IP Reputation Sites Overview

In today’s video, we discuss IP reputation sites that help in understanding and gathering context about IP addresses during investigations. It's crucial to know the reputation and usage of an IP when analyzing artifacts such as IP addresses.

Importance of IP Reputation

• Determine if an IP is a scanner (e.g., Shodan, Census) or belongs to a threat actor (e.g., command and control server).

Top IP Reputation Sites

1. VirusTotal

• Introduced in previous videos.
• Search IP addresses for:
  • Location
  • Internet Service Provider (ISP)
  • Reputation score
  • Community comments for additional context

2. AbuseIPDB

• Secondary reputation site.
• Provides:
  • Number of reports against an IP address
  • ISP, country, domain name
  • Community comments

3. Gray Noise

• Service collecting data from honeypots on scanners and suspicious activities.
• Use case scenario:
  • As a SOC analyst, you may receive an alert on an inbound port scanner.
  • Checking AbuseIPDB shows multiple reports (100% confidence rating).
  • Checking Gray Noise might indicate it’s benign (e.g., linked to Shadow Server).
• Importance of multi-source verification for context.

4. IBM X-Force Exchange

• Resource for IP reputation scores and historical use.
• Useful for understanding past activities of threat actors:
  • Example: An IP may have been linked to malicious activity but is no longer active.

5. IPVoid

• Similar to the previously mentioned sites.
• Provides:
  • Reputation score
  • ISP, country, and DNS information.
  • Reports and potential reasons for those reports.

Conclusion

• Importance of context-based investigations in IP analysis.
• Encouragement to utilize multiple sources for better client value and understanding of the bigger picture.

If you found this video informative, please like and subscribe for more!