
CrowdSec, Meshed Security that Leverages Numbers for Strength

It seems like the adversaries have all the advantages stacked in their favor. They can attack any time, and only need to get lucky once to breach our cloud investments. On the other hand, we have to ensure that our cloud infrastructure is always secure. So what can we do about this complicated problem? We speak with Philippe Humeau of CrowdSec to understand how we can leverage our numbers as a countermeasure. Along the way, we also discuss social engineering, and what we can do to avoid falling victim to phishing attacks.

Tune in to this episode of Ask A CISO to hear:

  • How Philippe got into cybersecurity
  • Philippe’s first hack
  • Breaching a Chinese subsidiary with poker chips
  • How to phish a CISO?
  • How to protect against social engineering and phishing scams
  • Phishing characteristics to be aware of
  • The founding of CrowdSec
  • How does CrowdSec work?
  • CrowdSec’s revenue model
  • Tackling risks of manipulation

About The Guest: Philippe Humeau

Philippe Humeau is the Founder of CrowdSec, an open-source multiplayer firewall that is able to analyze visitor behavior & provide an adapted response to all kinds of attacks. It leverages crowd power to generate a global IP reputation database to protect the user network.

As of today, users come from 110+ countries and block approximately 700,000+ malevolent IPs per quarter, and in December 2020 the company also raised $5M in funding!

Philippe has also received an MBA in Computer Sciences from EPITA, and has created 5 start-ups and seeded 10 of them.

About The Host: Paul Hadjy

Paul Hadjy is co-founder and CEO of Horangi Cyber Security. 

Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.

Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific. 

He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams. 

He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking. 

Transcript

Raphaël

Hi, everyone. Welcome to another episode of the Ask A CISO podcast powered by Horangi.

I'm Raphaël Peyret, the VP of Product here at Horangi, and I'll be sitting in for Paul, our CEO, this week. Before I introduce the guest, please don't forget to like, and subscribe or follow us on YouTube, Spotify and Apple podcasts and help us grow. With me today is Philippe Humeau, the founder of CrowdSec, an Open Source multiplayer firewall that is able to analyze visitor behavior and provide an adapted response to all kinds of attacks.

CrowdSec leverages crowd power to generate a global IP reputation database to protect the user network. As of today, users come from 110-plus countries, block approximately 700,000 malevolent IPs per quarter, and in December 2020 raised $5 million in funding.

Philippe has also received an MBA in Computer Science from EPITA, as well as created five startups and seeded 10 of them.

Hello, Philippe, a big welcome. Thanks for joining us today.

Philippe

Hi Raphaël, it's probably the first time ever that my name is pronounced properly in a podcast, so thank you for being French and respecting it.

Raphaël

Yeah, my pleasure.

We have quite a short bio here. I'd love to hear a little bit more about yourself, who you are, how you got into cybersecurity. Tell us a little bit more about your background there.

Philippe

Sure.

We, we touch facing on all those figures you gave because it progressed a lot, but let me just tell you about the, the very inception of my cybersecurity career.

Back then it was the wild, wild West. Like, literally there were no rules, no laws, no framework. People were just vaguely bumping from one wall to the other. Firewalls used to be configured the other way around, like letting everybody from the outside in, and letting no one from the inside out. So it was a really, really funny time.

And in this school I met very early on a guy, a legend, actually in the field. Uh, Frank, and Frank was like, he went by the name of Jedi - Sector One by then. And I was like, okay, what... Jedi? Jedi - Sector One.

I mean, that rings a bell. And, indeed. actually, he was the guy that cracked the games when I was very young, when I was 10, when I was a kid. I was playing ATARI ST and we could see his name here and there popping. I was like, wow, this guy has to be a genius. And as a matter of fact, when I met him in the school, he was my age.

So I was like, so you Jedi - Sector One, you are basically 20. I am 20. I used to play with your cracked game. I was 10. Meaning you were 10 if I got the math right.

And he was like, yeah.

Okay. What have you done in between? You know, because, oh, I, I, I create some BBS on the HP 28 calculator from my father. And then I went into this and that, and that I'm like, whoa, whoa, whoa, whoa, slow down, man. How, what were, you know, it was Alice stumbling down the rabbit hole and it never left me. I mean then I, my crush for cybersecurity was it was too late. I had to, to go for it. That was so, so crazy. So funny. So new for me.

Raphaël

Yeah. I find it interesting that there's this gaming component, right, of like, because in many times hackers are doing this for the game, for the thrill of like, of like, beating the system.

Is that, what is that what this is for you? And particularly like pen-testing, where basically like, this is what you're paid for, right? It's like the, it's like professional gamers, but in the hacking world.

Philippe

Well, it used to be this for a very long time,

I mean, and the first "hack" I did was breaching into a university to get the, the name and coordinate of a girl I found cute in a, in a party one day and didn't have her coordinates at the end of, of the party.

So, you know, she was, she was a student in a university. It was super easy to get in, check the records, say, Okay, hello, what are you doing tonight? And she was like, how on earth did you have my coordinates? Happy to meet you though, but, so, yeah. It's a game and I'm still a gamer by then, by now, I mean, and a lot of people I know in the industry are indeed very playful people because the main difference in between a sysadmin that is very strict, you know, because these things have to work every day, constantly system meticulously.

So those guys are machines somewhat, you know, and I'm not saying this in a bad, to shed a bad light on them. Absolutely not. I'm very respectful.

Same for coders. I mean, when they do something, it has to work.

Pen-testers were like artists, you know, you had to work one time. If possible, be brilliant. If the whole thing would burn after, we didn't give a shit. It was not important. We, we only need to breach one. We only get to be brilliant once. And that was kind of my pursuit by then somewhat.

So yeah, I did this for a while, and then I concentrated a bit more on, on defensive side of things, but I have to admit that pen-testing and social engineering ... in pen-testing was really a, a kick.

Raphaël

Can you tell us a little bit more about the social engineering aspect?

That seems to have been like a particular trait or skill of yours.

Philippe

Yeah.

I was, I mean, if we look at it with all honesty in the world, I was average plus in the technical side. So I could do a few exploits, a few smart stuff, but I was not the best, but in terms of cyber, in terms of social engineering, I was very creative.

And that is a part where you, you could win most of your initial access as we call them. And we still call them like this nowadays. So for example, if you had to breach sometime we had to breach in unlikely places, like, extremely unlikely.

And I remember one pentest we did for very large company, which had a subsidiary in China. And the guy was highly suspicious that the Chinese would snatch parts of the revenue for themselves and not declare the exact production, you know, and they told us, okay, can you breach into ... it's, it's a subsidiary of our own company. So I'm entitled as a CISO to ask you to pen-test it, except you can remove the, the test part. We just want you to penetrate it.

And I like, okay, okay, but we don't know nothing about the target, right? And they are Chinese, right?

Yeah.

And, and we found that initial access point, but they were not privileged enough. So we had to escalate somewhat internally and find better access. And the way we did it is to actually craft some specifically designed social engineering.

So by then we were phishing them with emails, and trying to drive by download them some kind of, executable that was, you know, in our favor, and this time it would just not work. We, we were sending stuff like, I dunno, lingerie, underwear, you know, shooting of Aubade, you know what is Aubade because you're French, right? So very high-end lingerie like Victoria's Secret for Americans.

And they didn't click on it. Actually, Chinese are not into b**bs and butts. You know, that was a conclusion we came to and we were like, okay, so how do we fish Chinese? Because the mindset is really different. And one girl told us, okay, you know what? You're doing it a hundred percent wrong. Just send poker chips.

Poker chips?

Yeah. Like free poker chips. They are all gamblers. They're all players. It's in our gene, our DNA. We cannot do any different. They will all click. Say you are offering like $50 in a poker chips, whatever. We tried that. My God, within an hour, we phished 50 different admins, you know?

So it's all about crafting the right message in the right culture at the right moment for the right age group. And you will likely breach.

Raphaël

That's crazy.

So it's extremely culturally dependent, and I guess like even now, I guess like, Gen Z must be very different to social engineer versus, you know, a 50-year-old IT admin that's used to working on traditional things.

Philippe

Oh my God. A hundred percent.

And you can see this geographical difference, cultural difference, age difference. You're right. The group changes everything. The method with which you will potentially pull your heist is very different.

But there's one that is really funny, I find, it's like, do you know how to phish a CISO?

Raphaël

An email from the board? Maybe, I dunno.

So, but, but, but then like, huh? Yeah.

Philippe

I, I've got one for you because you know, your podcast is aimed at, targeted at CISOs.

So if you want to phish a CISO, it's super simple. You send the brand new last solution about like catching every bad attacks and whatever. And you put the unsubscribe link at the beginning of the email and the guy will click on the unsubscribe link. That's what it is.

Raphaël

That's brilliant. Yeah.

Yeah, I guess sometimes you really need to use your, you need to know your targets really well.

Philippe

Yeah.

They're flooded with emails. They are flooded with new products and everybody got used to clicking the unsubscribe button, the unsubscribe link and so on, and nobody is digging so much into whether it's a legitimate page or not. You can host any kind of JavaScript, any kind of zero-day exploit on that page where the browser will land, or eventually phish for other information.

Or, or eventually will not kill this tab fast enough for you to, you know, switch to another type of this and have action on another software or, or internet website or...

Raphaël

Or email, which he was probably at before he clicked, et cetera.

Philippe

So, yeah, you can try that. It's really funny.

Phishing CISOs is a, is a real game if you want.

Raphaël

So, so that's very much on the kind of the attacker mindset.

Philippe

Yeah.

Raphaël

So now that you've moved a little bit more on the defensive mindset, and before we go into talk a little bit more about your current venture, what would you say, like how do you protect against phishing and social engineering? And, and I mean, my, my personal opinion is let's not kid ourselves. This is never going away. Right.

Like, like, so yeah. What do you think about that? How, how do you...

Philippe

Yeah.

Raphaël

How about we defend against you?

Philippe

Have you seen this meme, uh, of 2020 with a dustbin on fire being drained away by a flood? You know, it's been very famous, this garbage can with 2020 written on it. And I find the attacker mindset is a bit this.

You know, I don't care. I, I opened the, the garbage can. That, that was my goal. Now it's on fire. It's being drained away by a flood, whatever. Not my problem, not my circus, not my monkeys, right?

But in the defense game, you have to be right a hundred percent time. You have to be consistent. You have to find an angle where you will help the people. So you're right. There are two main initial compromise vectors.

The first one would be human and mainly related to phishing. And there are now solutions that I highly respect, and I rarely drop names of solutions, but I find that Proofpoint and the likes of Vade Secure are doing really good work here, because what they do basically is, they don't wanna break the business.

So they let you browse on the email that you are supposed to read, but they, in the meantime, they, they do a deep analysis of whatever was attached or whatever, and was in the email to be sure nothing is dangerous, but you're still opening your email right away. Like there's no delay.

Raphaël

Yeah.

Philippe

The thing is, if something then afterward was deemed dangerous, then your workstation is isolated and an admin will come to you and say, okay, I will clean up the stuff because actually that was dangerous. We knew it after, but that's not a problem.

And by doing this now, they, they're using a lot of different clients altogether and now saying, okay, there will be one sacrifice person, right? It may be you, Raphaël, for example. Okay?

So this is the first time we see this email. Raphaël is opening it. It, it's a sacrifice one, but not for the company, for all the users we have. And if we see the same signature of the same email and we saw Raphaël being compromised, then we will block this email everywhere else in the world at all our client places.

And I think, okay, we will always be one step behind on this front, but it's a really, really good answer to the phishing problem I find so far. And the other initial vector of compromise would be basically everything that touches on vulnerability in one way or another.

So it's, it's a wide range of stuff.

Raphaël

Yeah. So on that, I mean, on the, on the phishing and social engineering, what do you think is the contribution that needs to be brought in from technology such as the ones that you were, explaining here with Proofpoint and others that do similar things versus training? Because, you know, we hear a lot of people saying like, oh, I have a phishing problem. Let's train.

Does that really work?

Philippe

Yeah. Yeah.

In my experience, it works super well. I mean, we did this intrusion and then training of teams sometimes, in, at some places with some customers. And honestly, the next year when we tried the same tricks, they spotted us like from a long mile away. And it was like, when I say same tricks, it was the same kind of architecture, but obviously the content would be different, but no, no, it does work and people play the game.

The highlight I would give you and your listeners is put in perspective that what they learn at work will work for them at home. They will protect themselves at home in the same way they are dodging the bullets at work.

So basically when you train them in your company, you can explain that what applies here, applies there. And when they will be back home, they will have the safety guidance in mind and train on a constant basis. And that is super efficient.

And there are very, very few things, actually, you can say, that makes a difference. This is one of them.

The second thing that I really found make a difference is that you can tell them, you know, in every kind of those shenanigans, there is always a sense of urgency. So if you take back my poker chip, for example, it would expire in three hours. Sense of urgency.

If I send you something like, please unlock my access to whatever application we have, as a CEO. It's urgent. I'm in Singapore. I need to meet a client. There's a sense of urgency, you know, so it's a common trick to pretty much all, maybe not all, but the vast majorities of social engineering attack you can see. So sense of urgency is really, really something you could, you should be alerted on.

And another thing that could trigger the alert is if the way the person is interacting with you is different from usual. So basically in our company, we always interact through Slack, right? So if I have something to ask, I would ask through Slack, except if the person is disconnected and then I will leave him or her an email. But if the person is receiving a phone call or a text message or an email while she or he was logged in to Slack, he would say, okay, it's not like Philippe. It's not his tone. It's not his method. It's not his preferred communication channel. And all of this speaks for something fishy, right?

Literally. So, what I should do as a person is directly contact Philippe. I will never be reproached that I've been double checking the things. I will be reproached that I did not. So meaning in case of doubt, any doubt, you double check with another communication channel, and with those two or three rules, you know, of course there are longer trainings that are going in, in extent in all those places, but it's already something, a quick takeaway that will help you on a daily basis.

Raphaël

Great. Thanks for that.

Moving on to kind of a different area now. So, you were in kind of the offensive side of things. Can you tell us a little bit more about how you came to found CrowdSec, and a little bit more about what you do there?

Philippe

Yeah. Sure.

So we thought about with my CTO because he's half of the brain of the project really in terms of orientation and vision, shared vision. So what we thought is like, okay, look, the hashes of a malware, they can change constantly. You know, you change one byte, you have a different malware, a different hash, actually. So scanning for hash is basically useless.

Scanning for domain names. Well, you can reserve and book as many domain names as you want. You know, just add another digit at the end of it and you have a new domain name. It's super easy to phish, change, you know, mix and match with whatever need you have in, in your penetration testing.

So what is in limited quantity? What hurts the most the cyber criminals and on the other end, what are our strengths? What are our strong, strength when we're fighting against them?

Look at it in this way. IP addresses. Public IP addresses 3.2 billion in IPv4. There are a lot of IPv6. I can go into extent as to why it's not the solution either for them, but let's just focus for now on IPv4. Once you start burning their precious resources, then they use to scale their operations and keep anonymous, you start to dig into their finances. You start to dig into what hurts the most, into the most precious resource they have.

And we saw it, you know, during these conflicts. I'm pretty sure you looked into them because it was such a delight for us all. So we looked into the conflicts and what we saw is like the guys were constantly whining to get new IP addresses. Virgin ones that would not be known to EDRs and other tools in the market, and that crippled their operation. That slowed down the shit out of their operations.

So indeed it is where we wanted to focus. And now we had to leverage our own strength. What could be our strength? What is their strength already?

So their strength is like they can strike only once. Just have to be right once. They have the time on their side because they can attack any time they want. They don't have, they are not on the schedule or whatever. And when you find out, it's usually too late and the people are poorly trained, are not yet aware of things.

Uh, there is always a, a delay in between the new vulnerability on the market, on the black market, and when it's known on the public market, you know. And for, I mean, just to round it up on the macro scale, we made a mistake for the last 40 years. We've mistaken a complicated problem, a complex problem, sorry, for a complicated one.

So a complicated problem is that gravity, you know, relativity of Einstein, it, it takes a genius to solve sometimes, but one person can crack it. This is the definition of a complicated problem, right? So if you're a mathematician, if you're a physician or whatever, you can solve a super deep, complex, complicated problem by yourself.

A complex problem, on the other hand, is one that require collaboration, like sending people to the moon. No matter how smart you are, you cannot send people to the moon on your own, okay? You will need people to do the propellant, to do the rocket, to do the navigation instruments, to fly the rocket, to land on the moon and so on and forth. You need 3,000 or 30,000 people actually to, to pull this one.

So in cybersecurity, we said, okay, it's a complicated problem. Let's solve it like we solve complicated problem with more means where one entity, like, I dunno, JP Morgan, let's, you know, pull money on the problem and extinguish the fire with money. Well, the point is not every problem can be solved or dissolved in money, you know, contrary to what American usually thinks. And, and one soldier cannot defeat an army contrary to what Hollywood is thinking, right? So when you're alone against an army, you lose. Period. Right?

And then we thought to ourselves, okay, it's not a problem. Okay, let's do let's try something else.

Let's have AI. They will be able to spell their own names. Yeah. Mm. Who will, who will be able to fight against that? And we'll rename all the antivirus EDR. Yep. Mm-hm. And we'll have deception strategy.

Well, this miserably failed as well, you know. And we thought to ourselves then, okay, let's not use the one obvious stuff, our one strength. The fact that we're outnumbering them 10,000 to one, that would be too obvious. No, let's not do this.

Well at CrowdSec, we thought to ourselves, okay, let's use this. Just give it a try. You know, we never know. 10,000 to one is quite a, quite an interesting strength to pull.

So using our number, using these strengths of ours, we are fighting against their weakness, the number of IP address.

This is how CrowdSec was born.

Raphaël

Yeah. That's really interesting. Thanks for that kind of genesis story.

So how does it work and, and how does, you know, even your name is like CrowdSec. It's like, crowd-sourcing security is not a typical model, right? And also then there are plenty of questions that come up around can you trust this?

How do you get people on board? So, you know, does it work?

Philippe

Yeah, it does. I will tell you a bit more on how we organize this, but so far we have around 70,000 installs in the world, and more or less each one of them is protecting two to three machines according to our KPIs. So it's probably 200,000 machines that are reporting the aggression they're facing. So how they report this?

First and foremost, we have an agent that is coded in Go and runs on BSD, Linux, Windows environments, whatever you have. It can run in containers, can run on the cloud, on premises, in VMs, whatever. Okay. It swallows logs, it acquires your logs. Those can be local logs, like journald, systemd, the like. They can be concentrated logs, like stuff like Elasticsearch, Splunk, you know, or they can be online logs like cloud logs, like AWS CloudTrail, Microsoft Defender, Azure Defender and so on and so forth. In those logs, the agent will be looking for bad behavior.

We have a bank of 50 different behaviors so far. A bit more, I think, now, and you can look for everything you want. You know, it could be like credit card fraud. It could be port scan, web scan. It could be DDoS Layer Seven. We obviously don't deal with DDoS Layer Three, network DDoS. It can be ransomware lateral movement. It could be scalping from the bots or harvesting of your catalog or whatever.

Once the agent found a bad behavior and you could call this agent an IDS, even though it's not very trendy, it's kind of what it is. It's an IDS for public resources. Like, now you can instruct a second component to block it, to remedy the problem.

Basically, we separated those two components because it's extremely unlikely in modern architecture that you have your log pit in the same place as you have your protection devices. Likely your protection devices, for example, can be a firewall. Then this firewall, we send these logs into a log facility somewhere else in the system. So since they are not in the same place, we found out that it would be stupid to make the agent run in the same place as the protection would run.

So, the second component is the IPS, the prevention system, and we have a bank of 20. You can choose whichever one suits your need the best. You can send a CAPTCHA, for example, if you're an eCommerce platform and you don't want to lose any business on an eventual false positive. You can feed those IP addresses into your firewall directly, you know, with an IP set.

You can feed them in a reverse proxy, a load balancer. You can alert yourself with a script on an HTTP notification. You can send a multifactor certification, whatever you want, it's your problem. We just offer the component and they are free of charge.

All of this is free of charges, MIT Open Source.

And then, the twist is, since your machine has been aggressed, maybe the same IP address has been aggressing other machines in the same way throughout the world, right? So maybe IP A.B.C.D knocked at your door, knocked at Isaiah's door, knocked at my door, and so on and so forth, and we have a threshold. If this IP address has been knocking on too many doors too many times, and we have enough diversity in the reports, we will say, okay, this IP address is not having a behavior here.

It's having a reputation, because a behavior that is repetitive is a reputation, or becomes a reputation. And the point of it is to be extremely real-time, because the mistake that others did before us is that they snatched an IP address doing crap, they stored it in a database and forgot about it. And then, you know, 10 years later, you come and this address is still banned and you have no clue why, because it changed hands like 10 times.

So, the point of being efficient here is to create a real-time network that will respond to this in a real-time fashion. So, if an IP address starts to be aggressive, it's included in a block list. And as soon as it stops doing this, it's removed from the block list. That way you would not put business in disarray with false positives.

Raphaël

So it sounds like there are kind of two different levels to this.

There's kind of like the, I don't know, solo level, which is, hey, I have this tool that checks when I'm being attacked and then blocks it for me. And then there's the kind of like the, the value of the crowdsourcing, which is if enough, if it's happening to enough people, well, you can also block based on other people's signals, kind of like, as you, you know, you've got the intelligence of the, of the hive or, or however you want to call it.

So, a few things there, it obviously it's dependent on the number of people that you have on board. How do you convince them and how do you start? Right? Like, obviously once you've got a critical mass, that's great. But like, how do you get people on board at the beginning?

Philippe

Yeah, that's a whole point of network effect, so-called, you know, it's the promise to take off. Once you've taken off, you are unstoppable, but obviously you have to, to reach this critical mass you're talking about.

So the way we did it, so first of all, it's free and Open Source. The first friction to any adoption is the money. If we want to be the Waze of firewalls, you know, we have to act a bit like Waze, meaning the software has to be free. As simple as this. If you had to pay like 10 bucks for Waze, Waze would never have been what it became. That's as simple as it is. So free.

Second thing is Open Source, because it's taking over the world obviously, but you can dig into the source code and there's no SolarWinds in the making here. You can check that it's clean. It's, you know, been audited several times and anybody can check that the source code is clean, and you can adapt it to your own environment. Because there are just so many places to visit here. We have 800 different packages for Windows, Linux, BSD, all kinds of processors, all kinds of distros. It's a mess out there. So, you know, we could not possibly carry the whole weight on our shoulders alone.

And same here. There are so many type of behavior you could be looking for. Like, say for example, let's take something very exotic, but that could still be relevant. Someone doing crap in AS/400 logs from an IBM computer. Right? So it's someone playing in a bank and it wants to do stuff like we saw in France. Like there was this trader that modified his records and stuff. Well, okay. I mean, we don't have AS/400 obviously, but if there's someone smart enough, willing to use the software in this context and create the scenarios to detect this kind of bad behavior, the software allows for it. It's not a problem.

So the way we kickstarted, to answer your question, is to be compatible with the most different environments we can, as many environments as we can cover, as many different behaviors as we can cover. And this way we trigger a large adoption and, you know, Open Source is a lot of, uh, uh, last year... So, people are just spreading the word around them and saying, okay, you should try this one. It's replacing Fail2ban nicely, or it's doing this that this other software is not doing, or covering this angle that is usually super costly like, I don't know, for example, bot scalping, where you would use another software for that that would cost a lot.

So, usually it's really the way we do it. We use a lot of podcasts. We use a lot of forums, and Reddit, and you know, things like this, and that's pretty much what we did so far to, to get a bit of recognition and adoption.

Raphaël

So adoption, great.

Free is great.

You get the adoption, but at the end of the day, it's a commercial enterprise. What's the model for getting paid?

Philippe

Yeah.

And we never hid it. And I was told a hundred times not to say this, but I don't believe in the monk model. Right?

This school of Open Source that says that you have to be a monk and wear a robe and live from edible moss and little animals in the forest and never ever, you know, monetize whatever you're doing. That's bullshit. That's just bullshit. Sorry about this, Toman and others.

That's just bullshit because you know what? We have talented people. Those people can be paid like 150,000 bucks anywhere in the world right now. And they stay with us for a very simple reason: because they're properly paid as well, you know? And if we want this software to last for a long time, it has to be maintained over a long time, and companies have to trust us in this.

So if they see that we are feeding on edible moss, they know it's not gonna last for long, right? Here, the team is committed. They all have shares in the company first and foremost, you know? And they're well paid. So that's why we need to have an enterprise, a commercial enterprise venture here.

So we are backed by FOUNT, and we will be announcing very soon a new fundraiser. And this, FOUNT are, yeah, thank you. They're following us for a very simple reason: because they believe in this network effect that they are seeing under their eyes. Now they are asking, okay, but it's not just about the network effect. Alright?

How do you make money? And we make money because the people that are partaking in the network are getting the signals for free. And they are even getting an online console to see whatever is happening, for free. That's cool. Right?

But this online console is limited to seven days. If you want a month, you will have to pay a hundred bucks per month. The same goes if you want more signals, if you want signals from the whole network and not just what you're partaking in.

So say, for example, you're scanning for credit card fraud. You will get all the IPs that are doing credit card fraud for free. Now, if you want to have all the IPs we know about that are super dangerous at any given moment in time, you will have to pay. That's kind of normal. And if you don't partake in the network, and if you don't share any signals with the network, you will have to pay to access the data and those block lists. But we don't only have block lists.

We have 4.4 million IP addresses in one of the data lakes, which is called Smoke. It's any violation done in the last 15 days by any IP in the world. It's uncurated, so it's just a massive data lake that is just storing any context on what happened. And we have an extremely distilled, refined data lake, which is called Fire. And Fire is a block list. The one that is actively, proactively protecting you. Right?

So what happens is you can use Smoke, the huge database, to connect with your CTI because, you know, the threshold we put, because we are in a Zero Trust environment. We don't trust our users. We have to have a certain level of confidence in the signals we receive to integrate them into Fire.

It doesn't mean that an IP in Smoke is not bad. Usually they are bad, but maybe they are just below the threshold. And maybe you, Raphael, want to set the threshold at a different level. That's your point, you know? Or maybe you want to confront something you saw in your own logs with what we saw at CrowdSec as a crowd.

And this is where Smoke, the huge database, becomes very handy. And same here, it's a paid access.

Raphaël

So it sounds like the first thing is, well, hey, you know, you scratch my back, I scratch yours. You can participate without contributing, but then you need to contribute financially. Right?

Philippe

Exactly.

Raphaël

Or as long as you're, you know, it's give and take, sure, you can, you know, that works.

And it's a give and take on a kind of per type of, I don't know, module or detection, et cetera, that you're doing, so that you can't kind of abuse it.

And then the second one is more around, hey, you can get quality of curation, configurability. And this is typically, I imagine, gonna be more advanced enterprises that can afford, that are happy to pay, in a way, to change the threshold, to customize it for them, to take more of the granularity of the information that you get.

Philippe

Absolutely, and to add other sources as well.

So we have two other sources in the community block list, as we call it, Fire: the ones we are sourcing ourselves, like, for example, residential proxies that are kind of a pest lately for a lot of companies.

So basically, to explain to your audience, if they're not familiar with what it is, it's basically people renting their IP addresses, you know, at home, so that others can use them to scan, to interact with websites, or they would probably be banned already from it. We can add this kind of IP list into your IPs mix, into the list you're receiving, the block list you're receiving. We can add geographical data, like you don't sell to Pakistan and you don't want Pakistani IPs to come to your website. No problem.

Maybe you don't want any Tor exit nodes, or maybe you don't want any VPN exit nodes. It's up to you. It's entirely up to you. So this is the first category. This is the stuff we're sourcing ourselves, right? Now, there's a second category there.

These are the ones we are reselling. So anyone that has a meaningful curated list can integrate with CrowdSec and sell it to the users of CrowdSec and say, okay, if you like my flock of IP addresses, my group of IP addresses, you can rent them and you can subscribe to them.

And the last one we have, and it's probably the most interesting one, is people coming to us saying, you know what? I have an extremely curated IP address list concerning X, Y, Z.

For example, let's say Ledger. Ledger is this French company doing cryptocurrency wallets, right? They are building the wrong company, and they are seeing serious things in the blockchain space. Like IP addresses that are extremely aggressive toward the blockchain space. What we do here, they say, okay, we are not IP brokers. We cannot sell them. We don't know how to resell them. We don't know how to diffuse them or to curate them, but we're willing to help the community. If we give them to you, those IP addresses we've identified, will you give them back to the community?

Like, yeah, of course. Sure. Send us the IP addresses and the guy can subscribe to your own feed, you know. So that way, CrowdSec will evolve over time into being not only a kind of "meshed security", a global multiplayer firewall, but also integrate all sources from other horizons, and people will be able to select the ones they find correct, or comment on it, or if they can accept like 0.1% false positives or 1% false positives for a harsher list.

It's up to them.

Raphaël

That sounds great. Another question around Open Source is, how do you tackle the risk of manipulation, because it is open to everyone, right? Like poisoning, if you like, and things like that. How do you tackle that so that it isn't a problem?

Philippe

Okay.

So just to illustrate the two problems we can face here. So, poisoning, as you said, is like, if someone would say IP A.B.C.D is bad where there's nothing; it's just like a competitive approach to kill your competitor and say, okay, yes, these IP addresses are very bad and we should ban them. So this is a false report, actually. It's a false flag attack, somewhat. All right?

And the other thing is false positives. So, meaning someone fine-tunes these behavior scenarios and says, okay, oh my God, that's an attack, where it's just someone who failed their password twice, and that's not an attack. It's just someone that is drunk or whatever. It's no big deal. Right?

So we want to eliminate both because the principle of Fire, this extremely curated list, is it's just 0.5% of Smoke. So basically Smoke is 4.4 million IP addresses and Fire is around 20,000. But what we guarantee the people using Fire is there's zero false positives, there's zero poisoning attempts. And, yes, it's a bit "loose". We don't intend to be the perfect silver bullet, whatever. We just intend to never be in the way of business and yet provide an extremely high level of security.

So the 0.5% of IP addresses account for 92% of the attacks on any given server over the internet. So it's already extremely efficient.

Now, how do we get rid of the two problems, poisoning and false positives?

Well, everybody in the network is potentially an entity. Microsoft is an entity. Akamai is an entity. You are an entity. I am an entity. What we define by entity is not the number of IP addresses, because if you have 1 million IP addresses, all of a sudden you could push the consensus, this algorithm that is deciding whether an IP should make it to the block list or not.

So, it's not about the number of IP addresses you have. It's about how different you are from the others: coming from a different autonomous system, coming from a different IP range, using a different kind of footprint on your machine, having installed CrowdSec at different moments, reporting different signals, right?

So this is what we consider the diversity of the person that is reporting, the entities that are reporting. And now also you have a period of six months where we will just not listen to you. At all, right? Because we don't trust you yet, and we will only trust you after six months. So, meaning if you want to pull an attack right away, you will have to wait for six months and reinforce us with true signals for six months before eventually losing all your hard-acquired reputation all of a sudden.

And then we have three other mechanisms that are here to counterweight those reports from the community.

The first one would be a whitelist. You're not allowed to block Microsoft Update. You're not allowed to block Akamai core IPs. You're not allowed to block Googlebot or 1.1.1.1, 8.8.8.8, 9.9.9.9, and so on. There are certain IPs you're not allowed to block. Period. They are whitelisted.

Second thing is, we have a botnet of our own, a honeypot network of our own, sorry, just for the sake of checking, you know, here and there, samples, and seeing if they're accurate or if they deviate from what we see ourselves. Right?

And the last one would be AI. So, we are not an AI provider doing identification of NFTs with machine learning, whatever crap. We're just basic users, you know. Like if a signal has an extremely low signal-to-noise ratio, sorry, like one IP address scanning 10,000 machines is extremely loud, right? 10,000 machines scanning only one port of every other IP address are very, very stealthy because they are just knocking on one port, each of them, and you would not ban them for that, right?

Or maybe IPs A, B, C, D are working as a cohort. The first one is scanning. The second one is compromising. The third one is extracting the data, or the first one is doing whatever command and control system. So, the goal of the AI is to see if a group of IP addresses are working in a cohort fashion.

Raphaël

So, trying to obfuscate behavior because they're, like, using different signals so you can't correlate them easily, and that's why you need the, yeah...

Philippe

But it's extremely costly. Here again, we add a balance between how technically feasible it is and how costly it is. So if you want to do this, you will eventually reach your goal.

But as soon as we detect this, we will make you lose all your preciously acquired reputation as a user of CrowdSec. We will remove all your decisions, everything you've weighed in to say that those IP addresses are bad, and we'll integrate those IP addresses directly into the consensus saying those IPs are super dangerous.

So I'm not sure you would benefit from that.

And during six months, you would have reinforced us. So, basically, it's a bit like a blockchain concept, where it would be more costly to attack, you know, than the loot you would get out of it.

Raphaël

Yeah, yeah.

And cost and the financial aspects of that, the return, is the way to cripple attackers. Right? Hit them where it hurts, in the money.

We're nearly out of time so just to kind of wrap up, what's one thing that you would like to leave our listeners with?

Philippe

I think we are on the good path of being some kind of global firewall, you know, some kind of global first defense line, first line of defense.

So, join the army. Every time someone enrolls in CrowdSec, we are all stronger altogether. It costs nothing. It's done by professionals that have been tested and know their drill forever. It's been deployed in very large companies, banks, media outlets. You know, the DoD is looking into us and using it in the Pentagon and stuff. So it's super safe, super secure. You can use it, it costs nothing.

So basically, if you don't do it for yourself and to protect yourself better, do it for the others. Right? Look at this hospital that has been compromised lately in France or in the UK. Those guys can benefit from the crowd finding. By the way, we give them access for free, if they want, as well as for the army forces and the police, all the people of the good, right?

So we need you guys to enroll, if it's not for you, then for the others, and probably for both actually, because it's for the greater benefit of everyone.

Raphaël

Thanks so much, Philippe. CrowdSec, if you wanna look it up. Thank you for coming onto the podcast. I thoroughly enjoyed our conversation and really hope that you did too.

To those listening to the podcast, thank you for tuning in. Once again, this is the Ask A CISO podcast, and this is Raphael signing off.
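The consensus mechanism Philippe describes in the conversation above (an uncurated Smoke pool, a curated Fire list, weighting reporters by diversity rather than by how many addresses they own, a six-month probation before a reporter is listened to, a whitelist of infrastructure that is never blocked, and honeypot corroboration) can be sketched as a small model. The code below is an added illustration written for this page, not CrowdSec's code: the promotion threshold of three independent origins, the whitelist contents, the reporter and report records and every address in them are constructed assumptions, and "independent origin" is reduced to a distinct (ASN, prefix) pair for the sake of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Parameters for this illustration. The 15-day Smoke window and the six-month
# probation come from the interview; the rest are assumptions for the example.
PROBATION = timedelta(days=182)       # a reporter is ignored for ~6 months after enrolling
SMOKE_WINDOW = timedelta(days=15)     # Smoke holds every report from the last 15 days
MIN_DISTINCT_ORIGINS = 3              # assumed: independent vantage points needed for Fire

# Assumed whitelist: addresses that must never be promoted, whatever the crowd says.
WHITELIST = [ip_network(n) for n in ("1.1.1.1/32", "8.8.8.8/32", "9.9.9.9/32")]


@dataclass(frozen=True)
class Reporter:
    name: str
    asn: int           # autonomous system the reporter's machines sit in
    prefix: str        # the reporter's own address range
    enrolled: datetime


@dataclass(frozen=True)
class Report:
    reporter: Reporter
    ip: str            # the address being accused
    scenario: str      # which behaviour was detected
    at: datetime


def is_whitelisted(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in WHITELIST)


def build_smoke(reports, now):
    """Uncurated pool: every report still inside the window, grouped by accused IP.
    Nothing is filtered here beyond age; Smoke is for enrichment, not for blocking."""
    smoke = {}
    for r in reports:
        if now - r.at <= SMOKE_WINDOW:
            smoke.setdefault(r.ip, []).append(r)
    return smoke


def distinct_origins(reports, now):
    """Consensus weight = number of *independent* trusted vantage points.
    Reports are collapsed per (ASN, prefix), so one participant with a million
    addresses still counts once, and reporters still on probation are ignored."""
    trusted = [r for r in reports if now - r.reporter.enrolled >= PROBATION]
    return {(r.reporter.asn, r.reporter.prefix) for r in trusted}


def build_fire(smoke, now, honeypot_hits=frozenset()):
    """Curated list: IPs seen by enough independent trusted reporters, never
    whitelisted. A sighting on the operator's own honeypot network counts as
    one extra independent origin (assumed weighting)."""
    fire = set()
    for ip, reports in smoke.items():
        if is_whitelisted(ip):
            continue
        weight = len(distinct_origins(reports, now)) + (1 if ip in honeypot_hits else 0)
        if weight >= MIN_DISTINCT_ORIGINS:
            fire.add(ip)
    return fire


def disqualify(reports, reporter_name):
    """Drop every report a reporter ever made, e.g. once it is caught poisoning."""
    return [r for r in reports if r.reporter.name != reporter_name]


# Constructed sample data (documentation ranges, not real reporters or attackers).
NOW = datetime(2022, 6, 1)
alice = Reporter("alice", 64496, "198.51.100.0/24", datetime(2021, 1, 1))     # trusted
bob = Reporter("bob", 64497, "192.0.2.0/24", datetime(2021, 3, 1))            # trusted
carol = Reporter("carol", 64498, "172.16.0.0/16", datetime(2021, 6, 1))       # trusted
big1 = Reporter("bigco-node-1", 64500, "10.10.0.0/16", datetime(2020, 1, 1))  # same origin as big2
big2 = Reporter("bigco-node-2", 64500, "10.10.0.0/16", datetime(2020, 1, 1))
mallory = Reporter("mallory", 64499, "100.64.0.0/24", datetime(2022, 5, 20))  # still on probation

fresh = NOW - timedelta(days=2)
REPORTS = [
    Report(alice, "203.0.113.5", "ssh-bf", fresh),       # three independent origins -> Fire
    Report(bob, "203.0.113.5", "http-probe", fresh),
    Report(carol, "203.0.113.5", "ssh-bf", fresh),
    Report(big1, "203.0.113.23", "ssh-bf", fresh),       # many reports, one origin -> Smoke only
    Report(big2, "203.0.113.23", "ssh-bf", fresh),
    Report(big1, "203.0.113.23", "http-probe", fresh),
    Report(mallory, "203.0.113.9", "ssh-bf", fresh),     # reporter on probation -> ignored
    Report(alice, "1.1.1.1", "http-probe", fresh),       # whitelisted, never promoted
    Report(bob, "1.1.1.1", "http-probe", fresh),
    Report(carol, "1.1.1.1", "http-probe", fresh),
    Report(alice, "203.0.113.40", "ssh-bf", NOW - timedelta(days=20)),  # too old for Smoke
    Report(alice, "203.0.113.50", "ssh-bf", fresh),      # two origins + honeypot -> Fire
    Report(bob, "203.0.113.50", "ssh-bf", fresh),
]
HONEYPOT_HITS = frozenset({"203.0.113.50"})


def demo():
    smoke = build_smoke(REPORTS, NOW)
    return sorted(smoke), sorted(build_fire(smoke, NOW, HONEYPOT_HITS))


if __name__ == "__main__":
    print(demo())
```

Running it shows five addresses in Smoke but only two in Fire: the address three unrelated reporters agreed on, and the one that two reporters plus the honeypot saw. The big participant's three reports collapse to one origin, the probationary reporter is not counted at all, and 1.1.1.1 stays out however many reports it attracts. Calling `disqualify(REPORTS, "alice")` and rebuilding shows the other half of the mechanism: once a reporter's history is thrown away, everything that depended on its weight drops back below the threshold.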

Raphaël Peyret

Raphaël Peyret is the Horangi VP of Product. He is an innovation enthusiast with an engineering and international background.
