Leveraging the “Power of the Crowd” to Fight Cybercrime with a Unique, Collaborative Intrusion Prevention System

Exclusive Interview with CrowdSec CEO Philippe Humeau

With the widespread adoption of cloud and container infrastructure, protecting servers, services, containers and virtual machines exposed on the Internet with a reliable, intelligent intrusion prevention system is more important than ever. Cloud-native environments foster rapid growth and innovation, but also introduce an element of added complexity, along with new security challenges. 

Recently, LinuxSecurity researchers had the opportunity to speak with CrowdSec CEO Philippe Humeau about modern cyber risk, CrowdSec’s unique and advantageous community-powered approach to intrusion prevention with an extremely accurate IP reputation system, what users can expect from the latest CrowdSec release, what the future holds for CrowdSec, and more! We’re excited to share key insights and highlights from this exclusive interview with our readers to help them better understand the modern cyber threat landscape and how they can bolster their intrusion prevention strategy to prevent attacks.

Introducing CrowdSec: A Collaborative Open-Source Intrusion Prevention Solution

CrowdSec is a cybersecurity solution designed to protect servers, services, containers and VMs with a server-side agent. It was inspired by Fail2Ban and aims to provide a modernized, collaborative version of the popular intrusion-prevention tool.

CrowdSec leverages the power of the community to create an extremely accurate real-time IP reputation system that benefits all of its users. It uses a behavior analysis system to determine whether someone is trying to hack your system based on your logs. If your agent detects such aggression, the offending IP is then dealt with and sent for curation. If this signal passes the curation process, the IP is then redistributed to all users sharing a similar technological profile to “immunize” them against this IP. As for the IP that aggressed your machine, you can choose to remedy the threat in any manner that you feel appropriate. 

Interview with CrowdSec CEO Philippe Humeau 

LinuxSecurity: What are the main cyber threats Linux users face today that CrowdSec protects against?

Philippe Humeau: CrowdSec is essentially a metasploit of defense. Everything creates logs nowadays - planes, cars, phones, TVs, and obviously servers and services. If an attack leaves traces in the logs - which over 95% of attacks do - then it’s simply a matter of writing the proper scenario to catch it. To date, we have tens of scenarios, ranging from L7 DDoS, to credential bruteforce, credit card stuffing, port or web scans, PHP attacks, and more. 

Lately we are active on the front of ransomware, using CrowdSec as a canary to avoid lateral moves. Possibilities are limitless! The only limit of CrowdSec’s protection capabilities is when an attack leaves no trace, either due to poor log configuration or because it's “silent”, like a stack overflow. That being said, those exploits are very rare and only demonstrate true stealth if the demon crashes aren’t logged or if the said attack doesn’t crash the process at all. 

The Power of Crowdsourcing

LS: Can you explain the power of crowdsourcing? How are you leveraging it to benefit your users, or the people who participate in your “crowd”? How does open-source development facilitate this approach?

PH: Crowdsourcing can be seen as a digital version of the famous neighborhood watch. If everyone is watching over everyone else’s servers and services, everyone is safer from attacks. By detecting and sharing IPs of bad actors, we are removing their most precious asset: anonymity. Since cybercriminals want to remain under the radar, they are either forced to stop when their IPs are shared, or at the very least slow down their operations tremendously.

Members of our “crowd” benefit directly by constantly receiving IPs that target similar technological signatures as theirs. For instance, if you run a LAMP with Wordpress, you receive all IPs that are agressing SSH, Apache, MySQL, Wordpress, and the like.

Crowdsourcing is the cornerstone of the CrowdSec project. Our point of view is that, through this collaboration, we are more numerous than the aggressors. Hence, instead of the out-powering approach, where a super soldier tries (and fails, except in Hollywood movies) to resist 1000 bad guys, we adopt the outnumbering approach. No one fights a bee hive!

Open Source facilitates this approach by enabling us to create a product that is adapted to the largest base, where anyone can contribute and adapt it to meet their specific needs. It’s also free, meaning we do not have any friction in adoption - money typically being the first break. Since we are after a network effect, we need to have as many users as possible and Open Source is a great engine with the flexibility and trust it fosters.

The Open Source Advantage

LS: Expanding on our discussion of Open Source, what are the main advantages of the open-source development model? Do you feel that Open Source provides a superior vehicle for engineering exceptionally secure, resilient software and technology?

PH: Well, there are pros and cons, honestly. It’s surprisingly complex to offer something for free! First, people look for the catch and think you might be a trickster, until they realize the business model is not based on their data or a belated monetization strategy. Second, each line of code written requires three times more checking prior to publication, especially given the responsibility you have toward your users and other contributors. 

On the bright side, many people get to test open-source code, report bugs or inconsistencies and collaborate to improve upon software. It is no secret that the concept of security through obscurity has failed big time, and it’s true that being audited constantly by the community is also a great strength. Thus, nowadays proprietary products are typically considered less trustworthy. 

LS: How did you make the decision to open source part of your technology while leaving some of it proprietary?

PH: To be transparent, this is a question of pace. On the IPS part, we are 100% open sourced, with an MIT license, while the “Consensus” engine is not (yet) open. The reason behind this choice is that we are extremely agile and constantly fine tuning the Consensus engine, which is used to avoid false positives and poisoning. It’s taking a lot of extra time to make a piece of code “Open Source compliant”, and making it open as of day one would have only slowed us down. Also, at first, we thought it could be a weakness to reveal how we defeat aggressions toward this set of algorithms. Now time has passed and we have grown more confident that this piece will also be opened to scrutiny and contribution soon. We just need to sprint for half a year before adopting a steadier pace and letting the community review and contribute to the Consensus engine.

LS: CrowdSec is a community-powered, open-source version of the popular Fail2Ban intrusion prevention tool designed to run on complex modern architectures including clouds, containers and lambdas. Can you explain the similarities between CrowdSec and Fail2Ban, and the key differences between the two. What are the main advantages that CrowdSec offers over Fail2Ban? Can these advantages be attributed to (or partially attributed to) CrowdSec’s collaborative, open-source approach?

PH: Fail2ban created the 1st “anti bruteforce system”. Simple in essence, it nevertheless dealt with a lot of credential bruteforce attempts, over a large spectrum of services, on millions of machines, for sixteen years. Quite a legacy for code initially written as Python training for its author!

CrowdSec borrows the philosophy of Fail2Ban in the sense that it’s working out of the box to protect the services running on your machine, based on what it finds in your log. And that’s where the parallel between the two ends, because the software design, scope, architecture, orientation, goals and performance are entirely different. 

CrowdSec is written in Golang, to deliver 60x faster treatments, but also to be able to run in all environments - from VM to Docker, from Linux to Windows. It is designed to support a large surface of attacks with L7 DDoS, credential or credit card stuffing, port scans, web scans, and any attack that leaves trails in your logs. It’s modern in the sense that it’s not monolithic and detection is separated from remediation. Furthermore, remediation can be anything you would like it to be - not just banning in your firewall (like Captcha, MFA, messaging, etc.). CrowdSec is also made to meet the needs of individuals and enterprises alike, running successfully on personal firewalls as well as on hundreds of thousands of machines for large hosting companies. Last but not least, CrowdSec shares the IP it bans with other instances (after a curation on our end), to help further protect all members of the network against known offenders.

Monumental Changes in CrowdSec v1.1 & v1.2

LS: As part of the CrowdSec v1.1.x release, CrowdSec services were moved to PackageCloud, a fast, reliable and secure cloud-hosted package distribution. Can you explain how this transition is benefiting your customers?

PH: Yes, we love PackageCloud! This is a huge step forward for us. We often joke internally that some Debian packages are old enough to buy alcohol! But it’s not only Debian - the majority of platforms are somewhat slow to move. When you release features every other week for more SoC, more OS, more packaging systems than ever before, you need the proper tooling. This packaging is an effort to make CrowdSec available to the largest number of Linux, BSD and even Windows systems running on ARM or Intel. Now customers constantly receive the freshest packages, regardless of their environment, which is key for any security product.

LS: CrowdSec v1.1 and v1.2 feature a brand-new Console. What are the main changes and improvements that have been made to the CrowdSec Console? 

PH: We are extremely excited about this new Console! First, because it helps people see what is happening on their machines in a consolidated, centralized view. When you run many CrowdSec agents in your network, the standalone metabase running in Docker isn’t enough to provide this level of observability.

Beyond the observability aspect, we have two important goals with this Console: gamification and monetization. Gamification is part of what we want the community to experience. A bit like the SETI at home project, except that instead of hunting aliens, we hunt cybercriminals. You’ll get badges, ranks, and maybe swag or other forms of recognition for helping other users. 

The second part is monetization - and the console will be its headquarters! We are absolutely fine with making money while being an open-source editor. Some would love to see talented authors only feed on edible moss and little animals, wear monk robes and walk in bare feet because “it’s the way Open Source should be”. Well, I strongly disagree. If you want talented people committed overtime and dedicating 100% of their time and effort to a project, you need to pay them well, hence to monetize. With CrowdSec, the “crowd” that makes us stronger benefits for free, while large corporations with more complex and extensive requirements have the option of paying for additional services.

BlackHat USA 2021 Reflections

LS: You recently received a Black Unicorn Award at BlackHat USA 2021 for the Top 10 cybersecurity startups of the year. Congratulations on this accomplishment! Can you briefly reflect on what this award means to you and your team. What are some of the biggest challenges you have faced and what are some of the most notable accomplishments you’ve experienced as a startup? What was the “mission” behind starting CrowdSec? Do you feel this mission is being fulfilled?

PH: I was a rookie red team pentester when I first attended a Blackhat. This conference is both legendary and very insightful! Now, having a Black Unicorn Award sitting on my desk has a special taste indeed. 

What it precisely represents is that we DO have a different approach. What the BlackHat jury saw in CrowdSec is a new approach to cyber - the collaboration age, the very concept that sharing is not giving away and getting poorer, but instead it’s making everyone stronger. We have a good IPS, that I’m sure of, but the fact that it’s coupled with a CTI approach and that tens of thousands of machines enrolled in our “crowd” in under a year proves without a doubt that this path needs to be explored. In four years from now, we should have millions of machines sharing the rogue IP addresses they identify, making CrowdSec the biggest collaborative effort to date to influence the war against cybercrime. This will become the real-time world map of criminals over the Internet, like Waze became the de-facto standard for road hazards worldwide.

Have we delivered yet? Yes, sort of. We took off, some trust we are up to something and adoption is accelerating. Have we achieved something? Not yet, it’s still day one, so please don’t hesitate to help us by contributing, adopting the product, commenting on the roadmap and connecting with us on Gitter!

 

A Bright Future for Crowdsec

LS: What does the future hold for CrowdSec? Upcoming releases? New features and capabilities in the works? 

PH: This is a make or make (I don’t like the break part!) year for CrowdSec. The Console, the new premium features, the growing network, all is uncharted territory to us. We’ll probably have another fundraiser around early 2023, and plan to work on a blockchain approach, which could also be a game changer. 

We need to expand our team and reach probably 35 people while building a rock solid relationship with our community. The future is bright, our team is under constant shots of serotonin and the market offers us great feedback.

As CEO, I also have to prepare the team and company for the hangover, when we’ll discover the world isn’t just about bull adoption, unicorn pictures on the walls and encouragement messages on our Gitter. At some point, there will be harder times - missed deadlines, concerns on our KPIs, meaningful bugs, trials to try to slow us down or people leaving the company. I know it for a fact, and this will be the moment where we’ll see if we are experienced enough to persevere, giving us the opportunity to  build the team and company to be resilient to those challenges.

But for now, I wouldn’t wish to be anywhere but here in our journey!

Closing Remarks

LS: Thank you so much for your time and shared insights! Is there anything else you think the LinuxSecurity community should know about CrowdSec? Any closing remarks?

PH: It’s up to you to defend yourselves, while helping everyone else around you. It doesn’t require you to be a bodybuilder or an expert in a martial art - all it takes is an apt-get install… Will you be involved in this cyberwar alongside CrowdSec’s community?

Next Steps

Download CrowdSec v1.2.0 from the project’s GitHub page to join the fight on cybercrime!

Have a thought to share or another open-source security tool you’d like us to cover? Connect with us on Twitter and let us know!