Cyberattack attempts against companies and individuals alike happen almost every day, but this is not something that businesses talk about with a wider audience.
This essentially leaves every company and business owner to fend for themselves in the face of cybercrime. Meanwhile, if data about the attackers were shared among businesses, everyone would have a chance to better prepare for and fight against cyberattacks.
This is the approach of the open source and collaborative IPS (Intrusion Prevention System) provider CrowdSec. We sat down with Philippe Humeau, the CEO of CrowdSec, to talk about how joint efforts help in the evergoing battle against cybercriminals.
Let’s go back to the beginning of CrowdSec. What was the journey like since your launch?
Like most company creations, CrowdSec is an emotional roller coaster. But in the open-source world, your feelings are really put under pressure. When the community (people you’re literally giving to) likes it, it puts you in heaven; when it’s criticizing or being “unfair”, it puts you down. It gets deeper under your skin because you have to prove yourself more, because it’s free. But the counterpart is absolutely fantastic: adoption is faster than with any other business model. Seeing a network of professionals partaking in this adventure and using the product for other use cases, some of them not even intended in the first place, is really a fantastic feeling.
The journey has been great overall. VCs understood that we are after a network effect, and are not on our butt every other day asking for MRR. The community is patient enough to let us roll out new features and scenarios, and... Tens of thousands of machines are already partaking in the biggest CTI collection network ever. We finally fight back, all together, as a team, against cybercriminals. We know why we wake up in the morning and nowadays, it’s priceless to have sense in your work.
Can you tell us a little bit about what you do? What are the main challenges you help navigate?
Cyber-criminals are benefiting from four major unfair advantages.
Firstly, they team up together as a wolf pack, and most of their targets behave like isolated prey. They defend themselves but, even though the demographic speaks in their favor, they do not band together to face the danger. They very inefficiently spend truckloads of money to try to be “Captain America” facing the opponent army. Pro-tip, when you face an army alone, you lose, no matter the amount of equipment (i.e., budget) you have.
Secondly, the perimeter is bigger than ever. Basically, in two decades, we switched from a LAN vs WAN world to a messy one with SaaS, Cloud drive, containers, bare metal, VMs, IoT, VPNs, complex supply chains, and so on. There is obviously no way back here but this uneven surface, security-wise, is a blessing for cybercriminals.
Additionally, money doesn’t make a difference. You can spend $100 000 000 and be hacked by a cybercriminal who's investing not even $10 000. Would you ever play in a casino where your odds would be 1:10000? Well, this is what companies are doing day-in, day-out.
Lastly, there's time. Hyaluronic acid and botox won’t help you here. They choose the "when"; they get to the vulnerabilities before you get the patch. Time is on their side, and we all know this is the most powerful ally of all.
CrowdSec is here to rebalance the online war. We bring a tool to help everyone defend themselves for free, and also share the information about aggression with all the users.
We are a Waze of Firewalls if you want. We team people together, without them having to do anything else than defend themselves for free. Because, yes, it’s open-source and free. Now if you are a business and just want the real-time map of what IP cybercriminals are using, without partaking in the network, or if you want some corporate-grade features, we also have a premium SaaS model. This is where we make money.
You mention the importance of collaborative cybersecurity efforts quite often. Would you like to share more about this vision?
CrowdSec leverages our own forces and attacks their own weaknesses. We, Internet citizens, are outnumbering them 1:100000. We are just so many more, we just need to leverage this force. We can do so by attacking their weak point, which is anonymity. The CrowdSec network is lifting the masks they use to not be tracked and sued for their crimes by burning the IP addresses they shelter behind. Whether they rent them, steal them, compromise them or buy them, it’s time and money. And neither time, money, nor IPs are in infinite supply, contrary to what most think. (And no, IPv6 isn’t the next heaven for them, we can discuss it to an extent).
Strength and efficiency are found in the numbers, in the collaborative approach. Waze achieved what satellites, governments, and local authorities couldn’t. We’ll achieve the same, and by teaming up, we’ll outnumber cybercriminals, altogether.
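The two answers above describe the mechanism in words: each participant defends itself locally, reports the IP addresses behind the aggressions it saw, and everyone consumes the pooled signal. The following is an added illustration of that idea as a toy model, written for this page and not CrowdSec's own code or data model. It assumes sshd-style log lines (constructed here), a hypothetical "five failed logins from one IP" scenario, and a consensus rule requiring at least two independent reporters before an IP enters the shared blocklist, so that a single misbehaving node cannot poison everyone else's list.

```python
"""Toy model of a collaborative IPS: local detection, shared signals, pooled blocklist.
Illustrative code added to this page; it is not CrowdSec's implementation."""
import re
from collections import Counter, defaultdict


def _fail_lines(host, ip, n):
    # Fabricates n sshd-style failed-login lines (constructed sample data for the demo).
    return [
        f"Jan 10 10:00:{i:02d} {host} sshd[1]: Failed password for root from {ip} port {5000 + i} ssh2"
        for i in range(n)
    ]


# Constructed logs for two hypothetical nodes. 203.0.113.5 hammers both nodes;
# 192.0.2.44 only hits node B; 198.51.100.9 fails once (noise, not an attack).
NODE_A_LOGS = (
    _fail_lines("web1", "203.0.113.5", 5)
    + ["Jan 10 10:00:10 web1 sshd[1]: Accepted publickey for deploy from 198.51.100.7 port 6000 ssh2"]
    + _fail_lines("web1", "198.51.100.9", 1)
)
NODE_B_LOGS = _fail_lines("mail1", "203.0.113.5", 7) + _fail_lines("mail1", "192.0.2.44", 5)

# Matches "Failed password for <user> from <ip>" and the "invalid user <name>" variant.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")


def local_decisions(log_lines, threshold=5):
    """Hypothetical scenario: at least `threshold` failed logins from one IP -> local ban."""
    counts = Counter()
    for line in log_lines:
        match = FAILED_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


def share(signals, node_id, decisions):
    """A node reports its local bans; the pool records which nodes saw each IP."""
    for ip in decisions:
        signals[ip].add(node_id)


def community_blocklist(signals, min_reporters=2):
    """Consensus rule: an IP is shared only once distinct nodes independently reported it."""
    return {ip for ip, reporters in signals.items() if len(reporters) >= min_reporters}


def effective_blocklist(local, community):
    """What a node actually enforces: its own decisions plus the pooled ones."""
    return local | community


def run_demo():
    """Node C has seen no attack at all, yet ends up blocking the shared attacker."""
    signals = defaultdict(set)
    share(signals, "node-a", local_decisions(NODE_A_LOGS))
    share(signals, "node-b", local_decisions(NODE_B_LOGS))
    community = community_blocklist(signals)
    return effective_blocklist(local_decisions([]), community)


if __name__ == "__main__":
    print("node C enforces:", sorted(run_demo()))
```

The consensus threshold is the part worth keeping in mind when designing anything of this kind: a pooled blocklist is only as trustworthy as its least honest reporter, so a node's own ban should take effect immediately for that node, while the shared list should require corroboration (and, in a real system, reporter reputation) before it is pushed to everyone.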
How did the pandemic change the nature of cyberattacks? Did you add any new features as a result?
Well, intensity rose a lot, by 30% or more according to many reports, but I cannot really say the methods employed were new per se. What changed though, is that people were less protected because they worked from home and not from the office, and a lot of security tools just aren’t available in this context. So we saw a lot more phishing and spear-phishing attacks, supply chain attacks, VPN attacks, and such. The methods and tools were mostly known but their use varied during the pandemic.
We decided to develop a few axes to better defend and get more reactive on those, like having a Windows version of our agent. So, we launched an initiative to have a BGP community (soon) to block some attacks at the borders, and we work on scenarios that are targeting services more used during remote work periods, like VOIP or eCommerce.
What are threat actors usually trying to gain by taking advantage of IP addresses?
They use several IPs for several reasons. If I had to name a few, anonymizing their actions, being faster at what they do by distributing their workload on a larger surface, and evading counter-measures. Funny enough, you can use the number of IPs under the control of a cybercriminal body as a KPI to measure their might or efficiency somehow.
Are there any lesser-known features that make an organization an attractive target for cybercriminals?
Cybercriminal activity is very specialized nowadays. It all depends on the interest and know-how of the various actors. Some spy and steal intellectual property, some others are ransoming, some create exploits for others, some steal individual records or credit card numbers, etc. There are so many facets that it’s complicated to answer this question precisely. If we “zoom out” a bit, all groups have comfort zones. The harder the target, the bigger the loot usually is. So little birds are targeting individuals or SMBs, while mighty eagles are aiming for states or tier 1 corporations.
The ratio is always a time-benefit one. If your benefit is money, and, say, you’re in the ransoming business, you look for a mid-size, “auto-intrudable” company and access it with brute force to drop your malware. Automation became the backbone of cybercrime way before it was a DevOps thing for regular corporations.
In your opinion, what type of cyberattacks should website owners be prepared to tackle in the near future?
APIs drive most web-based interactions nowadays. Close to 80% of GET/POST requests are made between machines. Obviously, this is a very interesting target. I’d be on the lookout for all uncertified package sources like NPM and others. It’s very easy to plant malware in these very popular tools. In a general manner, be aware of the web supply chain, what you depend on, what your server, services, and code are intertwined with, and you'll have a good mental approach to the problem.
What tools do you think will become crucial to combat such threats?
On the web-layer I take it? Well, having a WAF / RASP sounds like a logical step. Add CrowdSec and run static code analysis + pentest on your exposed resources.
And finally, what’s next for CrowdSec?
Well, we intend to reinforce ourselves on VOIP, broadcast our signals through a BGP community, launch our Windows agent, be included in OpnSense and Synology (among 22 other environments on the 2022 roadmap), kick off our first premium offers in Q1, and probably raise funds somewhere in 2022.
A million machines protected by our network in 2024 sounds like a good target to reach.