The instant a device is connected to the internet, it gets scanned and interrogated for open ports, software versions, and default passwords. Who conducts these scans and why? When you connect to the internet, what kind of attacks will you immediately see? The days of mass exploitation are upon us and encouraged, in part, by the rise of the Internet of Things. When every device is connected, a new paradigm for mass exploitation emerges.
Vulnerabilities, specifically in core computing components, linger for decades. Many white hat organizations scan IPv4 constantly to assess the potential impact of a vulnerability or to understand the shifting technology landscape, while less reputable actors scan for more nefarious purposes. These scans often aren’t cheap. The economics of simple port scans at scale, and the associated costs for enthusiasts and enterprises alike requires analysis and exploration.
There are a number of insights you can gain into the systems and tools being used to conduct these scans. From Massscan to Zgrab to AutoSploit, internet-scanning tools are prevalent and can reveal patterns of threat behaviors.
There have been a lot of talks about scanning the internet, but actively tracking those who scan the internet is a new and interesting concept. Observing scanners allows us to find patterns, determine and predict behaviors, and coax out tactics, techniques, and procedures. Additionally, with the rise of IoT, the ability to use these devices as proxies to scan or exploit IPv4 at scale makes this a timely topic. The methods used by red teams and black hat hackers to enumerate and interrogate networks has changed. Tools like Shodan, Censys and Common Crawl are effectively performing network reconnaissance as a service. There are now attacks and scans today at a scale that is unprecedented thanks to the rise of IoT.
Anyone in cybersecurity should be aware of how these tools work, what they reveal and what threats they can uncover.
Curt Barnard will be discussing this in further detail, as well as providing a demonstration of ThreshRock – a visualization of internet scans converted into music to “hear” the background noise of the internet in real time as people scan IPv4 – at BSidesLV. Check out his talk on August 7 at 2pm during the Ground Floor Track in the Copa Room.
About the Author: Curt Barnard has spent the last decade becoming an expert in information security. He graduated with a Masters of Science from the Air Force Institute of Technology in Cyber Operations and continued on as a Cyber Analyst for the Department of Defense. He then joined Endgame, where he learned about security at scale. Later, at Inqtel, Curt obtained insight into the InfoSec industry at large. He has spent his career, and much of his free time, monitoring the internet for threats, analyzing patterns in internet scanning and creating threat analysis tools. Curt now runs ThreshingFloor (threshingfloor.io) to tackle cyber security problems head-on.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.