Cybersecurity often demands a forward-looking perspective. Staying ahead of threats means security teams have to think proactively — anticipating new threats, predicting how adversary tactics might change in the coming months, and thinking about how to prevent new exposures on the attack surface.
However, looking back in time, to understand and assess how past activity unfolded, is a critical part of this proactive mindset. By analyzing the past, security teams can better anticipate and prepare for what might unfold in the future. That’s why in this blog, we’ll explore why having access to historical internet intelligence is an invaluable addition to any security team’s toolkit, and discuss how you can gain that historical perspective with Censys.
What Makes Historical Data So Useful?
You’re able to identify patterns and track attacker infrastructure.
Historical threat intelligence enables threat hunters to identify threat patterns and track attacker infrastructure over time. Threat actors often reuse infrastructure, such as IP addresses, domains, and SSL certificates, across multiple campaigns. By analyzing historical data, threat hunters can uncover these patterns, making it easier to predict and preempt future attacks.
You can build a timeline of events.
One of the key benefits of historical threat intelligence is the ability to build a timeline of events. Understanding the sequence of events leading up to a security incident is crucial for effective reporting and remediation. It’s also often a required part of proper incident response, particularly when customer data was compromised or when working within highly-regulated industries. A comprehensive timeline helps in identifying the initial point of compromise, the methods used by the attacker, and the extent of the damage.
You can gain needed context.
Context is critical when attempting to determine if activity is malicious or benign. Historical threat intelligence can provide the context needed to understand the significance of current events. For example, an increase in network traffic from a particular IP address might seem benign at first glance. However, if historical data reveals that this IP address has been associated with malicious activity in the past, the threat level increases significantly.
You can facilitate threat attribution.
Attributing cyberattacks to specific threat actors is a complex but essential aspect of threat hunting. Historical threat intelligence plays an important role in this process by providing a wealth of data that can be used to link different attacks to the same actor or group. This is particularly valuable when dealing with advanced persistent threats (APTs), which are characterized by their stealth and persistence. Historical data can even provide law enforcement agencies the credible evidence they need to hold threat actors accountable and mitigate their impact on future targets.
You can analyze historical trends.
If you’re interested in observing broad trends across the internet (a relevant objective for those in security research) the ability to jump back in time is imperative. A historical view can shed light on how attacker tactics have changed, how certain host types have or have not been increasingly targeted by attacks, how threat activity is changing within specific industries over time, how a specific ransomware campaign has affected organizations over the course of multiple months … the list can go on.
Gaining Historical Perspective with Censys
Censys provides access to this kind of valuable historical data. On every host page in Censys Search, you can find a “History” icon at the top that provides a reverse-chronology of events related to host activity. This might include information about how services on the host appeared and disappeared, how new certificates were presented, or how location changed – details that are particularly useful to glean when looking at the history of a compromised or suspicious host.
In this view you can also compare different points in a host’s chronology of events, which can be particularly useful when you want to understand if and how a host changed between two points in time.
How far back this timeline goes varies depending on your Censys Search package. All users have at least one week of historical data, while other packages offer up to two years of historical data.
An example of how historical data can facilitate observations about hosts over time.
Outside of this host-specific historical view, if you want to run a historical search to answer a question like “Was there a spike in the number of active hosts displaying certain characteristics on a particular day in the past?” you can leverage the power of Google’s BigQuery. Censys historical data can be pulled by running SQL queries through Google’s BigQuery interface. Those with advanced Censys Search packages who download or access daily snapshots in BigQuery can search the internet as it was observed by Censys at a historical point in time.
You can check out our “Where the Weird Things Are” blog article for a more detailed example of how to run a historical search on Censys data in BigQuery.
Historical Data in Practice
The Censys Research Team leveraged historical data to facilitate an investigation into NTC Vulkan infrastructure, involving offensive cyber tools. The team used historical analysis to identify a GitLab server that the NTC Vulkan Group may have previously been using to develop tools for a cyber unit of Russia’s military intelligence service. Investigating the history of NTC Vulkan’s hosts helped the team learn more about the core functions of these suspicious hosts and the larger organization itself.
Historical data was also a linchpin in the team’s investigation into Russian ransomware, as it gave the team the ability to analyze a suspected malware kit at an earlier point in time. In doing so, they were able to observe the presence of a previous C2 certificate, as well as a domain that the team went on to confirm was associated with a known adversary group. Through this historical analysis, the team assessed that the host in question could be credibly implicated as part of a ransomware C2 network.
With Yesterday’s History, Tomorrow Doesn’t Have to Be a Mystery
Don’t underestimate the power of historical data! With access to historical data, you can more easily identify patterns, track attacker infrastructure, build comprehensive timelines, enhance contextual awareness, and facilitate threat attribution. Organizations can use this historical viewpoint to plan for the future, gaining the insights they need to stay ahead of adversaries and strengthen their defenses.
Check out our historical data for yourself! Visit Censys Search to create an account and get started.