What Is Censys Search Used For?
Censys builds searchable data sets to support security practitioners in their efforts to make Internet-facing systems—and the Internet in general—more secure and safe.
Tip
A new tool currently in Beta leverages the natural-language processing of ChatGPT to produce valid query syntax in the Censys Search Language. Give it a try here.
- Investigate Indicators of Compromise (IoCs): Find and track threat actors on the internet via the infrastructure they set up.
- Enrich Internal Threat Feeds with Host and Certificate Data: Augment network logs with the most accurate, up-to-date public profile of the entities within and connecting to your network.
- Create a Timeline of Adversary Infrastructure: Investigate how and when infrastructure was weaponized by an adversary. See the history of a compromised or suspicious host.
- Understand the Global Impact of Vulnerabilities Across the Internet: Conduct security research to understand the global impact of vulnerabilities across the Internet, from CVEs to zero-days like SolarWinds or Microsoft Exchange.
- Map An External Attack Surface: Investigate and view your attack surface from an external perspective by finding your Internet-facing assets and evaluating them for vulnerabilities.
The Censys rich, highly indexed data sets allow you to find the needles in the haystacks when you’re threat hunting. With Censys, you can take threat intelligence from internal or public sources to build, validate, and investigate IoCs on hosts across the Internet.
You need a strong understanding of the Censys host fields where the indicators you seek are located, so be sure to understand the Host and Certificate schemas.
Search Questions
In the Censys Search web UI:
- Ask a question like, "Which hosts are serving reused/reusable malicious content?" Query for fingerprints using hashes:
  services.http.response.body_hash: {SHA1-hash of a site serving malicious content}
- Ask a question like, "Which hosts that I tagged have another characteristic I’m interested in?" Search within your tags:
  tags: {my-tag-name, my-other-tag-name} and services.service_name: DNS
Advanced Technique
- Ask the question, "What are the most common values for this one field on hosts matching my query?" See a breakdown of values for interesting fields from your search results by creating reports. Here’s an example report for operating system vendors of hosts in this AWS netblock.
As you monitor network activity, you can look up IPs that your hosts are connecting to or receiving connections from. The Search view host endpoint is fast and performant, so you can immediately enrich your network security logs with host profiles from Censys.
Search Questions
Use the API to programmatically retrieve host profiles:
- Ask a question like, "What does this host that’s connecting to my network look like from an external perspective?" Use the API to call
  GET https://search.censys.io/api/v2/hosts/{ip-address}
- Parse the host’s location data to look for geographic irregularities.
- Check for non-standard protocol/port pairs in the service info.
- Look for suspicious certificates (self-signed, issued by Let’s Encrypt, or containing suspicious names).
- Check the DNS names resolving to the host.
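The four checks listed above, applied to a host profile fetched from the endpoint on this page, as an added example that is not Censys' own code. The GET URL and basic-auth scheme are from the API; the field paths it reads (location.country_code, services[].service_name, services[].port, services[].tls.certificates.leaf_data, dns.names), the EXPECTED_PORTS policy table, the country allowlist and the name watchlist are assumptions, and the sample profile is constructed so the script runs offline.

```python
import base64
import json
import urllib.request

# Endpoint from the page. The field paths read below are assumptions about the
# shape of the v2 host result, not a documented contract.
CENSYS_HOST_URL = "https://search.censys.io/api/v2/hosts/{ip}"

# Local policy table (assumption, not a Censys list): ports on which we expect
# to see a given service_name. Anything else is flagged for a human to look at.
EXPECTED_PORTS = {
    "HTTP": {80, 443, 8000, 8080, 8443},
    "SSH": {22},
    "DNS": {53},
    "SMTP": {25, 465, 587},
    "RDP": {3389},
}


def fetch_host(ip, api_id, api_secret):
    """GET the host profile for `ip`; the v2 API authenticates with HTTP basic auth (API ID / secret)."""
    req = urllib.request.Request(CENSYS_HOST_URL.format(ip=ip))
    token = base64.b64encode(f"{api_id}:{api_secret}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]


def _leaf(svc):
    """Leaf certificate data of a TLS service, or {} when the service did not speak TLS."""
    return svc.get("tls", {}).get("certificates", {}).get("leaf_data", {})


def triage_host(result, expected_countries, name_watchlist):
    """Apply the four checks from the text to one host result and return a list of findings."""
    findings = []

    # 1. Location: flag a geolocation outside the countries we expect peers to come from.
    country = result.get("location", {}).get("country_code")
    if country and country not in expected_countries:
        findings.append(f"location: geolocates to {country}, expected one of {sorted(expected_countries)}")

    for svc in result.get("services", []):
        name, port = svc.get("service_name"), svc.get("port")

        # 2. Protocol/port pairs: a known service on a port we do not expect it on.
        expected = EXPECTED_PORTS.get(name)
        if expected is not None and port not in expected:
            findings.append(f"service: {name} on non-standard port {port}")

        # 3. Certificates: self-signed, Let's Encrypt issued, or carrying watchlisted names.
        leaf = _leaf(svc)
        if leaf:
            issuer, subject = leaf.get("issuer_dn", ""), leaf.get("subject_dn", "")
            if issuer and issuer == subject:
                findings.append(f"cert: self-signed certificate on port {port} ({subject})")
            if "Let's Encrypt" in issuer:
                findings.append(f"cert: Let's Encrypt issued certificate on port {port}")
            for n in leaf.get("names", []):
                if any(word in n.lower() for word in name_watchlist):
                    findings.append(f"cert: name {n!r} on port {port} matches watchlist")

    # 4. DNS: no forward names at all, or names that hit the watchlist, deserve a second look.
    names = result.get("dns", {}).get("names", [])
    if not names:
        findings.append("dns: no forward DNS names resolve to this host")
    for n in names:
        if any(word in n.lower() for word in name_watchlist):
            findings.append(f"dns: name {n!r} matches watchlist")

    return findings


# Constructed sample shaped like a v2 host result (not real Censys data).
SAMPLE_RESULT = {
    "ip": "203.0.113.10",
    "location": {"country_code": "XX", "city": "Nowhere"},
    "services": [
        {"port": 22, "service_name": "SSH", "transport_protocol": "TCP"},
        {
            "port": 4443,
            "service_name": "HTTP",
            "transport_protocol": "TCP",
            "tls": {"certificates": {"leaf_data": {
                "subject_dn": "CN=login-examplebank.test",
                "issuer_dn": "CN=login-examplebank.test",
                "names": ["login-examplebank.test"],
            }}},
        },
    ],
    "dns": {"names": []},
}


def demo():
    """Triage the constructed sample, assuming peers normally geolocate to the US or Germany."""
    return triage_host(SAMPLE_RESULT, {"US", "DE"}, ["bank", "login"])


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Swap `SAMPLE_RESULT` for `fetch_host("203.0.113.10", api_id, api_secret)` to run it against a live profile; the findings are hints for an analyst, not a verdict, which is why each check is a separate line rather than a score.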
Advanced Technique
- Layer Censys host profiles with GreyNoise analysis and IP reputation data to help answer the question of whether a host is suspicious.
See how a host has changed over time. Observe how services appeared, disappeared, or how new certificates were presented to chart how this infrastructure was weaponized.
Search Questions
In the Censys Search web UI:
- Ask the question, "What changes have been observed on this host by Censys in the past?" On any host details page, a tab called Host History lists host events in reverse-chronological order. You can browse events, select two points in time to calculate a diff, or go back in time to view a host as it was known to Censys then.
Advanced Technique
- Ask questions like, "What are the differences between two different hosts?" Use the host diff API call, which offers greater flexibility than the UI for generating diffs.
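The change-tracking described in this section (services appearing or disappearing, a new certificate being presented) done locally over a series of host snapshots, as an added example that is not Censys' own diff endpoint. It assumes v2-style field names (services[].transport_protocol, port, service_name and tls.certificates.leaf_fingerprint_sha_256) and the three snapshots are constructed with placeholder fingerprints.

```python
def service_key(svc):
    """Identity of a service across snapshots: transport, port and service name (assumed v2 field names)."""
    return (svc.get("transport_protocol", "TCP"), svc.get("port"), svc.get("service_name"))


def leaf_fingerprint(svc):
    """SHA-256 of the presented leaf certificate, or None when the service did not speak TLS (field path assumed)."""
    return svc.get("tls", {}).get("certificates", {}).get("leaf_fingerprint_sha_256")


def diff_snapshots(before, after):
    """What appeared, what disappeared, and which surviving services now present a different certificate."""
    b = {service_key(s): s for s in before.get("services", [])}
    a = {service_key(s): s for s in after.get("services", [])}
    added = sorted(set(a) - set(b))
    removed = sorted(set(b) - set(a))
    cert_changes = []
    for key in sorted(set(a) & set(b)):
        old, new = leaf_fingerprint(b[key]), leaf_fingerprint(a[key])
        if old != new:
            cert_changes.append((key, old, new))
    return {"added": added, "removed": removed, "cert_changes": cert_changes}


def build_timeline(snapshots):
    """snapshots: list of (observed_at ISO-8601 string, host result). Returns one (time, kind, detail) per change."""
    ordered = sorted(snapshots, key=lambda s: s[0])
    events = []
    for (_, prev), (t_cur, cur) in zip(ordered, ordered[1:]):
        d = diff_snapshots(prev, cur)
        for transport, port, name in d["added"]:
            events.append((t_cur, "service_appeared", f"{name} on {transport}/{port}"))
        for transport, port, name in d["removed"]:
            events.append((t_cur, "service_disappeared", f"{name} on {transport}/{port}"))
        for (transport, port, name), old, new in d["cert_changes"]:
            events.append((t_cur, "certificate_changed", f"{name} on {transport}/{port}: {old} -> {new}"))
    return events


# Constructed snapshots of one host; fingerprints are placeholders, not real certificate hashes.
SSH = {"transport_protocol": "TCP", "port": 22, "service_name": "SSH"}
HTTPS_A = {"transport_protocol": "TCP", "port": 443, "service_name": "HTTP",
           "tls": {"certificates": {"leaf_fingerprint_sha_256": "PLACEHOLDER-FP-A"}}}
HTTPS_B = {"transport_protocol": "TCP", "port": 443, "service_name": "HTTP",
           "tls": {"certificates": {"leaf_fingerprint_sha_256": "PLACEHOLDER-FP-B"}}}

SNAPSHOTS = [
    ("2024-01-01T00:00:00Z", {"ip": "203.0.113.10", "services": [SSH]}),
    ("2024-01-08T00:00:00Z", {"ip": "203.0.113.10", "services": [SSH, HTTPS_A]}),
    ("2024-01-15T00:00:00Z", {"ip": "203.0.113.10", "services": [HTTPS_B]}),
]


def demo_timeline():
    """Timeline for the constructed snapshots: HTTPS appears, then SSH vanishes and the certificate is swapped."""
    return build_timeline(SNAPSHOTS)


if __name__ == "__main__":
    for when, kind, detail in demo_timeline():
        print(when, kind, detail)
```

Feeding it the snapshots you retrieve from Host History for a suspicious address gives a dated list of the moments infrastructure was stood up, repurposed or torn down, which is the timeline the section is asking you to build.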
Search for hosts vulnerable to a new or existing vulnerability across the entire Internet. CPE-formatted software fields integrate with the Common Vulnerabilities and Exposures (CVE) framework.
Search Questions
In the Censys Search UI:
- Ask a question like, "Which hosts are running a software version that I know is vulnerable to a particular vulnerability?" Search for CPE-formatted software identifiers:
  services.software.uniform_resource_identifier: {CPE-formatted software URI}
  See an example search for hosts with Pulse Connect Secure software.
Advanced Technique
- Upgrade to a Pro account to use regular expressions for even more fine-grained searching.
Look at your organization’s Internet presence from the outside. Profile hosts, services, and certificates to assess your overall security posture and make improvements by reducing public exposure, patching outdated or vulnerable systems, and practicing good hygiene with Internet assets.
Search Questions
In the Censys Search UI:
- Ask a question like, "What other entities are connected to this one?" On Host Summary pages, click the Explore tab to use the visual explorer to find related certificates, names and hosts.
- Ask a question like, "Which hosts within my organization’s registered netblocks are online or have this characteristic?" Search for and within CIDR blocks assigned to your organization:
  ip: X.X.X.X/# and …
  See an example search within a CIDR.
Advanced Technique
- Check out the Censys Attack Surface Management platform, which helps you shrink your attackable network surface area with best-in-class asset discovery, comprehensive inventory, risk analysis, and a Cloud Security Offering tailored for cloud-based organizations.
Now that you understand what you can accomplish with Censys Search, learn how to write queries using the Censys Search Language.