TTPwire Vol. 1 · MITRE ATT&CK·Tagged

GreyNoise

Checking It Twice: Profiling Benign Internet Scanners — 2024 Edition

2024-12-23

ATT&CK techniques detected

4 predictions
T1046 Network Service Discovery · 99%
“contacts that could indicate automated discovery processes. alpha strike labs shows a selective, possibly more targeted approach to first contact, while criminalip has minimal but distinct touchpoints. shodan rounds out the observation set with periodic contacts that suggest a me…”

T1071.001 Web Protocols · 64%
“approach to host identification or a more focused scanning methodology. the above graph also shows just how extensive some of the scanner fleets are (each dot is a single ip address making contact with one of the sensors; dot colors distinguish one sensor node from another). i…”

T1018 Remote System Discovery · 36%
“criminalip (~17 minutes) hit at least one of the target sensors within five minutes of the sensor coming online. binaryedge and onyphe display similar dense clustering patterns, with significant activity bursts occurring around the 1-week mark. their sensor networks appear t…”

T1595.002 Vulnerability Scanning · 33%
“these benign scanners. why this matters when organizations deploy new internet-facing assets, they typically experience a flood of inbound connection attempts within minutes. while many security teams focus on malicious actors, understanding benign scanning activity is equally …”

Summary

A comprehensive analysis of benign internet scanning activity from November 2024, examining how quickly and thoroughly various legitimate scanning services (like Shodan, Censys, and others) discover and probe new internet-facing assets. The study deployed 24 new sensors across 8 geographies and 5 autonomous systems, revealing that most scanners found new nodes within 5 minutes, with ONYPHE leading in first contacts.