A Security Professional's Guide to Search Intelligence

Hey there! If you're reading this, odds are you have the thankless job of safeguarding digital infrastructure from a steady stream of threats. As the number of connected systems keeps growing, defenders are locked in an ongoing arms race to protect what matters most.

But here's the hard truth: adversaries have gotten smarter, faster, and more targeted in recent years, and legacy defenses can only absorb so much. Simply reacting is no longer sufficient. We have to hunt for exposures while they are still small, before they grow into full-blown incidents.

This is where search engines have become essential power tools in a security practitioner's toolkit. Specialized engines index the Internet-facing hosts, services, certificates, and DNS records that conventional web search ignores, which is exactly where forgotten assets and attacker infrastructure tend to show up.

In this guide, I'll illuminate specialized search engines that go beyond traditional tools like Google or Bing. I'll cover what makes each engine tick, its notable strengths, real-world examples, and effective applications for security teams.

Let's shed some light!

Why Search Visibility is Crucial for Security Success

Like oxygen to a fire, visibility fuels every effective security program. Connected devices keep multiplying (one Statista projection put the total at 75 billion by 2025), and much of that growth sits outside enterprise walls, unchecked. Whether due to shadow IT, mobile workforces, cloud expansion, or supply chain integration, organizations brim with unseen devices and access points.

Those unseen assets are where threats go undetected. The initial foothold often needs nothing exotic: by one widely quoted estimate, 91% of successful cyber attacks start with a phishing email opened by an employee (PurpleSec). Scary! 😱 Without comprehensive visibility, most organizations are effectively firing blindfolded at adversaries who are already moving across their terrain.

Search intelligence grants visibility that allows security teams to finally gain advantages against digital threats:

  • Discover exposures and anomalies before adversaries exploit them
  • Rapidly map attack origin points and compromised assets
  • Block newly identified malicious infrastructure preemptively
  • Ground risk discussions in observed exposure rather than assumptions
  • Build threat models from the infrastructure adversaries are actually using

While traditional search engines index general web documents well, they do not do the port scanning, banner grabbing, certificate collection, and DNS cataloguing that security use cases require.

Thankfully, several search engines built for security practitioners illuminate these unseen threats. Let's look at them!

Criminal IP – Finding Overlooked Internet Assets

Criminal IP is a newer all-in-one search engine for security teams that need scalable threat detection and intelligence.

Rather than indexing web pages, Criminal IP continuously scans Internet-facing hosts and combines the results with threat-intelligence sources, using the IP address as the key for tracking each asset. This produces extensive visibility into Internet-connected systems that traditional search engines or security products often miss.


Some examples of Internet-facing assets illuminated:

  • Exposed databases and storage buckets
  • Unpatched services with known vulnerabilities
  • Publicly reachable log files containing sensitive data
  • Embedded devices such as CCTV cameras and mobile devices
  • Misconfigured network or cloud assets

By consolidating threat intelligence sources and collating asset metadata, Criminal IP enables practitioners to access:

  • IP Search: Open ports, service banners, associated domains, and risk scores for a given IP. Useful for tracking adversary infrastructure.
  • Domain Search: DNS, certificate, and hosting details for a domain to assess hygiene and security posture.
  • Image Search: Keyword search over screenshots captured from exposed services and devices (for example camera feeds).
  • Exploit Search: Look up public exploit code by CVE, product, or keyword to check whether an exposed service has a known, weaponized vulnerability.

For lean security teams struggling with limited time and resources, Criminal IP condenses expansive threat data into simple, actionable intelligence.

While still maturing, Criminal IP shows real promise as adoption grows globally. It makes search visibility affordable for practitioners who need to secure modern attack surfaces.

Shodan – The Gold Standard for Internet-Wide Asset Discovery

Well before mainstream recognition of search engines' security superpowers, Shodan began mapping the forgotten pockets of cyberspace in 2009.

While traditional engines index the public web, Shodan specializes in indexing Internet-connected devices and the services they expose, the doors and windows through which attacks arrive.

Some examples of Internet-facing assets indexed:

  • Embedded systems in vehicles and aviation
  • Building access control and alarm systems
  • Industrial control systems (ICS) such as those running pipelines and power grids
  • Cloud infrastructure and storage buckets
  • Network devices like routers, switches, firewalls
  • Medical devices and services in healthcare
  • Retail infrastructure like point-of-sale (PoS) systems

Shodan continuously scans the public IPv4 address space and grabs service banners, producing some of the most comprehensive asset visibility available. That intelligence powers a range of security use cases:

  • Vulnerability Assessments: Shodan indexes banner data (product, version) and tags hosts with matching CVEs, revealing unpatched services prone to exploitation.
  • Infrastructure Monitoring: Watch your own netblocks for newly exposed ports, services, or devices; Shodan Monitor can alert on these.
  • Incident Response: Quickly scope an incident by checking what a compromised host or netblock exposed, including historical banners.
  • Threat Intelligence: Identify attacker infrastructure such as command-and-control servers by their banner fingerprints, then block it.
  • Compliance Audits: Continuously verify that only approved services are reachable from the Internet.

With flexible filters, tags to understand context, and historical data access, Shodan sets the gold standard for search-driven security.
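A small triage pass over Shodan results for a netblock you own, added here as an example; it is not Shodan's own code or the author's. It assumes the records follow the shape of Shodan's banner JSON (ip_str, port, product, version, hostnames, vulns) and uses constructed sample banners on documentation address ranges; the risk rules and the shodan_query helper (which builds the net: and port: filters) are this example's own:

```python
"""Triage Shodan-style banners for your own netblock.

Added example, not Shodan's code. The records below are constructed to
mimic the shape of Shodan banner JSON (ip_str, port, transport, product,
version, hostnames, org, data, vulns); they are not real scan results.
The risk rules are this example's own.
"""
import ipaddress

# Constructed sample banners using documentation address ranges.
SAMPLE_BANNERS = [
    {"ip_str": "203.0.113.10", "port": 27017, "transport": "tcp",
     "product": "MongoDB", "version": "3.6.8", "hostnames": [],
     "org": "Example Corp", "data": "MongoDB Server Information\n"},
    {"ip_str": "203.0.113.11", "port": 443, "transport": "tcp",
     "product": "nginx", "version": "1.18.0", "hostnames": ["www.example.com"],
     "org": "Example Corp", "data": "HTTP/1.1 200 OK\nServer: nginx/1.18.0\n"},
    {"ip_str": "203.0.113.12", "port": 3389, "transport": "tcp",
     "product": "Remote Desktop Protocol", "hostnames": [],
     "org": "Example Corp", "data": "Remote Desktop Protocol\n"},
    {"ip_str": "203.0.113.13", "port": 443, "transport": "tcp",
     "product": "Apache httpd", "version": "2.2.22",
     "hostnames": ["legacy.example.com"], "org": "Example Corp",
     "data": "HTTP/1.1 200 OK\nServer: Apache/2.2.22\n",
     # Shodan attaches a 'vulns' map keyed by CVE id when a banner matches;
     # Heartbleed is used here only as a familiar, real identifier.
     "vulns": {"CVE-2014-0160": {"verified": True}}},
    {"ip_str": "198.51.100.5", "port": 22, "transport": "tcp",
     "product": "OpenSSH", "version": "8.9", "hostnames": [],
     "org": "Other Org", "data": "SSH-2.0-OpenSSH_8.9\n"},
]

# Ports that should essentially never face the Internet directly.
EXPOSED_DB_PORTS = {27017: "MongoDB", 9200: "Elasticsearch", 6379: "Redis",
                    3306: "MySQL", 5432: "PostgreSQL"}
REMOTE_ADMIN_PORTS = {3389: "RDP", 5900: "VNC", 23: "Telnet"}
SEVERITY_ORDER = {"critical": 0, "high": 1}


def shodan_query(netblock, port=None):
    """Build the Shodan search string for a netblock (net: and port: filters)."""
    query = f"net:{netblock}"
    return f"{query} port:{port}" if port else query


def triage(banner):
    """Return (severity, reason) for one banner, or None if nothing notable."""
    port = banner.get("port")
    vulns = banner.get("vulns") or {}
    if vulns:
        verified = sum(1 for v in vulns.values() if v.get("verified"))
        return "critical", f"{len(vulns)} CVE tag(s) on banner, {verified} verified"
    if port in EXPOSED_DB_PORTS:
        return "critical", f"{EXPOSED_DB_PORTS[port]} reachable from the Internet"
    if port in REMOTE_ADMIN_PORTS:
        return "high", f"{REMOTE_ADMIN_PORTS[port]} exposed"
    return None


def report(banners, netblock):
    """Keep only banners inside netblock, triage them, and sort by severity."""
    net = ipaddress.ip_network(netblock)
    findings = []
    for b in banners:
        if ipaddress.ip_address(b["ip_str"]) not in net:
            continue  # not our space; Shodan's net: filter would do this server-side
        hit = triage(b)
        if hit is None:
            continue
        severity, reason = hit
        findings.append({"ip": b["ip_str"], "port": b["port"], "severity": severity,
                         "reason": reason, "hostnames": b.get("hostnames", [])})
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["ip"], f["port"]))


if __name__ == "__main__":
    print(shodan_query("203.0.113.0/24"))
    for f in report(SAMPLE_BANNERS, "203.0.113.0/24"):
        print(f"{f['severity']:8} {f['ip']}:{f['port']:<5} {f['reason']}")
```

On the sample data the MongoDB listener and the host carrying a CVE tag come out as critical and the exposed RDP service as high; the nginx host produces nothing and the host outside the netblock is ignored. Swap SAMPLE_BANNERS for the results of a real net: search to run this against your own ranges.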

ZoomEye – Optimized for Asian-Pacific Assets

As innovation in connected devices and digital infrastructure burgeons in Asia, so too have threats evolved to capitalize on new attack surfaces.

ZoomEye, developed by the Chinese security company Knownsec, brings localized visibility of regional cyber assets by scanning China and the surrounding region more thoroughly than many Western engines.

Regional trends that make this coverage valuable:

  • Rapid IoT growth – webcams, wearables, smart vehicles
  • Fintech adoption by traditional institutions
  • Cryptocurrency exchanges as high-value targets
  • Supply chain network attacks
  • Active state-sponsored hacking groups

ZoomEye's component-based navigation crystallizes asset visibility for security analysts through filters like:

  • Device types: Gateways, load balancers, databases, middleware
  • Vulnerabilities: Search for assets by CVE tags
  • Industries: Finance, education, healthcare, transportation
  • Countries: Assets associated with specific region tags
  • Technologies: CMS platforms, web servers, CDNs, cloud providers

With coverage that Western engines sometimes miss, ZoomEye is a sensible addition for teams operating across the Asia-Pacific region.

Censys – Illuminating Websites and Certificates

While many search engines stop at devices and infrastructure, Censys (which grew out of the ZMap Internet-wide scanning project) pairs host scanning with deep, structured visibility into websites, networks, and X.509 certificates.

[Image: Censys use cases]

Its scanner performs TLS handshakes, records HTTP responses, and queries DNS records to extract structured, searchable fields. This powers security and IT use cases like:

  • Subdomain discovery: Enumerate additional sites tied to a domain for attack surface management.
  • M&A cyber risk assessments: Understand IT infrastructure of companies being acquired or merged.
  • Brand protection: Detect fraudulent domains, typosquats, or trademark violations.
  • SSL/TLS posture: Get certificate details and identify soon-to-expire or vulnerable certificates.

Of the engines discussed here, Censys offers some of the richest export and integration options (API access and bulk datasets) for feeding data into other security tools, which makes it a strong enrichment source for threat intelligence.

Censys is not limited to websites and certificates; its hosts dataset covers exposed services as well. Where it really stands out is certificate lifecycle management and internet-wide assessments of TLS posture.
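The SSL/TLS posture checks described above, run over certificate records, as an added example that is not Censys' code or the author's. The records are constructed, and the field paths (parsed.names, parsed.validity.end, parsed.signature_algorithm.name, parsed.subject_key_info) are assumed approximations of Censys' certificate schema, so map them to whatever your export actually contains. The clock is pinned so the results are reproducible:

```python
"""Certificate posture checks over Censys-style certificate records.

Added example, not Censys' code. The records are constructed and their
field names only loosely follow Censys' certificate schema; treat the
exact paths as assumptions.
"""
from datetime import datetime, timezone

# Fixed clock so the example is reproducible.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
EXPIRY_WARN_DAYS = 30
MIN_RSA_BITS = 2048
WEAK_SIG_PREFIXES = ("SHA1", "MD5")


def _cert(names, start, end, sig, key_alg, bits=None, issuer=None, subject=None):
    """Build one constructed record in the assumed schema."""
    ski = {"key_algorithm": {"name": key_alg}}
    if key_alg == "RSA":
        ski["rsa_public_key"] = {"length": bits}
    return {"parsed": {"names": names,
                       "validity": {"start": start, "end": end},
                       "signature_algorithm": {"name": sig},
                       "subject_key_info": ski,
                       "issuer_dn": issuer or "C=US, O=Example CA",
                       "subject_dn": subject or f"CN={names[0]}"}}


# Constructed sample certificates.
SAMPLE_CERTS = [
    _cert(["www.example.com"], "2023-06-01T00:00:00Z", "2024-03-15T00:00:00Z",
          "SHA256-RSA", "RSA", 2048),
    _cert(["legacy.example.com"], "2021-01-01T00:00:00Z", "2024-01-01T00:00:00Z",
          "SHA1-RSA", "RSA", 1024),
    _cert(["*.example.com", "example.com"], "2024-01-01T00:00:00Z",
          "2025-01-01T00:00:00Z", "SHA256-ECDSA", "ECDSA"),
    _cert(["dev.example.com"], "2020-01-01T00:00:00Z", "2030-01-01T00:00:00Z",
          "SHA256-RSA", "RSA", 2048,
          issuer="CN=dev.example.com", subject="CN=dev.example.com"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess(cert, now=NOW):
    """Return a list of (severity, message) findings for one certificate."""
    p = cert["parsed"]
    findings = []
    days_left = (parse_ts(p["validity"]["end"]) - now).days
    if days_left < 0:
        findings.append(("high", f"expired {-days_left} days ago"))
    elif days_left <= EXPIRY_WARN_DAYS:
        findings.append(("medium", f"expires in {days_left} days"))
    ski = p["subject_key_info"]
    if ski["key_algorithm"]["name"] == "RSA":
        bits = ski["rsa_public_key"]["length"]
        if bits < MIN_RSA_BITS:
            findings.append(("high", f"weak key: RSA {bits}"))
    sig = p["signature_algorithm"]["name"]
    if sig.upper().startswith(WEAK_SIG_PREFIXES):
        findings.append(("high", f"weak signature: {sig}"))
    if p["issuer_dn"] == p["subject_dn"]:
        findings.append(("medium", "self-signed"))
    wild = [n for n in p["names"] if n.startswith("*.")]
    if wild:
        findings.append(("info", f"wildcard covers {', '.join(wild)}"))
    return findings


def posture_report(certs, now=NOW):
    """Map each certificate's first name to its findings; clean certs are omitted."""
    out = {}
    for c in certs:
        f = assess(c, now)
        if f:
            out[c["parsed"]["names"][0]] = f
    return out


if __name__ == "__main__":
    for name, issues in posture_report(SAMPLE_CERTS).items():
        for sev, msg in issues:
            print(f"{sev:7} {name}: {msg}")
```

With the pinned clock the www certificate is two weeks from expiry, the legacy one is expired with a 1024-bit key and a SHA-1 signature, the wildcard is noted as informational, and the dev certificate is flagged as self-signed.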

GreyNoise – Filtering Out Harmless Noise More Intelligently

The greatest irony in my security journey is that the abundant log data meant to protect enterprises instead drowns analysts in alerts every day. Far more of those alerts are false positives than true threats, largely because the source IP arrives with no context.

GreyNoise tackles this signal-to-noise problem from the other direction: it runs a network of passive sensors across the Internet, records every IP that scans or probes them, and classifies those sources as benign, malicious, or unknown. Its RIOT dataset separately identifies IPs belonging to common services whose traffic is expected and harmless, such as:

  • Public network services – CDNs, DNS resolvers, mail servers
  • Business SaaS applications – cloud storage, video conferencing, chat
  • Consumer devices and home internet – gaming consoles, Roku

Because each verdict comes with context (actor, tags, first and last seen) rather than a bare score, practitioners can filter out Internet-wide background noise with confidence and spend their hunting time on traffic that is actually aimed at them.

Additional ways GreyNoise supercharges security capacity:

  • API integrations: Enrich alerts in your SIEM, SOAR, or firewall with GreyNoise verdicts
  • GNQL query language: Search the dataset by fields such as classification, tags, and last-seen date (for example, classification:malicious last_seen:1d)
  • Command line access: Batch-check lists of IPs from scripts or pipelines
  • Research community: Collaborate with peers in the GreyNoise Community research group.

While many security search engines focus on casting wider nets, GreyNoise's magic comes from precisely filtering and classifying threats. The time savings this creates for resource-strapped analysts can't be overstated.
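Applying GreyNoise-style verdicts to a batch of firewall alerts, as an added example that is not GreyNoise's code or the author's. Both the log lines and the VERDICTS table are constructed; the verdict fields (noise, riot, classification, name) are an assumption loosely modelled on GreyNoise's IP lookup responses, and a real deployment would fill the table from the API or CLI:

```python
"""Suppress firewall alerts from known Internet background noise.

Added example, not GreyNoise's code. The log lines and the verdict table
are constructed; the verdict fields are an assumption loosely modelled on
GreyNoise's IP lookup responses. A real deployment would populate
VERDICTS from the API or the greynoise CLI instead of this dict.
"""
import re
from collections import Counter

# Constructed firewall deny lines (documentation IP ranges).
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z deny src=198.51.100.7 dst=203.0.113.10 dport=22
2024-03-01T10:00:03Z deny src=198.51.100.7 dst=203.0.113.10 dport=443
2024-03-01T10:00:05Z deny src=198.51.100.8 dst=203.0.113.11 dport=25
2024-03-01T10:00:07Z deny src=198.51.100.9 dst=203.0.113.12 dport=23
2024-03-01T10:00:08Z deny src=198.51.100.9 dst=203.0.113.13 dport=23
2024-03-01T10:00:09Z deny src=198.51.100.9 dst=203.0.113.14 dport=2323
2024-03-01T10:00:12Z deny src=198.51.100.10 dst=203.0.113.10 dport=22
2024-03-01T10:00:15Z deny src=198.51.100.10 dst=203.0.113.10 dport=3389
"""

# Constructed verdicts keyed by source IP (assumed field names).
VERDICTS = {
    "198.51.100.7": {"noise": True, "riot": False, "classification": "benign",
                     "name": "Shodan.io"},
    "198.51.100.8": {"noise": False, "riot": True, "classification": "benign",
                     "name": "Common business service"},
    "198.51.100.9": {"noise": True, "riot": False, "classification": "malicious",
                     "name": "unknown"},
    # 198.51.100.10 is deliberately absent: never observed scanning the Internet.
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one constructed firewall line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def disposition(ip, verdicts):
    """Decide what to do with alerts from ip.

    drop     - known business service (RIOT) or a benign scanner such as Shodan
    low      - opportunistic mass scanner that hits everyone; not aimed at us
    escalate - never seen scanning the Internet, so traffic to us is likely targeted
    """
    v = verdicts.get(ip)
    if v is None:
        return "escalate"
    if v["riot"] or (v["noise"] and v["classification"] == "benign"):
        return "drop"
    if v["noise"]:
        return "low"
    return "escalate"


def filter_alerts(log_text, verdicts):
    """Return (kept_alerts, counts); kept alerts carry their disposition and actor."""
    kept, counts = [], Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        d = disposition(ev["src"], verdicts)
        counts[d] += 1
        if d != "drop":
            ev["disposition"] = d
            ev["actor"] = verdicts.get(ev["src"], {}).get("name", "unseen")
            kept.append(ev)
    return kept, counts


if __name__ == "__main__":
    kept, counts = filter_alerts(SAMPLE_LOGS, VERDICTS)
    print(dict(counts))
    for ev in kept:
        print(f"{ev['disposition']:8} {ev['src']} -> {ev['dst']}:{ev['dport']} ({ev['actor']})")
```

Of the eight sample alerts, three are dropped (the Shodan scanner and the RIOT service), three from the mass scanner are kept at low priority, and the two from the IP GreyNoise has never seen are escalated. That last bucket is the interesting one: an address that is not scanning everybody but is knocking on your door is far more likely to be targeting you.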

SecurityTrails – Internet Infrastructure & DNS Intelligence

With enterprises and their infrastructure now largely web-based, understanding the Internet plumbing behind connectivity has become critical. SecurityTrails addresses this with historical and current DNS, WHOIS, and IP data.

[Image: SecurityTrails dashboard]

DNS translates human-readable domains into IP addresses, functioning as the Internet's directory. By cataloguing DNS records over time and making them searchable, SecurityTrails uncovers hidden relationships:

  • Subdomain discovery: Link sites and assets to parent domains.
  • Network mapping: See all hosts and sub-nets tied to a company's IP space.
  • Merger & acquisition analysis: Understand relationships between companies.
  • Domain age and history: Identify newly registered or dropped domains.
  • DNS change detection: Spot unexpected record changes and misconfigurations by comparing current records against history.

With access to both current and historical DNS data, SecurityTrails analysis can reveal unseen connections and changes. This fuels several applications:

  • Threat infrastructure tracking: Monitor the domains and IPs associated with malware campaigns and pivot through shared records.
  • Brand protection: Detect typosquats, fraudulent domains, or trademark violations.
  • Attack surface discovery: Continuously find new subdomains and hosts as an organization's domains and assets grow.

For illuminating the Internet infrastructure behind modern software, SecurityTrails is hard to beat.
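The DNS change detection and attack surface discovery described above, applied to per-hostname A-record history, as an added example that is not SecurityTrails' code or the author's. The HISTORY data is constructed and its shape (records with values[].ip, first_seen, last_seen) is only loosely modelled on the SecurityTrails DNS history response, so treat the field names as assumptions; the owned and vetted third-party ranges are also assumed:

```python
"""Find hosts that went dark or whose A record moved outside the space you control.

Added example, not SecurityTrails' code. The history below is constructed
and its record shape is only loosely modelled on the SecurityTrails DNS
history response; treat the field names as assumptions. A real run would
fetch one history per hostname from the API.
"""
import ipaddress
from datetime import date, timedelta

TODAY = date(2024, 3, 1)               # fixed clock for reproducibility
CURRENT_WINDOW = timedelta(days=7)     # a record seen within this window counts as live
OWNED = [ipaddress.ip_network("203.0.113.0/24")]           # assumed: our netblock
KNOWN_THIRD_PARTY = {"198.51.100.0/25": "Example CDN"}      # assumed: vetted external hosting

# Constructed A-record history per hostname.
HISTORY = {
    "www.example.com": [
        {"values": [{"ip": "203.0.113.20"}], "first_seen": "2022-01-01", "last_seen": "2024-02-28"},
    ],
    "pay.example.com": [
        {"values": [{"ip": "203.0.113.21"}], "first_seen": "2022-01-01", "last_seen": "2024-02-10"},
        {"values": [{"ip": "192.0.2.77"}], "first_seen": "2024-02-11", "last_seen": "2024-02-29"},
    ],
    "old.example.com": [
        {"values": [{"ip": "203.0.113.22"}], "first_seen": "2021-05-01", "last_seen": "2023-06-01"},
    ],
    "cdn.example.com": [
        {"values": [{"ip": "198.51.100.90"}], "first_seen": "2024-02-25", "last_seen": "2024-02-29"},
    ],
}


def classify_ip(ip):
    """Label an address as owned, a vetted third party, or unknown."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in OWNED):
        return "owned"
    for cidr, who in KNOWN_THIRD_PARTY.items():
        if addr in ipaddress.ip_network(cidr):
            return f"third-party:{who}"
    return "unknown"


def review_history(history, today=TODAY):
    """Return findings for hosts that stopped resolving or moved to unknown address space."""
    findings = []
    for host, records in history.items():
        records = sorted(records, key=lambda r: r["first_seen"])
        latest = records[-1]
        last_seen = date.fromisoformat(latest["last_seen"])
        if today - last_seen > CURRENT_WINDOW:
            # Decommissioned name: check nothing still references it (dangling links, certs).
            findings.append({"host": host, "type": "no-longer-resolves",
                             "last_seen": latest["last_seen"]})
            continue
        for v in latest["values"]:
            if classify_ip(v["ip"]) == "unknown":
                previous = records[-2]["values"][0]["ip"] if len(records) > 1 else None
                findings.append({"host": host, "type": "moved-to-unknown-space",
                                 "ip": v["ip"], "since": latest["first_seen"],
                                 "previous": previous})
    return sorted(findings, key=lambda f: f["host"])


if __name__ == "__main__":
    for f in review_history(HISTORY):
        print(f)
```

On the constructed data, www stays in owned space and cdn sits in a vetted third-party range, so neither is reported; old.example.com is flagged because it stopped resolving months ago, and pay.example.com is flagged because its record moved from our netblock to an address nobody on the team recognizes. That second case is what you want to catch early, whether it turns out to be a hijack, an unapproved migration, or shadow IT.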


Let There Be Light!

As this guide has hopefully revealed, search intelligence has become the catalyst empowering security programs with the visibility desperately needed to compete amidst unrelenting threats.

Each engine discussed offers superpowers specially honed to accelerate initiatives like threat detection, vulnerability management, and cyber risk quantification. Even narrow use cases often provide high ROI based on the risk exposure identified.

But procuring search technology marks only the beginning of the visibility journey. To leverage new data meaningfully, security teams must build thoughtful processes, models, and capacity. They should:

  • Strategically centralize search data into security infrastructures like SIEMs and SOARs. Avoid visibility silos.
  • Establish processes to continuously hunt for abnormalities and emerging threats identified by search capabilities.
  • Quantify exposure levels and develop data-driven risk models so executives and boards can decide on mitigating controls and investments with evidence in hand.

As search technology continues maturing rapidly, so too will applications. The next generation of search engines will assist practitioners through integrated analytics, threat intelligence platforms, and advanced automation. Security programs proactively building competencies today will gain advantages over adversaries in the future.

I commend anyone still reading for your commitment to securing our increasingly fragile digital civilization! Please reach out with any follow-up questions as you begin your search visibility journey!

Jen Wike
Head of Security, Acme Corporation


US cybersecurity workforce statistics – (ISC)2: https://www.isc2.org/Research/Workforce-Study
Global IoT projected growth – Statista: https://www.statista.com/statistics/802690/worldwide-connected-devices-by-access-technology/
91% of cyber attacks start with phishing – PurpleSec: https://purplesec.us/resources/cyber-security-statistics/
