Pentagon Partners With GreyNoise Intelligence for Internet Scans
The Department of Defense (the Pentagon) recently awarded GreyNoise Intelligence a potential 5-year, $30 million contract to help the agency identify and understand internet-wide scan and attack activity. The contract extends the work GreyNoise has already been doing with the Defense Innovation Unit since March.
Considering every machine on the Internet is bombarded by network requests and other types of communication activity, the Internet is a noisy place. However, only some of the traffic would be considered legitimately part of a transaction or in response to some kind of application activity. That doesn’t mean the rest of the traffic is bad — most of it is just junk, actually.
Threat actors may be scanning the internet to discover what ports are open or what services may be running. Or it could be a routine scan by a business application. Whether the traffic is junk or malicious, security tools flag it as unusual, leaving security analysts with the challenging task of sifting out the targeted attacks from scanning activity that would be considered either opportunistic or benign.
That is where GreyNoise shines. The company’s internet-wide sensor network collects scan data and analyzes the origins in order to give analysts the context for the scans. Threat researchers can look for spikes in scanning to identify new outbreaks of worm activity or attackers probing systems for known (and unpatched) vulnerabilities. Security analysts can confidently filter out irrelevant or harmless activity and focus their energies on uncovering and investigating true threats.
Being able to identify what can be ignored is one of the most common use cases for GreyNoise, says founder and CEO Andrew Morris. An organization may receive a security alert about an unknown IP address attempting to communicate with a high-value system. Depending on the sensitivity of the targeted system, the alert could be escalated for further investigation and potential remediation. An analyst can look up the IP address in GreyNoise — and upon discovering that it was an opportunistic scan and not a targeted attack, the team could deprioritize the alert. Investigators can focus on other, more pressing, threats.
Much of the anomalous behavior organizations have to deal with tends to be “indiscriminate/opportunistic/untargeted and internet-wide,” Morris says. “While it’s possible that opportunistic attacks can be successful and cause harm, this is statistically rare against hardened networks,” he says.
GreyNoise is being used in a defensive capacity by multiple teams and functions across the Department of Defense, the company says.