Intelligence From Internet Background Noise

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 126 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

When we talk about threat intelligence, we often put it in the context of bringing information to the surface, creating context and alerts to let you know what you need to be concerned with. We also speak of cutting through the noise of pulling the signal out and transforming it into actionable intelligence.

Our guest today is Andrew Morris. He's CEO of GreyNoise Intelligence, a company that describes itself as “anti-threat intelligence,” which is not to say they're against threat intelligence; quite the opposite, in fact. Instead of focusing on what should keep you up at night, Andrew Morris and his team analyze the background noise of the Internet to determine what you don't need to worry about. It's a unique approach, perhaps a bit counterintuitive at first, but ultimately, they say, it helps you filter out useless noise and focus your time and resources on what really matters. Stay with us.

Andrew Morris:

I've been working in cybersecurity professionally since 2011, so for the past eight years. Then I've been involved in cybersecurity since before it was even really an industry, since I was pretty young. I got into computer hacking when I was a preteen, so I've been doing it since then.

When I was, I don't know, maybe 18-ish, I got my first job in cybersecurity as a pentester for a medium-sized consulting company, doing a little bit of government work, a little bit of private sector work, always on offense, just doing security assessments. Then from there, I went to another security consulting shop that was a little bit more specialized, a little bit more boutique. Did the same thing for a couple of years. Then went over to Endgame where I worked on the R&D team for the next three years. Then I left Endgame to start GreyNoise. That was about two years ago, so I founded GreyNoise about this time two years ago.

Dave Bittner:

What was the motivation? What was the impulse to make you decide that starting GreyNoise was where you wanted to go?

Andrew Morris:

I always knew I wanted to start a company. I have no idea why, but I always knew in the bottom of my heart that I was going to start a company. I didn't know what the company was going to be or how I was going to do it or anything like that, but I mean, since I was probably a teenager, I knew I was going to start a company.

Then I think once I had already swallowed that reality, it became like, "Cool, what's my company going to do?" I've been super, super fascinated by the internet background noise problem or the concept of internet background noise for years now. It's just a fun, unexplored frontier in cybersecurity. I could see that problem was starting to grow a little bit.

Over the years, I just kept waiting for someone to start the company that was doing what we're doing now. I wasn't seeing it, so it was like, "Okay. Well, I'm just going to leave and I'm going to start the company myself."

Dave Bittner:

Well, let's explore that a little bit together. What exactly do you mean when you say internet background noise?

Andrew Morris:

The concept of internet background noise at a technical level, well, we'll start at the highest level humanly possible: internet background noise is basically all of the traffic that's hitting everybody omnidirectionally on the entire Internet that's generated by people broadly scanning and crawling the Internet. It's people that are hitting every single IP address on the whole Internet looking for something.

At a technical level, when you attach a device to the Internet, directly on to the Internet so that it's completely routable and you look at a packet sniffer like tcpdump or Wireshark or something like that, even though you haven't advertised the system to anyone yet, you're going to see a lot of unsolicited scan traffic coming in from IP addresses all around the world.

You're like, "What is this? I haven't even told anybody that this system exists yet. How could people already try to be communicating with it?" That's because it's the combination of scanners, search engines, good guys, bad guys that are constantly scanning and probing the entire Internet. That is internet background noise.

Dave Bittner:

Now, help me understand the difference between something like that and, say, I guess I'm thinking of radio spectrum. All the RF energy that is the stations that I'm not tuned to that's still out there all the time, how does that differ from what we're talking about with this internet version of background noise?

Andrew Morris:

That's a good question. I would say that the difference is that it's not really noise. It's not noise in the conventional electrical engineering perspective or the electrical engineering definition of noise. It is still in certain ways directed, it's just directed in 4.2 billion directions at the same time.

At a technical level, and I think I'm splitting hairs a little bit, but I would say that internet background noise, as a term, is probably the most accurate metaphor for the concept of internet background noise. It's a nice phrase and a nice metaphor, but really, all we're talking about is untargeted internet traffic or omnidirectional internet traffic. It's just shooting in every possible direction. Does that make sense?

Dave Bittner:

Yeah, I think so. It really just casting that wide net.

Andrew Morris:

Exactly.

Dave Bittner:

Seeing what you're going to grab rather than, I don't know, to use a fishing metaphor, casting a line to try to hit specifically under that log that's out there in the middle of the pond.

Andrew Morris:

Exactly.

Dave Bittner:

How does this affect us day-to-day for folks who are out there trying to use the Internet in positive ways? What's the effect on us?

Andrew Morris:

You want to know how does internet background noise affect regular day-to-day internet users?

Dave Bittner:

Correct, correct. I'd say individual users, but also on an enterprise level.

Andrew Morris:

Okay. I would say individual users, it doesn't really affect you at all. Just normal, regular-use internet users, people browsing the Internet, it doesn't affect you, really, almost at all.

For the enterprise, it absolutely affects you. The reason for that is, especially in cybersecurity, in a SOC, in a security operation center or as a network defender or as a network analyst or as a sysadmin or as a blue teamer or something like that, I mean, almost any network-related cybersecurity or even just ops position, it's going to affect you in the enterprise because, quite simply, internet background noise when you're looking at it from the perspective of one individual device on the Internet is negligible.

But when you're looking at the amount of internet background noise that hits someone who may own hundreds of thousands of IP addresses that are facing the Internet or millions of IP addresses that are facing the Internet if you own a very large network and you have a tremendous perimeter, that's when it's really going to start to add up and you're going to start to have hundreds or even thousands of alerts or lines of logs that are generated by internet background noise. That's when it's going to interfere with your day-to-day security operations in a pretty meaningful way.

Dave Bittner:

I see. Right, because if you're logging every single one of those attempts to interact with your systems and most of those are random and meaningless, it's going to be harder for you to notice the ones that need your attention.

Andrew Morris:

That's exactly right. That's a good point. If you're trying to log everything and then you're trying to look and figure out what is hitting everyone versus what is just hitting me, what's important, then that makes it makes it really difficult from that position.

Even if you're not logging everything, though, even if you are just logging, I would say if you have an IDS, an intrusion detection system, or if you're doing threat hunting or something like that, it can actually still be relevant to you because if you find out that a device was compromised on your perimeter, maybe an IoT device, or if you find out that something gets infected with a piece of ransomware that spreads opportunistically, or a crypto miner or something like that, then you may start to freak out in your triage and in your investigation.

Again, we're well past that being a, "I'm logging everything." This is a post-fail situation now. This is, "Hey, we have a device. It was compromised. Oh, my god, I'm freaking out. What do I do?" To be able to have that insight into, well, yes, it was compromised and that is really bad, but it was compromised by this botnet that's using commodity exploits and it's not targeted to you or your vertical, it's actually targeting everybody on the entire Internet, so it's not that bad. I mean, it's actually a lot better than it could be. It was not a targeted attack. Does that make sense?

Dave Bittner:

It does. It's a really interesting thing to think about. What specifically are you addressing here with the company itself? What is the service you're providing?

Andrew Morris:

The shortest answer I can possibly give you is we're providing context to our customers and we're providing negative ground truth in a big way, which means you have a security operation center, it's busy, you have too many alerts, and some of those alerts don't matter that much. Instead of telling you which things that you definitely need to freak out about, we're just going to tell you what 10 or 20 percent of things you definitely don't need to worry about. That's it. That's all we do.

Dave Bittner:

For someone who is consuming threat intelligence, how does this fit into that spectrum of things that are coming in?

Andrew Morris:

I would say that we augment other threat intelligence really, really well. Conventionally, what you might do is you might ask a question like, "Show me all of the indicators that are pointing to an asset that belongs to me." Or you may do something like, "Show me all of the devices that are scanning or probing me or that have fired in an IDS alert today," and you may say, "that are also in one of these 10 feeds." That's really useful for you to know.

With GreyNoise, what we would let you do is you'd ask questions like, "Okay, now that you've shown me all of the things that have alerted me today that are also in one of these feeds or even that are in one of these feeds that haven't alerted me today," your follow-up question might be, "Great. Now let me subtract out all of the lines or events or alerts or whatever that are hitting everyone on the entire Internet so I can only see the things that are just hitting me." Does that make sense?

Dave Bittner:

It does. It seems to me as though in some ways, it aligns with this move we've seen, this momentum we've seen towards risk-based assessments, particularly we hear this in the boardroom and so forth that people are taking more of a business-centric approach to determining where to spend their money, how to spend their time. What you're describing here seems to really connect with that.

Andrew Morris:

I agree with everything that you just said. I think to add on to that, in order to provide value from a threat intelligence perspective, I think that there's a ton of value to be added doing what all of the threat intelligence providers do conventionally. "Here are things that you should consider working on. Here's additional insights into that thing that you wanted to know about." I think it's super valuable, but I also think that there's a lot of value in approaching it from the exact opposite perspective.

The way that I think a lot of threat intelligence providers provide value is to say there's a bad thing that you don't want to happen and we're going to help you have that bad thing not happen. That bad thing is going to cost you an unknowable amount of money, but probably a lot, enough that you should be worried.

We're doing our best to provide you with insights that are going to prevent this bad thing from happening and all of the cumulative bad things that you've prevented from happening and some unknowable dollar value, dollar amount that you can add up, that's your cost savings for buying our products, which I think is great. Do that. That's totally fine. That's just not how we think about the problem at all.

The way that we provide value is, okay, you have this many alerts or events per day that make it to an analyst. I would say of those, 10 percent of them you don't really need to worry about. They're just not a big deal, they're hitting everybody. No one should be looking at them.

What's your average ticket time to close or incident time to close or incident time to triage? What's your average time to do that? Is it 30 minutes, five minutes, an hour? Whatever. Then how many of those things are actually covered? How many of those things are contextualized and filtered by GreyNoise? Oh, it's 5 percent, 10 percent. Okay, multiply that together to figure out, great, this is the amount of things we don't really need to look at. That's great, that's fantastic.

That's where we provide value to organizations. It's in a completely reductive context and that's the way that we prove value. I think that we're really complementary in that way, but we just think about our value proposition in a completely different way from other threat intelligence providers. Does that make sense?

Dave Bittner:

It does. Help me understand this notion that because something may be attacking everyone rather than someone specifically, how that aligns with the seriousness of it. Andrew Morris:

Yeah, that's a really good question because to your point, there may be things that are attacking everyone that you should care about, right?

Dave Bittner:

Right.

Andrew Morris:

I would say that basically the reason that we provide value is that unless you know who's hitting everyone and who's only hitting you, you have to assume everything is only hitting you. It's just overwhelming.

I would say that when one is thinking about the idea of seriousness or how seriously to take an incident, I do not think that the only data point to feed into that should be directionality or targetedness, but I do think that it is an extremely important factor that should be taken into consideration.

That having been said, if something is hitting everyone and it affects you and you are compromised by that thing, that's a big deal. At that point, you have way bigger problems than buying threat intelligence feeds. You were just impacted by a commodity vulnerability. Patch your stuff. You have a much bigger problem than thinking about the maturity of your threat intelligence program. You need to spend time and energy and resources in making sure that your perimeter can at least handle the commodity bottom of the barrel attacks that are hitting everybody on the entire Internet. At the very least, that's where you need to focus.

If I were on a sales call and someone came to me and said, "Hey Andrew. We really want to use GreyNoise to figure out when our devices get compromised, which ones are directed compromises, and which ones are undirected compromises." I would probably say, "Hey, that's awesome. Maybe invest those dollars over here and not on us yet and let's talk again in six months."

Dave Bittner:

In terms of the background noise itself, what do you see in the future? Is this a problem that you anticipate is going to get worse? Do you think we're going to have technologies or techniques to do better with it? Where do you think we're going?

Andrew Morris:

That's a good question. I think that it is going to continue trending in the way that it has over the past few years to a decade, which is to say that from a volume perspective, it's certainly going to increase.

What does that mean for security professionals and enterprise security professionals? I think that that just means that figuring out the attacks that matter is going to get a little bit harder. I think that strictly from the lens of internet background noise, I think that because there are so many people attacking systems opportunistically now, I think that it's just going to be something that more and more people have to start thinking about over the next few years because you'll burn yourself out if you sound the alarm over every single bad thing that happens.

Dave Bittner:

I have to wonder, are we headed towards a reality where the noise is getting so noisy it's harder and harder to have signal?

Andrew Morris:

Yeah. I mean, I think that that's where we are right now. I mean, I absolutely think so. I don't think that's in the future. I think that's today. I mean, I think another interesting thing to think about is: What is the noise? Let's not even think about noise from an operational perspective and from an efficiency perspective.

I mean, I think at this point, let's start thinking about the weaponization and automation timeline for vulnerabilities as they're announced. I think the things that really affect people the most there is once a vulnerability has been weaponized or once a vulnerability has been announced, how long before it becomes completely automated and weaponized in a completely opportunistic botnet or something like that. That's something that affects everybody.

Dave Bittner:

Well, and I can't help wondering about how are the bad guys out there, are they using the noise to their advantage? Are they using the noise as camouflage?

Andrew Morris:

Absolutely. I would say that that's going to be your APT stuff. I mean, I think about that all the time. That's nightmare fuel for me is thinking about GreyNoise telling somebody not to worry about something, but then it actually totally being something that they should totally worry about.

Dave Bittner:

Right, right.

Andrew Morris:

Yeah, that's horrifying from my perspective. I mean, honestly, yeah, it's not something that I have observed happen firsthand yet where I'm 100 percent sure that it has happened. I am acutely aware that it is a thing that has been done before and that certain actors do. If I was a big, scary bad guy, I would certainly want to do that.

I mean, to answer your question: Do bad guys do that? Yeah, but it's the same bad guys that are doing other super ultra sneaky stuff that have high budgets, that is the boogeyman bad guy. It's not all of them and it definitely isn't going to impact most people. I would say that it impacts the same people that already have APTs in their threat model.

Dave Bittner:

Right, right. If this is something that's going to potentially impact you, chances are you know it.

Andrew Morris:

Yeah, exactly. But I mean, everybody has things that they tell themselves to sleep at night and one of the things that I tell myself to sleep at night is: "Just because people bypass antivirus right now does not mean that antivirus is a thing that doesn't and hasn't provided an incredible amount of value over the past 10, 20 years."

AV has provided a massive amount of value. Sometimes it's bypassed. Then what is the philosophical way to think about being the provider of a tool that is providing a sense of security to somebody and then it's subverted and then they do that thing even though you were telling all your customers, "Hey, we're here to protect this one thing"?

This isn't new to us. People have been addressing this for years. Honestly, my prognosis of this is just that internet background noise is a really specific thing. I think it's a problem to be solved. We're not curing cyber cancer. We're helping make security operation centers incrementally more efficient and illuminating context where there was none before. That's all we do.

The way that I would think about GreyNoise is, "Hey, this is like a cool thing that is solving this problem that makes my life better." That's what we think about and that's what we want to keep doing. We're going to provide context where there was none or little before and that's what we're going to do.

Dave Bittner:

Our thanks to Andrew Morris from GreyNoise Intelligence for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.