Risky Business - Soap Box: How to dismantle Volt Typhoon-style relay networks
Episode Date: February 11, 2024. In this Soap Box interview GreyNoise founder and absolute legend Andrew Morris joins the show to talk about: why GreyNoise hasn't seen a substantial drop-off in Volt Typhoon's network of compromised routers after the US Government's takedown action; how vendors are using GreyNoise as an early warning system to identify exploitation of their products; how he's using large language models to reverse exploitation attempts into actual exploits. It truly is a great conversation, we hope you enjoy it!
Transcript
Hey everyone and welcome to this Soapbox edition of the Risky Business Podcast. My name's Patrick
Gray. For those who are unfamiliar, these Soapbox podcasts are wholly sponsored and
that means everyone you hear in one of these editions paid to be here. But honestly, this
is a terrific conversation, 10 out of 10. Last week I sat down with Andrew Morris, who
is the founder of GreyNoise, to talk to him about quite a bunch of stuff, actually. So for those who don't know,
GreyNoise is a company that operates a global network of dynamically configurable honeypots.
So essentially, what they've done is they've made internet-facing honeypots useful by just adding a
lot of scale. And you can already access a bunch of GreyNoise's data
via its website for free.
You don't need to be a customer.
And that website is greynoise.io,
which is G-R-E-Y, noise.io.
So yeah, GreyNoise just has incredible insight
into what's happening on the internet
in terms of like any sort of attacks happening at scale.
So, you know, do you want a
list of devices on the internet that have been compromised by the Volt Typhoon actors? They can
give you that. Do you want to capture a previously unknown bug that's being used to mass
compromise some device or some software? Andrew can get you that. And, you know, the original idea
behind GreyNoise was to give SOCs the ability to determine
what's mass scanning and what's just hitting them, what's targeted. But, you know, as you're going to
hear, there's a number of other use cases for something like this that turn out to be really
interesting. So, you know, one of them, as I mentioned, is spotting networks of compromised
devices that are being used as like, you know, proxy fleets by APT crews. That's one such use case.
But there's another one that we talk about here.
Some vendors have gone to GreyNoise
and asked them to spin up large numbers of honeypots
that mimic their devices and their software.
And this gives them basically an early warning system
that will tell them when people are starting to attack their products
with previously unknown exploits.
And these could be zero-day or they could just be new exploits for old bugs.
And there's a lot of unpatched stuff out there.
But either way, that's an interesting gig, right?
And Andrew's going to talk about that.
But we started off the interview by talking about the recent US government takedown
against the compromised router network operated by the
Chinese Volt Typhoon APT crew. And really, you know, GreyNoise hasn't seen a huge impact on the
group from that takedown. And here's Andrew sort of talking about that. Enjoy. Yeah. So, I mean,
like technical details wise, you know, it's really possible that what happened is that maybe a command and control server was taken down.
And so the accesses have stopped beaconing back.
But we're seeing Volt Tycoon in GreyNoise right now.
Volt Tycoon?
Did I say Tycoon?
We're seeing Volt Tycoon in GreyNoise right now.
And so basically, a researcher passed us some technical
indicators of how we might be able to see it in GreyNoise. And we punched those in and we're seeing
like hundreds of infections across residential ISPs. We're seeing them in the United States.
We're seeing them in Canada. We're seeing them in a lot of different countries. And so
essentially, like literally, as I'm speaking right now, we're seeing active Volt Typhoon
infections that are going on right now.
So it is possible that, you know, command and control has been disrupted and there's something that we don't know.
But we are still seeing it right now as we speak.
Well, I mean, could this latest bloop of activity just be them rebuilding after a takedown?
Because that seems plausible.
It's really possible.
I mean, so we're seeing it come out of like kind of specifically routers and specifically residential IPs.
And we're seeing it like come with not only, you know, Volt Typhoon is spreading.
Like we're seeing it attempting to compromise other systems as well.
So, yeah, it might just be it trying to spread.
But we're seeing other bad stuff coming out of those IPs as well.
And it always feels kind of dirty because we call those IPs malicious, even though it's,
you know, the people behind them aren't doing anything wrong.
It's just, you know, those routers are absolutely infected right now.
We're seeing quite a few of them.
So you'd say like the disruption action has had a limited effect, I guess is the diplomatic
way of saying it.
Yeah, all I know is what we see.
And so what we see is that it's like,
it's popping off right now still as we speak. So, you know, maybe there's been a dip in some places, but we haven't seen that dip. We've seen it be pretty consistent, actually, going back as
early as, you know, a few months back from now. So yeah, we're absolutely still seeing
it, regrettably. Yeah, I mean, what you said about them being residential IPs, right? Like that's the whole point. That's why they're using them is so that,
you know, it just looks like normal residential traffic and just makes detection that little bit
harder. Right. So yeah, exactly. And it feels like basically at least some of the stuff that
was reported maybe six months ago, and even some of the stuff we're seeing right now is pretty
consistent. They're basically navigating their attacks through
a network of compromised routers to make it ultimately harder for people to, for the
authorities or for defenders to figure out where they're actually sitting at. You know, because a
lot of people have sort of a degree of telemetry of what goes into and out of a network. And then
obviously some nation states and security companies might even have telemetry
of what's going in and out of things over the internet.
And so this just makes that a lot harder to track.
And like that tracks from our perspective really well.
That's exactly what we're seeing as well.
Yeah, I mean, I think this comes back to the fact
that block lists are actually kind of working
to some degree, like the threat intel industry
has got to the point where you can't just rely
on like 12 ORBs, right? Because you're going to get blocked, you're going to get detected, you're going to get
tracked, your campaign's going to get rolled up. So if anything, I think the fact that countries
like China need to start proxying their attacks through these giant networks of compromised
home routers is actually a sign that we've done a lot right. And our detection has got better, I guess is what I'm saying.
That's right.
So like, yeah, anything you do that makes the attacker change their behavior
and like the more they change their behavior, the better the thing is.
So yeah, I'd be suspect if you start to see things just like go away,
because if it goes away, that means that like they're just doing it somewhere
that you can't see it.
But herein lies an opportunity, right?
Because, you know, you've got your GreyNoises out there
pretending to be home routers.
I'm guessing you've got a lot of profiles out there
that are just pretending to be normal residential routers,
which puts you in a position to get a pretty early advantage
in terms of seeing what sort of exploits they're using
to try to build these networks
in terms of being able to
detect the activity coming out of them. So, I mean, it feels like this is a problem that GreyNoise
is probably quite well situated to chip away at. Yeah, that's right. And so like where it used to
be like, hey, let's figure out all of the malware and let's try to find all of the malware that people are dropping.
That's becoming more of a let's figure out all of the like vulnerabilities and the exploit shapes and sizes, because that's like basically like sort of one step to the left of that chain.
And part of the really big issue is just that you can't put an EDR product on a router like you just can't do it.
You'll never be able to do it. And so you just kind of
have to live in this universe where you assume that things are going to get compromised and you
just want to figure out how they're getting compromised and when they get compromised,
sort of like as soon as humanly possible. And your point earlier, yeah, like at a certain point,
you want to be able to say at the sort of nations, like at the national border level, like the
internet border level specifically, you really want to figure out,
like you need to get to the point where you can say like these 5,000 IPs until further notice are
not allowed to communicate with the IPs that are inside of my country. You're just blocked. You're
persona non grata. You're not allowed. Yeah. I mean, I guess the problem with
Volt Typhoon though is a lot of the ORBs are actually based in the United States.
That's exactly right. I mean, at some point it has to come back to somebody sitting somewhere. And at this point, you know, this is, or somebody sitting obviously like
probably in another country. So you really do have to unwind that and it sucks, but you're exactly
right. That's part of the problem is that they're just doing attacks from inside the United States
as well. So I guess, you know, the ultimate goal I would imagine would be for you to have a fairly
comprehensive real-time list of IPs associated with Volt Typhoon. You know, you would be able
to share that with customers, with government agencies, things like that. So, you know,
it depends how people are using these ORBs too, right? Like, so for initial exploitation,
you might have an opportunity to block there,
but also post exploitation, you know,
that would be good to know, right?
Like if you can get a hit saying
there's any sort of communication
with a Volt Typhoon tagged IP,
you know that you've got a starting point
for an investigation there.
I mean, is that kind of the vision
or is that what's in use already?
Like how's all this working?
Yeah, you want to swat away as much of it as you possibly can. And you want to assume that you're going to be wrong,
at least a subset of the time. So when it inevitably happens, you're able to figure it
out as quickly as possible and rip it out. Right? Like that's, that's the big thing is you, you,
you can't live in this universe where you're going to be able to swat away all of it.
You have to kind of like, let it fail, let it crash, let it get popped. And then just be in that rhythm
of finding that as soon as humanly possible
and ripping it out.
Yeah, and I guess throwing like,
okay, we've got a new batch
of known Volt Typhoon IPs,
being able to cross-reference that
against like Corelight data or whatever,
like historical Corelight data
going back three months.
Like that I'm guessing is where this is headed.
Yeah, and working with the
hosting providers and the telcos to be able to say like, Hey, have you ever seen comms from these
IPs? Have you ever seen these IPs talk to a given place? Because like, they know they have to store
that data for compliance reasons to like take college students, you know, pirated music and
like, you know, stuff like that. Like they need to, they need to hold that data on behalf of the
recording industry anyway. Yeah, exactly.
They have to have it.
We know they have to have it.
So it's like from to that end,
like that's where, I mean, unfortunately,
you know, the internet service providers
didn't sign up to be, you know,
part of a bunch of security incident response stuff
and threat intelligence stuff.
But like, that's what the world wants
and needs them to be, unfortunately.
Like sometimes they're the only people who know.
Now, one of the things we were going to talk about today is the fact that a bunch of attackers,
like GreyNoise has become a big enough thing now that they really know that they need to avoid your
sensors, and they've started actually figuring out how to fingerprint some
of your sensors. But as you've said, yep, they don't know about your new sensors. So you are absolutely engaged in the cat and mouse at the moment in terms of attackers trying to avoid
your sensors. So I've got a couple of questions there. The first is, have you noticed Volt
Typhoon trying to avoid your stuff yet? Because that would be pretty awesome.
Volt Typhoon is not avoiding our like old classic GreyNoise sensors.
They're showing up in both.
Yeah, right.
So who is avoiding your stuff?
I don't know who, who.
Like, I don't know who's sitting at the other side of the keyboard.
But you are seeing stuff in new sensors that you are not seeing in the old sensors.
Yeah, absolutely.
So we're seeing basically we've been seeing,
we see a couple of different kinds of fingerprinting.
There's a few different ways you can try to do it.
And then there's a few different ways that we like do something about that. So like one, the two largest buckets are
that you figure out in some way, shape or form, like what a gray noise sensor looks like on the
wire, like some identifiable detail on it. And then you avoid those, like you scan the internet
for all those and then you avoid them. And then the other way fundamentally is you use our very public web interface to like plant unique data in some kind
of way. Yeah. And then see where it turns up. See when it turns up. Yeah, exactly. Yeah, yeah, yeah.
And so the second one's a lot more fun because then we like actually know like where you're
pulling the data back to. And it's always like a Tor exit node or something like that. But that
one's a lot noisier. And so basically we've got this sort of silent fleet of GreyNoise sensors where the data is like,
the sensor looks completely different. Like it looks like lots of different things. So you can't
really fingerprint it the same way. And then, uh, and then pulling it back from the web interface
doesn't work. The data doesn't flow through to the public web interface. Um, and so now the fun
part is for us to actually figure
out like how much or how little do we want to lie to people once you figure out that they're trying
to fingerprint GreyNoise sensors. Because we can like do a lot of really fun stuff on that. Like we
can like give them sort of like fake lists of grid, I mean, there's all kinds of fun things that
we can do. People running scanners, people trying to do, you know, and doing mass exploitation,
the mentality, like,
they're not going to think really that there's clever people on the other side who are with them.
Right. But that's exactly what's happening, but they're not going to think that. That's what makes
it so beautiful. Unless attitudes have changed, but, you know, that used to be the way, like no one would
assume that there is someone actively on the other end trying to deceive them and mess with their
heads. Only the A team knows. But like, as a general rule, like the greener attackers are just going to
get really excited when they find something that they think that they can pop. And like,
just the same way that a greener security analyst is going to get really excited when they see like
an IP connection from China. And it's like, well, yeah, but, you know, half the internet's China.
So like that's really mean. Bob's on holiday in Beijing. Like it's not a, yeah, yeah, exactly, like who cares. And so like, you know, to that end, you know, that it
doesn't necessarily, you know, but one of the interesting things is we're actually seeing like
this entire new, like, I guess re-excitement from the security community around discovering
honeypots, which is like kind of interesting. There's like new frameworks that you can use to detect honeypots that are
things like Metasploit.
Shodan has had a honeypot detector for a long time.
And then you're even seeing, like, VulnCheck just wrote a really awesome
article that's called There's Too Many Damn Honeypots.
And it's about how, like, before the Confluence vulnerability came out,
there were like, you know, a thousand Confluence boxes on Censys.
And then after that, there's like 35,000 Confluence boxes in Censys, and like 34,000 of them are in AWS, and it's like,
oh, that's interesting. And so, you know, like, I know somebody did, sorry to cut you
off, but I know someone who did a scanning project across an entire country and I think like
one in three of everything
connected to the internet in that country was a honeypot. It's hysterical. Like it's actually really
funny. And so from my perspective, like this is inevitable. This was always going to happen this
way. I'm like, I wrote, I think, the only honeypot detection module in Metasploit a really
long time ago. And so I've been like thinking about this for like probably 10 years. The cool part, the advantage that the honeypot deployer has, like the inherent advantage is that like
the attacker always has to talk first, like always, no matter what, like whether they do it
kind of sneakily or not very sneakily, like they always have to initiate the thing. And, you know,
they don't know where we are coming from. So like, they don't
know where we can place things at. They don't know where we get partnership data. And they have no
idea how often we rotate the sensors. So there's like, you spend all this money fingerprinting
stuff. And then like, you know, it might be that that data is useful for a day, it might be that
that data is useful for six months, it might be that that data was never useful, and you just had
no idea. So the cool thing is like, we get to sort of strategically lie to people and we get to like make them
kind of feel better about fingerprinting us than they really can or really
than they should. And that's part of it. Part of, you know,
the cool part about honeypots is you get to string people along for a long
time.
Well, I mean, it's the whole thing about listening devices, right?
Like you plant a couple that are easy to find so that if someone does do a
bug sweep, they, they feel really good that they got the bugs. Yeah, exactly. You know, but the real one
is like very, very, very, very hard to discover. So I guess it's the same sort of thinking, right?
Yeah, precisely. And so we're seeing a whole lot of that. We're seeing where this came up recently
is the Ivanti exploitation, right? Where we were seeing all, you know, new slash old Ivanti bug comes out again.
And we're seeing, you know, everyone's like,
oh my God, is this being exploited?
I look at old GreyNoise sensors, silent as a mouse.
I look in the new ones and it's like exploding.
And I'm just like, oh my God,
whoever is doing this is absolutely
fingerprinting GreyNoise sensors.
And then that always makes me go back to first principles and say like, well, what are the other things that we didn't see?
Right. And then we can, like, peer through and all the data.
And so it's a fun challenge.
Like, I love it.
It's something that is I don't know.
It's something that never gets old for me.
So that's interesting, right?
Because the idea that Ivanti exploitation wasn't showing up at all in Classic suggests to me that it wasn't a bunch of crews doing the
exploitation. It's one that's absolutely, yeah, that knows to avoid some of your stuff, right? So
that's exactly right. I can't remember if there's been public reporting on this, but do we know who's
been behind that wave of Ivanti exploitation? I have no, Chinese as well, I have no idea. Yeah,
don't care, just log it. I was gonna say, like, the thing that's missing from
the threat intelligence game is like when people are willing to only say things that they know for
sure. And like, so I tend to stick to things I've seen with my own eyes, and that's like stuff
that I wish more threat intelligence companies did. So shots fired, et cetera.
Just going back to the Volt Typhoon thing again,
are you seeing other nation state backed adversaries building similar kinds of ORB relay networks?
Is this just something that if you are to be taken seriously
as an APT these days, it's something you need to have?
Is having a relay network just table stakes for
APT crews these days? I don't know. So like part of the problem is that like a botnet
is a person's botnet until it's someone else's botnet or until it's everyone's
botnet. And so like I would say like part of the challenge with that is that like the really
advanced actors like to co-opt botnets or sometimes just like buy pieces of it
or rent it.
So like an access is an access is an access.
And like who is to be attributed on the other side of it is just like a
really tricky game.
There's also the other side.
I mean,
that's going,
that's,
that's,
that's always been the way though.
Right.
Because these things,
the access to them is stolen and passed around and sold and given up
in exchange for other things.
And, you know, because they're a commodity, aren't they?
Like owned bots, like home routers and whatever,
they're just a commodity thing.
They're not precious, but they work
and they're worth something.
Yeah, that's right.
The other side of it that makes it more complicated
is that there's a ton of not popped boxes that you can move through with relative ease.
So like not even like, okay, like there's the illicit stuff.
And then there's like transparent proxies and that sort of stuff.
Exactly.
So it's like you've got transparent proxies, which people can move through, which is like, okay, that's not.
But I mean, come on, they're always assumed malicious.
Let's not pretend that we all think that transparent proxies are some, you know, beautiful, wonderful, clean system on the internet, even though they're not technically popped.
Yeah, but what's really nasty is there are companies out there who do things like, for example, will pay app developers to include their SDK in their mobile apps.
And then it just lets anybody go through your mobile traffic and whatever.
And then they just pay you per installation or per like whatever.
And so like those networks are really big and that sucks.
That's really hard.
So there are people who can track that stuff down.
And so like there's companies that are really good at that kind of thing.
And there's always like a little tiny foreign accent on the communication
once it gets to you to a degree. But yeah, that's really tricky. It's really like even beyond that,
like just the ability to just like, I don't know, spin up cloud computing, just route through that
thing. Like it always just depends on like what it is that you're trying to do. Like I always tell
people like, what is the crime you're trying to get away with? Who are you trying to get away with
it from? That's always what dictates like the amount of OPSEC that's going to be required. And so again,
like the OPSEC profile of someone who's trying to do like a 9-11 versus somebody who's
trying to call in like a bomb threat to a school is going to be completely different. And so that's
where, you know, it's, I don't know, it's always just fascinating to see how it sort
of progresses. Yeah. I mean, one of the reasons these Russian, you know, ransomware
people aren't that obsessed with OPSEC is because they don't need to really worry about
getting arrested, right? They have whatever that word is in Russian for like a ceiling. They
have top cover. Like no one is gonna come and get them because like the Kremlin's fine with it. Yeah, yeah, exactly. Just don't go to Disneyland, guys. Yeah, don't
go to Ibiza. Yeah, you're gonna get arrested. No, that is interesting. So I mean, I've obviously read
the same reports about those sort of mobile app SDKs that, you know, result in proxied network
traffic and, you know, people can sell it, you know,
by the hour or by the number or whatever, but you're actually seeing them. Yeah, we see them.
And we wouldn't know that we were seeing them unless we had Spur, our partner. They're
really good at this. And so like, we wouldn't know that we were seeing it unless we had feeds of all
that data from Spur to figure it out. And then we look at it in GreyNoise. We're like, yep, we're definitely seeing it.
Sorry, tell me, tell me who Spur is.
Spur is a company that does like VPN egress detection and like they do it for fraud.
And so the whole thing is like,
you want to know if somebody is coming to you
from an anonymous proxy of some kind
or from a VPN egress.
And they figure out all of the places where that's running
and they're crazy good at it.
So I'm friends with their founders up there for a long time
and we've got it in GreyNoise.
So this is like the Tor exit node problem,
but on steroids, I guess.
Literally by volume, yes.
Because there's like an amount of Tor exit nodes
in like the tens of thousands maybe.
And there are millions of these,
you know, sometimes VPN egresses,
sometimes just mobile devices
where some dude is moving all this traffic through your device.
But see, I can understand why an APT crew for OPSEC reasons wouldn't want to use one of them.
Because, you know, you might be worried about your adversary's SIGINT agency or CYBINT agency being all up in that service, right?
Yeah, that's right. And so, I mean, I guess a lot of it, you know, this is where in certain cases, like the kinds of things that legitimate companies think about when they start
to place their operations in the cloud. So they take it from my computer to someone else's computer.
They always ask themselves, like, who are you? Can I trust you? Like all my traffic and all my
computers going through you. Like attackers do the same thing, they just have to do it from a totally
different lens or whatever. And so, yeah, and then obviously like the smartest ones always just do
things the dumbest way, right? Like they intentionally look as dumb as possible so nobody ever asks these
kinds of questions. And so that's where, again, I would say like the C team wants to look like
the B team or the A team, and the A team wants to look like the D team. Yeah. Yeah. Yeah. I love that saying. Just going back to the Ivanti thing there for a second,
you know, you're suggesting that, you know, most of the activity around this Ivanti
stuff is one crew. We saw CISA. So now for what everybody else is getting in. Yeah. Now we are
seeing it come from a bunch of different places. Now it's a mosh pit, but that actually relates
to this question, which is like, what are the odds?
Right. So we saw CISA telling US government agencies, you got to just like pull the plug on this stuff.
You have 24 hours.
I've never seen that before. I thought it was awesome.
Yeah. Yeah. But I mean, the sad bit is they're allowing these agencies to rebuild Ivanti equipment and then reconnect it, which I guess is the realistic thing that's going to happen.
But it still makes me cry a little tear. But I guess the question is, what are the odds that an Ivanti box was on the internet and survived this wave of exploitation?
Because I would think that everything would have got done, right? I would wager near zero, rapidly
approaching zero. So I would wager to guess that if you have, like, okay, so there are, like, there's, cool, if you have an Ivanti box and the
uptime of that Ivanti box is anything more than like one week, it is popped, like
a hundred percent. I don't know if like the patch requires a reboot or whatever, but like,
stated differently, like if you have an Ivanti box that's on the internet, like there's, like, I'm just
telling you with my own, like, you heard it here first, folks.
It's popped, 100% chance.
And it's definitely multi-homed to your internal network
because that's the whole point.
Yeah.
Hooray.
Yeah.
Fantastic.
Now, look, we're going to move on
and talk about some other work you're doing.
That's really interesting actually,
which is you had a vendor come to you
and say a bunch of our products at customer sites
are getting owned, they're getting popped, but we don't know how, can you figure it out for us?
So more than one vendor. And yeah, and so it's like, we've been working with a few basically
kind of like hardware and software manufacturers who have stuff that's out on the internet. And like my theory behind this is just that for a multitude of different reasons,
attackers are just getting better at finding command injection and like other kinds of
software vulnerabilities and like sort of like embedded systems and then like network gear and
stuff like that. And so, yeah, like a new use case that I wouldn't have thought of, you know,
like six years ago at GreyNoise, like at the time I would have just been like, ah, the SOC's too
busy. Let's try to get fewer alerts. And so then now like the new use case
that we've got with our new sensors is like, no, we've got, like we're hearing grumblings of,
of, of vulnerabilities. These things are happening. We have no idea how it's happening.
We need you to help us figure out how it's happening. And, um, and this is the case with
more than one vendor right now. And so we're basically... I mean, the truly ironic thing
here though, is if they were instrumenting their products the way they should be, they wouldn't need you to do
this for them. So for a host of different reasons, you're just not always able to do that. Sometimes
it's privacy. Sometimes there's versions of this stuff that's deployed that's too old. And so they
just don't have that out there. And I think if we were to nuke all of the technology
off the face of the planet and only put new things in now, then I think we'd be in a much
better place. But like a lot of these things get like end of life and then some company like
zombies them into staying alive, like forever. Someone's paying the vendor a quintillion dollars
a year to like put that thing on life support. And so like the issue,
like as much as I want to, you know, on the manufacturers or the hardware and software
providers on this, like you got to look in the mirror on this a little bit. Like sometimes
there's just going to be a giant bank that's like, I literally can't stop using this product
and it's worth a bunch of money to me. So I'm going to throw money at this.
And, you know, and then sometimes that, I guess, the hens come home to roost. And so the long and the short here on this is that, like, you know, I'll just put it this way, right?
Like 20 years ago, if you were to say, like, hey, you know, publicly traded companies, you're going
to have to tell everybody when you get popped and you're going to have to tell them fast, they would
have, you would have laughed me out of the room. And so then now you're starting to see like, okay, so now we're
there. And I'd say like the part that I think where we're going, I think the writing's
on the wall a little bit, is if your product is used in a breach, like if you don't match this
criteria, if an attacker exploits your product in order to do bad things,
then you're going to be held a degree of liable. And I don't know this for sure, but I can see that's
the sort of writing on the wall in the future. For me, that's so funny because like literally,
literally this was the conversation I was having as I was having my morning coffee before this
call. I was talking with, um, who is now, and he'd listened to my interview with Eric Goldstein at CISA and we wound up having this conversation about, well, how do you shift liability onto vendors? protect themselves with insane end user license agreements that give them the right to throw users through log chippers. You know, it gets complicated very fast and like mechanical
regulation is not so effective either. But you're right, there is movement in this direction, whether
that's going to come through procurement rules or what. I'm increasingly feeling in my waters, Andrew, is that we're going to see more action from the SEC a la like
SolarWinds right now.
So I think that's where I'm seeing the pressure come from right now is like, that's where
I can most see it coming from is like US procurement rules and SEC enforcement actions.
Yeah, I mean, I think that's right.
It's going to take the shape of something financial because nobody's going to listen
otherwise.
Well, I don't know if you read Matt Levine,
but he's got that whole joke that he says,
which is everything is securities fraud.
You know, don't secure your products correctly.
That's securities fraud.
You know what I mean?
It's like every crime ever.
Yeah, exactly.
Everything bad is securities fraud.
And I think that's the SEC's view increasingly
is that failing to do a good job with this stuff
is securities fraud.
Because you didn't tell investors that you suck, you know?
Yeah, or every crime ever done
was done in the Southern District of New York.
And so it's the same kind of thing.
But yeah, I mean, honestly,
I have no idea like the shape and size
of what it's going to look like.
But I do know that like until and unless, because like the manufacturers are, again,
depending on where they are in their life, they're either like really optimizing for
growth or market share or profitability.
And like, it's really hard to do that at the same time as caring about like the long
tail of the software vulnerabilities that happen to you all the time, like the price
of support of having all your products and like keeping them out and, you know, whatever. And so I don't know like how it's going
to go, but I do know that these companies aren't going, a lot of them are not going to take things
as seriously as they need to until there's a threat of them being held like financially
or legally liable, you know, in order to continue to operate.
In this case, like... I mean, it's great for you.
It's great for you.
Phenomenal for us.
Yeah, you can answer that question, you know.
Yeah.
You can be an early warning system for major vendors.
I mean, you know, there's some of these vendors out there, they've got so many different products.
And if you can spin up instrumentation for them and put that out there on the internet
and be able to tell them, hey, someone has clearly found some sort of bug, you know, in this line of products. You don't want to hear it from the FBI
first. You probably don't want to read it in a blog post first. You probably don't want to read
it on Mandiant's website first. Right. You want to, you would, you would like to hear it from
somebody that you've like essentially deputized to get the answers to at first, so that you can sort of get in front of it.
And I'd imagine, I'd imagine too, Andrew, there's real money in that too, right?
Yes, because I mean, like, again, it really depends. Like the cost of how you
would actually quantify the undesired outcome that we're causing to not happen is expensive.
And then the other side of this is that like we can find this out for you as fast or as
not fast as you want, depending on how many of these bad boys we spit out into the world, and
depending on how many countries, how many providers, how many ISPs, like all that kind of stuff. And so,
for what it's worth, like, yeah, I mean, the finances of it from our perspective are fantastic.
Yeah, now let's talk about your new Uno reverse card
because this really dovetails nicely with this conversation
because you've built your,
what's your LLM based thing called?
SIFT.
SIFT, yeah, yeah.
So you've built SIFT,
which can basically do a lot of automated processing
of mass scanning, mass exploitation
and surface stuff to your human analysts
so that their workload is greatly reduced.
SIFT finds stuff that human analysts don't.
It's turned out to be way more effective
than I think you thought it was going to be
when you first kicked off that project.
But you've got another use for this now,
which I just think is glorious,
which is you can take an
exploitation attempt against the technology and then use SIFT to give you the exploit,
like to actually give you the exploit. So you're capturing it and then turning it around
and turning it into basically like a PoC, right?
Yeah, pretty much. So I mean, long and the short is
like I sort of did this as a joke
initially, because I was just like, there's no way this is going to work. And I just grabbed like
the last 10 command injections that SIFT surfaced, and then I just like, you know, slammed
it against an LLM and I said, can you write Metasploit modules for these? And it came back
with Metasploit modules for them. I was like, oh my God.
Well, that's because HD wrote great documentation that the, you know.
That's right, that the LLM was trained on.
Exactly, right?
And so like, you know.
So nice one, nice one HD.
Yeah.
So four out of five of the Metasploit, or four out of 10 of the Metasploit modules sucked
and they were moronic and they didn't work.
And then like, you know, five of them like needed a one line fix.
And then one of them like worked right out of the box and it was like,
Oh my God.
And so,
you know,
I just think that the long and the short on this is that I think that there's a lot of things that used to take like sort of like months and
years to,
to cycle.
And I think that they're just going to start happening like maybe really
fast soon.
Like being able to go from.
I just keep thinking of the galaxy brain meme.
You know what I mean?
Where there's like gradual steps into mind blown-ness.
And, you know, mind blown is like Metasploit
comes out 20 years ago
and sort of automates a lot of this exploitation.
And then, you know,
we're at the full galaxy brain stage now
where you're automatically creating Metasploit modules
with large language models, you know?
Or yeah, like why develop an exploit when you can just find one, like, like when you, you can just, I don't
know, the part of it, that must, that must introduce a whole host of other dilemmas
for you there, Andrew, which is if you're sitting on a big old pile of exploits, it's like,
you know, do you tell the vendor to be an arms dealer?
Like I've done that before. I didn't, that's not what I did this thing for.
Yeah, I mean, so this is, this is, that's the question: what are
you doing with these exploits? Because I imagine if it's a customer, right, you tell them about
it because that's what you're being paid to do. But if they're not a customer, I mean, I'm sure
there's plenty of people who might want that, you know.
Yeah, so like taking a big step back, like I think the cool use case for it
that I'm stoked about
is just making it really easy
for our customers
to test their resiliency
and to test their IDS signatures
and to like figure out
if they are actually vulnerable to stuff.
I'm like doing that really fast.
You know, and then there's a whole other...
Just to be clear,
are these, were these bugs that you surfaced,
like these exploits that you generated,
were they N-day, or did you have a couple 0-days in there as well?
Because often with this command injection stuff, it's going to be 0-day, right?
Because it's simple, low-hanging stuff.
Yeah.
So the whole thing is we don't know until we dig into it because it's all the same to us.
And so by the time something makes it over to us, we don't even know what the thing is for, like. So there's
still a long pole in the tent of essentially figuring out, sometimes we don't know what they
thought they were slinging the traffic at. So I don't know, like, it could be an N-day, it could be
a 0-day, I don't even know, because I don't know what they thought they were slinging something
at. So there's a degree of like state management, organization, that like work that goes into it.
And for you to verify it, you need to actually do mass exploitation yourself and see
where you got shells.
Yeah, it depends on, if you can't really do, because it's very illegal, but
yeah.
Right. There it, it depends on like whether the sensor that we have was like a shallow clone
of a thing. It depends on whether it was like a real version of something. It depends on a lot of
stuff. And then there's still the, you know, there's other pieces of this as well.
Like, where does the like, where do the other targets for this live?
And how can you like, again, I'm stepping into the future of like what might end up being like, like the sort of the silly little World War II history references is like, you know, some people in World War II had bunkers, cement bunkers that had fake air vents
that if you put a grenade into it, it would roll in and then it would roll back down and drop in
your feet and blow up and kill you. So like the universe that I'd like to see this kind of thing
in is like, you know, hey, we're all safe. Everything's cool. But if somebody
starts lobbing exploits at us, we're just going to lob them back at you like really, really fast.
And so that's, you know, times a thousand maybe. That's the universe that I'd like to see. But
again, like the nature of this business is that like more things are dual use than you would ever
really expect. And you have way less control of some of the data and what people are going to do
with it and the code than what people are going to do with it.
And that's, you know, that's between me and God.
That's just going to be me sitting, you know, so it goes.
So you're still working through this
is what I got from all of that, Andrew.
Yeah, still working through it.
Yeah. All right, man.
Well, we're going to wrap it up there.
Fantastic to chat to you as always, my friend.
And I'll look forward to our next conversation. Thanks.
Likewise, a great time. Good to see you, dude.
That was Andrew Morris from GreyNoise there. Big thanks to him for that, and you can head to greynoise.io to check out
their data for free. And that is it for this edition. I will be back with more Risky Biz
in a couple of days, but until then, I've been Patrick Gray. Thanks for listening.