Running an internet search query can be a lot like cooking a meal.
Hang with us here …
If you think about it, both cooking and querying rely on stepwise orders of operation – both follow “recipes,” if you will. For example, if you’re looking to uncover hacked web hosts, you’ll follow a series of search prompts and their returns until you find the information you’re looking for.
Both cooking and querying also require the right quality ingredients. In the kitchen, that might mean only using organic, freshly-picked berries for a pie to ensure it has the bright sweetness you’re looking for. In a search query, that might mean relying on comprehensive, fresh internet intelligence that’s continuously updated. Underwhelming ingredients on either front won’t deliver the result you’re looking for. Not to mention, both cooking and querying also need the right equipment to power your efforts, whether it’s a state-of-the-art brick oven or a best-in-class internet intelligence platform.
Additionally – to be sure we really see through this metaphor – both cooking and querying leave a little room for user creativity. For instance, as you’re running search queries, you might uncover intel that prompts you to change directions and explore a new lead (ex: “I want to learn more about an odd certificate on this host”). Similarly, in the kitchen, you might decide to swap out Russet potatoes for sweet potatoes, or sneak a few extra dashes of chili powder.
All of this to say, we’ve been thinking a lot about the similarities between cooking and querying lately, and it’s why we’ve put together this latest guide for cybersecurity pros: Cooking Up Queries with Censys: Your Guide to Savory Internet Searches (and Actual Recipes). We’ve married these two seemingly unrelated activities together in a cookbook full of fresh internet search queries you can run on the free Censys Search tool and actual recipes you can make in your kitchen, courtesy of the home chefs at Censys. Each search query recipe is paired with a related appetizer, main dish, or dessert.
For a taste of what we mean, consider our query recipe for “Responding to a Dreaded Zero Day,” which we think pairs nicely with our parmesan spinach ball appetizer.
To find all five query recipes and their companion food recipes, download your copy of the ebook!
Query Recipe: Discovering Critical Infrastructure
Let’s dive into the intriguing and high-stakes arena of critical infrastructure. What makes this particular corner of the internet worthy of a query recipe? For starters, there’s a lot going on here – the majority of which we all rely on in some way, whether we realize it or not. Critical infrastructure includes essential services relevant to things like national security, economic security, and public health. Let’s take a look at how we can use Censys Search to learn more about activity on critical infrastructures, and how to take action if we spot something unusual.
Ingredients
- Access to search.censys.io
- A goal for discovery: what kind of infrastructure are you looking to find?
- A location of interest
Recipe
1. Let’s kick off this recipe by focusing on a location of interest. You might already have a specific location in mind, or you may want to start broader and select a country of interest, and narrow your search from there. Pop into the Censys Search tool (search.censys.io) and navigate to the location field. Then, select country or country code, and from there, narrow down by province, city, and other options if you want to get more specific.
2. Once you’ve told Censys Search where you want to look, it’s time to start unveiling what is hanging out in said location. Let’s start by looking at hosts with ICS/SCADA/OT-related protocols. You can browse up to 1000 different protocols by location using the handy Report function. You can click on a protocol to view all hosts that are running that protocol in your area of interest, or you can query all ICS/SCADA/OT-related protocols that Censys discovers in your area of interest.
3. You’ll next want to find ICS/SCADA/OT assets by asset type. You can search for specific ICS/SCADA/OT assets by name (ex: `Honeywell XL Web Controller`) or by keyword (ex: `Siemens`) within host responses via queries such as HTML Title, Telnet banner or other ICS/SCADA/OT response fields. If your overall search goal is broad, you might try a number of different asset types here.
4. If you’re interested in figuring out which infrastructure might be home to suspicious activity, this is where the investigation continues. You can keep digging by narrowing your resulting hosts by likelihood of exposure. Too many hosts to investigate individually? Not a problem. Just add HTTP, Telnet and/or other protocols to your query string. Adding other protocols that are likely to elicit a login prompt, a product type, an admin panel, or provide other insights can indicate possible exposures.
5. From here you can investigate individual hosts for exposures by examining their responses on various ports/protocols (including HTTP, Telnet, Modbus, BACnet and more) for login prompts, serviced location information, model numbers, manufacturers, admin panels, and more.
6. Now it’s time to research uncovered device information. For this step, we’ll hop out of the Censys Search tool and use a search engine like Google to look up the makes and models discovered in the previous step. This will give us a more precise understanding of the host’s function and allow us to see if known exposures exist (e.g.: default credentials in online user manuals).
7. Let’s say you do in fact spot something that looks like an exposure. After confirming its criticality (function + location) and confirming that an exposure exists on the host, you’ll want to document your findings. You can capture your key findings right within the Censys Search tool! Use document key aspects like function, make/model, owner, and location serviced by the asset. The tool’s tags also let you quickly return to hosts and track your progress. Additionally, you can use the COMMENT section at the bottom of the host summary page to detail exposures and add context to share with your colleagues. Note: Tags & Comments are only visible to your team, so no need to worry about exposing sensitive findings. .
➔ Did you find a make/model in a parsed field like HTML Title or Modbus vendor? Capture it and build a list of known devices to query en masse later.
8. Now that you’ve discovered a criticality and exposure, it’s time to take action. As soon as you have your findings documents, you’ll want to contact the owner or authorities in the served location and let them know about the exposure. If you’re able to, recommend remediation with the host owner or authorities to make the asset less publicly accessible and/or to increase redundancy of the asset’s functions. After all, sharing what you know could help keep the infrastructure safe from bad actors going forward.
Chef’s Note
To report an ICS, IoT, or medical device vulnerability, please email central@cisa.gov or call 1-888-282-0870. When sending sensitive information to the CISA via email, we encourage you to encrypt your messages. Download the CISA ICS public key. For more questions on this topic or CISA in general, please contact Central@cisa.gov. To report anomalous cyber activity and/or cyber incidents 24/7 email report@cisa.gov or (888) 282-0870. To report an IT Vulnerability, please use this form: https://www.kb.cert.org/vuls/report/
Discovering Critical Infrastructure Pairs Well with … Sausage Stuffed French Bread
Since we’ve been focused on critical infrastructure, let’s draw inspiration from an appetizer with an infrastructure we could also say is “critical” to its success as a party favorite. This dip recipe forgets the traditional serving bowl approach and instead nestles its spicy sausage and cream cheese filling within the soft and toasty walls of an extra-wide loaf of French bread – an infrastructure meant to be enjoyed with the dip it contains. Bake your French bread to golden perfection and let this hearty appetizer be the centerpiece of your next party spread. The bonus? No clean-up necessary; we can bet your loaf will be devoured by night’s end.
Ingredients
- 1 wide loaf of French bread
- 1 pound breakfast sausage
- 2 ½ TBSP of jalapenos, chopped
- ½ cup green onions, chopped
- 1 cup green peppers, chopped
- 8 oz package of cream cheese
- 8 oz sour cream
- 8 oz cheddar cheese, grated
- 1 ½ TSP of New Orleans Cajun or Creole seasoning
- Tortilla chips
Recipe
- Let’s preheat your oven. You can set yours to a standard 350 degrees Fahrenheit.
- While your oven heats up, take your extra-wide loaf of French bread and lengthwise, cut the top quarter off of it. Hollow out the center until the loaf’s walls are about a half-inch thick. Set aside for now.
- Next, brown the sausage in a medium skillet and break up any clumps.
- Add your vegetables to the skillet (jalapeños, green peppers, green onions) and let them cook for about 5 minutes, stirring occasionally.
- Next, add in your cream cheese, sour cream, and cheddar cheese right into the skillet and stir until melted.
- Now it’s time to add in your seasoning (for those looking for an extra kick, add in another dash).
- Take your French bread loaf and fill it with the sausage-cheese mixture.
- Next, place the loaf on a cooking sheet and let it bake for about 45 minutes, or until the loaf is crusty on the outside and the dip is warm.
- Now it’s time to enjoy: gather your tortilla chips for dipping and dig in! Once you’ve made it through the chips, use pieces of the bread loaf itself to finish off the remaining dip.
Get the Full Cookbook
