
Sorting Through Haystacks to Find CTI Needles

Clouded vision

CTI systems face major issues such as the size and diversity of their collection networks, which directly affect the accuracy of their signals. This matters because raw data is only a decision aid, whereas actionable information can be turned against attackers. To illustrate how much the size and variety of a collection network matters, consider a large CDN provider. Its role is to deliver content over HTTP(S), so it only sees indiscriminate scanners and direct attacks at the HTTP layer. A large EDR/XDR system, in turn, only sees threats aimed at organizations sophisticated enough to deploy it, since not every company or non-profit can afford these tools. The same goes for honeypots: they attract a lot of attention, but no serious cybercriminal group will spend meaningful resources attacking a decoy.

Establishing a counter-offensive against cybercrime is essential, and the famous Conti leaks showed the actual pain points of a large cybercrime group. Money laundering, recruitment, and payroll are all expected, but changing, borrowing, renting, and cleaning IPs, installing tools, and migrating operations and C2 infrastructure is time-consuming and costly. Going after domain names means fighting in a practically infinite space, so it can be more useful to track and index malicious binaries, C2 servers, and IPs attempting to exploit known CVEs. This is still a reactive stance, however; since IPv4 addresses are scarce, it is more effective to be proactive and burn IPs as soon as they are known to be used by the enemy.

VPN providers, Tor, and residential proxy apps let cybercriminals borrow IPs, and cloud providers are not NGOs, so the size of an attacker's network is limited by money. To address this, CrowdSec was designed to protect businesses of all sizes across different places, geographies, clouds, homes, and corporate DMZs, and all types of protocols except UDP-based ones. It is a crowdsourcing tool with a network of 190k+ machines spread over 180+ countries, offering behavioral detection and automated remediation, as well as highly actionable cyber threat intelligence.

Finally, IPv6 is here, and 5G deployment will only accelerate its adoption. Even with a 2^128 address pool, the space is still limited in practice: not all v6 ranges are in use yet, and every subscriber gets many IPv6 addresses at once. To make the most of the data flowing from a large crowdsourced network, AI is a logical solution, as it can help distinguish between credential bruteforce, credential reuse, and credential stuffing. Coupling AI and crowdsourcing with CrowdSec is the best way to ensure effective protection against malicious IPs.
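The paragraph above makes two points a practitioner can act on: an IPv6 subscriber holds many addresses at once, so per-address counting undercounts a single source, and bruteforce and credential stuffing look different in authentication logs. The following Python example, added here and not CrowdSec's detection logic nor code from the original post, collapses IPv6 sources to their /64 before aggregating and then applies simple heuristic thresholds (assumed values, chosen for illustration) over constructed sshd-style log lines. Credential reuse, where leaked credentials are tried across several services, needs cross-service correlation and is not modelled here.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in sshd syslog style; not real log data.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[101]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar 10 12:00:02 host sshd[101]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar 10 12:00:03 host sshd[101]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 12:00:04 host sshd[101]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar 10 12:00:05 host sshd[101]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 10 12:00:06 host sshd[101]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar 10 12:01:01 host sshd[102]: Failed password for invalid user alice from 2001:db8:1::a port 40001 ssh2
Mar 10 12:01:02 host sshd[102]: Failed password for invalid user bob from 2001:db8:1::b port 40002 ssh2
Mar 10 12:01:03 host sshd[102]: Failed password for carol from 2001:db8:1::c port 40003 ssh2
Mar 10 12:01:04 host sshd[102]: Failed password for invalid user dave from 2001:db8:1::d port 40004 ssh2
Mar 10 12:01:05 host sshd[102]: Failed password for erin from 2001:db8:1::e port 40005 ssh2
Mar 10 12:01:06 host sshd[102]: Failed password for invalid user frank from 2001:db8:1::f port 40006 ssh2
Mar 10 12:02:01 host sshd[103]: Failed password for alice from 198.51.100.4 port 52000 ssh2
Mar 10 12:02:05 host sshd[103]: Accepted password for alice from 198.51.100.4 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Assumed thresholds for illustration; a real deployment would tune these.
MIN_ATTEMPTS = 5            # below this we do not judge a source at all
STUFFING_MIN_USERS = 5      # stuffing: many distinct accounts ...
STUFFING_MAX_PER_USER = 2.0 # ... each tried only once or twice
BRUTEFORCE_MIN_PER_USER = 5.0  # bruteforce: many tries per account


def normalize_source(src):
    """Collapse an IPv6 address to its /64 so one subscriber's many
    addresses count as a single source; IPv4 is kept as-is."""
    ip = ipaddress.ip_address(src)
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return str(ip)


def aggregate(log_text):
    """Per normalized source: total attempts, failures, distinct users."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = stats[normalize_source(m.group("src"))]
        s["attempts"] += 1
        s["users"].add(m.group("user"))
        if m.group("result") == "Failed":
            s["failures"] += 1
    return stats


def classify(s):
    """Label one source's stats as bruteforce, credential_stuffing or normal."""
    attempts, users = s["attempts"], len(s["users"])
    if attempts < MIN_ATTEMPTS:
        return "normal"
    failure_rate = s["failures"] / attempts
    per_user = attempts / users
    if users >= STUFFING_MIN_USERS and per_user <= STUFFING_MAX_PER_USER and failure_rate > 0.5:
        return "credential_stuffing"
    if per_user >= BRUTEFORCE_MIN_PER_USER and failure_rate > 0.5:
        return "bruteforce"
    return "normal"


def classify_log(log_text):
    """Map each normalized source in the log to its label."""
    return {src: classify(s) for src, s in aggregate(log_text).items()}


if __name__ == "__main__":
    for src, label in classify_log(SAMPLE_LOG).items():
        print(f"{src:20} {label}")
```

Run as a script it prints one line per source: the IPv4 host hammering `root` is labelled bruteforce, the six IPv6 addresses in `2001:db8:1::/64` are merged into one source and labelled credential_stuffing, and the user who mistyped a password once stays normal. Without the /64 collapse, each IPv6 address would show a single attempt and the stuffing pattern would be invisible.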
