainer and Cybersecurity Researcher. Skilled in Threat Hunting, Threat Intelligence and Digital Forensics.