IP Intelligence

Introduction

VulnCheck IP Intelligence includes tracking of potentially vulnerable systems that may be targeted by initial access exploits as well as tracking of command & control (C2) attacker infrastructure and honeypots.

Detection Types

Command & Control (C2) and Other Attacker Infrastructure

VulnCheck fingerprints dozens of Command and Control (C2) attacker infrastructure types, including Havoc, Sliver and Meterpreter. VulnCheck applies these fingerprints to existing Internet infrastructure mapping services (such as Shodan or Censys) as well as to VulnCheck-developed scanners, to maintain a list of known bad IP addresses.

VulnCheck's C2 denylists index live C2 infrastructure and can be imported into commercial threat intelligence platforms (TIPs) and other threat intelligence workflows to block communications with known C2 infrastructure. Because the index tracks infrastructure that is live at the time of observation, consumers should refresh it regularly and age out entries that are no longer present, rather than accumulating addresses indefinitely.
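The following is an added example of the workflow described above and is not code from VulnCheck or from this documentation. It assumes the denylist has already been exported to a list of records with `ip`, `family` and `last_seen` fields (an assumed layout, not VulnCheck's actual export schema) and matches it against constructed proxy log lines, ageing out entries that have not been seen recently so that a reassigned address does not keep generating alerts:

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample feed. The field names (ip, family, last_seen) are an
# assumption for this example, not VulnCheck's export schema.
C2_FEED = [
    {"ip": "203.0.113.10", "family": "Sliver", "last_seen": "2024-05-20T10:00:00Z"},
    {"ip": "198.51.100.7", "family": "Havoc", "last_seen": "2024-05-19T22:15:00Z"},
    # Stale entry: not seen for months, should age out of the active denylist.
    {"ip": "192.0.2.44", "family": "Meterpreter", "last_seen": "2024-03-01T00:00:00Z"},
]

# Constructed proxy log lines in a simple key=value format.
PROXY_LOGS = """\
ts=2024-05-20T11:02:03Z src=10.0.0.15 dst=203.0.113.10 dport=443 host=update.example
ts=2024-05-20T11:02:09Z src=10.0.0.15 dst=93.184.216.34 dport=443 host=example.com
ts=2024-05-20T11:05:41Z src=10.0.0.22 dst=192.0.2.44 dport=8443 host=-
ts=2024-05-20T11:06:00Z src=10.0.0.9 dst=198.51.100.7 dport=80 host=cdn.example
"""

# Fixed "current time" so the example is deterministic.
NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)


def build_denylist(feed, now, max_age=timedelta(days=14)):
    """Return {ip: family} for feed entries last seen within max_age of now.

    C2 infrastructure churns quickly and cloud addresses get reassigned, so
    an entry that has not been observed recently is dropped instead of being
    matched against whoever holds the address today.
    """
    denylist = {}
    for entry in feed:
        last_seen = datetime.fromisoformat(entry["last_seen"].replace("Z", "+00:00"))
        if now - last_seen > max_age:
            continue
        # Validate the address so a malformed feed line cannot poison the set.
        ip = ipaddress.ip_address(entry["ip"])
        denylist[str(ip)] = entry["family"]
    return denylist


LOG_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) dport=(\d+) host=(\S+)")


def match_logs(log_text, denylist):
    """Return one hit per log line whose destination IP is on the denylist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, src, dst, dport, host = m.groups()
        family = denylist.get(dst)
        if family:
            hits.append({"ts": ts, "src": src, "dst": dst,
                         "dport": int(dport), "family": family})
    return hits


def run_example():
    """Build the aged denylist and match the constructed logs against it."""
    return match_logs(PROXY_LOGS, build_denylist(C2_FEED, NOW))


if __name__ == "__main__":
    for hit in run_example():
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"({hit['family']} C2)")
```

The match is on the destination address of outbound connections, which is where beaconing to C2 shows up; the 14-day age-out is a starting point, not a recommendation from the feed, and should be tuned to how often the list is refreshed.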

Vulnerable (and Potentially Vulnerable) Systems

For each vulnerability VulnCheck has developed detection artifacts for, VulnCheck measures how many potentially vulnerable systems are exposed on the open Internet.

VulnCheck uses both publicly available services for measuring exposure (e.g., Shodan) and VulnCheck scan infrastructure tailored to the vulnerability. For example, in the case of PaperCut, VulnCheck would measure exposure using Shodan search queries that uniquely identify potentially vulnerable systems, whereas in the case of the Cisco IOS XE vulnerability, VulnCheck would measure exposure using VulnCheck-authored scanners focused on detecting devices that have already been compromised and implanted. The two measurements mean different things: the first counts systems that may be vulnerable, the second counts systems that already carry an implant.

Honeypots

The large number of honeypots on the Internet can make counts of potentially vulnerable systems misleading, since a honeypot presents the same fingerprint as a vulnerable system without being one. VulnCheck IP Intelligence tracks honeypots on the Internet so that reported counts of potentially vulnerable systems exclude them. Additionally, real-time and historical tracking of honeypot detections is available via the API.
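To show how the observations from the two preceding sections combine into a single exposure count, here is an added example that is not code from VulnCheck or from this page. It assumes observations have been exported as records with `ip`, `source` and `status` fields and that the honeypot list is a plain set of addresses (both assumed layouts, not VulnCheck's data model). It de-duplicates hosts seen by more than one source, lets an implant detection outrank a fingerprint match for the same host, and drops honeypots before counting:

```python
import ipaddress

# Constructed observations. Source names and the field layout are an
# assumption for this example, not VulnCheck's data model.
OBSERVATIONS = [
    # Fingerprint matches from a search-engine style source.
    {"ip": "203.0.113.5", "source": "search_engine", "status": "potentially_vulnerable"},
    {"ip": "203.0.113.6", "source": "search_engine", "status": "potentially_vulnerable"},
    {"ip": "203.0.113.7", "source": "search_engine", "status": "potentially_vulnerable"},
    # Active scanner results; an implant detection means the host is compromised.
    {"ip": "203.0.113.6", "source": "scanner", "status": "compromised"},
    {"ip": "198.51.100.20", "source": "scanner", "status": "compromised"},
    {"ip": "198.51.100.21", "source": "scanner", "status": "potentially_vulnerable"},
]

# Constructed honeypot set, as one would export from honeypot tracking.
HONEYPOTS = {"203.0.113.7", "198.51.100.21"}

# Ordering used when two sources disagree about the same host.
SEVERITY = {"potentially_vulnerable": 1, "compromised": 2}


def merge_observations(observations, honeypots):
    """Collapse per-source observations into one record per IP.

    - a host seen by several sources counts once,
    - the strongest status wins (implant detection outranks a fingerprint),
    - honeypots are dropped entirely so they do not inflate the counts.
    """
    merged = {}
    for obs in observations:
        ip = str(ipaddress.ip_address(obs["ip"]))  # normalise and validate
        if ip in honeypots:
            continue
        rec = merged.setdefault(ip, {"status": obs["status"], "sources": set()})
        rec["sources"].add(obs["source"])
        if SEVERITY[obs["status"]] > SEVERITY[rec["status"]]:
            rec["status"] = obs["status"]
    return merged


def exposure_summary(observations, honeypots):
    """Return headline counts with honeypots excluded and duplicates folded."""
    merged = merge_observations(observations, honeypots)
    raw_ips = {o["ip"] for o in observations}
    return {
        "raw_unique_ips": len(raw_ips),
        "honeypots_excluded": len(raw_ips & honeypots),
        "potentially_vulnerable": sum(
            1 for r in merged.values() if r["status"] == "potentially_vulnerable"),
        "compromised": sum(
            1 for r in merged.values() if r["status"] == "compromised"),
        "multi_source": sum(1 for r in merged.values() if len(r["sources"]) > 1),
    }


if __name__ == "__main__":
    for key, value in exposure_summary(OBSERVATIONS, HONEYPOTS).items():
        print(f"{key}: {value}")
```

Keeping "potentially vulnerable" and "compromised" as separate counters matters when mixing search-engine fingerprints with implant-detecting scanners: summing them as one number would blur the distinction the previous section draws between a host that may be exploitable and one that already has an attacker on it.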