Search 2.0 Quick Start Guide
Censys Search makes Internet-facing hosts and certificates searchable, just like Google makes websites searchable.
The best way to get started with Censys Search is to prepare a list of questions you want to answer. Each question you’re asking will be expressed as one or more search queries written in the Censys Search Language.
When you write a query, Censys evaluates every host or cert in the dataset for matches and returns that list to you.
For example, this query:
services.service_name: HTTP and dns.names: censys.io
asks the question:
"Which hosts running an HTTP service has Censys found in DNS records with censys.io names?"
Here’s what that looks like on the the web app.
Key Use Cases for Censys Search 2.0
-
Investigate Indicators of Compromise (IoCs): Find and track threat actors on the Internet via the infrastructure they’ve set up.
-
Enrich Internal Threat Feeds with Host and Certificate Data: Augment network logs with the most accurate, up-to-date public profile of the entities within and connecting to your network.
-
Create a Timeline of Adversary Infrastructure: Investigate how and when infrastructure was weaponized by an adversary. See the history of a compromised or suspicious host.
-
Understand the Global Impact of Vulnerabilities Across the Internet: Conduct security research to understand the global impact of vulnerabilities across the Internet from CVEs to zero-days like SolarWinds or Microsoft Exchange.
-
Map Your Attack Surface: Investigate and view your attack surface from an external perspective by finding your Internet-facing assets and evaluating them for vulnerabilities.
Investigate Indicators of Compromise
Censys' rich, highly indexed datasets allow you to find the needles in the haystacks when you’re threat hunting. With Censys, you can take threat intelligence from internal or public sources like AlienVault to build, validate, and investigate IoCs on hosts across the Internet.
You will need a strong understanding of the Censys host fields where the indicators you seek are located, so be sure to leverage the Host and Certificate schemas.
If you need an introduction to how Censys models Internet hosts, read this data model article.
Search Questions:
In the Search 2.0 web UI:
-
Ask a question like, "Which hosts are serving reused/reusable malicious content?"
Query for fingerprints using hashes:
services.http.response.body_hash: {SHA1-hash of a site serving malicious content} -
Ask a question like, "Which hosts that I’ve tagged have another characteristic I’m interested in?"
Search within your tags:
tags: {my-tag-name, my-other-tag-name} and services.service_name: DNS
Advanced Technique:
-
Ask the question, "What are the most common values for this one field on hosts matching my query?"
See a breakdown of values for interesting fields from your search results by creating reports.
Here’s an example report for operating systems on hosts in this AWS netblock.
Enrich Internal Threat Feeds with Host and Certificate Data
As you monitor network activity, you can look up IPs that your hosts are connecting to or receiving connections from. The Search 2.0 view host endpoint is fast and performant, so you can immediately enrich your network security logs with host profiles from Censys.
Search Questions:
Use the API to programmatically retrieve host profiles:
-
Ask a question like, "What does this host that’s connecting to my network look like from an external perspective?"
Use the API to
GET https://search.censys.io/api/v2/hosts/{ip-address}-
Parse the host’s
locationto look for geographic irregularities -
Check for non-standard protocol/port pairs
-
Look for suspicious certificates (self-signed, issued by Let’s Encrypt, or containing suspicious names)
-
Advanced Technique:
-
Layer Censys host profiles with Greynoise analysis and IP reputation data to help answer the question about whether a host is suspicious.
Create a Timeline of Adversary Infrastructure
See how a host has changed over time. Observe how services appeared, disappeared, or how new certificates were presented in order to chart how this infrastructure was weaponized.
Search Questions:
In the Search 2.0 web UI:
-
Ask the question, "What changes have been observed on this host by Censys in the past?"
On any host details page, a tab called Host History presents reverse-chronologically ordered host events.
You can browse events, choose two points in time to calculate a diff, or go back in time to view a host as it was known to Censys then.
Advanced Technique:
-
Ask questions like, "What are the differences between two different hosts?"
Use the host diff API call, which offers greater flexibility than the UI for generating diffs.
Understand the Global Impact of Vulnerabilities Across the Internet
Search for hosts vulnerable to a new or existing vulnerability across the entire Internet. CPE-formatted software fields integrate with the Common Vulnerability Enumeration (CVE) framework.
Search Questions:
In the Search 2.0 web UI:
-
Ask a question like, "Which hosts are running a software version that I know is vulnerable to a particular vulnerability?"
Search for CPE-formatted software identifiers:
services.software.uniform_resource_identifer: {CPE-formatted software URI}
Advanced Technique:
-
Upgrade to a Pro account to use regular expressions for even more fine-grained searching.
Map Your Attack Surface
Look at your organization’s Internet presence from the outside. Profile hosts, services, and certificates to assess your overall security posture and make improvements by reducing public exposure, patching outdated or vulnerable systems, and practicing good hygiene with Internet assets.
Search Questions:
In the Search 2.0 web UI:
-
Ask a question like, "What other entities are connected to this one?"
On host Summary pages, click the Explore tab to use the visual explorer to find related certificates, names and hosts.
-
Ask a question like, "Which hosts within my organization’s registered netblocks are online or have this characteristic?"
Search for and within CIDR blocks assigned to your organization:
ip: X.X.X.X/# and …
See an example search within a CIDR.
Advanced Technique:
-
Check out the Censys Attack Surface Management platform, which helps you shrink your attackable network surface area with best-in-class asset discovery, comprehensive inventory, risk analysis, and a Cloud Security Offering tailored for cloud-based organizations.
Next Steps
Now that you understand what you can accomplish with Censys Search, learn how to write queries using the Censys Search Language.
Diàtaxis: tutorial
Comments
0 comments
Article is closed for comments.