The instant a device is connected to the internet, it gets scanned and interrogated for open ports, software versions, and default passwords. Who conducts these scans and why? When you connect to the internet, what kind of attacks will you immediately see? The days of mass exploitation are upon us, encouraged in part by the rise of the Internet of Things. When every device is connected, a new paradigm for mass exploitation emerges.
Vulnerabilities, specifically in core computing components, linger for decades. Many white hat organizations scan IPv4 constantly to assess the potential impact of a vulnerability or to understand the shifting technology landscape, while less reputable actors scan for more nefarious purposes. These scans often aren’t cheap. The economics of simple port scans at scale, and the associated costs for enthusiasts and enterprises alike, require analysis and exploration.
There are a number of insights you can gain into the systems and tools being used to conduct these scans. From Masscan to ZGrab to AutoSploit, internet-scanning tools are prevalent and can reveal patterns of threat behaviors.
There have been a lot of talks about scanning the internet, but actively tracking those who scan the internet is a new and interesting concept. Observing scanners allows us to find patterns, determine and predict behaviors, and coax out tactics, techniques, and procedures. Additionally, with the rise of IoT, the ability to use these devices as proxies to scan or exploit IPv4 at scale makes this a timely topic. The methods used by red teams and black hat hackers to enumerate and interrogate networks have changed. Tools like Shodan, Censys and Common Crawl are effectively performing network reconnaissance as a service. Attacks and scans now occur at an unprecedented scale, thanks to the rise of IoT.
Anyone in cybersecurity
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Tripwire Guest Authors. Read the original post at: https://www.tripwire.com/state-of-security/security-awareness/events/bsidelv-preview-internet-noise/