The vast collection of internet scan data accessible from Censys Search is used for many different cybersecurity and research objectives. Practitioners can use Censys Search to identify vulnerable services, security teams can enrich logs with up-to-date information about hosts and certificates, and researchers can leverage the global view we offer to identify trends in internet activity.
The rich, contextualized data found within Censys Search can also be used to investigate cyber threats. Not only can users turn to Censys to determine if they’ve been affected by a zero-day, (which the Censys Research team frequently publishes guidance on how to do), they can also use Censys data to track potential adversaries before action is taken, build timelines to understand how an attack happened, and learn more about who could be responsible.
In today’s post, we feature stories from Censys Search users who share how they use the tool to prevent and investigate threats.
Note: Are you a current Censys Search Community user? Be sure to check out our note to Community users at the end of this post.
1. Tracking the Hackers Behind Malware Malay
In late 2021, an IT services company based in India became the target of an extensive malware attack. A hacker group gained access to more than a dozen of the company’s customer-facing websites after successfully breaching their third-party hosting provider. Upon gaining access, the group infected the company’s websites with malware, redirected traffic, and generated thousands of junk HTML pages. This was all part of what the company later understood was a negative SEO campaign. As the company’s CEO recounted to Censys, the results of this malware-driven, negative SEO campaign meant that the affected “websites were essentially destroyed.”
Reeling from the impact of the breach and looking for accountability, the company decided to investigate. Fortunately, they had downloaded Apache log files before their websites were fully compromised, which allowed them to see requests made from other computers. With these files in hand, along with knowledge of the domain from which the criminals were operating, the company set out to identify a connection between the IP addresses in the log files and the known domain.
The company was able to use the expansive host data in Censys Search to quickly run a search against all of the hosts that were associated with this specific domain. The Censys host dataset provides accurate, up-to-date records that reflect the reality of public IPv4 and IPv6 hosts and virtual hosts, which makes it possible to conduct thorough investigative queries on hosts. After reviewing matching host returns, the company was able to prove that the IP address in the log files did in fact originate from hosts belonging to this domain. With this connection, the company was able to turn over their findings to law enforcement for potential further action.
2. Fighting Phishing Campaigns
AI has made it easier than ever for hackers to launch more sophisticated, effective phishing campaigns at scale.
To proactively identify and block these phishing campaigns, email security solutions provider Proofpoint regularly leverages Censys Search. In a recent webinar with Censys, Proofpoint Senior Threat Researcher Greg Lesnewich described how the data they access in Censys Search helps his team improve time to detection and efficacy against phishing campaigns.
For example, Proofpoint is able to use Censys to search for all instances of common phishing tools like “GoPhish,” and can identify the software that these tools are running. They can then use Censys Search to review DNS records and certificates, and leverage the reporting features within Search to drill down into certificate leaf data, and identify suspicious names that appear here. From there, they can either block this smaller subset of suspicious names from their systems, or set up alerts should these addresses attempt to come through.
Proofpoint says that the investigative detail and opportunities for automation that Censys helps facilitate have provided significant quantifiable value.
“We had a 35% improvement in time to detection and efficacy for a certain APT group through automated infrastructure ingestion with Censys.” – Greg Lesneswich, Senior Threat Researcher, Proofpoint
3. Mining Data for Evidence of C2
In addition to fighting phishing campaigns, Proofpoint shared that on the other end of the spectrum, they also regularly mine the internet scan data available in Censys Search to find and learn more about C2 servers. They describe Censys as providing a valuable “visibility extension” that allows them to track and identify C2 infrastructure before their organization or customers are negatively impacted.
In one example Proofpoint shared, they were able to use Censys to learn more about a potential C2 server that was using custom binary protocol. Proofpoint used what they knew about custom binary protocols (such as their continually changing values) to guide their investigation of the suspicious C2 server within Censys Search. After running queries on ports of interest, Proofpoint was able to narrow their focus to just seven potentially malicious IPs. With this smaller subset, they could then set up an alerting process. If inbound traffic came from any of the seven IPs, Proofpoint would know to flag the activity and quickly address.
You can watch the full on-demand webinar with Proofpoint here: How Proofpoint Fights Phishing with Censys Search.
Interested in searching for C2s on your own? Check out these Censys Search results for common C2s:
More Use Case Inspiration
There are lots of ways to maximize your use of Censys Search! The following resources offer just a glimpse into how Censys Search can be used to protect what you own and investigate threats.
You can tailor your access to Censys Search based on your specific needs. Our Censys Search Community version is a great option for those just looking to get started. However, for threat hunters, incident responders, multiple users, researchers, and those with more advanced needs, one of our Solo, Teams, or Pro/Advanced/Premium packages will likely be a better choice. These packages provide the access and capabilities that are often necessary for more thorough cybersecurity and research work.
You can learn more about Censys Search options here.
A Reminder to Censys Search Community Users
We recently shared that we are making changes to our current Censys Search Community version. Namely, we are discontinuing API access beyond 60 days. This applies to both new Community Users and current Community Users. This means that Community Users who created their Censys Search Community accounts on or before December 6, 2023 – the date our self-service packages were launched – will no longer have API access after February 5, 2024.
Any Community User who created a Community account after December 6, 2023 will have API access for 60 days after their specific date of enrollment.
You can read more about these changes in our recent blog.
As always, we appreciate your understanding and cooperation as we strive to maintain a high standard of service!
To learn more about how to upgrade your Censys Search account, please visit our pricing page.
Special Offer: Receive a 10% discount on your annual subscription to Censys Search Solo or Censys Search Teams! For your convenience, our code ANNUALDISCOUNT will auto populate when you select an annual subscription at checkout.
Do More in Censys Search
