The Department of Defense recently awarded GreyNoise Intelligence a potential five-year, $30 million contract to help the department identify and understand Internet-wide scan and attack activity. The contract extends the work GreyNoise has been doing with the Defense Innovation Unit since March.
Every machine on the Internet is bombarded with connection attempts and other unsolicited traffic, so the Internet is a noisy place. Only a fraction of that traffic belongs to a legitimate transaction or is a response to some application activity. That doesn't mean the rest is hostile: most of it is simply junk.
Threat actors may be scanning the Internet to discover which ports are open or which services are running, or the traffic may be a routine scan by a business application. Whether junk or malicious, security tools flag it as unusual, leaving analysts with the difficult task of sifting targeted attacks out of scanning activity that is merely opportunistic or benign.
Know Which Ones Aren’t Important
That is where GreyNoise shines. The company's Internet-facing sensor network collects scan data and analyzes its origins to give analysts context for the scans. Threat researchers can look for spikes in scanning to identify new outbreaks of worm activity or attackers probing systems for known (and unpatched) vulnerabilities. Security analysts can confidently filter out irrelevant or harmless activity and focus their energies on uncovering and investigating true threats.
Being able to identify what can be ignored is one of the most common use cases for GreyNoise, says founder and CEO Andrew Morris. An organization may receive a security alert about an unknown IP address attempting to communicate with a high-value system. Depending on the sensitivity of the targeted system, the alert could be escalated for further investigation and potential remediation. An analyst can look up the IP address in GreyNoise, and upon discovering that it was an opportunistic scan rather than a targeted attack, the team can deprioritize the alert and focus on other, more pressing threats.
Much of the anomalous behavior organizations have to deal with tends to be "indiscriminate, opportunistic, untargeted, and Internet-wide," Morris says. "While it's possible that opportunistic attacks can be successful and cause harm, this is statistically rare against hardened networks."
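The triage workflow described above, as an added example that is not GreyNoise's, Hurricane Labs' or the Department of Defense's code: each alert's source IP is enriched against a scanner-intelligence lookup and the alert is deprioritized only when the source is known Internet-wide noise. It also encodes the caveat from Morris's quote: an opportunistic origin is never a reason to drop an alert for activity that actually succeeded, and an internal source cannot be judged by Internet scan data at all. The lookup table, the alert lines, the field names (`noise`, `riot`, `classification`) and the priority rules are all constructed for this illustration; the real GreyNoise API and its response format are not taken from the article.

```python
"""Alert triage with scanner-intelligence enrichment (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed stand-in for a scanner-intelligence lookup. Field names are an
# assumption for this example, not a documented API: "noise" = seen scanning
# the Internet at large, "riot" = known benign business service.
# Sources use RFC 5737 documentation ranges so nothing real is referenced.
NOISE_DB: Dict[str, dict] = {
    "198.51.100.7": {"noise": True, "riot": False, "classification": "malicious"},
    "203.0.113.40": {"noise": True, "riot": False, "classification": "benign"},
    "192.0.2.9": {"noise": False, "riot": True, "classification": "benign"},
    # 198.51.100.200 is deliberately absent: never seen mass-scanning.
}

# Address space the organization owns; an internal source is never "Internet noise".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
HIGH_VALUE = {ipaddress.ip_address("10.0.0.5")}


@dataclass
class Alert:
    src: str
    dst: str
    signature: str
    outcome: str  # "attempt" or "success"


@dataclass
class Triaged:
    alert: Alert
    priority: str  # "high", "medium" or "low"
    reason: str


def lookup(ip: str) -> Optional[dict]:
    """Offline lookup; a real deployment would query the intelligence API here."""
    return NOISE_DB.get(ip)


def triage(alert: Alert, lookup_fn: Callable[[str], Optional[dict]] = lookup) -> Triaged:
    src = ipaddress.ip_address(alert.src)
    if any(src in net for net in INTERNAL_NETS):
        return Triaged(alert, "high", "internal source: Internet scan intelligence does not apply")
    if alert.outcome == "success":
        # Opportunistic attacks do sometimes succeed; a successful event is never noise.
        return Triaged(alert, "high", "activity succeeded; origin is irrelevant")
    rec = lookup_fn(alert.src)
    if rec is None:
        return Triaged(alert, "high", "source never seen scanning the Internet: possibly targeted")
    if rec.get("riot"):
        return Triaged(alert, "low", "known benign business service")
    if rec.get("noise"):
        if rec.get("classification") == "malicious" and ipaddress.ip_address(alert.dst) in HIGH_VALUE:
            return Triaged(alert, "medium", "opportunistic but malicious scanner hit a high-value asset: confirm patch state")
        return Triaged(alert, "low", "opportunistic Internet-wide scan")
    return Triaged(alert, "high", "seen by sensors but not as mass scanning")


def triage_all(alerts: List[Alert]) -> List[Triaged]:
    return [triage(a) for a in alerts]


def reduction(triaged: List[Triaged]) -> float:
    """Fraction of alerts an analyst can deprioritize outright."""
    return sum(t.priority == "low" for t in triaged) / len(triaged) if triaged else 0.0


# Constructed alert feed for one shift.
ALERTS = [
    Alert("198.51.100.7", "10.0.0.5", "SSH brute force", "attempt"),
    Alert("198.51.100.7", "10.0.0.22", "SSH brute force", "attempt"),
    Alert("203.0.113.40", "10.0.0.22", "TCP port scan", "attempt"),
    Alert("192.0.2.9", "10.0.0.5", "HTTP GET /", "attempt"),
    Alert("198.51.100.200", "10.0.0.5", "HTTP POST /login", "attempt"),
    Alert("198.51.100.7", "10.0.0.22", "SSH login", "success"),
    Alert("10.0.0.77", "10.0.0.5", "SMB enumeration", "attempt"),
    Alert("203.0.113.40", "10.0.0.5", "TCP port scan", "attempt"),
]

if __name__ == "__main__":
    results = triage_all(ALERTS)
    for t in results:
        print(f"{t.priority:6} {t.alert.src:15} -> {t.alert.dst:10} {t.alert.signature:18} {t.reason}")
    print(f"alert load reduced by {reduction(results):.0%}")
```

The ordering of the checks is the point: the internal-source and success tests run before any reputation lookup, so noise data can only ever lower the priority of an unsuccessful, externally sourced event. The "medium" branch keeps a known-malicious scanner that reaches a high-value asset visible, since the article's own caveat is that opportunistic attacks still occasionally land on unpatched systems.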
GreyNoise is being used across multiple teams and functions across the Department of Defense in a defensive capacity, the company says.
Fewer Alerts, More Time Saved
Analysts face hundreds of alerts a day. Every hour spent investigating alerts that don't matter is an hour in which an actual targeted attack can go unnoticed or unanswered.
GreyNoise says customers reduce their alert loads by 25%. In many cases, the reduction can be as high as 38%, Morris says.
Knowing the difference between a targeted and an opportunistic attack saves analysts a lot of time, especially on huge networks, Morris says. The actual time saved depends on the organization's alert volume and its ticket time-to-close (or time-to-triage). For a small shop with few alerts, the savings from a reduced alert volume may not seem like much, but for a larger organization with a heftier alert load the amount of time saved is "massive," Morris says.
“To a Security Operations Center (SOC), telling security analysts what they don’t need to worry about is ideal because it means less time spent working alerts that are not a threat and more time digging into suspicious activity,” wrote Dusty Miller, an engineer at security services provider Hurricane Labs, in a recent blog post discussing how the company uses GreyNoise.