Transcript for:
Understanding IP Reputation Sites

In today's video I'll be discussing some of the IP reputation sites that we can use to understand and gather additional context about the IP address that we're investigating. When looking into an artifact such as an IP address, it is very important to understand what that IP is known for. For example, is that IP of interest a scanner such as Shodan or Censys, or is it an IP address that belongs to a threat actor and is currently being used as a command and control server? So without further ado, let's just jump right in.

Number one is VirusTotal. VirusTotal is something that I've introduced in the past, and I've created a video for it; however, you can search IP addresses here and it'll provide you with what it knows, along with the location, the internet service provider (also known as ISP), a reputation score, details, and comments posted by the community, again providing you additional context into what others may have seen in the wild.

The next one I like to use is called AbuseIPDB. I've been using this as a secondary reputation site. It provides you with information on how many times an IP address was reported, along with the additional information that you expect when you're looking into an IP, such as the ISP, the country, the domain name, and of course the nice part that AbuseIPDB has is the comments themselves.

Number three: GreyNoise. I've been a big fan of GreyNoise from the moment they released their service. Picture this: a bunch of honeypots scattered across the internet, just collecting information about scanners and anything that's just hitting those honeypots. How awesome is that? Anyone performing investigations on an IP address, especially those in the SOC, will greatly benefit from this. So let me provide you with a scenario. You're working as a SOC analyst and you receive an alert: inbound port scanner. You go ahead and check AbuseIPDB, and it is reported multiple times with an abuse confidence of 100 percent (that is the highest abuse score you can get), with multiple comments about web attacks. So you're about to escalate it to the client, indicating that hey, there might be a potential attack on your asset. But before you do that, you go and check GreyNoise and you notice: hmm, benign. Interesting. What does that mean? Well, if we go over to the documentation, I want you to focus on the second point: GreyNoise has determined that the actor is not malicious in nature. Interesting. And if we Google that IP, it belongs to Shadowserver, a non-profit organization that gathers and analyzes data on malicious internet activity. Now, is that malicious? I can see why people may think that it is, because it's scanning a bunch of things and, hey, probably doing a bunch of vulnerability scanning too. Now, do we need GreyNoise to tell us that? Probably not; I mean, we could have simply Googled the ISP and found our answer from there. But it's always nice to have multiple sources to provide you with as much context as possible. If you are curious about GreyNoise and want to dig a little deeper into it, I highly recommend you go and read their documentation, as it will provide you with a bunch of information regarding GreyNoise.

The fourth one is IBM X-Force Exchange. IBM has a great resource page for reputation scores for IP addresses, and it also has historical use as well. For example, a threat actor may have been using an IP address of some sort but is no longer using it anymore, but certain threat feeds still report on that and alert you on it. You, as a SOC analyst, take that IP and you're wondering why it is being alerted on as threat actor activity, for example. You jump over to IBM X-Force Exchange, you paste that IP in there, you look at a historical search, and then you can see in the past that, hey, maybe this threat actor had used this IP, but it's been retired since then. And of course, look at different sources and see what they say about that IP.

The last one I'll mention is IPVoid. This one is similar to the IP reputation sites out there that I've listed: it provides you with a score, along with its ISP, country, and DNS. If you scroll down a bit, you can actually see where this IP was reported and sometimes identify why it was reported.

Understanding context is something that I'll always preach. We must get into the habit of performing context-based investigations, to not only provide better value to our clients but also help us understand the bigger picture. So with that, I hope you enjoyed this video and found this informative. If you did, let me know by hitting that like button, and subscribe if you want to
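The triage logic the video walks through (a 100 percent AbuseIPDB score that GreyNoise then marks benign should not be escalated on its own) is easy to encode once more than one source is in play. The script below is an added example, not code from the video or from any of the services named; it runs offline against constructed sample lookups for three documentation-range IPs. The field names (`abuseConfidenceScore`, `totalReports`, `classification`, `name`, and so on) are modelled on the shape of the public AbuseIPDB and GreyNoise responses but are assumptions here, as is the 75 percent escalation threshold, so map them onto whatever your own lookups actually return.

```python
"""Added example: combine several IP reputation sources into one triage verdict.

Not code from the video. All lookups below are constructed sample data; the
field names are assumptions modelled on AbuseIPDB / GreyNoise responses.
"""
from dataclasses import dataclass, field

# Constructed sample AbuseIPDB-style lookups (documentation IP ranges, not real hosts).
SAMPLE_ABUSEIPDB = {
    "203.0.113.7":   {"abuseConfidenceScore": 100, "totalReports": 412,
                      "isp": "Example Research Org", "countryCode": "US"},
    "198.51.100.23": {"abuseConfidenceScore": 100, "totalReports": 58,
                      "isp": "Example Hosting Ltd", "countryCode": "NL"},
    "192.0.2.9":     {"abuseConfidenceScore": 0, "totalReports": 0,
                      "isp": "Example ISP", "countryCode": "DE"},
}

# Constructed sample GreyNoise-style lookups. 192.0.2.9 is deliberately absent:
# the honeypots have never observed it, which is itself a piece of context.
SAMPLE_GREYNOISE = {
    "203.0.113.7":   {"noise": True, "classification": "benign",
                      "name": "Example Research Scanner"},
    "198.51.100.23": {"noise": True, "classification": "malicious",
                      "name": "unknown"},
}

ESCALATE_SCORE = 75  # assumed AbuseIPDB confidence threshold for this example


@dataclass
class Verdict:
    ip: str
    priority: str                      # "low", "high" or "review"
    reasons: list = field(default_factory=list)


def triage(ip: str, abuse: dict, greynoise: dict) -> Verdict:
    """Return a single verdict built from both sources.

    The decisive rule is the one from the video's scenario: a maximal
    AbuseIPDB score is not enough to escalate when GreyNoise has already
    classified the source as a benign mass scanner.
    """
    a = abuse.get(ip)
    g = greynoise.get(ip)
    verdict = Verdict(ip=ip, priority="review")

    # Record what each source says so the analyst sees the full context.
    if a is not None:
        verdict.reasons.append(
            f"AbuseIPDB confidence {a['abuseConfidenceScore']}% from "
            f"{a['totalReports']} reports; ISP {a['isp']} ({a['countryCode']})")
    else:
        verdict.reasons.append("AbuseIPDB: no record")

    if g is None:
        verdict.reasons.append(
            "GreyNoise: not observed by honeypots (no mass-scanning context)")
    elif g["classification"] == "benign":
        verdict.reasons.append(f"GreyNoise: benign actor '{g['name']}'")
    elif g["classification"] == "malicious":
        verdict.reasons.append("GreyNoise: classified malicious")
    else:
        verdict.reasons.append(f"GreyNoise: classification {g['classification']}")

    # Decision: a known benign scanner stays low priority even at 100% abuse score;
    # a malicious classification or a high abuse score with no benign context escalates;
    # anything else (no reputation anywhere) is left for the analyst to review.
    if g is not None and g["classification"] == "benign":
        verdict.priority = "low"
    elif (g is not None and g["classification"] == "malicious") or (
            a is not None and a["abuseConfidenceScore"] >= ESCALATE_SCORE):
        verdict.priority = "high"
    return verdict


def triage_all(ips, abuse=SAMPLE_ABUSEIPDB, greynoise=SAMPLE_GREYNOISE):
    """Triage a batch of IPs against the (constructed) lookups."""
    return {ip: triage(ip, abuse, greynoise) for ip in ips}


if __name__ == "__main__":
    for ip, v in triage_all(list(SAMPLE_ABUSEIPDB) + ["203.0.113.99"]).items():
        print(f"{ip:15} {v.priority:6} " + " | ".join(v.reasons))
```

The point of keeping every source's statement in `reasons` rather than only the final priority is that the verdict should be auditable: when the escalation is suppressed because of a benign classification, the ticket still shows the 100 percent AbuseIPDB score that would otherwise have triggered it.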