Learn
Tools
Connect

Newest CVE, Featured Search Queries, Updates & Announcements

1-2 posts per week

Important Updates, Sales & Promos

Email newsletter

3-4 times per year
Please, sign in to manage newsletter subscription

Security Analysis
Security Research
Featured Reads
Reading cover
BLOG POST Complete Guide on Attack Surface Discovery
Reading cover
BLOG POST Mastering Online Camera Searches: Techniques, Tools, and Best Practices
Reading cover
WHITE PAPER Security research and analysis with Netlas.io

NETLAS FOR SECURITY RESEARCH

Reputation Scoring using Netlas.io

IP reputation is a critical element in the cybersecurity landscape, aiding SOC analysts in identifying and mitigating potential security threats.

Netlas data can significantly enhance threat intelligence feed providers and cybersecurity analysts’ algorithms for detecting suspicious hosts.

Score IP reputation based on IP scan results

You can rely on Internet scanning data when deciding whether a host is suspicious or not. Netlas can reveal a wide range of information, such as exposed ports, running services, known vulnerabilities, or unexpected behaviors that deviate from what is considered normal or safe. It is possible to identify number of IoCs using scan results. These indicators can include evidence of malware, phishing, spamming activities, or connections to known bad domains. Each IoC contributes to the reputation score of an IP address.

For example, hosts containing numerous vulnerabilities are more likely to be compromised and may host malicious agents or proxy services (e.g., web shells) through which adversaries can carry out attacks. During Internet scanning, Netlas tags vulnerabilities that the scanned applications may be susceptible to if the software version is determined. You can also assess the reputation of a host, for example, based on how frequently the software is updated. To do this, you can compare Netlas scanning results taken at different time intervals.

Phishing resource sample Try this search on Netlas

Search for malicious hosts using IoCs

There are numerous reputation scoring algorithms based on the comparison of devices or services. Using available threat intelligence data, you can query Netlas for the scan results of malicious devices, identify distinctive features (create IoCs), and search for similar nodes in the Netlas database. This way, other instances of malicious services or previously unidentified parts of the attackers’ infrastructure can be discovered.

Search phishing framework by HTTP page title Try this search on Netlas

Reputation of networks and ISP

There are also reputation scoring algorithms based on the idea that the reputation of a whole should be defined by the reputations of its parts. In other words, the more malicious hosts there are in a certain network segment, the worse the reputation of that segment should be.

Data on malicious nodes should be obtained from third-party sources, such as threat intelligence feeds. WHOIS and DNS data libraries, which Netlas constantly collects and publishes for its users, become useful in this case. Having data on the relationship between domains and IP addresses, as well as data about the relationship of IP addresses to domain zones, countries, providers, networks, autonomous systems, etc., allows you to score the reputation of these entities.

For example, you can assign reputation levels to countries depending on the concentration of malicious hosts or assign ratings to ISP based on the number of malicious hosts they serve.

Gruop phishing framework search results by ISP name Try this search on Netlas

Get your free Netlas.io account!

Sign up to get up to 50 requests/day for free

Sign Up Read the Guide