How GreyNoise Helps Validate Vulnerability Exploitation | Shortcuts
Can you just give the quick take on what GreyNoise is and what it does for its users and customers?
Andrew Morris: GreyNoise is a cybersecurity company. We operate a gigantic network of collector sensors, kind of like honey pots. So we run a big honey pot network in thousands of places around the globe and a bunch of different corners of the internet, so in cloud hosting providers, residential and business internet service providers, et cetera. We run a ton of honey pots in probably 40-50 different hosting providers and about 40ish different countries. And there are really two primary use cases or problems that we solve for our customers.
Number one is, “Is this alert that just got raised in my SOC hitting everybody or is it just hitting me? Help me understand the things that are just hitting me specifically, because those are the ones that I want to focus on.” And then number two is, “Who’s exploiting what vulnerabilities out in the wild? And where are they doing it from so that, ideally, I can a) orient around it and b) hopefully block some of the attackers that are doing that to buy myself a little bit of time.”
So, at the end of the day, there’s obviously a lot of different factors that go into which vulnerabilities you want to prioritize and which ones you don’t. But as you know, one of the biggest factors out there is the question, “Is anybody exploiting this in the wild?” And then number two, the one that we are really acutely interested in is, “Is this being weaponized or operationalized? Is this vulnerability being exploited at scale?” Because if GreyNoise sees something, that means that everybody is seeing it. Because we get all of our data from networks around the world that we are running our honey pot sensors in, that means that we’re not getting data from networks that have existing business value. So if GreyNoise sees something, then that means that kind of by definition, everybody on the whole internet is seeing that thing.
Tell us more about how GreyNoise can help with validating vuln exploitation?
Andrew: The best thing that you can do is just browse the GreyNoise web interface and just go to the trends page or the tags page. Basically, that’s where we’ve got all of the exploitation of what we call GreyNoiseable Vulnerabilities. What that really means is that we’re really good at providing additional context around vulnerabilities that are specifically remote code execution or vulnerabilities in commonly deployed software on network perimeters, ideally pre-authentication. Then, by and large, it usually really pops off once the public POC is available to everybody. That’s kind of the combination of things that have to be the case for it to be a “GreyNoiseable vulnerability.”
You’re focused on vulns that are remote code exec, commonly deployed software, pre-auth, those types of things… the really nasty stuff, right?
Andrew: Yeah, exactly. I mean, really it’s the same ones that the bad actors are interested in, as well. “Can I use this thing to gain access to lots and lots and lots of computers?” If the answer to that is yes, then it is probably going to be a vulnerability that we’re going to dig into and most likely see active exploitation out on the internet for.
We have a project together that we’re using GreyNoise for – the CISA KEV Enrichment Dashboard – where we take the CISA KEV vulnerabilities and use GreyNoise to help put validation on those because not all of those are necessarily relevant to everyone. Can you talk a little bit about that?
Andrew: Number one, you’ve got to ask yourself, do I actually run this software or not? Because if the answer’s no, then you definitely don’t care. Number two is going to be, okay, so I do run this software and CISA says that it is a known exploited vulnerability, right? That means that you’re probably going to need some slightly further context. That’s really useful information that you have in order to prioritize things from a vulnerability management perspective, but you may also need to know where is this being exploited from, right? Because you also might want to know what does this actually look like on the wire and what can I do about it? Am I going to actually catch this if anybody’s slinging it at me? Am I capable of detecting this, et cetera. So, those are some of the other additional questions that I think that defenders should be asking themselves when consuming either the Nucleus KEV Enrichment Dashboard data directly from CISA KEV or data directly from GreyNoise.
If it’s one of those vulnerabilities that GreyNoise does provide some context on, then there’s a good chance that you’d be able to grab a dynamic block list from the GreyNoise web interface where you could just pop it straight into your firewall so that you can just block as much of that stuff in the perimeter as humanly possible.
Why is it important to have this technology to whittle down what you should pay attention to?
Andrew: Primarily, there’s just a lot of stuff out there. There’s a lot of stuff that’s happening on people’s networks. The Internet’s really, really, really noisy, and so there’s a few different kinds of cacophony. Number one, there’s literal network cacophony, right? Networks are noisy, the Internet’s noisy. Everybody who has a network perimeter is constantly getting the crap metaphorically kicked out of their perimeter.
Number two is that there’s also a lot of security community noise as well. This is less literal technical noise and more just discourse and conversations over which vulnerabilities matter and what really matters, et cetera. So ideally, GreyNoise can kind of help a little bit with both of those. Number one, we can help definitively tell people what they need to care about on their perimeter, as well as really help security defenders, security decision makers, and security operations people actually figure out very quickly with very high confidence whether or not they need to care about something or to build out that list of things that they, on a given day, definitely need to care about.
Does GreyNoise employ any AI in this process?
Andrew: We don’t use any AI or ML in actually doing our tagging process. Everything that we use is basically pattern matching and statistics. It’s super basic – we just are doing it at relatively high scale. Separately, we do use AI and ML to assist our human analysts on our research team. Essentially, we use AI and ML to do kind of clustering and to surface interesting patterns that our research team observes and that they review in order to help us just make sense out of the colossal amount of data that we have. The only other thing that I can really add is that we are rolling out our first ever customer-facing feature that uses AI and ML, and it’s basically IP similarity.
So, whenever you’re sort of tracking a malware campaign, or you’re tracking an actor, or you’re tracking a specific kind of behavior or something like that using GreyNoise, you’ll soon be able to quickly pivot off of IP addresses and say, “Hey, show me other IP addresses that are acting very similar to this one behaviorally.” And that actually uses AI and ML under the hood, but that’s the only feature that we’ve ever created that’s user facing that uses AI and ML. Other than that, we really just use it to give our analysts internally some superpowers to be able to slog through all the data that we get faster.
What’s the most important thing, in your mind, for folks to take away from what we’ve talked about today?
Andrew: Number one, create a free GreyNoise account. It’s free. You don’t have to pay anything for it and if it’s useful for you, you can keep using it for the rest of your life. Number two, the next time an alert gets raised in your security operations center and you want to know if it’s hitting everybody or if it’s just hitting you, just look that IP address up in GreyNoise. You don’t even have to create an account to do your first few lookups. Number three, the next time a really bad, scary vulnerability gets announced kind of like this OpenSSL vuln, anytime that a new, big, scary vulnerability is announced, pay attention to the GreyNoise Twitter account and the GreyNoise Trends page, and that’s where we’re going to tell you everything that we know about those vulnerabilities just to try to get the word out.