Ahead of the Breach

GreyNoise’s Andrew Morris on Internet Background Noise as Data

What if you could predict major security vulnerabilities weeks before they're publicly disclosed? Andrew Morris, Founder & Chief Architect at GreyNoise Intelligence, built a global sensor network that does exactly that by tracking internet-wide scanning patterns that spike 3-4 weeks before critical vulnerabilities become public knowledge. This transforms the chaotic noise of billions of daily internet scans into precise threat intelligence that helps organizations focus on real attacks.

Andrew walks Casey through how he created what he calls the "opposite of Shodan." Instead of cataloging what's scannable on the internet, GreyNoise tracks who's doing the scanning and why. The technical challenge required learning new programming languages and building infrastructure across hostile network environments globally, but the result is a system that functions like noise-canceling headphones for cybersecurity. 

Topics discussed:

  • The methodology behind building internet-wide sensor networks across multiple cloud providers and regional hosting environments.
  • How network fingerprinting techniques using MTU overhead, TLS signatures, and protocol implementations reveal the true origins of scanning traffic through VPNs and proxies.
  • The correlation between massive scanning spikes for specific software or hardware and vulnerability disclosures that follow 3-4 weeks later.
  • Why embedded systems and edge devices represent the most vulnerable attack surface on the internet.
  • Technical challenges of processing and indexing billions of daily network sessions while applying pattern-matching and classification rules at line rate.
  • The operational realities of maintaining distributed infrastructure in hostile network environments.
  • How threat actors use geographic and software-specific targeting patterns that become visible only through comprehensive internet-wide monitoring capabilities.
  • The discovery of zero-day vulnerabilities through automated classification pipelines that identify previously unknown attack patterns.
  • Why traditional threat intelligence approaches fail to distinguish between legitimate research scanning and malicious reconnaissance activities targeting organizations.
  • Strategic approaches to handling sensor network detection and fingerprinting by adversaries, including infrastructure rotation and traffic obfuscation techniques.
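The episode's central idea is that a spike in scanning aimed at one product, measured across a sensor fleet after known research scanners are set aside, is a signal worth alerting on. The following is an added illustration written for this page, not GreyNoise code: it constructs fifteen days of synthetic sensor sessions, separates sources on a hypothetical benign allow-list, and flags any product tag whose latest daily volume sits well above its baseline. All addresses, tags and thresholds are constructed for the example.

```python
"""Spike detection over constructed sensor sessions (illustrative, not GreyNoise code)."""
from collections import Counter, defaultdict
from datetime import date, timedelta
import statistics

# Hypothetical allow-list of known research scanners (constructed addresses).
KNOWN_BENIGN = {"203.0.113.10": "university-research-scanner"}


def build_sessions():
    """Construct 15 days of synthetic sessions as (day, src_ip, target_tag).

    'edge-vpn-login' runs at roughly 5 sessions/day and jumps to 60 on day 15;
    'ssh' stays flat at about 20/day. A known benign scanner also sweeps the
    edge device on the spike day so the filter has something to remove.
    """
    start = date(2024, 1, 1)
    edge_baseline = [4, 5, 6, 5, 4, 5, 6, 5, 4, 5, 6, 5, 4, 5]
    sessions = []
    for i in range(15):
        day = start + timedelta(days=i)
        n_edge = edge_baseline[i] if i < 14 else 60
        for k in range(n_edge):
            sessions.append((day, f"198.51.100.{k + 1}", "edge-vpn-login"))
        for k in range(20 if i < 14 else 22):
            sessions.append((day, f"192.0.2.{k + 1}", "ssh"))
    last_day = start + timedelta(days=14)
    sessions += [(last_day, "203.0.113.10", "edge-vpn-login")] * 10
    return sessions


def split_by_reputation(sessions, known_benign=KNOWN_BENIGN):
    """Separate sessions from allow-listed research scanners from the rest."""
    benign = [s for s in sessions if s[1] in known_benign]
    unknown = [s for s in sessions if s[1] not in known_benign]
    return unknown, benign


def daily_counts(sessions):
    """Map target_tag -> Counter(day -> number of sessions)."""
    counts = defaultdict(Counter)
    for day, _src, tag in sessions:
        counts[tag][day] += 1
    return counts


def detect_spikes(sessions, baseline_days=14, z_threshold=3.0, min_count=20):
    """Return (tag, day, count, z_score, distinct_sources) for every tag whose
    latest day exceeds the baseline mean by z_threshold standard deviations.

    Known benign scanners are excluded before counting, so a research sweep
    on its own cannot trigger an alert.
    """
    unknown, _benign = split_by_reputation(sessions)
    counts = daily_counts(unknown)
    spikes = []
    for tag, per_day in counts.items():
        days = sorted(per_day)
        if len(days) < baseline_days + 1:
            continue  # not enough history to form a baseline
        baseline = [per_day[d] for d in days[-baseline_days - 1:-1]]
        latest_day = days[-1]
        latest = per_day[latest_day]
        mean = statistics.fmean(baseline)
        # Floor the deviation so a perfectly flat baseline cannot yield an
        # unbounded z-score from a change of a single session.
        sd = max(statistics.stdev(baseline), 1.0)
        z = (latest - mean) / sd
        if latest >= min_count and z >= z_threshold:
            distinct = len({src for d, src, t in unknown
                            if t == tag and d == latest_day})
            spikes.append((tag, latest_day, latest, round(z, 1), distinct))
    return spikes


if __name__ == "__main__":
    for tag, day, count, z, distinct in detect_spikes(build_sessions()):
        print(f"{day}: {tag} {count} sessions from {distinct} sources (z={z})")
```

The distinct-source count matters as much as the volume: a jump driven by one address is usually a single noisy host, while sixty sessions from sixty addresses in a day points to coordinated interest in that product, which is the pattern the episode describes as preceding disclosures.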
Ahead of the Breach, by Sprocket