In the InfoSec community, sharing knowledge and expertise is key to moving the industry forward and crucial to creating the next generation of security professionals. As part of our commitment to building and investing in the community, we’re excited to announce our new online conference series: NetNoiseCon.
NetNoiseCon is a livestream conference viewable on the GreyNoise YouTube channel on April 19th, starting at 12pm ET / 9am PT.
The conference will feature both technical and career-advice focused talks, with speakers from across the InfoSec industry and the GreyNoise researcher community. We’ve curated a set of talks with the goal in mind that all viewers should come away with new skills or insights that they can use in their work ASAP.
Here’s our NetNoiseCon v1 speaker lineup:
Matt Johansen, Vulnerable U newsletter
Santiago Holley, VP of Threat Management at RedTrace
Kimber Duke, Senior Product Manager at GreyNoise
Greg Lesnewich, Senior Threat Researcher at Proofpoint & GreyNoise Ambassador
Joseph McDonagh, GreyNoise Ambassador
floofpwn, independent security researcher
YouTube Livestream event:
Click the “Notify Me” button to receive a notification when we go live or sign up for a reminder here. Join us on the livestream for the event and hang out in our community Discord server to join our post-event voice chat / StarCraft sessions 👾.
We hope to see you there!!
- Sam Houston, Senior Community Manager, GreyNoise
All of my friends (and my bathroom scale, honestly) will tell you that I love tortillas. Not just any tortillas, however…they have to be homemade. I make sure we have homemade tortillas every week and keep them in the fridge. They are better than anything you can buy in a store, and they are simply amazing when they are hot off the comal. My kids know this; when they see the comal on the stove, they make a point of hanging around the kitchen to snag one (often a few!) while they are fresh because they understand that freshness is everything for tortillas.
It turns out the same is true for vulnerability intelligence!
In just the first 6 months of 2024, we’ve seen over 2,000 remotely exploitable, no-authentication-necessary CVEs be published. These are the kinds of vulnerabilities that are exploited on the Internet - via APTs and criminals or botnets driving mass exploitation - every minute of every day. This is a huge amount to deal with, and what we’ve seen this year is that they are occurring more frequently on edge devices that don’t have many mitigating controls to protect them. When these things happen, it forces security teams to drop what they are doing and scramble for a fix.
There are many existing vulnerability prioritization solutions that can help by including information like “Known Exploits Available” or “In the Wild”. The issue is that these attributes quickly become stale. Technically, a snippet of proof-of-concept code is an available exploit, but it isn’t the same as a mass exploitation attack by a criminal organization. A hard-to-exploit race condition that requires a lot of time and effort might be “In the Wild”, but that doesn’t require the same urgency to fix as something an actor is actively exploiting today. In many ways, these attributes (in addition to CVSS Base Scores, Vendor bulletins, etc) are like stale tortillas - edible but ultimately unsatisfying.
At GreyNoise we believe that security teams deserve actionable information that is fresh enough to know what attackers are doing right now, so that they can respond with the speed and urgency required. Consequently, today we’re launching GreyNoise for Vulnerability Prioritization to give our customers exactly that.
Here’s how it works:
We run a global network of thousands of sensors that emulate the types of assets enterprises have exposed to the Internet: web servers, network gear, etc. We see when attackers and bots start probing them, and we collect the data as they are attacked in real-time. We compare this against known bad behaviors and known IPs; our ML models are even capable of alerting us to unknown but suspicious or malicious activities that are the hallmarks of novel exploits. This is all unique, primary data that we collect rather than simply aggregating from third-party sources. In other words, we make fresh tortillas from scratch rather than just reselling ones we bought from a supermarket.
As we collect this information, we make it immediately available via our Visualizer for ad-hoc usage and through our API for inclusion in your existing automation. We ensure that information is always fresh, so that you can get the most up-to-date intel for as long as you need until you fix the problem.
There are many good vulnerability prioritization tools out there, but we believe that only we can tell vulnerability teams which CVEs need attention now based on what attacks are actually happening today. Because Vuln Intel is based on all the same data that powers GreyNoise, you’ll also be able to share what you know seamlessly with your SOC analysts and threat hunters.
We think you’ll enjoy having fresh and actionable information with GreyNoise Vulnerability Prioritization. You can visit our website to learn more or schedule time to talk with us directly.
I know you’ll also love having fresh and delicious tortillas, so please enjoy this recipe. I look forward to hearing from you about both!
Flour Tortillas Recipe
Ingredients:
4 parts all-purpose flour
.1 part salt
1 part lard (or shortening, but lard is the best)
2 parts water - hot water for thin and chewy tortillas, cold water for thick and fluffy
For example, I find 300gm (4 x 75gm) flour + 75gm lard (1 x 75gm) + 8gm salt (.1 x 75gm) mixed with 150gm (2 x 75gm) hot water makes 8 burrito-sized or 12 fajita-sized tortillas.
Instructions:
Place flour, salt, and lard in a bowl. Add in water; if using hot water, give it 30 seconds to melt the lard.
Knead for 1 minute - it should be tacky but not so sticky it won't easily come off your fingers; you can add a little flour if needed.
Let stand covered for 30 minutes.
Heat a cast iron griddle (a skillet works too) on med-high for 5 minutes (i.e. at the 25-minute mark).
Divide the dough into golf ball-sized portions.
Using a rolling pin, roll one into 6-9 inch diameter rounds.
Cook 30 seconds on one side - you'll see bubbles form on the top when it is time to flip. Now is a great time to roll the next round while it cooks.
Flip and cook for another 15-30 seconds; I like longer to get a few charred spots.
Stack on a plate and cover with a towel.
Eat them soon — they will be unbelievably good for 60 minutes, very good the rest of the day, and better than anything you can buy in the store for at least a week if you keep them in the fridge.
Why I liked it: I'm a sucker for the Alien/Predator universe content, and this was a cool one-off. Should be a fun read/listen if folks want one multiverse explanation of what happened to everyone's fave synth.
TLDR: Sociologist Arlie Hochschild spent five years visiting and interviewing the Lake Charles area of Southern Louisiana to explore the political motivations and social frustrations of right-wing voters following the 2016 election. Hochschild approaches the subject with a non-partisan appeal to humanity in an attempt at understanding the evolution of right-wing populism following the collapse of the Tea Party movement.
TLDR: Alan Moore's graphic novel series about the adventures of various classic literature protagonists as they assist British Intelligence in countering supernatural threats. Pitched as "the Justice League of Victorian England", Moore creates a multi-verse of literary characters that explore the otherworldly and occult and has served as an inspiration to fellow writers such as Neil Gaiman and Warren Ellis.
GreyNoise was founded to see what others don’t. That quest led us to build a unique global network of thousands of sensors across hundreds of strategically selected points of presence, giving cybersecurity practitioners unparalleled insight into online activity, whether malicious or benign.
And in 2023, we saw something new.
In the second quarter of 2023 GreyNoise researchers observed a substantial change in internet scanning behavior. Malicious inventory scans significantly reduced in frequency and scale, and the vast majority of these types of scans now come from benign sources. This, along with the speed at which compromises follow vulnerability announcements, strongly suggests more capable attacker groups have implemented their own form of “attack surface monitoring”, to avoid tripping existing defenses. Attackers are now less likely to risk their reconnaissance infrastructure being detected and flagged prior to establishing confidence in a successful attack path.
A change in attacker behavior is rendering current defenses less effective. But an established technique is ready to rise to the challenge. Honeypots are back.
With attackers routing around observation and detection, traditional third-party threat intelligence cannot provide the targeted attack visibility that defenders need. A first-party, honeypot-based approach is ready to step into the breach.
While honeypot programs have traditionally struggled with deployment, operation, and data analysis, new technology is changing the game. Advances in infrastructure automation, network traffic shaping, cloud computing, and artificial intelligence make it possible to consistently identify novel attacks and reveal attacker infrastructure. New honeypot networks are easy to deploy, with flexible impersonation, believable personas, and automated analysis. Whether on an organization’s perimeter or deployed across the globe, they provide the insights defenders need to protect key systems before a breach.
At GreyNoise, we haven’t just focused on tech leadership — we’ve brought in thought leadership as well. In order to educate the market about these new challenges, and how honeypots can help tackle them, our deception and intelligence experts Andrew Morris and Bob Rudis have published the Honeypots Are Back report. This report:
Breaks down targeted attacks
Compares third- and first-party threat intelligence
Discusses traditional honeypot challenges
Establishes a new honeypot maturity framework
Provides a security checklist for defenders to implement this necessary capability
To dive deeper into each of these topics, read the report here. To see a demonstration of the new honeypot capabilities under development at GreyNoise today, watch our on-demand honeypot webinar here. And if you’re ready to discuss standing up a mature honeypot network in your own environment, talk to our team.
We had a blast at NetNoiseCon on April 19th and we hope you did too! If you missed out, don't worry - we've got you covered with this recap.
From incredible technical talks to insightful career advice from industry leaders, there was something for everyone. We strongly encourage you to watch each of the talks and soak in the wisdom shared by our stellar lineup of speakers.
Special Storm⚡️Watch briefing from boB Rudis - GreyNoise’s boB Rudis shares a fun and insightful brief on several active APT groups and the targeting of industrial control systems.
Methods of Finding Threat Signals - Proofpoint’s Greg Lesnewich presented his methods for finding signal within the noise, finding anomalies in the data, and how to use layering techniques to find threats.
Vintage Internet Noise - GreyNoise’s Kimber Duke dives into the vintage internet vulnerabilities, many of which are 20+ years old, that still haunt us today.
Brain skills | functions | AI - Santiago Holley, VP of Threat Management at Redtrace Technologies, shares his thoughts on the strengths of AI and the inherent strengths of humans and how our brains work - and how we can bring those two together.
Stress, Mindfulness, & Mental Health in Cybersecurity - Matt Johansen, writer of the Vulnerable U Newsletter, explores the particular challenges and stresses that many in cybersecurity face, and how to deal with them. This is a fantastic honest look at our work in InfoSec and the struggles that many have with mental health.
How I Got Into CyberSecurity - GreyNoise Ambassador Joseph McDonagh shares his unorthodox career path from the military into cybersecurity. At the end, Joseph also shares how he uses GreyNoise “backwards” and leverages Splunk.
---
Huge thanks to all of our speakers - we really appreciate their time and insight. Also, thank you to everyone who tuned in and joined us live at NetNoiseCon, we had a blast!
We will bring NetNoiseCon back later this year, so stay tuned for more news about the next event. In the meantime, join us on Discord and say Hi!
Thoughts: Ezra Klein’s interview with the CEO of Anthropic is an interesting discussion about the speed of growth of the industry and the impact AI will have on our electricity consumption, the impact on jobs, and more. Very interesting listen!
Why I like it: It has stylistic and narrative elements like The Expanse novels, and presents an intriguing future where some humans (dubbed Wardens) have outgrown their humanity thanks to bioengineering and rule the galaxy with ruthless efficiency. This story centers around the folks impacted by a particularly horrible Warden who decides to mess with the pseudo-stability of the regime in order to gain control. Excellent writing.
Thoughts: It was a good read as well. I don't necessarily agree with all the points, but the author's practical take on making real-world apps with "AI" is very refreshing amidst all the hype.
Why I like it: This brilliant, disturbing novel centers on a psychiatrist suddenly convinced his wife has been replaced by an imposter (presumably a reference to a real disorder, Capgras delusion) and that the secret to finding his real wife is hidden in an obscure paper by a research meteorologist—clearly based on the author’s own father. Hilarious, insightful, surprisingly punny—and though written in 2006, the bite-sized chapters are perfect for our age of internet distractions (just me?).
Thoughts: Incisive, bizarre, and with a last-act twist that slides perfectly, yet shockingly, into place, The Saint of Bright Doors is certainly deserving of its string of award nominations. I saw Chandrasekera read an excerpt from this book on his tour; he chose the scene where the protagonist’s mother tells her son “the doctors will tell you I’m dying of cancer . . . but really it’s because I’m disappointed in you.” But Bright Doors does not disappoint.
TLDR: Neil Gaiman wrote that this book “contains no dragons”. It’s not quite true—and Gaiman’s full quote contains a qualifier that I’m cunningly concealing from you—but close enough. Now consider what it means to recommend a dragonless book about dragons. Familiarity with the Wars of the Roses and strong opinions about the Byzantine empire will be greatly rewarded.
Why I like it: It is a book about having a more interesting stage presence as a magician. I'm not a (professional (or good)) magician, but telling stories and being interesting on stage applies to all of us!
Backstory: Vampire fiction might be too embarrassing to post…for context, I go to the local used bookstore to buy random books. I bought "The Passage" by Justin Cronin and got sucked into (🥁) the story about the world being overrun by a vampire virus. Halfway through, I realized it's a trilogy; now I'm halfway through the second book ("The Twelve"), with the third ready to go.
Thoughts: It is a nice read. Basically, “the entirety of perceptual experience is a neuronal fantasy that remains yoked to the world through a continuous making and remaking of perceptual best guesses, of controlled hallucinations.” Or how I stopped worrying and learned to love the absence of free will.
AI is so hot right now, and the cybersecurity space is no exception. Technology leaders are unveiling exciting new capabilities, vendors are making extravagant claims, and practitioners are working hard to understand how to separate the wheat from the chaff, leveraging AI where it can make the most difference to their operations’ and their organization’s risk.
Here at GreyNoise, we’ve been investigating where AI capabilities can have the biggest impact, and then working to deploy them internally, externally, and in partnership with other security vendors. In this blog we’ll discuss several GreyNoise AI projects and how they’re helping defenders identify and understand threats and secure their environment.
Sift: AI for Anomaly Discovery
Traditional automation is rule-based and rigid. “IF a packet matches this malware signature, THEN block it AND generate an alert”, etc. AI-based approaches are different. AI makes it possible to automate pattern recognition—and its inverse, anomaly discovery. With AI, defenders can rapidly process high volumes of data, and automatically identify the most suspicious observations for high-priority analysis and triage.
Sift is GreyNoise’s tool for solving this problem. It leverages multiple advanced AI techniques, including:
custom-built LLMs (Large Language Models)
nearest neighbor search and vector databases
unsupervised clustering
Sift runs daily, helping our research team process the data generated by our global sensor fleet to identify novel behavior, traffic, and attacks.
But Sift doesn’t stop there. The same techniques can be applied to the data generated by targeted subsets of our sensors, helping specific organizations generate intelligence insights and reports tailored to observations from their own networks. This AI application will bring the industry-leading research capabilities of GreyNoise into any organization’s internal security processes, reducing triage overhead, accelerating attack identification, and making life easier for defenders—and harder for attackers.
For more on how to bring the insights of Sift into your own organization, talk to our team.
Copilot: AI for Interpretation
The capabilities of AI aren’t limited to stochastic data analysis. Recent advances in transformer architectures and LLMs have cracked the natural language barrier, making it possible to generate well-formulated utterances at scale. This has opened up a new frontier of AI assistants. Microsoft Copilot for Security is leading the charge to bring these capabilities into the cybersecurity space, and GreyNoise is working together with Microsoft on this initiative. We’re a partner in the Microsoft Copilot for Security Partner Private Preview, and our plug-in means that both free and enterprise users can access GreyNoise insights from within their Copilot interface with natural language prompts.
The future of AI is hard to predict, and the evolution of the field has famously surprised both boosters and skeptics. Organizations looking to leverage these rapidly transforming capabilities will need to roll with the punches—and continue to partner with security vendors who can do the same. Here at GreyNoise we’re committed to doing just that. We’re excited to share how AI is already empowering our security—and we can’t wait to see what’s next.
Welcome to our Monthly Roundup, where we curate a unique mix of articles, books, podcasts, and more that have captured the attention of the GreyNoise team. From deeply technical articles to literary treasures, join us on this eclectic journey through the media that sparks our curiosity each month. Explore + discover as we share the gems that have fueled our inspiration!
🐲 Thoughts: It's a Norse-inspired fairytale incongruously grounded in the very real history of the Byzantine Empire and Eastern Europe; beautifully humane and strikingly alien. It also might be the lost ancestor of all the princess-and-dragon subversions that are so (thankfully!) common these days.
Why I like it: It's a real page turner of a horror novel about quite literally facing your demons. Highly recommend it if you like horror, if you are socially awkward and want a relatable protagonist or if you like books about queer people taking down a conversion therapy camp.
Thoughts: Great book that I think I'll keep coming back to; this is my second time, as I always seem to find something new. It's a nice, albeit brutal, reminder that life is short and time cannot be "managed" the way other productivity books would make it seem. You will always have to make sacrifices; just make sure you pay attention to what you're sacrificing.
Why I liked it: In a similar vein, I read Slow Productivity. Not my favorite by Cal Newport, but it was still a good read. Probably not a lot in here that you haven't heard before but probably don't think about regularly. Still, there was some great insight, especially in regard to the difference between "obsessing over quality" and "perfectionism." Definitely recommend it for the productivity nerds.
Why I like it: A recommendation by a co-worker, Mike Baker, exploring the results of a study done by CEB on behaviors and attitudes that drive performance in complex sales in-spite-of market fluctuations. The authors were surprised that they did not arrive at their hypothesis, so it makes a highly interesting read backed by research data.
Thoughts: This one is taking some time, clocking in at a thick 400 pages, but Andreas Malm did an impressive amount of cited research constructing a narrative that challenges the traditional thinking that energy production was driven by market forces, arguing instead their hypothesis that it was not economic incentive, but centralized control of labor and means of production. Malm offers a deep dive into the political and social ramifications of disrupting the status quo of fossil fuel-driven infrastructure.
TLDR: The premise is to demonstrate the catastrophic consequences of cyber warfare in a modern-day, fictional setting. The series starts with "CyberStorm," and is centered around a blizzard that's compounded by a cyber attack. Mather uses it to explore the fragility of urban life when faced with the breakdown of logistical systems and the ensuing chaos that disrupts the fabric of civilization.
In "CyberSpace," the story picks up six years after the events of "CyberStorm," with the original protagonist reuniting with old friends amidst rising international tensions and a new wave of satellite destruction that cripples global communication. "CyberWar" concludes the series with a depiction of the world's militaries struggling to cope with the aftermath of a Chechen separatist attack that has decimated thousands of satellites, leading to widespread power and communication failures. It does require some suspension of disbelief, but it's not "farcical" and would likely be a good read for cyber folk. The narration in the audiobooks is 👍
Thoughts: If you ever wonder why everything's fucked in Housing, Healthcare, Retail, Prisons, Income Inequity - this book will shine a light on the people screwing up America and how the government made it easy for them. They gobbled up your houses and affordable/quality healthcare, and now they're trying to get their grimy paws on your 401K (I'm feeling...angry but informed). [Editor was told not to remove profanity, that’s how worked up this book has gotten her]
Thoughts: I love Will Larson's insight. He has given so much insight into how effective Engineering organizations should run. Staff Engineer focuses on the technical leadership career track.
Why I like it: If you ever thought that "good management" is just a "gift" or something people just get, this "textbook" (Yes, I read textbooks for fun 🤓) breaks down mgmt into system-level constructs. One of the best books I have read in a long time.
Why I like it: I've always felt like there was more to her story than what I saw on the news, and it turns out that was true in ways that make me want to drop kick half the music industry into the sun.
Why I like it: I am reading both of these books at the same time, I like to play both sides, so I always end up on top. These books are great if you want to feel just a little bit paranoid
Why I like it: As a college dropout and "self-taught" dev, I've always felt like a bit of an outsider when folks start talking about computer science topics. This has been filling in those gaps in a really approachable way that I feel will make me a better engineer in the end.
Why I like it: If you're interested in the tech market and enjoy financial analysis from insiders, check out this new podcast from VC investors Bill Gurley & Brad Gerstner. I'll shoutout the episode with Box's CEO/cofounder Aaron Levie as especially interesting and entertaining.
Thoughts: My former genetic engineering self revels in Sapiens’ ending on essentially the intro of RNAi and CRISPR into the realm of medicine, Homo Deus is more on the “what’s going to happen next” for humans with the continued advancement of technology (not just medicine).
(Bonus Article: in case anyone wants to nerd out on those RNAi days of mine when my friends referred to me as the “Lord of the Flies.”)
I started GreyNoise in 2018 by myself in an apartment in Arlington, Virginia to bring visibility into what scanners and attackers were up to on the Internet. My theory at the time was that the edge telemetry from a single internet-exposed device or sensor was not useful or interesting, but the edge telemetry of a large, diverse set of internet-exposed devices or sensors would tell really interesting stories in aggregate. Better yet, I figured if this feed of data was enriched and analyzed properly and was directly integrated into the tools being used by security analysts around the world, they would have more context on the threats they were responsible for defending their organizations against.
The first pain point this approach solved for customers was alert fatigue: Security analysts could now easily “subtract” all the internet noise, automated attacks, and benign scanners from the attacks targeting their networks, giving them a cleaner signal of which targeted attacks to focus on. I closed a handful of customers for this use-case, raised some money, and hired a small team of incredibly talented people. Since then, GreyNoise has launched community and enterprise products that are trusted by tens of thousands of security practitioners, our customer-base includes over 150 of the most advanced organizations in the world, and our team has grown to over 50 of the smartest people I’ve ever known. We’re integrated into the most widely deployed security products and are cited by government intelligence agencies and news media on a near weekly basis.
As we continued to refine the security efficiency use-case at GreyNoise, a second use-case started to emerge: Every time a critical software vulnerability was disclosed, security analysts were left in the dark about whether attackers were actually exploiting it in the wild or not. Simultaneously, many of the times this would happen, we would start to see interesting new shapes and patterns show up in our raw sensor data. At first, this happened a few times per year. Now this happens every week.
Initially, we would detect in-the-wild exploitation by luck. But this use-case quickly became the most frequently asked by customers, as it was something they were not getting fast enough or clearly enough from their other vendors. So, at GreyNoise we started investing in new approaches that would enable us to consistently detect in-the-wild exploitation of software vulnerabilities within minutes. Not once, or twice, but every single time. We re-invented our core sensor and data processing architecture, deployed sensors to hard-to-reach places, and partnered with other security companies to get further and further ahead of attackers.
Entering 2024, a few things feel different:
Our business and employee-base is bigger now than I had imagined in 2018.
Critical vulnerabilities in widely-deployed software are being disclosed faster than ever.
A critical mass of our customers are asking for our help to keep their networks safe, not just make their security teams more efficient.
AI changes the equation in ways we don’t yet fully understand.
These are all really hard problems. As such, last year I started looking for a partner to take over the business so I could focus on the things I’m uniquely passionate about. I found that partner in Ash Devata.
Ash is relentlessly customer and employee-focused. His reputation in the security industry is phenomenal, and his experience at the intersection of technology and business is unbeatable. I could not be more grateful or excited to partner with him to continue growing GreyNoise. I’ve spent the last few months getting to know Ash and, after every conversation or dinner we’ve had, I am more and more impressed with his outlook and thoughtfulness. Ash is joining us from Cisco where he was Vice President and General Manager for the Duo and Zero Trust business. He joined Cisco by way of acquisition from Duo where he built and ran a world-class Product organization since the early days of Duo. Ash’s brain and my brain are very different, but our hearts are very much the same.
Moving forward, I’ll be stepping into the role of Chief Architect at GreyNoise. My job will be to drive technical innovation specifically to stay ahead of cyber attackers, evangelize our products to the security community, set and implement our AI strategy, trawl through our data to document and understand attacker tactics, and be the first and most critical user and customer of our own products. It’s literally my dream job.
My ask to all of our customers, users, partners, and followers is that you greet Ash as warmly as you have always greeted me.
I have never been as excited as I am now about the future of GreyNoise and serving the broader security community.
TL;DR: The team learned valuable lessons from the experience, such as the satisfaction of decluttering, discovering tech issues with file sharing, and improving version control. They recommend planning the event well in advance, involving team members in identifying priorities, and considering including training elements for better file management.
Why I like it: Now that we have a new Sentinel integration, I've been using it more and more (sorry Splunk!). One of the first things that I needed to do was get some data in to learn how to actually write a KQL query instead of just copying and pasting and hoping that it works. I've been using this blog by Martin Rothe to get honeypot and Suricata data into Sentinel to start building out some pretty slick dashboards.
Why I like it: Business Wars is an entertaining and informative storytelling of the historical milestones of two corporations competing with each other. I love it for long car rides especially. They have covered a VARIETY of wars. They range from things like “Nintendo vs. Sega vs. Microsoft”, “Starbucks vs. Dunkin”, “Covid Vaccine Wars” and “Crypto Wars”.
Why I liked it: Listened to this audiobook on my morning walks. The challenges that Nike faced, the great team that Phil built, and the singular focus and determination he had in the early days of Nike resulted in a captivating and entertaining read.
The GreyNoise Labs team is proud to have hosted the GreyNoise NoiseFest 2023 CTF - who knows if we will do it again, but we had fun, so here’s a walkthrough on how and why we did it.
But first: your winners!!
1st: t3mp3st w/ 4060 points in 5 days, 2 hours, 24 minutes and 19 seconds
2nd: An00bRektn w/ 3060 points in 1 day, 2 hours, 9 minutes and 57 seconds
3rd: jk42 w/ 3060 points in 19 hours, 35 minutes and 27 seconds
4th: mtaggart w/ 3060 points in 1 day, 0 hours, 24 minutes and 18 seconds
Honorable Mention: MyDFIR for the early lead
We’re incredibly proud of everybody who even attempted to play - all 280 participants! Our community team has contacted the winners, and they will be receiving some sweet swag as a prize, plus 1st, 2nd, and 3rd places are getting a beautiful trophy.
Crafting the CTF was one of the best parts of hosting the competition. Competitors in the CTF may have noticed that there was no usage of GreyNoise - and that was by design. When we thought about all the cool things we do daily on the Labs team, we narrowed it down to around 25 tags with CVEs that have led us down rabbit holes or taught us something interesting about how the internet works.
We used these selected examples and packaged them in industry standard PCAP format and set our community loose on the CTF challenges. This allowed us to observe the methods, tools, and pain points in dealing with network traffic that may defy typical expectations. We know that this format of network capture is the highest level of proof that something occurred - the direct record of bytes on the wire. A detection engineer is not only familiar with PCAP but may even live in it daily, noticing how bytes live and breathe just as the GreyNoise Labs team does.
Our new sensor fleet also captures full PCAP, and we wanted to hype that fact! Any difficulties encountered with a single-packet CTF challenge will be grossly exacerbated when working with millions of real-world packets. We’re greatly looking forward to analyzing the pain points from this CTF and providing the tooling that our Detection Labs team and the community need to make network analysis a pleasure to work with. Your feedback has been heard!
(The final scoreboard)
So we learned some things about hosting a CTF - mainly that creating “medium level” challenges in a PCAP-based CTF is hard. We also learned that we like trivia - the challenge “fullsignature” is an excellent example of this, where the answer was the name of the patent holder and original author for the MSMQ protocol. Most importantly, we learned that our community is SUPER SMART in PCAP. Some of the players have done writeups already (this one by An00bRektn, or this one by t3mp3st), and if you’d like to walk through the challenges yourself, we’ve uploaded the challenges and associated PCAP to GitHub at https://github.com/GreyNoise-Intelligence/NoiseFest-CTF-2023/
Altogether, we learned a lot from this experience and had a great time crafting and solving each other’s challenges here on the GreyNoise Labs team. We look forward to hosting again!
GreyNoise today announced that it achieved SOC 2 Type 2 compliance in accordance with American Institute of Certified Public Accountants (AICPA) standards for Systems and Organizational Controls (SOC). Achieving SOC 2 compliance with unqualified opinion serves as third-party industry validation that companies provide best-in-class enterprise-level security for their customers’ data.
SOC2 is a difficult undertaking, especially if you do not have dedicated compliance or security resources who will contribute to creating the policies and implementing the changes. If you take one thing away from this post, let it be this: hire for Systems Administrator and IT operations roles before you think you need them because it will be too late by the time you do need them. Systems Administration tech debt and work is an exponential curve; the longer you go without them, the harder it becomes to fix. Aside from the struggle of collecting evidence through screenshots and questionnaires, both systems administration and engineering cycles will be required to meet the framework standards and controls.
Foundation
SOC2 is broken out into five pillars:
Security of a service organization's system.
Availability of a service organization's system.
Confidentiality of customer information.
Processing integrity of a service organization's system.
Privacy of customer personal information.
Approaching the controls one-by-one can be a daunting task. We found it was more manageable to divide the process into general phases, the last of which is the audit itself.
Phase 1 - Pick the platforms
Our advice here is to not go it alone. From evidence collection and auditor documentation delivery to infrastructure and compliance control scanning, there are myriad different vendors which make every step of the process easier. Take time choosing the auditor that is right for you. Some are very “by the book” and others will be more lenient on “acceptable risk” controls.
You will need platforms for a lot of controls - including SAST, vulnerability scanning, asset tracking/management, version control, and more. For the most part, free open-source software exists for each step along the way. We found it best to mix and match, opting for paid platforms where open-source implementation was going to take too much engineering time value away from other ongoing projects. For example, gosec and tfsec for some language-specific SAST scanning, CloudFlare’s Flan for internal vulnerability scanning, and Grokability Snipe-IT for asset management versus GitHub Advanced Security licenses, Tenable Nessus, ServiceNow ServiceDesk, or Oomnitza. These latter are perfectly useful products, but it’s important to decide what you want to pay for versus what you can run yourself for free. The value any company puts on each function or service the platform provides compared to the cost or time value of money will be different.
The two direct SOC2-specific platform choices are the auditor and the compliance automation platform. SOC2 is significantly more difficult without a compliance automation platform - we estimate using such a platform saves over a hundred hours of work.
Auditors: Check which audit firm was used when you collect your SOC2 and SOC3 reports from your vendors. Turn that list into your potential auditor review list, and make a decision for an audit firm based on your meetings and due diligence with those firms. GreyNoise went with Prescient Assurance. They have a security arm that can provide your third-party penetration test, which is optional for SOC2, for a bundle discount.
Compliance Automation: Auditors will need access to a mountain of evidence in the form of read-only access to your environment, screenshots, and questionnaire answers. This is made easier with a compliance automation platform. Whereas an audit firm may not have a process in place for provisioning roles for their access, compliance platforms do, and they make it easy to both roll out and roll back. GreyNoise decided to use SecureFrame because its pricing, offering, and overall functionality and features were more directly suited to our needs. Some other popular options include Drata, Vanta, HyperProof, Anecdotes, and Tugboat Logic.
Phase 2 - Knock out the big stuff
Implement, document, and be able to explain the following eight “heavy-hitters”.
SSO and IAM
PRs, CI/CD, and Version Control
SIEM or Centralized Logging
Infrastructure and Provisioning
MDM
Vendor Management
Scanning
CorpSec
SSO and IAM
Set up Okta, Google Cloud Identity, OneLogin, Azure Active Directory, or Auth0. The choice here depends on what technology you are already using for business productivity. If you are already using Office 365, then Azure Active Directory is the easy choice. If you are already using Google Workspace, then Google Cloud Identity may be the best option. When an employee logs into anything, they would ideally use their work credentials as much as possible. Enforce multi-factor authentication everywhere. Ditch single-user access and access keys and switch to “AssumeRole” if you are leveraging AWS, GCP, or Azure. In our environment, we added SAML tokens to each user in Google Workspace allowing them to assume a role (Read Only, Billing, Administrator, etc.) in the corresponding AWS accounts.
Set a secure password preference order:
Require login via SSO (Okta / Google Cloud Identity)
Require sign in with Google Workspace or Office 365
Require 2FA with standard login OR “magic” link
Standard login
Leverage an organization-wide password manager like 1Password or Bitwarden, with separate “vaults” for departments and roles. Use something with automatic detection of weak or reused passwords, and enforcement of strong password policies.
PRs, CI/CD, and Version Control
Implement some approval processes for your pull requests. Don’t limit it to just a manual review by engineering management or leadership. Include automated unit, integration, and end-to-end tests and code scanning to ensure builds are passing and security policies/controls are green. Diagram out the overall process.
You will need different environments - such as development, staging, and production. Deployments move across each, and are tested in each before actual implementation in the production environment. Ideally, changes to these environments would be tracked and dictated by GitHub, GitLab, BitBucket, or some other code version control platform.
SIEM or Centralized Logging
A SIEM is not a requirement for SOC2, but extensive logging capabilities with alerting are. If there is a resource or storage essential to the operation of your product or business, access and audit logs for the resource should be easily retrieved and reviewed.
If an employee logs in to a resource from Washington, DC and then logs in from Seattle, WA, a few moments later from a different device, you need to know about it immediately through logging or block that second login altogether. If 100GB of data is downloaded from an S3 bucket when the daily average is 10GB, alarm bells should go off. Establish what “normal” is, and have a process in place to regularly review anomalous activity or anything outside of that normal bound.
Collecting logs will help you in post-incident response situations. Regularly reviewing and alerting on those logs will help you to avoid post-incident response situations.
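The two checks described above (a Washington, DC login followed moments later by a Seattle login, and a 100GB download day against a 10GB daily average), sketched as an added example. This is not GreyNoise's code: the log fields, the 900 km/h speed limit, the 50 km jitter floor, the 3x volume ratio and the three-day minimum baseline are assumptions, and all sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (not real logs): user, ISO timestamp, city, lat, lon, device.
LOGINS = [
    ("alice", "2023-05-01T14:00:00", "Washington, DC", 38.9072, -77.0369, "laptop-1"),
    ("bob",   "2023-05-01T14:01:00", "Washington, DC", 38.9072, -77.0369, "laptop-7"),
    ("alice", "2023-05-01T14:05:00", "Seattle, WA",    47.6062, -122.3321, "phone-9"),
    ("bob",   "2023-05-01T18:30:00", "Washington, DC", 38.9072, -77.0369, "laptop-7"),
]

# Constructed daily download totals in GB per bucket, oldest first; the last value is "today".
S3_DAILY_GB = {
    "customer-exports": [9.0, 11.0, 10.0, 10.5, 9.5, 100.0],
    "static-assets": [4.0, 5.0, 4.5, 5.5, 5.0, 6.0],
}

MAX_SPEED_KMH = 900.0    # assumption: roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0   # assumption: ignore IP-geolocation jitter inside one metro area
VOLUME_RATIO = 3.0       # assumption: alert when today exceeds 3x the trailing average
MIN_BASELINE_DAYS = 3    # assumption: history needed before "normal" means anything


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive logins by one user whose implied speed exceeds max_speed_kmh."""
    by_user = defaultdict(list)
    for user, ts, city, lat, lon, device in logins:
        by_user[user].append((datetime.fromisoformat(ts), city, lat, lon, device))
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])  # logs rarely arrive in order
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev[2], prev[3], cur[2], cur[3])
            if km < MIN_DISTANCE_KM:
                continue
            hours = (cur[0] - prev[0]).total_seconds() / 3600
            # Simultaneous logins from distant places imply infinite speed.
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": prev[1],
                    "to": cur[1],
                    "km": round(km),
                    "minutes": hours * 60,
                    "device_changed": prev[4] != cur[4],
                })
    return alerts


def egress_anomalies(daily_gb, ratio=VOLUME_RATIO):
    """Flag buckets whose latest daily volume exceeds ratio x the trailing average."""
    alerts = []
    for bucket, series in daily_gb.items():
        if len(series) < MIN_BASELINE_DAYS + 1:
            continue  # too little history to establish a baseline
        history, today = series[:-1], series[-1]
        baseline = sum(history) / len(history)
        if baseline > 0 and today > ratio * baseline:
            alerts.append({
                "bucket": bucket,
                "baseline_gb": baseline,
                "today_gb": today,
                "ratio": round(today / baseline, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(LOGINS) + egress_anomalies(S3_DAILY_GB):
        print(alert)
```

Both thresholds need tuning against your own baseline; VPN egress points and scheduled bulk exports are the usual sources of false positives.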
Infrastructure and Provisioning
Have a reproducible process in place for spinning up infrastructure resources. This can be implemented with Infrastructure as Code and configuration management tools like Salt, Ansible, Terraform, Chef, Puppet, or CloudFormation.
SOC2 will be significantly more painful if infrastructure in your environment is created manually by the engineering or IT team without an approval process or automation. GreyNoise infrastructure is entirely in Terraform and Salt. This way, approval and automation are shared with the CI/CD and pull request pipeline. If a process already exists that can be leveraged, it will save time.
The general idea here is that you should do as much as possible NOT in the web console for something like AWS, Azure, or vCenter. Take note of any actions you perform in the web console - this is your automation list.
Mobile Device Management (MDM)
Install an MDM platform on all company-owned desktops, laptops, and phones: any device which will access the internal systems of your product or customer data. Roll out the “compliance” packs for SOC2 to enforce things like password complexity, disk encryption, and software update cadence.
This is a crowded space, often undergoing expansion and consolidation. Fleetsmith was a great Mac OS and iOS MDM tool. Apple acquired the company and quickly removed all capability to install third-party (non-Apple and non-App Store) apps. Apple killed the product two years after the acquisition. The gold-standard for Mac OS and iOS seems to be JAMF/JAMF Pro.
GreyNoise ended up splitting MDM platforms - one for Mac and one for Windows/Linux. It is a difficult choice to make between a broader platform that covers three Linux distributions, Windows, and Mac OS at a percentage of what you need and two or three platforms that cover almost all of what you need for each.
Vendor Management
A lot of time will be spent on scoring vendor risk based on their operational reliance and the data they access or contain. Part of SOC2 requires collecting compliance reports from these vendors (SOC2, SOC3, ISO 27001, etc.) and reviewing them annually. A comprehensive list of vendors is an important one to keep up to date for both compliance and cost control reasons.
In developing this list, GreyNoise found a handful of vendors we were still paying but either were not using or whose service/functionality was duplicated by another platform. Ultimately, SOC2 required us to enumerate our vendors and generate a Software Bill of Materials (SBOM), and it led to cost savings by eliminating or consolidating redundant platforms.
Scanning
An understandably broad topic, but for SOC2 specifically you should be scanning for:
Vulnerabilities in dependencies/packages
Vulnerabilities in infrastructure in general - both internal and external
SOC2 compliance controls
Each finding should have a rating from informational to critical, and each rating should have a time-to-resolution SLA which dictates how quickly you must respond to and remediate it. There are some free solutions which offer compliance control monitoring, such as Steampipe compliance packs for AWS. GreyNoise decided to partner with SecureFrame to streamline the monitoring of these controls and to provide auditors with access to our provided documentation and evidence quickly and securely. A compliance automation vendor is strongly recommended for time and sanity's sake.
CorpSec
SOC2 includes some business operational aspects which will encompass a few different departments or teams in your organization. The following are some examples required for SOC2:
Background checks for employees.
Annual security and privacy training for employees.
Documented processes for onboarding, offboarding, encryption, data retention, etc.
Regular board meetings, with meeting minutes and bylaws.
Quarterly access security reviews.
Job descriptions for all roles.
Many compliance automation platforms include auto-generated policies which require slight tweaking and adjustments to pass the “policy” controls. Invest time in either writing your own or significantly building on the automated policy output from your compliance platform. There are plenty of great security companies who publicly publish their policies (https://tailscale.com/security-policies/) which you can build on and adapt to your needs. GreyNoise will also publish our policies in the near future.
Phase 3 - Red to Green
Failing controls and tests will pop up after rolling out the compliance automation platform. The time to resolve these controls varies significantly, so expect this phase to take the longest. In our experience, the controls that took the longest to flip from red to green were “all data encrypted in transit” and “all data encrypted at rest”.
You will want to resolve these tests until at least 90% are green before kicking off the audit itself. Work with your team to bucket the failing controls, and turn them into issues or projects to be assigned. You can even provide screenshot evidence of these projects and issues as proof of your organization’s incident tracking from discovery to resolution for the SOC2 audit.
This is the phase which will likely take the most time, money, and effort from your team. Unless you “shifted left” right out of the gate and began developing on day one with a security mindset baked in, plan to dedicate a few weeks or a couple of months to remediating failing controls.
Part of the phase also includes screenshot and evidence gathering. SecureFrame helped GreyNoise to easily organize this evidence and gave us an easy way for auditors to access it. This may take several days or weeks to complete and you will wind up with hundreds of screenshots, documents, templates, and examples.
Phase 4 - Audit
One thing to note is that you will never see a failed SOC2 report or audit. You either get a report or not. If you fail to get a report, you can always try again when you are better positioned. Failure means you get to try again until you succeed. Success means you still need to do it again next year.
Timeline
From project kickoff to completion, SOC2 took GreyNoise about 18 months for the first time. Recertification, which needs to be completed annually, will take us about four months moving forward.
The time to complete SOC2 accreditation can be greatly reduced by dedicating more resources to the implementation and maintenance of compliance. The shortest amount of time we imagine possible for first-time SOC2 accreditation is six months.
Keep in mind that you will be reperforming the audit exactly one year after you receive the accreditation. You may decide to add some other compliance certifications, such as ISO 27001. As time goes on and your company grows, compliance becomes harder and will require a dedicated team.
Two Audits
The audit process is broken down into two phases, Type 1 and Type 2. Type 1 is a short audit period, usually a couple of days, and Type 2 is longer, usually between 60 and 90 days.
Type 1 means you meet the audit criteria at a single point in time; Type 2 means you maintain compliance with those same criteria over a period of several months. In other words, Type 1 is meeting the compliance standard, and Type 2 is maintaining that compliance standard with any changes over time.
Conclusion
Here are some of our opinions, takeaways, and advice:
SOC2 will take you longer than you think
Hire System Administrators and IT operations early, as part of the first 20 employees
Use a compliance automation platform to save time and effort
Break out compliance with the framework into phases, with the audit happening last
Plan to build a compliance team to manage the process in the future
Treat documentation as a first-class citizen as early as possible
Use SOC2 to change process for the better, not just as a compliance checkbox
The way your organization approaches SOC2 compliance can be the easy way or the hard way. The easy way is to treat compliance like a checkbox and do the minimum to pass the audit. The hard way is to take the input and output from the framework and make significant changes to processes to bake in security as a priority early on for everyone. For those serious about security, the hard choice is easy to make.
GreyNoise is built on a strong foundation of mutual respect from our community. While we love doing swag drops on Twitter (or maybe Bluesky - anyone have an invite?), we wanted to recognize community members that go above and beyond.
Enter the GreyNoise Ambassador Program! We couldn’t think of a better way to celebrate our users' constant support, spirit of collaboration, and mentorship within our community. I’m here to answer all your burning questions about the program and how you can apply!
Who Is the Ideal Ambassador?
Ambassadors are pillars of the GreyNoise Community. This program celebrates their efforts to support community growth and accessibility, focusing on three key elements:
Collaboration: This is not only sharing information, detection, or memes with the team at GreyNoise but with each other! We all win when we share.
Mentorship: People who are helpful and educate their peers.
Transparency: This is a core GreyNoise belief that you can and should be honest whenever possible.
Ambassadors are folks who have dedicated time and resources to bettering GreyNoise, whether through continuous feedback, bug reports, integrations, conference talks, or they’re just deeply dedicated to reducing Internet Noise.
Why Join the Ambassador Program?
If you are on the fence about being an ambassador, let us tell you about the perks you get:
Premium swag (see below)
5 VIP passes to give out to your friends, in line with our VIP guidelines
Early access testing for any new GreyNoise features and products (including the forthcoming GreyNoise honeypot)
Swag sneak peek!
What Is Expected of Me As An Ambassador?
In exchange for being our Ambassador, we ask that you will do 1 or more of the following:
Lead a “How I Use GreyNoise” session (these can be pre-recorded or live & public)
Participate in a product feedback session
Write a guest blog
Speak at a GreyNoise event (In person or virtual!)
Continue to spread the word about GreyNoise :)
Your term as an Ambassador will last a year, and when Spring 2024 rolls around, you will be asked to reapply.
How Do I Apply?
If this all sounds good to you, we ask that you fill out this application. We will evaluate applications until the end of May and send notice to our Ambassadors in early June!
If you have any questions, don’t hesitate to reach out to the Community team.
At GreyNoise we recognize the value of partnership and intelligence sharing when it comes to protecting internet citizens. Today the GreyNoise Labs team wants to give a shoutout to Trinity Cyber.
Last week the Threat Analysis team at Trinity Cyber reached out to GreyNoise providing evidence of exploitation for CVE-2023-1389, a command injection vulnerability in TP-Link Archer AX21 firmware. With the provided information, in under two hours, GreyNoise deployed a tag to detect and confirm exploitation in the wild. You can read more about this here.
Shortly after shipping that tag, Trinity Cyber then provided evidence for five more CVEs which we were able to get tagged and published this week for all of our users! They are as follows:
CVE-2023-0640: a remote code execution vulnerability in TRENDnet TEW-652BRP
CVE-2023-27240: a remote code execution vulnerability in Tenda AX3
CVE-2019-20500: a remote code execution vulnerability in D-Link DWL-2600AP
CVE-2022-29303: a remote code execution vulnerability in Solarview Compact 6
CVE-2022-27002: a remote code execution vulnerability in Arris TR3300
Thank you for your transparency and continued support, Trinity Cyber! Together we make the internet safer.
At GreyNoise, we're excited to announce that our Voluntary Product Accessibility Template (VPAT) is now available. We believe that everyone should have equal access to our product and service, regardless of their disabilities or abilities. By providing a document that evaluates our product's accessibility for people with disabilities, we are taking a step forward in ensuring that our product meets the needs of all users. We are committed to creating an environment that is inclusive and accessible to everyone, and we believe that our VPAT is an essential part of this initiative.
What is a VPAT?
VPAT stands for Voluntary Product Accessibility Template, which is a document that outlines how accessible a product or service is to individuals with disabilities. It provides information on how well the product or service conforms to the Web Content Accessibility Guidelines (WCAG) and other accessibility standards. It's an important tool for ensuring that everyone, regardless of their abilities, can use and benefit from our product and service.
What does a VPAT contain?
A VPAT is a detailed report on how well a product or service conforms to accessibility guidelines such as Section 508 of the Rehabilitation Act in the United States. It typically contains information on the product's conformance to accessibility standards, including how it complies with various criteria related to accessibility, such as keyboard accessibility, color contrast, and assistive technology compatibility. Additionally, the VPAT provides details on any known limitations or barriers that may exist for users with disabilities and any plans for future development or improvement.
Why is a VPAT important?
Accessibility is a fundamental human right, and it's crucial that our product and service are designed with everyone in mind. People with disabilities make up a significant portion of the population and deserve equal access to information and services. A VPAT is a valuable tool for organizations to demonstrate their commitment to creating and providing accessible products and services, as well as fulfilling legal obligations. By completing a VPAT, we're ensuring that GreyNoise is accessible to as many people as possible.
Why is accessibility important?
Accessibility is important because it ensures that everyone, regardless of their abilities or disabilities, can access and use our platform. In the United States, approximately 61 million adults have a disability*, representing a significant portion of the population. By making our platform accessible, we're opening up our product and service to a much broader audience, leading to increased engagement, more meaningful interactions, and, ultimately, better outcomes for everyone.
In addition, accessibility can lead to better user experiences. People with disabilities may face significant challenges when accessing websites or online tools not designed with their needs in mind. By making our platform accessible, we're reducing these barriers and making it easier for everyone to use our product and service.
What's next for GreyNoise's accessibility efforts?
At GreyNoise, we're committed to continuous improvement. We're constantly looking for ways to make our platform more accessible and inclusive. In addition to providing a VPAT, we're also working on other accessibility initiatives, such as improving our keyboard navigation, adding alternative text to images, and ensuring that we meet accessibility standards.
We believe that accessibility is an essential part of our platform, and we're committed to making our tools and services accessible to everyone. By providing a VPAT, we demonstrate our commitment to accessibility and inclusivity, which can lead to a better experience and outcomes for everyone. We look forward to continuing our accessibility efforts and making GreyNoise a platform everyone can use and enjoy.
Yesterday, our founder & CEO, Andrew Morris, got to join Ed Bailey from Cribl for a live stream conversation discussing how to help SOC analysts overcome common struggles and improve security detections. Over the years, we’ve built a great relationship with Cribl and truly believe in our “Better Together” message. The Cribl + GreyNoise integration is available now, so if you want to learn more about it, let us know.
Check out the full live stream below:
The Highlights
GreyNoise Released the Triple Threat
During the conversation, Andrew mentions our new product features. We put out a series of blogs and a press release last week if you want to learn more.
You can feel Andrew’s excitement when Ed poses this question. Here is how Andrew broke it down:
The internet is extremely noisy.
The SOC is being asked to "do more with less."
False positives are wasting their time.
In addition, Ed explains that 30% of your detections are things that just don’t matter. With better data & context (like GreyNoise) you can finally ignore the noise. This prevents wasting hours and hours analyzing alerts and events that don’t matter.
All Logs Are NOT Created Equal
Some security teams are left with the problem of determining which logs matter, or with the belief that storing logs or processing data is all or nothing. Those with years of experience in the SOC know this isn’t true. Not only do different event types have different analytical value, but also logs from certain places matter more than others. So, how do you scale this knowledge?
Stop Chasing Ghosts
So what does GreyNoise do? We help our customers understand the alerts and events that DON’T matter. It’s kind of the opposite of a typical threat intel feed. By eliminating the noise you can focus on what really matters.
Cribl + GreyNoise Are “Better Together”
GreyNoise solves the problem of what log content matters and what is noise.
Cribl allows you to use that GreyNoise insight to funnel and store your logs in a way that optimizes for better detections, lower bills and faster decisions that result in a more secure organization.
Big thanks to Ed Bailey and the Cribl team for letting us join. Hopefully you found this information interesting and insightful. If you want to learn more about our Cribl integration, contact us.
Figuring out if a security product is right for you is hard. Beyond the technical problem it solves, you have to make a business case for why those with purchasing power in your company should buy your favorite security tool vs. putting the money to another use. Most of the time, the rationale is “Gartner says it’s cool” or “check out this testimonial that is definitely not from the company’s CEO’s cousin.” We wanted to take a more data-based approach, which is the inspiration for creating our ROI calculator.
To do this, we surveyed our customers, the people that pay us real-life dollars to use GreyNoise, about how our products have been used in their day-to-day work. We asked about their company: how big it is, what sort of security team they have, what sort of work they do, and the number and average time of investigations. We also asked about GreyNoise’s impact, how often it is helpful in an investigation/project, how much time it saves, threats found, IP coverage, efficiency gain, etc.
A screenshot of the new GreyNoise ROI Calculator.
From aggregating this data and segmenting it by the size of the company and type of work, we’re able to use real customer insights to give you an expectation of what GreyNoise’s value to your company could be. We know you love GreyNoise, and we hope this proves helpful when advocating to get the tooling you need to do your job effectively!
Not yet familiar with GreyNoise? We collect, analyze and label data on IPs that scan the internet and saturate your security tools with noise. This unique perspective helps analysts spend less time on irrelevant or harmless activity and more time on targeted and emerging threats. Sign up for our free plan to see for yourself!