
I'm Philippe, co-founder and CEO of CrowdSec. I'm delighted to be here at BSides Newcastle, and I wanted to talk with you about swarm cyber defense and how to make it a reality. But before we jump into the subject, let's speak about what cyber security is and is not, actually. Cyber security is not a complicated problem, and it's always mistaken for one. A complicated problem is the theory of gravity, right? This one is complicated, but one person can nail it. This is the definition of a complicated problem: it takes someone extremely intelligent, yes, but one person can nail it. A complex one, though, is sending people to the moon.

You cannot make it a one-man mission, right? You need collaboration on a large scale, you need many people involved, many fields of engineering involved; you cannot do it on your own, as compared to the previous activity. So this is a complex problem, and for 40 years we've addressed a complicated problem instead of a complex one. We thought that the cyber security issue was a complicated problem. It's not. The proof is, we tried outpowering hackers, we tried building stacks that are infinitely complicated, with a lot of products, a lot of teams, a lot of money, and it failed. We know it failed: look at the number of companies that have been defaced or degraded, or that have been hit by ransomware. It failed. Outsmarting didn't work either: having this AI able to spell its own name, renaming antivirus to EDR, or having deception strategies, it failed, right? So why not do what we usually do to solve a complex problem, meaning teaming together, banding together, outnumbering them? The demographics speak for us. Why not have a participative approach instead?

And you know, cyber security is a very specific field, because it's one of the only fields in the world where money doesn't solve problems, right? We have a tremendous pandemic on our heads right now; for years, with billions, we could develop a vaccine, right, and this vaccination is proof that money can solve the problem somehow. At least in cyber security, companies have invested zillions of dollars: JPMorgan alone invests hundreds of millions of dollars in cyber security, just them, more than most governments in the world. And if you take all those companies, they had tremendous budgets, but nevertheless they got hacked. How come? Well, they are not stupid. Fundamentally, they are just running on this complicated problem again, but they are fighting against time. Everyone is fighting against time: it's the time between the vulnerability and the patch, the time before you can apply the patch, and the time between the intrusion and the detection. So time is never on your side.

The second thing that is playing asymmetrically against you as a defender is the perimeter. The perimeter exploded, literally. Before, we had a garden wall called the DMZ where we would store all the machines that were sensitive, and all the services and all the data. Now you have cloud drives, you have SaaS, you have containers, you have VMs, you have [unclear], all your machines are scattered all over the place, and they are not even in the same place, and you cannot use this DMZ anymore. And on top of that we had to create tons of VPNs, right, just to make things easier. So the perimeter exploded tremendously, so the attack surface exploded.
And the last thing is money. According to Deloitte, it doesn't cost even one percent for the attacker to attack you. And if you look at the figures, like JPMorgan was hacked, right? They spent hundreds of millions of dollars, but the people that hacked them didn't spend tens of thousands of dollars. So would you enter a casino where the odds are against you one to a hundred thousand? You would not go there, right? I would not. So since the castle strategy is over, let's try to do things differently. We have data; we need to share it, fine. It is scattered across the place, fine. And instead of fighting against the wind, let's embrace this paradox and say that what we really need to do, in the end, is to establish the trustworthiness of someone connecting to you. You know how secure it is to peer with ABCD, and you need to know it in the millisecond, right? And only reputation can do this, and only reputation on a very large scale can do this: a crowd system. And this is exactly what we're building here: a way of doing IP reputation, a local IPS sitting on your machines, which would easily replace your fail2ban or something like this, that all together generates a global CTI that benefits each and every one of us.

So how does this multiplayer, or massively participative, IPS work, actually? It's pretty simple. It's about looking into your logs, right, and seeing what's in there that could be interesting of some sort. If you use Splunk, if you use journald, CloudTrail or a SIEM, it's not a problem, all of this can be acquired. And then you apply scenarios. They could be your scenarios, they could be scenarios we design, they could be the community's scenarios, or maybe you design your scenarios and want to give them to the community. And this is the agent's job: it looks for a behavior that could or should be blocked, I don't know, maybe a credential brute force, or a credit card stuffing attack, or a layer 7 DDoS, or a PHP Armageddon of whatever sort, or a port scan, or a web scan, or a ransomware lateral move, whatever. When your scenario hits, you found someone, you found an IP that is dangerous, and then you can block it at any level you want, and this is the job of the bouncer. The bouncer can be, I don't know, an nginx one, a HAProxy one, a load balancer one and so on, a firewall one, a reverse proxy one. It could just send a kick to a script of yours and send you an alert in a Slack channel or on a SecOps desk, whatever. You can trigger multi-factor authentication, or if you're working on a web layer, for example, you can eventually send captchas; that works as well.
And then you found a bad IP, and we're interested. So this IP, if you want to (you don't have to, it's optional), you can share it with us, us being the community. But before sending it into the whole community, we will first make sure that this IP is a real one, a genuinely dangerous one, and not someone trying to send false positives or poisoning attempts into the data lake. Once we're sure about the fact that the IP is dangerous, well, all the IPS in the world are made aware that this IP is dangerous. You found an IP, it's shared with everyone, and everyone else is sharing their IPs with you, meaning your bouncers are actually instructed both by your logs and the scenarios that are deployed on your logs, but also by all the IPs that are found worldwide by all the IPS partaking in this network, making it extremely strong on the world scale.

And the behavior engine, we can already start with basic cyber security hygiene. I mean, we can do complicated stuff, complicated and convoluted scenarios and all, but let's start with the basics. Most of the high-end hacks that happened over the last year or two were not leveraging any zero day or whatever, right? It was just bad passwords, sorry to say; it was just unfiltered access; it was just your FTP being exposed where it shouldn't have been exposed; it was just an employee being compromised with a VPN and network at home. So already, let's cover the basics, and then we'll think about the complicated stuff later on.

So we can deal with layer 7 DDoS. It's pretty simple, somehow: we see it in the logs, we detect all those streams of attacks that are going to your server, and we instruct a Cloudflare bouncer to block ranges of IPs or countries on the fly, and your machine would recover in just under a minute, even with three gigabytes of bandwidth and 600,000 packets per second. So we can deal with this. We can deal with lateral move, somewhat; you know, a lateral move always starts with querying DNS locally, querying the Active Directory locally, querying the Bonjour service, so that you know what other machines are around you, or if you really are very violent you can still kick an nmap. We can create a very basic canary here with CrowdSec and listen to all those queries and block them, you know, and report them as a ransomware lateral move attempt to the CISO, for example, or to a SecOps desk, or to a SOC, whatever. And then there is resource abuse. Resource abuse is interesting; I'll skip this one because layer 7 DDoS is kind of already a resource abuse.

So let's talk about credential brute force, for example. It's pretty easy and yet it's so widely used. We're pretty sure nowadays that, you know, the SolarWinds attack started with a credential brute force, started with a credential. PHP Armageddons, you know, everything that is SQL injection, PHP crashing the machine, whatever, usually leaves traces in the logs. Port scan does, web scan does, credential and credit card stuffing do. We actually blocked a large credit card stuffing attack for a customer. What is interesting here about credential and credit card stuffing is that it's extremely difficult, on your own, to detect that you're being credential stuffed, for example, because you would have to know that this same IP used several identities over several different servers to be sure that this IP is implied in a credential stuffing attack. And if you're just defending yourself alone, you wouldn't know about it. It's because we all together work as a common IPS that we can do this. Scalping, scraping, all of this can be dealt with. As soon as something is spitting logs, we can analyze it and we can block it, and pretty much all the attacks, not all of them but pretty much all of them, leave traces in the logs.

So what we're up to, as you have probably understood by now, is a resource war. The hackers use stolen IPs to cover their names and their position, so that no one can dox them and so that the FBI doesn't come at six a.m. in the morning to ring at the door, because they are not morning people, as we all know. So stolen IPs provide anonymity. What we are here to do with CrowdSec, with this community, is to peel the onion, burning these IPs one by one, day in, day out. We actually already have half a million of them in our data lake. It's a community effect doing this, and the point is we'll slow down tremendously the capacity of [unclear]. So this is some sort of crowdsourced cyber threat intelligence, right? Because what's a CTI, in the end? It's several servers running on a couple of clouds, right, and listening to attacks: I'm a vulnerable web service, I'm a vulnerable sshd, I'm a vulnerable VPN, whatever I am, I'm simulating that, you know, you can attack me, and listening to what you're throwing at me. Well, if you look at the approach we're developing all together with our community, it's better, because we are not running fake services, which can sometimes be pinpointed; we're running on real services, and not on two or three clouds: we're all across the globe, on Amazon, on Akamai, on Google, or just individuals at home running the product in Iceland, in Togo, in Thailand, in the US, in Russia. We don't have any name, any place; we are everywhere and nowhere, actually.
It's nearly impossible to pinpoint us on a map; we're too many. We're actually already seventeen thousand in the world, in 110 countries, and counting, growing one percent per day, and resources, real servers, all across the place make it the biggest ever interferometer for hackers, you know, the biggest ever collective CTI effort. And yes, it's easy to grow because we don't sell anything; there's no catch. It's for free, forever, period. It's an MIT license; you can adapt it, you can embed it, you can put it wherever you want, we won't have anything to say. It's free forever. We don't have any need for monetizing the agent; it's not where we make money. We make money with people that are not sharing with us but still want to use the product: they want access to the CTI, but they don't feel like they can share their logs (and we don't actually export logs, only their signals, their meta signals), because maybe they have strong legal constraints, for example. So it's [unclear], it's transparent, and most of all it's open to contribution, and we have a community that is contributing, you know, sending new parsers, new scenarios, new bouncers, so that, you know, the system grows bigger and bigger and can cover more use cases by the day. So, better than a thousand words (and I probably used a thousand words, I'm sorry about that), a little demo.

So here we'll see how to install the product. You can use the Debian package directly, we are in Debian upstream, in the new Debian, in Bullseye, but otherwise you just install our repository, right, and it would be easy for you to just install the latest packages, because as we know Debian is very nice but sometimes packages are not all up to date. So you can install the product with just one command line, apt-get install, right, and it will detect that you have a Linux machine with an nginx server and you're running sshd, so out of the box it will provide you protection collections to protect those services. Later on we'll teach more things to our system, but all right, let's start with this. So we can initiate a Nikto, for example, and then we see right away in the logs that CrowdSec blocked the IP for HTTP probing, non-static crawling, sensitive file inclusions and stuff like that. So let's kill the attack and see what happened. With the little command line we can list the alerts that the CrowdSec agent saw and what decision it took: it decided to ban this IP for four hours, right?
But if we try to connect to the machine, we still can. How come? It's because, as I told you, CrowdSec is a two-part system. We want to be adapted to all kinds of environments, including the very large ones, so you detect at one place and remediate at another. So here we'll install the firewall bouncer, which basically just says: if there's an IP that has been blocked, the firewall has an ipset and it will refuse any further connection from that machine. It's a very simple bouncer, and as we can see it works: since our IP is in the list, it's been blocked, and we're not going to get any further connection from this IP.
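The pipeline the talk describes (logs in, scenarios applied to them, a decision against the offending IP, a bouncer that enforces it) and the demo just shown, condensed into a runnable Python sketch. This is an added example, not CrowdSec's code or its real hub scenarios: the sshd and nginx log lines are constructed, the scenario names, thresholds, sensitive-path list, 4-hour ban and allowlist range are assumptions chosen to mirror the demo, and a sliding window stands in for CrowdSec's leaky buckets.

```python
"""Added example (not CrowdSec's code): log -> scenario -> decision -> bouncer,
in miniature. All log lines, names and thresholds below are constructed."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# sshd line as syslog would write it, with an ISO-8601 timestamp (constructed).
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>[\d.]+) port \d+"
)
# nginx combined access log line (constructed).
NGINX_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|POST|HEAD) (?P<path>\S+)'
)
# Paths a scanner like Nikto probes for; this list is an assumption.
SENSITIVE_PATHS = {"/.env", "/.git/config", "/wp-login.php", "/phpmyadmin/", "/etc/passwd"}


@dataclass
class Event:
    ts: datetime
    ip: str
    kind: str       # "ssh-fail" or "http-probe"
    key: str = ""   # what makes two events distinct (here, the probed path)


def parse(line: str) -> Event | None:
    """Turn one log line into an Event, or None when no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), m["ip"], "ssh-fail")
    m = NGINX_RE.match(line)
    if m and m["path"] in SENSITIVE_PATHS:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return Event(ts, m["ip"], "http-probe", m["path"])
    return None


@dataclass(frozen=True)
class Scenario:
    name: str
    kind: str
    capacity: int           # events tolerated inside the window before a decision
    window: timedelta
    distinct: bool = False  # count distinct keys instead of raw events
    ban: timedelta = timedelta(hours=4)


SCENARIOS = [
    Scenario("ssh-bf", "ssh-fail", capacity=5, window=timedelta(seconds=10)),
    Scenario("http-probing", "http-probe", capacity=2, window=timedelta(minutes=1), distinct=True),
]
ALLOWLIST = ["192.0.2.0/24"]   # the talk's whitelist; stand-in range for a crawler


class Engine:
    """Scenario engine plus the in-memory decision store a bouncer consults."""

    def __init__(self, scenarios, allowlist):
        self.scenarios = scenarios
        self.allow = [ipaddress.ip_network(n) for n in allowlist]
        self.buckets = defaultdict(deque)  # (scenario, ip) -> (ts, key) inside the window
        self.decisions = {}                # ip -> (scenario name, expiry)
        self.alerts = []                   # (ip, scenario name, ts), what an alert list shows

    def _allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow)

    def feed(self, ev):
        if ev is None or self._allowed(ev.ip):
            return
        for sc in self.scenarios:
            if sc.kind != ev.kind:
                continue
            q = self.buckets[(sc.name, ev.ip)]
            q.append((ev.ts, ev.key))
            while q and ev.ts - q[0][0] > sc.window:   # drop events outside the window
                q.popleft()
            count = len({k for _, k in q}) if sc.distinct else len(q)
            if count > sc.capacity and not self.is_blocked(ev.ip, ev.ts):
                self.decisions[ev.ip] = (sc.name, ev.ts + sc.ban)
                self.alerts.append((ev.ip, sc.name, ev.ts))

    def is_blocked(self, ip, now):
        """Bouncer side: is there a live decision for this IP at time `now`?"""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        d = self.decisions.get(ip)
        return d is not None and now < d[1]


SAMPLE_LOGS = [   # constructed traffic
    *[f"2021-03-10T10:00:0{i}+00:00 web1 sshd[2101]: Failed password for invalid user admin "
      f"from 203.0.113.7 port 5123{i} ssh2" for i in range(6)],        # 6 in 5 s -> banned
    "2021-03-10T10:00:03+00:00 web1 sshd[2102]: Failed password for root from 198.51.100.20 port 40000 ssh2",
    *[f"2021-03-10T10:00:1{i}+00:00 web1 sshd[2103]: Failed password for root from 192.0.2.50 port 4000{i} ssh2"
      for i in range(8)],                                              # allowlisted: never banned
    '198.51.100.9 - - [10/Mar/2021:10:02:00 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Nikto"',
    '198.51.100.9 - - [10/Mar/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Nikto"',
    '198.51.100.9 - - [10/Mar/2021:10:02:01 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Nikto"',
    '198.51.100.9 - - [10/Mar/2021:10:02:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Nikto"',
]


def run_demo(lines=SAMPLE_LOGS):
    eng = Engine(SCENARIOS, ALLOWLIST)
    for line in lines:
        eng.feed(parse(line))
    return eng


if __name__ == "__main__":
    eng = run_demo()
    for ip, name, ts in eng.alerts:
        print(f"{ts.isoformat()} {ip} banned 4h by scenario {name}")
    print("203.0.113.7 blocked now?", eng.is_blocked("203.0.113.7", "2021-03-10T10:00:10+00:00"))
```

Two points the demo made are visible here: the decision store is separate from the parser, so the same decisions can be served to a firewall ipset, a reverse proxy or a script, and the allowlist is checked before any scenario runs, so a legitimate crawler hammering the server never produces a decision.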
So for the sake of the demo we remove our IP address; now we can connect again. So let's try another thing, let's kick the dashboard. The dashboard is a local container made with Metabase, and you will be able to see whatever happened to your machines, in a local way. You can forward all the alerts into a MySQL or just use a NoSQL local system, but basically this container will show you visually what happened. In the meantime, we can see that there are many bouncers already: for Caddy, for AWS, GCP, you can kick a script of your own, you can use an nginx bouncer, a WordPress one, whatever. So our dashboard is now ready, we can check whatever we've seen so far, meaning a few things actually, because we just did an HTTP scan, so there won't be many things in the dashboard, but nevertheless we start to see a few things, and we'll populate this dashboard, don't worry. So we see the number of scenarios that have been triggered, by which IP, where it came from, you know. So now let's check our logs again, and we see that this machine is actually logging the packet drops: you know, when someone is connecting to the machine but is not allowed, the firewall drops it and logs it. So we can teach our dog a new trick.
We can teach it to actually deal with iptables logs (iptables or nftables, by the way), and as we see now, if we look at the logs and we initiate an nmap scan, we'll see that the nmap is blocked right away for a multi-port scan, and that our IP has been included into the ipset and the firewall will be blocking us, which is a decision that has been taken for the multi-port scan, as was the one for the brute force we did just before, and yeah, we can't connect anymore. Now, the fun thing is you can replay all logs if you want, you know, in the context of forensics, for example, or maybe you just want to see if your scenarios are fine-tuned and are catching whatever you want to catch. So here we are replaying logs that are a year old and we see, you know, everything that is detected, like HTTP probing, file inclusion and so on and so forth, since it's a web service, and if we update our container, our Metabase, we see a lot more information, right? So this is it for the demo. It's a very simplistic one, because of course you can do way more things with the product. Oops, sorry.

Now let's talk about poisoning and false positives. It's a really big problem when you're running a large network and you're not sure that everyone is willing to collaborate positively in this network. If someone is trying to send us false information, we have to deal with this and not carry this information into the whole network. So we have a trust rank system. This trust rank system is based on how long you've been in the network, how reliable the information you sent to us was, and how consistently it has been correlated and integrated into the consensus. So once you've spent six months sending proper information, we consider you trustworthy and you can become a network validator, so you reach a higher consensus level, or a higher trust level. So if other people in the network are not yet at that level, you will be validating their signals, eventually, right, and they will rise in trust rank as well. And we can, as well, trust other peers if they are sending truthful information, because we have a honeypot, our own honeypot, that can serve as a bootstrap, a kickstart, sorry, of our visibility on some technologies that we don't know yet, or that are new, or where we don't have enough watchers yet in the consensus. Maybe we have not enough PrestaShop, for example; then we will start many PrestaShop systems to check, you know, if we have good visibility over it. Long story short, our honeypot is here to double-check other signals.

We have a whitelist as well, very important, because we don't want to ban, I don't know, Googlebot. Googlebot has a very aggressive behavior because it's in a rush, there isn't much time for your website, it's got a lot to do, so it's crawling very, very fast, and it can be considered aggressive and wrongfully banned. We don't want that to happen, right? So in the whitelist are IPs that you cannot block or ban, like Googlebot, like Gmail, like [unclear], like Cloudflare IPs, like Microsoft Update and things like this.

Outgoing from them, we had to write predictive algorithms. We triggered one or two investors earlier, they were like "oh, AI and security and SaaS and IPS and stuff and crowd, it's a bingo, [unclear]". So I don't know, AI has been around for, I don't know, 20 years, it's used day in, day out, but they still are, you know, triggered by stupid stuff. No matter. We use algorithms to be sure that if an IP, or rather an actor, is distributing his attack around several IPs, a lot of IPs, just to go under the threshold of noise that we can detect, we would see it: if IPs A, B, C and D are working together to achieve something but are not noisy enough to be caught by our scenarios, we will still see it through this algorithm, and once it's done we integrate it into the IP reputation system and distribute it around the globe.

Or actually, it's a little bit more complicated, but a little bit more interesting as well. All the IPs that are collected by the agents are going into the smoke data lake, right? Whatever happens, whether they are confirmed or not, into the smoke data lake. We can distribute those IPs to reinforce your CTI, your SIEM, your SOC team, your SecOps operations, so that, you know, you have a good view of what's happening with this IP; you confirm what you found yourself, but it's just smoke. But there's no smoke without fire: if the IP has been confirmed by the network, by the consensus I just explained before, it enters the fire data lake, and the fire data lake is banned, right? It instructs all the IPS all over the world that this IP should not be trusted under any circumstances and you should deal with it, whatever the way you deal with it: it could be blocking, it could be, you know, reporting, it could be whatever, the bouncer has to do something. So it instructs all the bouncers worldwide to do something against it. This is the fire data lake, sorry.

And as a matter of fact, we are GDPR compliant, so it's less important than it used to be for the UK because it's a new regulation, but jokes apart, it's important for us all to have a private life, right, and we're very serious about that at CrowdSec. So we do not export your logs, ever. They stay local, you treat them locally with the agent, and we just get back the timestamp, the offending IP and the behavior it had, and this is enough for us to protect everyone else and have this IP dealt with by the consensus or the smoke database. And you don't have any online dependency, and by the way, if you don't want to share anything, you can. The way we make money is through fleet features for very large corporations. We have a tier one hosting company working with us and they want to have instrumentation on a large scale, you know, to pilot and deploy and have an overview of what's happening across the network. Those are our customers. Or we can also sell API access to our CTI to people that are not partaking in the effort. If you're sharing with us it's free for you, including the CTI; if you're not sharing with us you're not, you know, reinforcing the system, so you pay for your access, as simple as that. To date we already have 17,000 plus installations across 110 countries in under a year, right, so it's growing by the day. We have already blocked or detected, say, 500 thousand malicious IPs, and the fire database is around 20,000 IPs, I think, to date, and it's growing.
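The trust rank, the honeypot as a double-check, and the smoke versus fire split described above, together with the earlier point that credential stuffing is only visible when the same IP is seen trying identities across several servers, as one runnable Python sketch. This is an added example, not CrowdSec's consensus algorithm: the reporters, their history, the trust formula (tenure times smoothed accuracy), the validator rule, the fire threshold and every signal are constructed assumptions chosen only to show the mechanics.

```python
"""Added example (not CrowdSec's code): trust-weighted consensus that keeps
reported IPs as "smoke" until enough trusted reporters agree ("fire"), plus
cross-reporter correlation for credential stuffing. All data is constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2021, 3, 10, 12, 0)
TENURE = timedelta(days=180)   # the "six months" mentioned in the talk (assumed)


@dataclass
class Reporter:
    name: str
    joined: datetime
    reports: int = 0     # signals sent so far
    confirmed: int = 0   # of those, how many the network later corroborated

    def tenure(self, now):
        return min(1.0, (now - self.joined) / TENURE)

    def accuracy(self):
        # Laplace-smoothed: a brand-new reporter starts at 0.5, not 1.0
        return (self.confirmed + 1) / (self.reports + 2)

    def trust(self, now):
        return self.tenure(now) * self.accuracy()

    def is_validator(self, now):
        return self.tenure(now) >= 1.0 and self.accuracy() >= 0.8


@dataclass(frozen=True)
class Signal:
    reporter: str
    ip: str
    scenario: str
    identities: int = 1   # distinct usernames this reporter saw the IP try


class Consensus:
    def __init__(self, reporters, fire_weight=1.0, min_validators=1):
        self.reporters = {r.name: r for r in reporters}
        self.fire_weight = fire_weight
        self.min_validators = min_validators
        self.smoke = defaultdict(list)   # ip -> every signal, confirmed or not
        self.fire = {}                   # ip -> total trust weight at confirmation

    def ingest(self, sig, now=NOW):
        rep = self.reporters[sig.reporter]
        rep.reports += 1
        self.smoke[sig.ip].append(sig)
        if sig.ip in self.fire:
            rep.confirmed += 1       # agreeing with a confirmed IP counts as accurate
            return
        who = {s.reporter for s in self.smoke[sig.ip]}
        if len(who) < 2:             # one reporter alone, honeypot included, never confirms
            return
        weight = sum(self.reporters[n].trust(now) for n in who)
        validators = sum(1 for n in who if self.reporters[n].is_validator(now))
        if weight >= self.fire_weight and validators >= self.min_validators:
            self.fire[sig.ip] = round(weight, 3)
            for n in who:            # everyone who reported it rises in trust
                self.reporters[n].confirmed += 1

    def stuffing_candidates(self, min_servers=3, min_identities=5):
        """Credential stuffing is invisible to one server: the IP tries a few
        identities on each of many servers. Correlate across reporters."""
        out = set()
        for ip, sigs in self.smoke.items():
            login = [s for s in sigs if s.scenario == "login-failure"]
            servers = {s.reporter for s in login}
            if len(servers) >= min_servers and sum(s.identities for s in login) >= min_identities:
                out.add(ip)
        return out


SIGNALS = [   # constructed
    Signal("newbie-a", "203.0.113.7", "ssh-bf"),                  # one report: smoke only
    Signal("newbie-a", "192.0.2.66", "ssh-bf"),                   # two newcomers agreeing
    Signal("newbie-b", "192.0.2.66", "ssh-bf"),                   #   still do not make fire
    Signal("newbie-a", "198.51.100.9", "http-probing"),
    Signal("veteran", "198.51.100.9", "http-probing"),            # weight ~0.89, below 1.0
    Signal("honeypot", "198.51.100.9", "http-probing"),           # honeypot double-checks -> fire
    Signal("newbie-a", "198.51.100.77", "login-failure", identities=3),
    Signal("newbie-b", "198.51.100.77", "login-failure", identities=3),
    Signal("veteran", "198.51.100.77", "login-failure", identities=2),
]


def run_demo(now=NOW):
    c = Consensus([
        Reporter("honeypot", now - timedelta(days=700), reports=1000, confirmed=990),
        Reporter("veteran", now - timedelta(days=300), reports=100, confirmed=90),
        Reporter("newbie-a", now - timedelta(days=10)),
        Reporter("newbie-b", now - timedelta(days=20)),
    ])
    for sig in SIGNALS:
        c.ingest(sig, now)
    return c


if __name__ == "__main__":
    c = run_demo()
    print("smoke:", sorted(c.smoke))
    print("fire:", c.fire)
    print("credential stuffing candidates:", c.stuffing_candidates())
```

Two things to notice when running it: 198.51.100.77 never reaches fire, because three low-trust reports do not add up to the threshold, yet it is still flagged as a stuffing candidate, since no single reporter saw more than three identities but the network saw eight across three servers; and 192.0.2.66 stays smoke however many newcomers report it, which is the poisoning resistance the trust rank is there for.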
Also, we have use case scenarios for many kinds of industries: hosting, universities, whatever. I mean, we block DDoS, botnets, credit card stuffers; we protect pretty much whatever can be protected, it doesn't have any typology. By the way, we're also preparing a Microsoft Windows port of the software. It's written in Go, so it's very easy to carry around, because those machines need some help as well. And in 2024 we hope we will be a million machines in our network, making it the biggest ever move against the cyber criminal industry, by having the biggest CTI on earth and a common product for us all to help each other. And that's it, that's pretty much it. I'm delighted I could speak with you all in Newcastle. I would have loved to be physically here, but you know, this problem we have with COVID didn't allow me to, but I'd be delighted to answer any questions if you have some.