28 October 2022 | by Xavier Bellekens
Internet background noise is the result of scanners and crawlers that are looking for vulnerabilities, as well as malicious actors who are trying to take advantage of those vulnerabilities.
While some internet noise is simply the result of automated systems doing their job, there is also a significant amount of noise that is generated by people who are trying to exploit weaknesses in systems. This can include everything from scanners that are looking for open ports to malicious actors who are trying to exploit website vulnerabilities during a reconnaissance phase.
The sheer volume of unsolicited traffic specifically designed to probe for weaknesses in cybersecurity defenses is a challenge for any organization. The average organization using cybersecurity tools like a SIEM will see tens of thousands of unique IPs in a given day, with the vast majority of them being malicious. And, because each IP can generate hundreds or even thousands of events, the number of potential security threats can quickly become overwhelming. To make matters worse, many of these attacks are automated and can run 24/7, making it nearly impossible for security teams to keep up.
There are a variety of sources of internet noise, so let’s have a look at who’s scanning what, and why.
Good
One common source of internet noise is Shodan, a search engine that allows users to find devices connected to the internet. Censys, a database that contains information on devices connected to the internet, is another common source. Palo Alto Networks is also a source of internet noise. Furthermore, since 2001 we have also seen more universities and researchers constantly scanning the internet to build a picture of the World Wide Web.
Bad
Adversaries use scanning activities as a way to discover potential victims or systems to target, and to gain information about those victims or systems. Adversaries may use automated tools to scan systems on the internet for vulnerable open ports that could be exploited.
Threat actors may also look for weak passwords that could be brute-forced. Common Vulnerabilities and Exposures (CVE) identifiers can be used by adversaries to identify specific software vulnerabilities to exploit. Adversaries may also enumerate running services, installed patches, and other system characteristics that could be used in subsequent attacks.
Adversaries have also been observed scanning for vulnerable internet-facing devices, such as printers and webcams, that could be leveraged in future operations.
At the end of the day, the internet “noise” is made up of many different types of scanning and crawling activity. Web crawlers index websites for search engines, port scanners check for open ports on servers, and researchers collect data for various purposes. However, some of this activity can also be indicative of malicious activity, such as worms and botnets.
Hence, with all that noise coming through a SIEM, differentiating between the noise and targeted activity is a major challenge for cybersecurity teams.
Internet noise is the constant stream of unimportant or irrelevant alerts that a security team receives. The term was coined by Bruce Schneier in 2005 and refers to the low signal-to-noise ratio of incoming alerts.
Internet background noise can have a number of consequences for cybersecurity teams, the most significant of which is alert fatigue. Alert fatigue occurs when cybersecurity professionals become so desensitized to alerts that they start to ignore them.
This can lead to serious security breaches, as important alerts are lost in the noise. Furthermore, Internet noise is onerous for SOC teams, who are already stretched thin.
The sheer volume of alerts can cause team members to burn out, leading to high turnover rates. In order to mitigate the effects of Internet noise, it is important for organizations to have a robust alert management strategy in place.
This should include alert prioritization, filtering, and automation features to help reduce the burden on SOC teams.
Lupovis Prowl keeps records of the noise, indicators of attack and indicators of compromise seen on the internet and makes them available to your team via an API or through our web application.
Using data from Lupovis Prowl, security analysts can identify and prioritize the alerts that matter over the noise. This allows them to focus on targeted scans and attacks while ignoring everything else.