Marvel has been entertaining us for the last 20 years. We have seen gods, super-soldiers, magicians, and other irradiated heroes fight baddies at galactic scales. The eternal fight of good versus evil. A little bit like in cybersecurity, where the good guys fight cybercriminals.
If we choose to go with this fun analogy, is there anything useful we can learn from those movies?
World-ending baddies always come with an army
When we watch the different Avengers movies, the first thing we notice is that big baddies never fight alone. Think Ultron and his bot army, or Thanos and Loki with the Chitauri. They all come with large, generic armies of clones and proxies that the heroes must fight through before getting to the final boss.
In the same way, serious cyberattacks are planned and delivered by organized, structured groups of cybercriminals, such as APT groups that sometimes have hundreds of members. In real-life scenarios, attacks come from IP addresses (one or many) belonging to machines that have been stolen, hacked, or bought by the criminals. Those IPs are their faceless proxy army, and if you want to get to the attackers, you first need to burn that IP army down.
So how do you do that? You can fight them alone and most probably fail, or you can team up with other superheroes, as the Avengers do, and have a fighting chance. The keywords here are teaming up and leveraging collaboration, or crowd intelligence.
Concretely, this means sharing information about attacks. Most attacks leave traces in system, service, or application logs that point to the attacker's IPs and the type of attack. Sharing those with other users lets them block the same IPs preventively if they show up in their own logs.
Imagine this: Ultron's minion IPs attack your server. Your IDS detects their activity in your logs, and if you have an efficient IPS, you block those IPs before they do further damage. But what if you share those Ultron IPs with your neighbor? Or with everyone on Earth? What if everyone on Earth blocks those IPs preventively? Ultron's army cannot do any more harm. All it can do now is stop conquering Earth (or build a new army). Either way, you won, and all because of the power of the crowd.
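To make the "detect, then block, then share" loop concrete, here is an added example (not CrowdSec's code, and not part of the original post) of the smallest possible IDS/IPS pair in Python. It parses a constructed sshd log excerpt, raises one signal per IP that fails authentication five or more times within a minute, and turns signals into time-limited block decisions that an enforcement point can consult. The log lines, the scenario name, the threshold and the ban duration are all assumptions chosen for illustration; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for public hosts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt, not a real capture. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for public hosts.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51432 ssh2
Jan 10 12:00:03 web1 sshd[1202]: Failed password for admin from 203.0.113.7 port 51440 ssh2
Jan 10 12:00:04 web1 sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51451 ssh2
Jan 10 12:00:06 web1 sshd[1204]: Failed password for root from 203.0.113.7 port 51460 ssh2
Jan 10 12:00:07 web1 sshd[1205]: Failed password for ubuntu from 203.0.113.7 port 51471 ssh2
Jan 10 12:00:09 web1 sshd[1206]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Jan 10 12:00:30 web1 sshd[1207]: Failed password for alice from 198.51.100.4 port 40030 ssh2
Jan 10 12:05:00 web1 sshd[1208]: Failed password for bob from 198.51.100.9 port 40101 ssh2
Jan 10 12:20:00 web1 sshd[1209]: Failed password for bob from 198.51.100.9 port 40102 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return (timestamp, ip, user) for each failed-password line; other lines
    are skipped. syslog lines carry no year, so the caller supplies it."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"], m["user"]))
    return failures


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """The IDS half: one signal per IP that produced >= threshold failures
    inside any sliding window of the given length. A user mistyping a
    password once, or two failures spread over 15 minutes, stays quiet."""
    times_by_ip = defaultdict(list)
    for ts, ip, _user in parse_failures(log_text):
        times_by_ip[ip].append(ts)
    signals = []
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                signals.append({
                    "ip": ip,
                    "scenario": "ssh-bruteforce",  # hypothetical scenario name
                    "count": end - start + 1,
                    "first_seen": times[start],
                    "last_seen": times[end],
                })
                break  # one signal per IP is enough to share
    return signals


def decisions_from_signals(signals, ban_duration=timedelta(hours=4)):
    """The IPS half: turn signals into time-limited block decisions (ip -> expiry).
    Bans expire so a recycled or cleaned-up address is not blocked forever."""
    return {s["ip"]: s["last_seen"] + ban_duration for s in signals}


def is_blocked(decisions, ip, now):
    """Check an incoming connection against the active decisions."""
    expiry = decisions.get(ip)
    return expiry is not None and now < expiry


if __name__ == "__main__":
    sigs = detect_bruteforce(SAMPLE_AUTH_LOG)
    bans = decisions_from_signals(sigs)
    for s in sigs:
        print(f"signal: {s['ip']} {s['scenario']} x{s['count']} "
              f"({s['first_seen']} .. {s['last_seen']})")
    print("203.0.113.7 blocked at 12:30:",
          is_blocked(bans, "203.0.113.7", datetime(2024, 1, 10, 12, 30)))
```

The signal dictionaries are the part worth sharing: they name the IP, what it did, how often and when, without leaking anything about the victim. The sliding window matters too; counting failures over the whole log would eventually flag bob's two honest typos.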
Iron Man did not defeat Thanos alone
Let's take a closer look at the Avengers' team roster. You all know their names and respective powers. But have you thought about how complementary they are? Hulk is the tank, Thor the heavy hitter. Cap is the strategist, and he can deliver some close-range damage if needed. Iron Man is the ranged-attack expert. Hawkeye is the sniper who never misses. And Widow is the perfect spy. They all bring different skills and powers to the table, which is what makes the team so efficient (and cool).
But back to cybersecurity. There are many tools out there that can help prevent attacks. Some are efficient in specific situations, but there is no one ring to rule them all (oops, wrong universe 😉). An EDR solution can protect your endpoints but will not help you counter a DDoS. A SIEM will help you centralize intelligence but will not actively counter malicious activity. An IDS will detect suspicious activity in the logs but will not act on it.
So, like the Avengers, you need a team of solutions that play well together and cover as many scenarios as possible. First, you need to detect and act: choose an IDS and an IPS. Combine them with a CTI feed to enrich your threat database with third-party data. Add some cybersecurity skills to operate it all efficiently, and you get the most effective combo to counter threats.
Is it easy to set in motion? Well, it definitely requires work. Interfacing those tools and making sure the data flows efficiently between all those components can be challenging, but in the end it is most rewarding.
From the Avengers to real-life heroes
Crowd intelligence and an integrated solution: this was the idea behind the creation of CrowdSec.
Cybersecurity is an asymmetric game in which attackers always have the initiative, which makes the problem hard to solve for most companies and people. You can throw money or technology at the problem, but neither guarantees a result.
CrowdSec proposes something new, something that has never been tried before at this scale: a collaborative IDS and IPS that uses crowd intelligence to block attacks. Users collaborate to build a curated IP reputation database, so that everyone is protected in real time against the Ultrons and Thanoses of this world. Put simply, users contribute signals (IP activity flagged as suspicious, anything from brute force to credit card stuffing, scalping, or DDoS) and regularly receive an updated blocklist of IPs that are to be shot on sight if they show up in the logs. Think of it as the Waze of cybersecurity.
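The word "curated" carries a lot of weight in that paragraph: a shared blocklist built by blindly merging everyone's signals would let one broken or malicious participant block an address for the whole crowd. The following added example (illustration only, not CrowdSec's actual curation logic or data format) shows the minimum a crowd-sourced blocklist needs: reports are only counted if they are recent, repeated reports from the same participant count once, an address must be flagged by several independent participants before it is listed, and private networks are never listed no matter what. The reporter names, scenario names, thresholds and the signals themselves are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Networks that must never end up on a shared blocklist, however many
# reporters flag them: a misconfigured participant could otherwise make
# everyone block their own LAN. Extend with your own public ranges, CDNs, etc.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _signal(reporter, ip, scenario, ts):
    return {"reporter": reporter, "ip": ip, "scenario": scenario, "ts": ts}


# Constructed signals from four hypothetical reporters A..D (not real data).
# 203.0.113.x, 198.51.100.x and 192.0.2.x are documentation ranges.
SIGNALS = [
    _signal("A", "203.0.113.7", "ssh-bruteforce", datetime(2024, 1, 10, 12, 0)),
    _signal("B", "203.0.113.7", "ssh-bruteforce", datetime(2024, 1, 10, 12, 5)),
    _signal("A", "203.0.113.7", "ssh-bruteforce", datetime(2024, 1, 10, 12, 7)),  # A again: counts once
    _signal("C", "203.0.113.7", "http-probing", datetime(2024, 1, 10, 12, 9)),
    _signal("A", "198.51.100.9", "ssh-bruteforce", datetime(2024, 1, 10, 12, 30)),  # a single voice
    _signal("A", "198.51.100.9", "ssh-bruteforce", datetime(2024, 1, 10, 12, 40)),
    _signal("B", "10.0.0.5", "ssh-bruteforce", datetime(2024, 1, 10, 12, 1)),  # private address
    _signal("C", "10.0.0.5", "ssh-bruteforce", datetime(2024, 1, 10, 12, 2)),
    _signal("D", "10.0.0.5", "ssh-bruteforce", datetime(2024, 1, 10, 12, 3)),
    _signal("B", "192.0.2.44", "http-probing", datetime(2024, 1, 8, 9, 0)),  # stale
    _signal("C", "192.0.2.44", "http-probing", datetime(2024, 1, 9, 12, 30)),  # stale
    _signal("D", "192.0.2.44", "http-probing", datetime(2024, 1, 10, 11, 0)),  # only fresh report
]

# "Now" for the example, so the freshness check is reproducible.
NOW = datetime(2024, 1, 10, 13, 0)


def build_blocklist(signals, now, min_reporters=3,
                    freshness=timedelta(hours=24), ban=timedelta(hours=24)):
    """Crowd consensus: an IP is listed only when at least `min_reporters`
    distinct participants reported it within the freshness window and it is
    outside NEVER_BLOCK. Each entry records who agreed, what they saw, and
    when the ban lapses unless fresh reports renew it."""
    reporters = defaultdict(set)
    scenarios = defaultdict(set)
    last_seen = {}
    for s in signals:
        if now - s["ts"] > freshness:
            continue  # old reports no longer count toward consensus
        addr = ipaddress.ip_address(s["ip"])
        if any(addr in net for net in NEVER_BLOCK):
            continue  # never let the crowd block private space
        reporters[s["ip"]].add(s["reporter"])
        scenarios[s["ip"]].add(s["scenario"])
        last_seen[s["ip"]] = max(last_seen.get(s["ip"], s["ts"]), s["ts"])
    blocklist = {}
    for ip, who in reporters.items():
        if len(who) >= min_reporters:
            blocklist[ip] = {
                "reporters": len(who),
                "scenarios": sorted(scenarios[ip]),
                "expires": last_seen[ip] + ban,
            }
    return blocklist


def is_blocked(blocklist, ip, now):
    """What a subscriber checks on every new connection."""
    entry = blocklist.get(ip)
    return entry is not None and now < entry["expires"]


if __name__ == "__main__":
    for ip, entry in build_blocklist(SIGNALS, NOW).items():
        print(f"{ip}: {entry['reporters']} reporters, {entry['scenarios']}, "
              f"expires {entry['expires']}")
```

With these inputs only 203.0.113.7 makes the list: 198.51.100.9 was flagged by one participant alone, 10.0.0.5 is private, and two of the three reports on 192.0.2.44 are too old. The `min_reporters` threshold is the crowd's defence against a single bad reporter; the freshness and expiry windows are its defence against punishing an address long after it was cleaned up or reassigned.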
Attackers hide behind IPs. If we, as a community, can burn those IPs, attackers will have no ammunition left and will back down.
If you want to join the CrowdSec community, check out the official website. Oh, and it's free and open-source!