GreyNoise Intelligence today unveiled a new tool that aims to help security teams to more easily block known attackers who are seeking to exploit critical vulnerabilities on a large scale.
Throughout the past two years, an especially “big, bad and scary” vulnerability has cropped up about once every two months or so, says GreyNoise founder and CEO Andrew Morris. The discovery of such vulnerabilities inevitably leads to a scramble among cybersecurity professionals, and “everyone freaking out about it,” Morris said.
The latest was the vulnerability known as Log4Shell, an easily exploited remote code execution (RCE) flaw in Apache Log4j. The RCE vulnerability in the widely used logging software component was disclosed on December 10.
The vulnerability in Log4j “was particularly bad,” Morris said. “But it made us realize, it’s just going to keep happening.”
GreyNoise operates sensors in hundreds of data centers worldwide, capturing data from around the internet that can pinpoint malicious actors and their activity. Shortly after the disclosure of the vulnerability in Log4j, the Washington, D.C.-based startup released its trove of data for free to the public.
Now, with its new tool, Investigate 4.0, GreyNoise is aiming to streamline what it did for Log4j for future vulnerabilities that are especially severe. The tool will provide defenders with access to information that they can use to make decisions — as well as a way to more easily do automated blocking for IP addresses that have been attempting to exploit the vulnerability, Morris said.
Protecting against exploits
For security teams, using the tool can buy some time while they patch their systems, he said.
“The strategy is, try to get out ahead of it as best we can and get as much information as possible about who’s exploiting the vulnerability at scale. And then, get that information to as many people as possible — in as low-friction a way as possible,” Morris said.
The way that GreyNoise has decided to do that is by providing dynamic block lists, which “people can feed into a ton of different security products — that just automatically update with the IP addresses of all of the hosts that are exploiting a vulnerability at scale,” he said. “So people can basically punch it in and just walk away.”
Investigate 4.0 is aimed at protecting against opportunistic “scan-and-exploit” attacks — involving vulnerabilities that affect the perimeter and are being exploited at a large scale. In addition to Log4Shell, other vulnerabilities that have fit these criteria include the Pulse Secure VPN vulnerability, EternalBlue (which was exploited in the WannaCry ransomware attacks), Azure “OMIGOD” and the recent Apache path traversal vulnerability, according to Morris.
Key capabilities for the GreyNoise Investigate 4.0 tool include rapid triaging of alerts based on classifications of the alerts as malicious, benign or targeted, and identification of trending internet-based attacks that are targeting certain vulnerabilities. The tool will also allow users to block and hunt for IP addresses that are opportunistically attacking a certain vulnerability, according to GreyNoise.
‘Less friction’ for users
With the new tool, “we’re really just trying to repeat what we did for Log4j — except do it at scale, do it all the time and do it with a lot less friction for the user,” Morris said.
A user with a free GreyNoise account just has to copy the link for a particular vulnerability and then feed that link into their security tool — such as a next-gen firewall or threat intelligence gateway, he said. The tool will then continually pull in the dynamic block list, keeping the list of bad hosts up to date, and will block those bad hosts, Morris said.
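The pull-and-refresh loop described above, as an added example that is not GreyNoise's code: it assumes a hypothetical plain-text feed (one IP per line, `#` comments), placeholder nft table and set names, and a previously loaded firewall set. It validates each pulled entry, refuses internal ranges so a bad or poisoned feed cannot block the organisation's own hosts, and emits only the delta since the last pull.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample of a freshly pulled list; the page names no feed format,
# so this "one IP per line, # comments" layout is an assumption.
FETCHED_LIST = """\
# hypothetical dynamic block list
203.0.113.7
2001:db8::5
10.0.0.4        # RFC 1918: a public feed must never block internal hosts
not-an-ip
203.0.113.7     # duplicate of an earlier entry
"""
CURRENT_SET = {"203.0.113.7", "192.0.2.99"}  # firewall set from the previous pull (constructed)

NEVER_BLOCK = [ipaddress.ip_network(n) for n in (  # never block these on a feed's say-so
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def parse_block_list(text: str) -> Tuple[Set[str], List[str]]:
    """Return (accepted IPs, rejected raw lines) for a fetched list."""
    accepted: Set[str] = set()
    rejected: List[str] = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            rejected.append(raw)  # malformed: keep for alerting, never block
            continue
        if any(ip in net for net in NEVER_BLOCK):
            rejected.append(raw)  # internal range: a poisoned feed cannot self-DoS us
            continue
        accepted.add(str(ip))  # normalised text form also de-duplicates
    return accepted, rejected

def reconcile(current: Set[str], fetched: Set[str]) -> Dict[str, List[str]]:
    """Diff the firewall's current set against the fresh list."""
    return {"add": sorted(fetched - current), "remove": sorted(current - fetched)}

def to_nft_commands(changes: Dict[str, List[str]]) -> List[str]:
    """Render the diff as nft updates; sets are per address family (names are placeholders)."""
    cmds = []
    for verb, key in (("add", "add"), ("delete", "remove")):
        for ip in changes[key]:
            fam = ipaddress.ip_address(ip).version
            cmds.append(f"nft {verb} element inet filter feed_block_v{fam} {{ {ip} }}")
    return cmds
```

Rejected lines are returned rather than silently dropped so the scheduler that runs this loop can alert when a feed starts returning garbage.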
GreyNoise, which has about 100 paying customers, is in the process of figuring out what features to offer to those customers on top of the free capabilities, he noted.
Ultimately, GreyNoise is seeking to learn from the Log4j experience, “so that the next time this happens — which it will — we’re a little bit more well-prepared,” Morris said. “We want to do as much as we can to make the problems suck less, for as many people as possible.”