Imagine this scenario: You're at a security operation center, looking through your firewall and Nginx logs, and you see an IP address scanning your network. Is it someone targeting you specifically or just mass scanning? How can you be sure either way? How can you know with certainty which incidents really matter?
GreyNoise Intelligence knows. The security company has found a way to collect omnidirectional Internet-wide IPv4 scan traffic and present researchers with the IPs that are targeting them specifically — thus creating a rock-solid negative ground truth of what everybody should expect to see when looking at their logs.
We had the good fortune to meet GreyNoise founder Andrew Morris at DEFCON 26. We were excited by the system that Andrew built and decided to make him our first interview of the year.
Andrew is a young entrepreneur who lives in Washington, DC. His interest in cybersecurity started early; by age 13 he was a hacker who put the word "grey" in his handle to trick people into thinking that he was from the UK. Andrew chatted with us about his background, how he started GreyNoise, why security people all come to Washington, and the origins of his obsession with finding out who is connecting to any given server.
SecurityTrails: In the past few years we've seen Washington becoming sort of a cybersecurity hub. As someone who is living there, what do you think is the reason for all these security experts coming here?
Andrew Morris: I would say that it's likely due to the federal government. All the headquarters of the federal agencies are here, which means all of their security has to be here as well. That has definitely led to the tremendous amount of cybersecurity DNA being here in the region. It's similar to New York City being the financial center and San Francisco having lots of startups.
So did the industry also bring you to Washington, or are you originally from here?
Andrew: I'm not originally from Washington. My parents were in the military and we've moved quite a lot, so I can't really say I'm "from" anywhere. But I've spent the majority of my life in South Carolina. So yes — the cybersecurity industry has also brought me here.
You should never give up on a potentially great idea even if the fifth time's a charm. Would you mind sharing the story about the beginnings of GreyNoise with our readers?
Andrew: I've been through many iterations of the system that ultimately became GreyNoise. It took a lot of time to get it to the system that's providing value and that people actually wanted to use.
I built the first version of GreyNoise in 2013; I set up a bunch of honeypots before realizing that the tremendous amount of traffic they were all seeing from different parts of the Internet had a lot of overlaps. Those weren't some sentient attackers, there was just a lot of traffic that was hitting the entire Internet, and once I figured that out I ended up building a similar system for different organizations and clients. In the meantime I left my job and tried proposing GreyNoise to a business partner but things went south from there. After 4 or 5 years of trying I was close to giving up and finding another job in cybersecurity, but I gave it one final go. A year and a half ago I built the alpha GreyNoise API and just exposed it to everyone for free and constantly tweeted about it. This time I knew I'd gotten it just right. Since then we've doubled our usage every month. It did take a lot of time and effort to get here, but I think that it will just keep attracting more people that see the real use and value.
Was GreyNoise a joyride project that somewhere in the process turned into a company, or did you know the direction of the project from the get-go?
Andrew: At the beginning it was hard to know whether it would be a science project or a business since nobody had done something quite like it. There were these systems of distributed honeypots but nobody had ever positioned them like we did, nobody repurposed that data and articulated it quite as we had. With nothing to compare it to, I had to figure out myself the value and adoption of this kind of system and the amount of money that people are willing to pay for it.
At the beginning I was 80% sure that it was going to be a science project, but as more and more people started to use it and as more organizations started adopting it, I started to realize that there was a business I can build around it. Now it has come to the point where this product is used daily and we have a number of enterprise clients that have GreyNoise integrated into their offerings, so I can say that I'm at 100% certainty that this can be a viable business.
You once said that every packet has a story. Is finding out that story the reason you've started GreyNoise?
Andrew: That's a big part of the reason. The etymology behind that specific phrase is that there is a tremendous amount of Internet-wide traffic that hits everybody, and it's easy to think that it's a natural thing, that it's a byproduct of the Internet, but it's not like that! It's not possible for traffic to be generated out of nowhere; there is a reason behind every packet, but some reasons and explanations are more complex than others. There is an answer to every one of them, so what we're trying to do is dig and find an explanation and context to many of these, to keep people more informed and efficient.
What is the most surprising or interesting thing you've seen from your data?
Andrew: The volume of data we see never ceases to amaze me. There are millions of devices constantly scanning and crawling the Internet. And every now and then we see something really weird. The most recent example of that would probably be the "mass printer episode".
Tell us a bit about your background. You've previously worked as a red teamer, right?
Andrew: That's right. I got my career started in infosec in offense, pen testing/red teaming. I did that for a number of years, doing rapid-fire full scope assessments for different customers, and around that time I started getting really interested in the Internet background and got a job at Endgame. My main role there was to red team the endpoint security product that was supposed to protect against advanced threats; I had to make sure these detection and prevention systems were hard to bypass. In the meantime I also was silently waiting for somebody to build the system that would later become GreyNoise. And when nobody did it, I thought, "Well, then, I should be the one."
Do you have experience in Internet scanning and did that bring you to actually track scanners? Or was your route always more passive, just as it is now with GreyNoise?
Andrew: There was a period of time that I did Internet scanning research. This was in 2012–2013. It was right around the time when Shodan was coming around and I did some work with mass scanning the Internet and macro-targeting sections of the Internet. But I was always more interested in the prospect of collecting that data, like I do now with GreyNoise. It's one thing to look and see how the Internet looks and map it, but I've always been more interested in knowing what everyone is looking for and working backwards from there. The fact that it's far more complex and fewer people are doing it is just more exciting to me.
GreyNoise helps security operation centers know which things matter and are hitting them specifically. What, for you, is the difference between a well-run SOC and a badly run one?
Andrew: Obviously I'm inclined to say that the difference is in them knowing which security alerts matter, but that's not even close to being the full picture. There are a number of factors that dictate the difference between a well-run SOC and a badly run SOC, and there are a limited number of sources, so the best thing to do is to stay on top of things and be proactive about threats.
You call GreyNoise an anti-threat intelligence. Tell us a little bit more about that.
Andrew: There are many cybersecurity companies telling people what to freak out about. Instead of doing that, we're trying to tell everybody what's expected and what not to be scared of. We're approaching the problem from the opposite direction: instead of piling more things onto people's plates, we're taking away the things that don't matter and providing the negative ground truth. Human beings are predisposed to be afraid of things; the fear resonates with everyone in a primal way, and there are many cybersecurity companies that use that fear to their advantage. And while that's completely legitimate, it's just not the route we want to take.
What were the biggest challenges you faced in the beginning of GreyNoise, and what are some that you still experience today?
Andrew: The first big challenge was trying to figure out how to position what we do in a way that people are able to understand. The next one was identifying the target users. After we figured out how and to whom to tell our story, our next challenge was the sheer amount of work that goes into it; building all the APIs, building all of the integrations without a shortcut, and all of that for a solo founder. I'm not that good of an engineer, so a lot of that was done via trial and error.
Today the biggest challenge is taking GreyNoise through a transition from a fun hobby project into a scalable business that's bringing value to a lot of people. Our community is a big part of GreyNoise, but we can't give everything away for free, although I wish we could. We just need to keep walking that line of returning value to our community but still making sure we can keep everything rolling. We need to be honest about our expectations; GreyNoise will never be a billion dollar company, but it will be a successful company that will provide a lot of value to its customers.
A lot of people don't know this, but GreyNoise was developed and is maintained only by you. How did you handle the jump from working in the private sector to becoming an entrepreneur and your own boss?
Andrew: I handled it mostly by outsourcing my to-do list to the rest of the community. Once I got GreyNoise off the ground and there were people using it, everything else that needed to be done, the list of work and list of tasks that need to be executed, was right there for me because people asked for it. For the longest time I listened to what people wanted, so there was no boss, there were a million bosses. I just needed to listen and execute.
The next part of that question is about me transitioning from being a cybersecurity professional to an entrepreneur and a business person: There's no other way of describing that transition than that I just threw myself into situations and clawed my way out of them. It's not rocket science — you have a product or a service you're trying to get people to use and pay for. As long as you keep that in mind, everything else is details.
What's the best advice you can give to someone looking for confidence to transition from their 9 to 5 job to being an entrepreneur and developing something on their own?
Andrew: My main answer is going to be that you are going to have to fail and make a lot of mistakes. Second thing is, look at it as an experiment and not as a game where you win and lose. If you look at it as a game to win or lose, if you lose you're going to feel like a failure. Look at it as an experiment — one way or another, you'll learn something about yourself and acquire a new set of skills. From that perspective, it's win-win.
There's no right time to do it, it's always too soon, so you just have to start. One of my favorite quotes is from Felix Dennis: "On Being in the Right Place at the Right Time: It is always the right time and this is the only place we have."
Do you have any new features we can look forward to in 2019?
Andrew: We have a number of new features coming out, but unfortunately I can't share any of them yet! The only thing I can say is that we have a new easy to use command line tool, so now people can use GreyNoise directly from the command line to query IP addresses, subnets, domains, ASNs, even organizations.
Our front-end is getting a facelift in the first part of the year. It's going to be much prettier with more functionality.
What are some future plans for GreyNoise, but also what are Andrew's plans?
Andrew: For the future of GreyNoise — we're hiring right now, so if you are interested in working for GreyNoise just send me an email (I'm incredibly easy to find).
What does the future look like for Andrew? I'm going to take GreyNoise to fruition and I'm going to be with GreyNoise until I feel like I've done all that I can and that I brought all the value that I can find here. I'll be there even if it all crashes and burns — I'm going down with the ship, or up!
It's really hard to look into the future and say how I'm going to feel when it's time to walk away from GreyNoise, and I don't even know when that time will be. But I think the most likely next thing is that I'm going to go back to playing music for a little while. I used to play music full time in house bands in South Carolina, I played mostly the drums, the guitar and the piano; I even played blues in a restaurant every other night. As the paradox goes — when I was a musician computers were my hobby; now that I work with computers I can't even look at them when I get home, so I guess that when I go back to music, computers being a hobby again will reignite my passion for them.
You can visit GreyNoise Intelligence yourself and see how you can filter out the background noise of the Internet, and follow them on Twitter. Thank you, Andrew, for sharing your story and the story of your company.
We'll be featuring more interviews with cybersecurity professionals and entrepreneurs from all around the world, so come visit us again soon.
Here at SecurityTrails, we work hard to make any security investigation accessible, instant and relevant. Schedule a demo with us and see how our SurfaceBrowser helps provide deeper knowledge of your domains and IP addresses.