Shodan is a well-known tool by both security experts and malicious actors. Launched in 2009, it gained popularity in 2013 following media coverage on CNN and Forbes.
Where OSINT Meets Port Scanning
Shodan is at a crossroads between Open Source Intelligence (OSINT) and port scanning. The data it presents is nothing new – port scanning is a well-known and well-integrated process in mature security environments. The main novelty it brings is the availability of the data for anyone, anonymously and passively.
For a malicious actor planning an attack, scanning for open ports presents certain risks, including the detection by an Intrusion detection system (IDS). Shodan allegedly uses distributed scanners throughout the world to collect its data, bringing powerful anonymity and stealth capabilities to anyone, from an untrained attacker to a state actor.
Since Shodan scans any and all IP addresses, it also increases the chance of an organization being the victim of a non-targeted attack. Where a sensitive port accidentally left open might never have been found by a malicious actor before, the tool now gives quick visibility to an actor looking for a ripe target. A few weeks ago, Shodan was allegedly used by malicious actors to quickly identify potential targets on which to exploit the Microsoft Exchange vulnerability.
Why You Should Be Monitoring Shodan
The end-result is clear: malicious actors can easily gain access to information about potential vulnerabilities on an organization’s infrastructure.
Should you be monitoring Shodan even if you have a port-scanning solution? The answer is yes, simply because malicious actors are doing it. In the case of an accident, it is critical for an organization to have the same information as these actors, and at the same time as them.
Note that you should not rely exclusively on Shodan for port scanning. It does not provide a complete picture of your own infrastructure, and does not guarantee any frequency in their scans. It cannot replace a well-configured scanner since it could take months before it detects and associates a misconfiguration to your organization.
Following the in-depth security approach, it’s important to have both an inventory of your public facing assets and their versions, as well as monitor Shodan as an extra layer in case an asset is missed or hidden away in a shadow IT environment.
Adding Shodan monitoring to an organization’s capabilities can be done in two ways:
- An account can be created directly with the service, and a security analyst assigned to managing the tool.
- An existing platform, that also covers other risks, can use Shodan as a data source and monitor it without any significant overhead for a security team.
Flare Systems’ product, Firework, monitors Shodan as part of its monitoring. Contact us to learn more.
> Read next article about “Shodan: How We Evaluate Risk and Prioritize Alerts”