Search 2.0 Quick Start Guide
Censys Search makes Internet-facing hosts and certificates across the globe searchable, just like Google makes websites searchable.
The best way to get started with Censys Search is to prepare a list of questions you want to answer with these data sets. Each question you’re asking will be expressed as one or more search queries expressed in the Censys Search Language.
Searchable Data from Censys
Censys Search 2.0 datasets are centered around foundational asset types of the Internet: IP addresses and X.509 certificates. Each dataset has a schema composed of structured key-value pairs.
When writing a query, key names must be formulated in dot notation, showing the exact location of the key in the nested structure, e.g., services.http.headers.server.headers.
The schema docs for each Censys dataset lists every searchable field and the data type of its value:
To learn more about how Internet Hosts are modeled by Censys, read this introductory article.
Key Use Cases for Censys Search 2.0
-
Investigate Indicators of Compromise (IoCs): Track and investigate a variety of threat actors on the Internet via the infrastructure they’ve set up.
-
Enrich Internal Threat Feeds with Host and Certificate Data: Augment network logs with the most accurate, up-to-date information about external entities connecting to your network.
-
Create a Timeline of Adversary Infrastructure: Investigate how and when infrastructure was weaponized by an adversary. See the history of a compromised or suspicious host.
-
Understand the Global Impact of Vulnerabilities Across the Internet: Conduct security research to understand the global impact of vulnerabilities across the Internet from CVEs to zero-days like SolarWinds or Microsoft Exchange.
-
Map Your Attack Surface: Investigate and view your attack surface from an external perspective by finding your Internet-facing assets and evaluating for vulnerabilities.
Investigate Indicators of Compromise
Threat hunting is detailed work, and Censys' highly indexed datasets allow you to find the needles in the haystacks. With Censys, you can take threat intelligence from sources like AlienVault to build, validate, and investigate IoCs on hosts across the Internet.
Search moves:
In the Search 2.0 web UI, search for:
-
services.http.response.body_hash: {SHA1-hash of a site serving malicious content}(See an example search) -
same_service(services.port: {port number} and services.service_name: {service})
Advanced Technique:
-
Create reports to see a breakdown of different values for interesting fields from your search results.
See an example report for host operating systems in this AWS CIDR block.
Enrich Internal Threat Feeds with Host and Certificate Data
As you monitor network activity, you can use our API to look up IPs that your hosts are connecting to or receiving connections from. The Search 2.0 view host endpoint is fast and performant, so you can immediately enrich your network security logs with host profiles from Censys.
Search move:
Use the API to programmatically retrieve host profiles:
-
GET https://search.censys.io/api/v2/hosts/{ip-address}-
Parse the host’s
locationto look for geographic irregularities -
Check for non-standard protocol/port pairings
-
Look for suspicious certificates (self-signed, issued by Let’s Encrypt, or containing suspicious names)
-
Advanced Technique
-
Layer Censys host profiles with Greynoise analysis and IP reputation data
Create a Timeline of Adversary Infrastructure
See how a host has changed by viewing it at different times. Observe how services appeared, disappeared, or how new certificates were presented in order to track how this infrastructure was weaponized.
Search move:
Use the API to view a host at different times:
-
GET search.censys.io/api/v2/hosts/{ip-address}?at_time={RFC3339-formatted-timestamp}
Understand the Global Impact of Vulnerabilities Across the Internet
Search for hosts vulnerable to a new or existing vulnerability across the entire Internet. CPE-formatted software fields integrate with the Common Vulnerability Enumeration (CVE) framework.
Search move:
In the Search 2.0 web UI, search for:
-
services.software.uniform_resource_identifer: {a CPE-formatted software URI}
Advanced Technique:
-
Upgrade to a Pro account to use regular expressions for even more fine-grained searching.
Map Your Attack Surface
Look at your organization’s Internet presence from the outside. Profile hosts, services, and certificates to assess your overall security posture and make improvements by reducing public exposure, patching outdated or vulnerable systems, and practicing good hygiene with Internet assets.
Search moves:
In the Search 2.0 web UI:
-
On a certificate details page, use the Explore menu to find related certificates and hosts presenting the certificate.
-
Search within CIDR blocks assigned to your organization using
ip: X.X.X.X/# and …
See an example search within a CIDR.
Advanced Technique:
-
Check out the Censys Attack Surface Management platform, which helps you shrink your attackable network surface area with best-in-class asset discovery, comprehensive inventory, risk analysis, and a Cloud Security Offering tailored for cloud-based organizations.
Advanced Search Move
Pivot Off the Largest Repository of Digital Certificates: Censys maintains the largest publicly searchable x.509 certificate repository in the world, which helps you more easily and accurately pivot from certificates to other similar certificates or to hosts presenting the certificate.
Comments
0 comments
Please sign in to leave a comment.