Search 2.0 Quick Start Guide
Censys Search makes Internet-facing hosts and certificates searchable, just like Google makes websites searchable.
The best way to get started with Censys Search is to prepare a list of questions you want to answer with these data sets. Each question you’re asking will be expressed as one or more search queries written in the Censys Search Language.
Key Use Cases for Censys Search 2.0
-
Investigate Indicators of Compromise (IoCs): Find and track threat actors on the Internet via the infrastructure they’ve set up.
-
Enrich Internal Threat Feeds with Host and Certificate Data: Augment network logs with the most accurate, up-to-date public profile of the entities within and connecting to your network.
-
Create a Timeline of Adversary Infrastructure: Investigate how and when infrastructure was weaponized by an adversary. See the history of a compromised or suspicious host.
-
Understand the Global Impact of Vulnerabilities Across the Internet: Conduct security research to understand the global impact of vulnerabilities across the Internet from CVEs to zero-days like SolarWinds or Microsoft Exchange.
-
Map Your Attack Surface: Investigate and view your attack surface from an external perspective by finding your Internet-facing assets and evaluating them for vulnerabilities.
Investigate Indicators of Compromise
Censys' rich, highly indexed datasets allow you to find the needles in the haystacks when you’re threat hunting. With Censys, you can take threat intelligence from internal or public sources like AlienVault to build, validate, and investigate IoCs on hosts across the Internet.
You will need a strong understanding of the Censys host fields where the indicators you seek are located, so be sure to leverage the Host and Certificate schemas.
If you need an introduction to how Censys models Internet hosts, read this data model article.
Search moves:
In the Search 2.0 web UI:
-
Search for fingerprints using hashes:
services.http.response.body_hash: {SHA1-hash of a site serving malicious content} -
Tag hosts to keep better track of them (Ability to search on your tags coming soon!)
Advanced Technique:
-
Create reports to see a breakdown of different values for interesting fields from your search results.
Here’s an example report for operating systems on hosts in this AWS netblock.
Enrich Internal Threat Feeds with Host and Certificate Data
As you monitor network activity, you can look up IPs that your hosts are connecting to or receiving connections from. The Search 2.0 view host endpoint is fast and performant, so you can immediately enrich your network security logs with host profiles from Censys.
Search move:
Use the API to programmatically retrieve host profiles:
-
GET https://search.censys.io/api/v2/hosts/{ip-address}-
Parse the host’s
locationto look for geographic irregularities -
Check for non-standard protocol/port pairs
-
Look for suspicious certificates (self-signed, issued by Let’s Encrypt, or containing suspicious names)
-
Advanced Technique:
-
Layer Censys host profiles with Greynoise analysis and IP reputation data.
Create a Timeline of Adversary Infrastructure
See how a host has changed over time. Observe how services appeared, disappeared, or how new certificates were presented in order to chart how this infrastructure was weaponized.
Search move:
In the Search 2.0 web UI:
-
On any host details page, a tab called Host History presents reverse-chronologically ordered host events.
On this page, you can browse events, choose two points in time to calculate a diff, or go back in time to view a host as it was known to Censys then.
Advanced Technique:
-
Use the host diff API call for greater flexibility in comparisons, such as diffing two different IP addresses.
Understand the Global Impact of Vulnerabilities Across the Internet
Search for hosts vulnerable to a new or existing vulnerability across the entire Internet. CPE-formatted software fields integrate with the Common Vulnerability Enumeration (CVE) framework.
Search move:
In the Search 2.0 web UI, search for:
-
services.software.uniform_resource_identifer: {CPE-formatted software URI}
Advanced Technique:
-
Upgrade to a Pro account to use regular expressions for even more fine-grained searching.
Map Your Attack Surface
Look at your organization’s Internet presence from the outside. Profile hosts, services, and certificates to assess your overall security posture and make improvements by reducing public exposure, patching outdated or vulnerable systems, and practicing good hygiene with Internet assets.
Search moves:
In the Search 2.0 web UI:
-
On host summary pages, click the Explore tab to use the visual explorer to find related certificates, names and hosts.
-
Perform searches within CIDR blocks assigned to your organization by adding the following to the beginning of your query:
ip: X.X.X.X/# and …
See an example search within a CIDR.
Advanced Technique:
-
Check out the Censys Attack Surface Management platform, which helps you shrink your attackable network surface area with best-in-class asset discovery, comprehensive inventory, risk analysis, and a Cloud Security Offering tailored for cloud-based organizations.
Comments
0 comments
Please sign in to leave a comment.