As Log4j sent defenders scrambling, this startup made its threat data free


In the hours that followed the disclosure of the widespread vulnerability in Apache Log4j, one week ago today, defenders were scrambling. The enormity of the software flaw, found in applications and services used by just about every business, was overwhelming, and hard data to drive a defense strategy was in short supply.

Andrew Morris realized that he and his company, GreyNoise Intelligence, were in a unique position. The company operates sensors in hundreds of data centers worldwide, capturing data from around the internet that can pinpoint malicious actors and their activity. The 30-person company entirely focuses on this work, and so as word spread about the Log4j vulnerability and its impact on countless Java applications, the startup knew it had to get its data out there.

But how, exactly?

“We could push everyone to become a customer—which would have probably made us a lot of money,” Morris said. “Or, we could treat this as an emergency—and just get the information to as many people as we can, as quickly as possible, whether or not they’re GreyNoise customers.”

The company opted for the latter. That same day, it released its trove of data for free. This included a raw list of every IP address that was attempting to exploit the vulnerability, as well as data on potential compromises and the payloads being used by threat actors. The data was posted on public websites and did not require users to register, or provide any information at all, in order to access it.

And GreyNoise has been keeping that data current and updated on an hourly basis ever since.

Critical threat data

The data has been critical in helping defenders both to block known malicious actors, buying time to patch their systems, and to provide an overall barometer of the attack activity, executives at cyber vendors told VentureBeat.

“GreyNoise really led the way in detecting this activity on the internet and disseminating data for defenders,” said Jess Parnell, vice president of security operations at breach prevention firm Centripetal Networks. “They’ve basically provided the world indicators of who and what everyone should be shielding against.”

Because the list of known malicious IPs was distributed for free, defenders were able to feed it into their security tools and block those addresses at the perimeter. This essentially “crippled” much of the infrastructure used by attackers, Parnell said.

While not a permanent solution—attackers can always change their infrastructure—in this emergency situation it reduced the attack activity so that patching could be carried out, he said. Sort of a “flatten the curve” for the Log4j vulnerability.

“You’ve now bought enough time for your IT people to get in there and fix the issue before they’re compromised,” Parnell said.

In other cases, the telemetry from GreyNoise has been used to decide which issues should be the highest priority for customers, which is how attack surface management firm Randori has used the data, said Aaron Portnoy, principal scientist at the firm.

Attack insights

GreyNoise has also helped to provide crucial insights into who’s doing the attacks, where they’re coming from, and how sophisticated the attacks are, Portnoy said. “They’re letting people know that this is serious, and they’re giving data to back it up,” he said. “And they’re giving the information for free.”

Backed by venture investors and headquartered in Washington, D.C., GreyNoise, in more normal circumstances, offers its technology to help with reducing “alert fatigue” from the onslaught of security alerts that cyber tools produce. Users have also recently been using GreyNoise as an intelligence product to help identify compromised devices and the exploitation of novel vulnerabilities.

“Our goal as a company is just to solve internet background noise—to make sure that ‘opportunistic’ scanning and attacks aren’t something that people have to think about,” said Morris, CEO of the company, which he founded in 2017 following a stint in research and development at Endgame.

The Log4j vulnerability has been found to affect a broad swath of software and cloud services due to the ubiquity of the open source logging library. Interest in GreyNoise surged almost immediately after the vulnerability’s disclosure, including from the highest levels of industry and government, according to Morris.

‘Forget about the money’

From a technical perspective, the company had known right away that the bug was going to be very bad, Morris noted. “But we didn’t necessarily think that was going to be as apparent to the entire security community,” he said.

But suddenly, “we had members of leadership of major cloud hosting providers reach out to us. We had members of leadership of government organizations reach out to us. We had members of leadership of banks, and leadership of oil and gas companies, reach out to us,” Morris said. “A lot of our customers, and pretty much every prospect that we had in the pipeline at the time, was reaching out to us. That was when we realized that this is a really big deal.”

In that moment last Friday morning, as the company realized how useful its data could be, a second thing became apparent. In getting the data out to people, there could be a lot of friction that would slow the defense effort, Morris said.

“And so we decided basically, ‘Forget about the money. Forget about getting users. Forget about any of that stuff,’” he said.

Surveying the damage

Now, a full week into the response effort to the Log4j vulnerability, aka Log4Shell, the way that people are utilizing the data from GreyNoise has shifted more to surveying the damage. People are using the data to figure out the likelihood that they have been compromised—and if so, from where—and then “cleaning out” the systems, Morris said. The data is now useful for “trying to evict the bad guys— hunting for any bad guys that might be still lurking on the systems or on their networks,” he said.
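The two uses of the IP list described above, blocking the listed addresses to buy patching time and then hunting logs for hits from them to judge whether and from where a host was touched, combined into one added Python example. This is not GreyNoise's code and does not use its real feed format or API: the feed text, the access-log lines, and the nftables table and chain names are constructed assumptions for illustration.

```python
"""Ingest an attacker-IP list, hunt access logs for hits from it, and emit block rules.

Added example; the feed format and log lines below are constructed, not real data.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample feed: one IP or CIDR per line, '#' starts a comment.
# A real feed should be re-pulled regularly (the article notes hourly updates)
# because attackers rotate infrastructure and a stale list loses value.
SAMPLE_FEED = """\
# addresses seen attempting exploitation (constructed example data)
198.51.100.23
203.0.113.0/24
2001:db8::5
"""

# Constructed sample access-log lines in a combined-log-style layout.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Dec/2021:14:02:11 +0000] "GET /login HTTP/1.1" 200 512
192.0.2.7 - - [10/Dec/2021:14:02:12 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.77 - - [10/Dec/2021:14:05:40 +0000] "GET /api/search?q=test HTTP/1.1" 500 77
2001:db8::5 - - [11/Dec/2021:03:12:09 +0000] "POST /upload HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_feed(text):
    """Return ip_network objects; bare addresses become /32 or /128 networks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_listed(ip, nets):
    """True if ip falls inside any listed network (v4/v6 mismatches never match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def hunt(log_text, nets):
    """Return one record per log line whose source address is on the list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        if is_listed(m["ip"], nets):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "request": m["req"],
                "status": int(m["status"]),
            })
    return hits


def hits_by_source(hits):
    """Count hits per source address, answering 'from where' for the incident record."""
    return Counter(h["ip"] for h in hits)


def block_rules(nets, table="inet filter", chain="input"):
    """Render nftables 'add rule' lines dropping traffic from each listed network.

    Assumes the table and chain already exist (names here are assumptions).
    Blocking is a stopgap that buys patching time, not a fix for the bug.
    """
    rules = []
    for n in nets:
        family = "ip" if n.version == 4 else "ip6"
        host = n.prefixlen == n.max_prefixlen
        target = str(n.network_address) if host else n.with_prefixlen
        rules.append(f"add rule {table} {chain} {family} saddr {target} drop")
    return rules


if __name__ == "__main__":
    nets = parse_feed(SAMPLE_FEED)
    for h in hunt(SAMPLE_LOG, nets):
        print(f"{h['ts']}  {h['ip']:<16} {h['status']}  {h['request']}")
    print(dict(hits_by_source(hunt(SAMPLE_LOG, nets))))
    print("\n".join(block_rules(nets)))
```

The hunt output is a starting point, not a verdict: a hit from a listed address shows the host was probed, and the response code and request path indicate whether the attempt reached a vulnerable code path, but confirming compromise still requires looking at what that process did afterwards.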

At this stage, while there’s still a significant amount of attempted exploit activity going on, “the fog of war is just now starting to lift,” Morris said. “Things have started to stabilize.”

Still, GreyNoise has begun to see a lot more “crafted” attacks that are tailored to specific software products that use Java heavily, he said. “That’s probably going to continue for some time,” Morris said.

All in all, “the long tail on this vulnerability is going to be pretty long,” he said. “It’s probably going to take a while for this to get completely cleaned up. And I think that it’s going to be a little bit before we start to understand the scale of impact from this.”

Sharing the data

Other companies have also had a lot of data on the attackers and exploits, of course. But others have not been as open about sharing it with the world as GreyNoise has been, Portnoy said.

“I just am extremely impressed with how they present their data, how community-focused they are, and how open they are with sharing in order to help defenders,” he said.

Morris said that he’s seen a few other cybersecurity vendors freely providing data and content that normally would’ve been behind a paywall during the past week—he mentioned Proofpoint as one example.

But on the whole, Morris said a lot more of that would’ve been justified in this situation. When the world is depending on a company with the size and resources of GreyNoise in a security crisis, “that’s never a good thing,” he said.

“We probably weren’t the only vendor who had useful information on this. We were just the only vendor who was willing to say, ‘We don’t care about making money on this. We want to just get this out because everything’s on fire,’” Morris said. “We’re just basically trying to make everything suck as little as possible for the security people who are going to be dealing with this nightmare over the next few weeks and months.”

Ultimately, “we all need to eat and we all need to grow our businesses,” he said.

“But sometimes things are sufficiently bad that you have to forget about that for a little while—and you just have to get the information out there as quickly as possible,” Morris said. “When there’s a sufficiently bad security event like this, for every security company out there that has something useful to say, they should be saying it—and not asking for anything in return. Forget about sales. Forget about marketing. We’re actually here to make bad guys’ lives as miserable as possible. That’s why we’re really here.”

Originally appeared on: TheSpuzz