We spoke with a large European government contractor named John* about how he’s been using Censys data to help do his job, which is primarily focused on threat intelligence. While many Censys users are tracking infrastructure, both known and unknown, in order to discover unknown devices and servers, government agencies and military institutions typically focus more on getting access to data to defend against nation-state attacks.

Threat intelligence with Censys

John uses the data gathered from Censys alongside his threat intelligence providers to gain insight into adversary behaviors. But he also puts a lot of work and effort into doing his own searches, as none of the existing solutions offer the breadth of data he needs access to in order to do his job to his high standards.

The threat intelligence platforms he’s used in the past provide feeds from different organizations, such as lists of dangerous IPs and domains. These are useful, but they cover only the known threats and don’t provide any data on new and emerging threats. Without that data, he would be missing threats that could be just as damaging to the government agency, if not more, than known threats.

John and his team are more often focused on emerging threats, which they hunt using Censys data. This search is often the simple tactic of locating domains that were registered recently or an IP that’s new and suddenly has a new or unexpected structure.

Infrastructure discovery to get ahead of new and emerging threats

He explains, “There were six domains that Microsoft had identified as related to the upcoming election hacks. We identified those domains using Censys and we notified the United States government so that they were aware of them and could mitigate the risk. We regularly write these threat reports on any new infrastructure that could potentially be a security risk and most of that is found using Censys data.”

In addition to these formal reports, there’s a lot of peer-to-peer knowledge sharing between this particular government organization and similar institutions. We love to see this type of activity because everyone benefits and can band together to play defense against malicious attackers and nation-state efforts. In years past, there tended to be resistance to sharing any information about information security threats with peers, because many organizations thought that keeping those incidents close to the chest was the best way to protect themselves. In fact, the emerging philosophy of sharing known threats is a more effective way to help protect your organization and those you do business with. With too few talented threat researchers and limited funding, it’s also often the only way to properly fight the good fight. John agrees that this has benefitted everyone involved so far.

Using Censys over other scanning solutions on the market

“Censys’ search functionality is light years ahead of its competitors,” John said. “The other solution we looked at treats every port as a separate entity, so I can’t search for something on port 80 and port 443. What that means is that if I’m looking for something that’s in bulk ports, I’m going to get zero results, and that’s really frustrating.”

The IPv4 tabs were a big benefit for John and his team, as well. “Along with that IPv4 tab, you have the certificates tab, where you can do hunting off of a search that’s no longer seen on the web, but is still in your database. That allows you to do some retrospective and historical searches that you couldn’t do otherwise. Censys is really the only database that allows you to do those things easily without requiring you to download an entire database and build your own tool.”

The benefit of having this type of retrospective data is the intelligence it provides to your team. John explains that it can often be useful to know whether a piece of infrastructure is new compared to the last few scans, or to determine whether a behavior or action is new. Those data points can throw up red flags for a threat intelligence team trying to track adversary methodologies and infrastructure.

Overall, John and his team are using the data they’re getting from Censys for threat hunting, tracking both adversary infrastructure and methodologies. “The breadth and depth of the data Censys provides has been invaluable for our team,” said John.

*John is not his real name