Blocking Shodan

January 20, 2024
Vectra AI Security Research team

The Internet is chock full of really helpful people and autonomous systems that silently probe, test, and evaluate your corporate defenses every second of every minute of every hour of every day. If those helpful souls and systems aren’t probing your network, then they’re diligently recording and cataloguing everything they’ve found so others can quickly enumerate your online business or list systems like yours that are similarly vulnerable to some kind of attack or other.

The Evolution of Internet Scanning

Back in the dark ages of the Internet (circa the 20th century) everyone had to run their own scans to map the Internet in order to spot vulnerable systems on the network. Today, if you don’t want to risk falling foul of some antiquated hacking law in some country by probing IP addresses and shaking electronic hands with the services you encounter, you can easily find a helpful soul that’s figured it all out on your behalf and turn on the faucet of knowledge for a paltry sum.

Shodan: A Double-Edged Sword

One of the most popular services to shine light on and enumerate the darkest corners of the Internet is Shodan. It’s a portal-driven service through which subscribers can query its vast database of IP addresses, online applications and service banners that populate the Internet. Behind the scenes, Shodan’s multiple servers continually scan the Internet, enumerating and probing every device they encounter and recording the latest findings.

As an online service that diligently catalogues the Internet, Shodan behaves rather nicely. Its scanning servers are not overly aggressive, and their reverse DNS records identify them as Shodan rather than obfuscating who and what they are. In that respect they are little more troublesome than Googlebot in its efforts to map out Web content on the Internet.

Public Perception and Security Concerns

In general, most people don’t regard what Google (or Microsoft, Yahoo, or any other commercial search engine) does as bad, let alone illegal. Yet anyone familiar with the advanced search operators those engines offer, or who has read any of the many books and blogs on “Google Dorks,” has more reason to fear them than something with Shodan’s comparatively limited scope. Nevertheless, Shodan is increasingly perceived as a threat by many organizations, perhaps because of its sheer popularity, or because the infosec community and journalists so often cite it as a source of embarrassing statistics. Consequently, security vendors such as Check Point have shipped alerts and blocking signatures for it, in a vain attempt to thwart Shodan and its ilk. Such a signature can only key on what the scanner chooses to reveal: its source addresses, its host names, or the handshake pattern of its probes.

The Challenge of Differentiating Friend from Foe

On one hand, you might empathize with many organizations on the receiving end of a Shodan scan. Their Internet-accessible systems are constantly probed, their services are enumerated, and every embarrassing misconfiguration or unpatched service is catalogued and could be used against them by evil hackers, researchers, and journalists.

You will also hear it claimed that Shodan’s bad-guy competitors (cybercriminals mapping the Internet for their own financial gain) copy Shodan’s scanning characteristics so that the target’s security and incident response teams assume it is the good guys and ignore the threat. The cheapest characteristic to copy is the name: whoever controls the reverse zone for an address range can put any host name in its PTR records, so a scanner whose reverse lookup ends in a familiar domain is only as trustworthy as a forward lookup of that name that resolves back to the same address.

The Futile Effort to Block Shodan

On the other hand, with it being so easy to modify the scanning process – changing scan types, modifying handshake processes, using different domain names, and launching scans from a broader range of IP addresses – you’d be forgiven for thinking that it’s all a bit of wasted effort… about as useful as a “keep-off-the-grass” sign in Hyde Park.
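As an added example (not code from the original post, and not Vectra’s), the check below shows what “DNS information that doesn’t obfuscate who they are” actually buys a defender, and where it stops. It pulls source addresses out of constructed firewall log lines and classifies each by forward-confirmed reverse DNS: a PTR name under an allowlisted scanner domain counts only if that name resolves back to the same address, because whoever controls an address’s reverse zone can put any name in its PTR record. Everything else, including the scanner that simply uses a fresh address range, lands in “unknown”, which is the point of the preceding paragraphs. The log lines, addresses, host names and the suffix allowlist are all constructed for the example, and DNS is replaced by in-memory tables so it runs offline.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# Constructed PTR (reverse) and A (forward) records standing in for real DNS so
# the example runs offline. Addresses come from the documentation ranges; the
# host names are invented and say nothing about any real scanner's infrastructure.
PTR_RECORDS: Dict[str, str] = {
    "198.51.100.7": "census9.shodan.io",         # PTR and A record agree
    "198.51.100.8": "census1.shodan.io",         # PTR claims Shodan; A record disagrees
    "203.0.113.42": "scan.example-crawler.net",  # some other, unlisted crawler
    # 203.0.113.99 deliberately has no PTR record at all
}
A_RECORDS: Dict[str, List[str]] = {
    "census9.shodan.io": ["198.51.100.7"],
    "census1.shodan.io": ["192.0.2.10"],
    "scan.example-crawler.net": ["203.0.113.42"],
}

# Hypothetical allowlist: DNS suffixes of scanners an operator has chosen to label.
KNOWN_SCANNER_SUFFIXES: Dict[str, str] = {"shodan.io": "shodan"}


def lookup_ptr(ip: str) -> Optional[str]:
    """Stand-in for a PTR query (socket.gethostbyaddr in real code)."""
    return PTR_RECORDS.get(ip)


def lookup_a(name: str) -> List[str]:
    """Stand-in for an A query (socket.gethostbyname_ex in real code)."""
    return A_RECORDS.get(name, [])


def classify_source(
    ip: str,
    ptr_lookup: Callable[[str], Optional[str]] = lookup_ptr,
    a_lookup: Callable[[str], List[str]] = lookup_a,
    known: Dict[str, str] = KNOWN_SCANNER_SUFFIXES,
) -> str:
    """Forward-confirmed reverse DNS verdict for one source address:
    verified-scanner:<label>  PTR under a known suffix and it resolves back to ip
    spoofed-ptr:<label>       PTR under a known suffix but it does not resolve back
    unknown                   no PTR, or a PTR under no known suffix
    """
    ptr = ptr_lookup(ip)
    if ptr is None:
        return "unknown"
    name = ptr.rstrip(".").lower()
    # Match on a label boundary: "notshodan.io" must not match "shodan.io".
    label = next((lab for suf, lab in known.items()
                  if name == suf or name.endswith("." + suf)), None)
    if label is None:
        return "unknown"
    if ip in a_lookup(name):
        return f"verified-scanner:{label}"
    return f"spoofed-ptr:{label}"


# Constructed iptables-style log lines; only the SRC= field is used.
SAMPLE_LOG = """\
Jan 20 03:14:07 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.50 PROTO=TCP DPT=443 SYN
Jan 20 03:14:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.50 PROTO=TCP DPT=22 SYN
Jan 20 03:14:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.42 DST=192.0.2.50 PROTO=TCP DPT=80 SYN
Jan 20 03:14:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.50 PROTO=TCP DPT=8080 SYN
Jan 20 03:14:13 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.50 PROTO=TCP DPT=8443 SYN
Jan 20 03:14:14 fw sshd[1201]: Accepted publickey for ops from 192.0.2.9 port 50122 ssh2
"""

SRC_FIELD = re.compile(r"\bSRC=(?P<src>[0-9.]+)")


def classify_log(text: str) -> Dict[str, str]:
    """Map each distinct SRC address in the log to its verdict (one DNS round per IP)."""
    results: Dict[str, str] = {}
    for line in text.splitlines():
        m = SRC_FIELD.search(line)
        if not m:
            continue  # not a firewall line
        src = m.group("src")
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed field; never hand garbage to a resolver
        if src not in results:
            results[src] = classify_source(src)
    return results


def blockable_scanner_ips(results: Dict[str, str]) -> List[str]:
    """What a 'block Shodan' rule built from these verdicts would actually cover:
    only the polite, self-identifying sources. Everything else keeps scanning."""
    return sorted(ip for ip, verdict in results.items()
                  if verdict.startswith("verified-scanner:"))


if __name__ == "__main__":
    verdicts = classify_log(SAMPLE_LOG)
    for ip, verdict in verdicts.items():
        print(f"{ip:16} {verdict}")
    print("block rule would cover:", blockable_scanner_ips(verdicts))
```

Run against the constructed log, the only address a block rule would catch is the one whose PTR and A records agree; the address with a forged PTR, the unlisted crawler and the source with no reverse record all pass through untouched. Swapping the in-memory tables for real `socket.gethostbyaddr` and `socket.gethostbyname_ex` calls gives the same logic against live DNS, at the cost of one reverse and one forward lookup per distinct source.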

“robots.txt” is, in its own way, a similarly polite request: it asks Web crawlers not to navigate and cache the listed parts of a site. The big commercial search engines honour it; vulnerability scanners and hostile crawlers mostly ignore it. Worse, every Disallow line is a flashing neon arrow pointing hackers and security researchers at exactly the content the site owner considered sensitive enough to hide.
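To see how literally a robots.txt file maps out the content its owner wants hidden, here is an added example (not part of the original post, and not Vectra code) that parses a constructed robots.txt the way a recon script would and turns every Disallow entry into a URL to probe by hand. The file contents, the site name and the paths are invented for the example; the group handling follows the rules in RFC 9309, where consecutive User-agent lines share one set of rules and the next User-agent line after a rule starts a new group.

```python
import re
from typing import Dict, List

# Constructed robots.txt for a hypothetical site; every path here is invented.
SAMPLE_ROBOTS = """\
# Keep crawlers out of the back office
User-agent: *
Disallow: /admin/
Disallow: /backup/   # old site dumps
Allow: /admin/help/

User-agent: Googlebot
User-agent: Bingbot
Disallow: /internal-reports/
Disallow:

Sitemap: https://www.example.com/sitemap.xml
"""

DIRECTIVE = re.compile(r"^\s*([A-Za-z-]+)\s*:\s*(.*?)\s*$")


def parse_disallow(text: str) -> Dict[str, List[str]]:
    """Return {user-agent (lower-cased): [disallowed paths]}.

    Group handling per RFC 9309: consecutive User-agent lines share one group,
    the first Allow/Disallow line closes the agent list, and the next User-agent
    line starts a fresh group. '#' comments and blank lines are ignored. An empty
    Disallow value means "nothing is disallowed" and is dropped. Rules that
    appear before any User-agent line apply to nobody.
    """
    groups: Dict[str, List[str]] = {}
    agents: List[str] = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue  # malformed line; a real parser would log it
        field, value = m.group(1).lower(), m.group(2)
        if field == "user-agent":
            if in_rules:
                agents = []  # previous group is complete
                in_rules = False
            agents.append(value.lower())
            groups.setdefault(value.lower(), [])
        elif field in ("disallow", "allow"):
            in_rules = True
            if field == "disallow" and value:
                for agent in agents:
                    if value not in groups[agent]:
                        groups[agent].append(value)
        # Sitemap and unknown fields are not group rules and are ignored here.
    return groups


def recon_urls(text: str, base: str) -> List[str]:
    """Every disallowed path, across all agents, as an absolute URL: the
    'flashing neon arrow' of the post, made explicit. Order is first-seen."""
    seen: List[str] = []
    for paths in parse_disallow(text).values():
        for p in paths:
            url = base.rstrip("/") + "/" + p.lstrip("/")
            if url not in seen:
                seen.append(url)
    return seen


if __name__ == "__main__":
    for agent, paths in parse_disallow(SAMPLE_ROBOTS).items():
        print(f"{agent}: {paths}")
    print(recon_urls(SAMPLE_ROBOTS, "https://www.example.com"))
```

The Allow line is parsed only so that it closes a group correctly; the script deliberately ignores what is allowed, because the interesting output for an attacker, and the thing the site owner should review, is the list of paths it was asked not to look at.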

Conclusion: The Inevitability of Online Probing

That reputable security vendors must keep updating their Shodan detection rules is itself the tell: a rule keyed to a scanner’s addresses, host names or handshake is reactive, and it decays the moment the scanner changes any of them. These virtual “keep-off-the-grass” signs offer minimal deterrence against a determined probe, though they do give network administrators a semblance of control and a basis on which to enforce policy.

Meanwhile, the scanning itself, by well-intentioned and malicious parties alike, persists unabated.

The practical lesson of services like Shodan is that your Internet-facing systems will be enumerated whether or not you block the scanners polite enough to identify themselves. The useful response is to assume the inventory is already public: know what you expose, fix the misconfigurations and unpatched services a scan would catalogue, and watch for what an attacker does after the scan rather than for the scan itself.

Vectra AI stands at the forefront of this initiative, harnessing advanced artificial intelligence to deliver real-time threat detection and proactive response capabilities. This technology enables organizations to not only detect but also effectively counteract the cybersecurity threats posed by the extensive scanning practices of platforms like Shodan.