
Q&A: Andrew Morris

The Internet is lousy with scanners, some malicious, some benign, and separating the traffic that matters from what doesn't is a thorny problem. Taken together, those scanners create a tremendous amount of background noise, an issue that many a security analyst has faced over the years. To find the traffic that matters from a security perspective, Andrew Morris built a massive set of sensors that listen to, rather than scan, the Internet, and that network has become the foundation for GreyNoise. Morris spoke with Dennis Fisher on the Decipher podcast recently about the company's origins and the challenges of finding the important traffic. This is an edited transcript of that conversation.

Dennis Fisher: Where did the initial idea for this come from?

Andrew Morris: It's a long story. Originally, as a pet project in maybe 2013, I set up a bunch of honeypots on the internet. There was this hosting provider that, in retrospect, was probably a Ponzi scheme, but it allowed you to spend like $10 or $50 and buy like a VPS for life. I bought like 10 VPS and I set up a bunch of honeypots in 10 different data centers around the internet, and I'd never set up a honeypot before. And so I monitored the honeypots. I set up like a few different types of tech. And I looked at who logged into them and who tried to brute force those honeypots. I started getting attacks immediately and I was like, wow, the bad guys are coming for me. And I was looking at all this data. And then at some point, you know, I added like the 10th honeypot and I was like, man, this is a lot of data. So instead of logging in and checking the data on all these things, I'm going to put it into like a central place, and I'm going to look at the data from one place.

I streamed it into Splunk and I'm looking at the data and I was like, man, look at all these bad guys, like, this is crazy. And then I noticed kind of out of nowhere that among the IP addresses that were attacking these hosts on the internet, there was a lot of overlap. There were a lot of IPs that were attacking all of them. They're all in completely different data centers in different countries around the world, in very different locations geographically. I'm seeing the same one, two, three, four, five, 1,000 IP addresses attacking all these things. And I was like, man, that's crazy. And so I remember thinking about it, like, this is threat intel, right? I found the bad guys! And after I had a lot of conversations and I talked to a lot of people, some switch flipped in my head where I was like, wait, this isn't the stuff that people should be worried about. This is the stuff that's hitting everybody. This is just like internet background noise. This is like anti-threat intelligence. And then where it got extremely interesting was when you overlaid what you were seeing from these honeypots on the internet on top of an actual network that has actual business users. And what I found is that it creates this noise-canceling effect where you basically have what's hitting everybody on the internet totally opportunistically.

And you subtract that out from what is hitting somebody's network. And what you're left with is only the things that are hitting that network specifically, both legitimate, regular business users, but also, you know, targeted attacks. So I built this thing and I presented it at ShmooCon 2014 or so. And that was when someone asked the question, what is the expected amount of scan traffic that any host on the internet should see? And that question is so hard to answer and is so vast and so massive. And the implications of properly answering that question took me down this massive rabbit hole that I'm still going down with GreyNoise right now. But that's functionally kind of like where the idea came from.

Dennis Fisher: So until you gave that talk at ShmooCon and somebody came up to you and was like, Hey, you know, this is a real thing, had you thought about, like, Oh, maybe there's a business in this? Or was that kind of the spark of it?

Andrew Morris: No, no, no, no. Not even a little bit. That just isn't what really motivated me at the time. It was like, I just wanted to do cool stuff. I wanted to solve problems and do cool stuff. So even if somebody came and said, Hey, I'll give you a bunch of money, but you have to solve a different problem, I would have been like, well, but I don't want to solve a different problem. I just found this one really cool. And so I wasn't even thinking about the business aspect of it. I only ever started thinking about the business aspect of anything, and making money, once it became apparent to me that the only way to properly have control of building this thing in the exact way that I think it needs to happen was to build a company around it. And to build a company around something, you have to think about money.

Dennis Fisher: So what were you doing at the time? What was your job when you set up the honeypots?

Andrew Morris: I was on a staff augmentation role for a customer and they wanted to hire me. And so I was like, Oh, sick. Right. Like, I'm going to join this company full time. And then, right at the last second, the offer was rescinded after I'd already quit my other job. So I didn't actually get fired. I got like un-hired, which felt like getting fired. And so I was like, well, you know, I'm looking for something to do. And this just seemed like a fun thing to do. And, like, I've never really told anybody that before, but that's honest to God where I was: I had some downtime between jobs and I was kind of looking for a cool thing to occupy my time.

Dennis Fisher: Honestly, that's where some of the coolest ideas come from, not just in security, or even technology, but in life in general, if you just have some time to think about things that maybe you're vaguely aware of, but you have too much other stuff going on.

Andrew Morris: That's exactly right. It's like when you meditate and you clear out your mind, you give yourself all this new space to be creative and to think about new things. And so sometimes taking a step away, taking a step back from the slog or the grind or the knife fight that is kind of the day-to-day, gives you some flexibility. And unfortunately it's the kind of thing that not everybody has the opportunity or the option to do, because sometimes you just got to slog. I didn't choose to take two weeks to just think about cool stuff and what I wanted to do.

"I just found this one problem really cool. And so I wasn't even thinking about the business aspect of it."

Dennis Fisher: How close to what GreyNoise is now was the original vision? What's the delta between what you originally produced and where it is now?

Andrew Morris: Oh, it's a great question. So it's gone through so many different iterations. I would say that GreyNoise right now is the exact embodiment of what the vision was several years ago, before it got bigger and cooler. I was imagining Shodan, but the opposite. So the same kind of layout, similar workflow, similar kind of usability, similar freemium, similar feel, except obviously the data that we collect is the exact opposite of the data that Shodan collects, right? We don't scan the internet. We listen to the internet. But laying out the data similarly, I've always been a huge fan of Shodan. So it was like, borrow from those who do good stuff, borrow from those who have figured it out. We have thousands of users. We have all these customers. And so now there are so many more things for us to do and the vision has gotten a lot bigger. And so where we're going is not at all where I envisioned a few years ago. We've kind of already surpassed that, which is exciting.

Dennis Fisher: What are the most common use cases for your customers right now?

Andrew Morris: So our elevator pitch that we give to people when we're talking to customers or potential customers is: every security operations center is too busy. One of the reasons they're too busy is they have way too many alerts. Some of those alerts don't matter very much because they're generated by completely pointless, opportunistic, internet-wide scanning attack traffic that's not even a little bit targeted towards them. We'll tell you which alerts are generated by that, you know, maybe 20, 30, 40%, so that you can focus on the alerts that really matter to you. It's like noise-canceling headphones for your center, for your security products. That's our two-second sales pitch for what we tell our enterprise customers. We run a gigantic network of collectors, kind of like honeypots, in all these different countries. We collect data in a bunch of places. We analyze that data. We make that data available in a web interface, APIs and security integrations.

What can you use GreyNoise to do? Really three main use cases. The first one is to answer the question, is this thing hitting everybody, or is it just hitting me? I just saw this thing hit my network and it looks weird and it raised an alert, or it did a thing. I'm gonna look it up in GreyNoise. And if it comes back in GreyNoise, that means that it's hitting everybody on the entire internet. Not just you; it's not a targeted attack. Number two, show me where compromised devices are. As a byproduct of all the data that we collect, we know where a massive amount of compromised devices are on the internet, hundreds of thousands every day. So we can tell you, Hey, these 300,000 IP addresses were compromised in the last day, right? And that's useful. That's useful to people because we can tell you if something that you have is compromised; we'll use our alerts feature to do that.

And then the third, most common use case is this identification of emerging threats and which vulnerabilities are being opportunistically exploited, and from where. What we do is our engineering and research teams will put something together on our side so that we're able to get some visibility. We'll make something that looks like the thing that's vulnerable. And we'll instrument the crap out of it. And then we will look to see what happens. What did the scanners do when they found it? Do we find anybody who's checking for the existence of the vulnerability? Do we find anybody that's opportunistically exploiting the vulnerability? Do we find anybody that's doing that at scale? Anybody that's doing that in multiple places?

Dennis Fisher: You mentioned earlier that a large part of the stuff that hits a given enterprise in a given day is stuff that they don't really need to be all that concerned about. It's mass-scan stuff. I know this is going to vary widely by organization, but in general, how much of the attack activity that organizations see is something they need to worry about?

Andrew Morris: That's such a great question. So I don't ever advise that our users filter out anything, because you can't get that back. You don't want to drop data. You can never get it back. And if the tool is wrong, then you're in a bad position. So you may want to put things in a lower priority on the queue. You may want to deprioritize things. You may want to put certain events in cheaper storage. The answer is, it depends. It depends on a lot of different factors, but on average, just about any organization that we work with is going to find a hit rate of at least 20% among the alerts that are making it to a security analyst through all of their other automation.

"Where we're going is not at all where I envisioned a few years ago. We've kind of already surpassed that, which is exciting."

Dennis Fisher: I've had conversations with people that work in SOCs many times over the years. And they all have kind of that thousand-yard stare after a while. Reducing the noise must be such a huge thing for them.

Andrew Morris: Yeah. At the end of the day, security people don't want more things to worry about, right? I promise you, they don't. The people in the SOC are overworked. They are exhausted. It is a very hard job. They are getting alerts from a zillion security products. They are desensitized to a massive amount of those alerts being absolutely useless wastes of time. And they are frustrated. We focus on getting you to the conclusion of "this isn't really a big deal" as quickly as humanly possible, because of the exact reason that you were just describing. The people who work in SOCs are exhausted. And the security industry is not making it any better. We're just making it worse. And so we're trying to do the exact opposite of what every security company, or every product company in the SOC, has ever done. And that's just: give more context.

Dennis Fisher: Are there any non-security applications for the data that you guys see and collect?

Andrew Morris: I'm asked that question a lot. The answer is mostly no, but if there are, I just haven't seen them yet. The two things that immediately jump out to me, though, are that, one, there is a massive operational spend that goes into storing logs that are generated by internet-wide opportunistic scan and attack traffic, sometimes just for compliance reasons. So, I mean, it's going to sound insane, but I'm going to tell you right now, there's a lot of organizations out there that capture firewall logs of everything that's happening on their firewalls and may have to store it for compliance. And a lot of that stuff is, I cannot stress this enough, meaningless. And we know the difference between what is and isn't meaningless. The only other thing is when the internet goes off somewhere, all of the internet background noise stops there. And so there is some applicability of using GreyNoise in the capacity of trying to identify problem areas of the internet, or even just pipeline issues on the internet.
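The "noise-canceling" step Morris describes, with his caveat that background-noise alerts should be deprioritized rather than dropped, as an added example that is not part of the interview and is not GreyNoise's code. It assumes a constructed list of "hitting everybody" source ranges (in a real deployment this would come from a sensor feed) and constructed firewall log lines in a made-up `key=value` format; the parser, the `triage` function and the field names are all hypothetical.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of "hitting everybody" sources, i.e. addresses that a
# listening sensor fleet saw probing every sensor. A real deployment would
# load this from a feed; these are RFC 5737 documentation addresses.
BACKGROUND_NOISE = [
    ip_network("198.51.100.0/24"),
    ip_network("203.0.113.7/32"),
]

# Constructed firewall log lines (not real logs, made-up format).
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z DENY src=198.51.100.23 dst=10.0.0.5 dport=22 rule=ssh-bruteforce
2024-03-01T10:00:04Z DENY src=203.0.113.7 dst=10.0.0.5 dport=445 rule=smb-probe
2024-03-01T10:00:09Z DENY src=192.0.2.44 dst=10.0.0.8 dport=8443 rule=admin-portal
2024-03-01T10:00:12Z ALLOW src=192.0.2.44 dst=10.0.0.8 dport=443 rule=web
2024-03-01T10:00:20Z DENY src=198.51.100.200 dst=10.0.0.9 dport=23 rule=telnet-probe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) rule=(?P<rule>\S+)$"
)


def parse_logs(text):
    """Parse the constructed log format into a list of event dicts.
    Lines that do not match are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def is_background_noise(src, noise=BACKGROUND_NOISE):
    """True if the source address falls inside any known noise range."""
    addr = ip_address(src)
    return any(addr in net for net in noise)


def triage(events, noise=BACKGROUND_NOISE):
    """Tag every event with a priority. Opportunistic, internet-wide sources
    go to 'low' (bottom of the queue, cheaper storage); everything else stays
    'review'. No event is removed, so a wrong noise list can be revisited."""
    for ev in events:
        ev["priority"] = "low" if is_background_noise(ev["src"], noise) else "review"
    return events


def noise_hit_rate(events):
    """Fraction of events attributable to background noise (0.0 if empty)."""
    if not events:
        return 0.0
    low = sum(1 for ev in events if ev["priority"] == "low")
    return low / len(events)


if __name__ == "__main__":
    evs = triage(parse_logs(SAMPLE_LOGS))
    for ev in evs:
        print(f'{ev["priority"]:6} {ev["src"]:16} {ev["action"]:5} dport={ev["dport"]} {ev["rule"]}')
    print(f"background-noise hit rate: {noise_hit_rate(evs):.0%}")
```

On the constructed sample, three of the five events come from noise ranges and are tagged `low`, while both events from 192.0.2.44 (an address no sensor saw) stay in the `review` queue; the event count before and after triage is identical, which is the property Morris insists on.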