Andrew Morris, GreyNoise Intelligence: “SOC teams are overwhelmed with false-positive alerts”

Information Security teams are continuously slammed with false-positive threat alerts, forced to shift their attention away from real incidents.

About every 39 seconds, a cyberattack affects another company or individual. To mitigate each cyber threat – either before or during the exposure – we count on a multitude of cybersecurity tools. A VPN for encrypted online traffic, an antivirus for fighting malware and adware, and more. Yet, we have to deal with overlooked vulnerabilities and the aftermath of cyber incidents daily.

Cybersecurity researchers, on the other hand, have to deal with much more than cyber dangers alone. They have to screen vast amounts of data to separate threats from background noise. Andrew Morris, the CEO and Founder of GreyNoise Intelligence, explains what the most efficient way of approaching this process is.

How did GreyNoise come about? What has your journey been like?

The short answer is that I got into security research when I was around thirteen years old in the mid-2000s. My family had a computer with a failed hard drive. I learned on the Internet that it was possible to use a computer without a functional hard drive by using something called a "Linux Live CD." Many wasted blank CDs later, I recall installing Ubuntu 4.04 and feeling like an absolute cyber god. I decided I was good at doing things with computers, and I enjoyed it, so I just kept reading and learning. I would stay up late into the night reading technical docs and staring at Ethereal (which would later be renamed Wireshark).

There is something exhilarating about being the first person to solve an unsolved problem or make a discovery in the cybersecurity arena. I love that there are entire groups and communities of people that you've never met in your life who think it's just as cool as you do. I love the feeling of imparting the thought process to others so that they can learn from your work and replicate it for their benefit. I'm hopelessly addicted to the pursuit of solving unsolvable problems or finding "unfindable" answers. It forces you to adapt, consume information, and level up your skills. At the end of the day, the problems you've solved and the knowledge you accumulate in the process absolutely cannot be taken away from you.

Can you introduce us to what you do? What are the main challenges you help navigate?

GreyNoise Intelligence is a cybersecurity company that analyzes Internet scanners and crawler traffic to separate threats from background noise. We collect, analyze and label data on noisy IP addresses that scan and attack the entire Internet, saturating security teams with alerts. This unique perspective helps analysts waste less time on irrelevant or harmless activity, and spend more time focused on targeted and emerging threats.

What technology do you use to identify risks across vast amounts of data?

The traditional approach to threat intelligence is to identify more and more (and yet more!) threat indicators that are “suspicious”. Often, these threat indicators are low fidelity and come with very little context for a security analyst. The result - SOC teams are overwhelmed with false-positive alerts and alerts about events that turn out to be harmless to the organization.

GreyNoise is a little bit different; our core goal is to reduce the “noise” for SOC teams by eliminating as many false positives and pointless alerts as we can. So, unlike other threat intelligence vendors, we are solely focused on providing high fidelity data on IPs that are actively scanning the Internet (whether their intent is malicious, benign, or still unknown), and we deliver that to our users in the clearest and most enriched way we can so they can quickly and easily prioritize threats.

How did the recent global events affect your field of work? Were there any new features added to your services as a result?

In terms of our offer to support defenders in Ukraine, we've been in contact with dozens of different groups to help them get set up on our tools and leverage our data free of charge, as well as connecting them with others in the InfoSec community doing the same.

In addition, we've created a collection of data available to everyone, identifying source IP addresses that are only scanning destination IP addresses located in Ukraine. We have also filtered out potentially spoofed traffic from these files. The goal is to help provide visibility into potential cyber activity surrounding the Russia/Ukraine situation. This data can be accessed here:

• Human-readable/CSV
• JSON
• IP addresses only
• IPs with related context/metadata

Why do you think some organizations are unaware of the risks they are exposed to?

In many cases, it’s not an issue of being unaware, but rather the fact that alert fatigue is causing missed threats and analyst churn. Information Security teams are continuously slammed with alerts because Internet ”noise” triggers 1000’s harmless events that need to be investigated. Everything feels on fire all the time, every alert is critical with insufficient context. At the same time, new vulnerabilities are weaponized at an alarming rate. Unfortunately, everyone in the SOC is too busy, and there’s never enough time to do meaningful work to defend against new threats.

Which cybersecurity practices should companies follow, especially when dealing with large amounts of data?

1. Increase analyst capacity. On average, 20-40% of alert traffic is noise. By suppressing or deprioritizing alerts generated by common business services or benign IPs and reducing false positives in downstream security systems, security engineering teams can free up time for higher priority work.
2. Accelerate triage/faster time to verdict. Contextual data can help SOC analysts to triage noisy alerts instead of spending time researching harmless scanners, false positives, and common business services that trigger alerts.
3. Identify compromised devices. Contextual data can tell you if something belonging to you or your customers or partners is crawling the web, potentially indicating a compromise.
4. Track newly announced vulnerabilities. Contextual data provides unique, early visibility into CVEs being exploited in the wild, at scale, providing cyber threat intelligence teams with the lead time they need to mitigate the risk, and vulnerability management teams the data they need to prioritize patching.

Talking about average individuals, what personal security tools are essential for every Internet user?

In our data, we see a ton of compromised devices coming from residential IP address ranges. It's clear that individuals are getting hacked way more frequently than corporations, and it makes sense, as they are generally less well defended. We think that Internet service providers should be doing more to help protect their residential customers, but people also need to protect themselves. The basic toolkit that anyone on the Internet should be using includes:

• Antivirus - protection from malware
• Secure VPN - protect sensitive information like passwords and banking details when you’re online
• Password Manager - protect and manage your passwords

What kinds of threats will become a prominent problem in the next few years?

We are completely astonished by the sheer number of crippling vulnerabilities in Internet software being exploited every day. As an industry, we are seeing cybercriminals use unsophisticated methods to identify massive amounts of opportunities at targeted organizations around the globe. With both good and bad actors sharing knowledge and tools within hours of a vulnerability release, the ability to exploit software at scale becomes easier. Now, it’s become a game of volume, doing low-level hacking at scale. Some recent examples include:

• Apache Remote Code Execution vulnerability On October 4th, 2021 Apache disclosed a path traversal vulnerability CVE-2021-41773 that affects HTTP Server version 2.4.49. The vulnerability was introduced in this version (2.4.49) and is patched in version 2.4.50. This path traversal vulnerability allows sensitive files outside of the expected document root to be accessed, such as configuration files and Common Gateway Interface (CGI) scripts. This allows for specially crafted requests to read arbitrary files as well as perform Remote Code Execution (RCE) on systems that have the Apache “mod_cgi” module enabled.

• Microsoft Azure “OMIGOD” vulnerabilities A series of four vulnerabilities involving the software agent Open Management Infrastructure has left Microsoft Azure customers exposed to remote code execution. The flaws were reported Tuesday, September 14th, 2021.

Share with us, what’s next for GreyNoise?

We’d like to see GreyNoise recognized as the authoritative source for understanding communications on the Internet — the first place you go to find out more about an alert, ad domain, or a perceived threat. Our mission is to make security alerts useful again and help make security operations more efficient. Every security product that has GreyNoise integrated becomes more effective, and every SOC benefits from what we offer. We want to eliminate the amount of time security analysts waste on useless alerts.