KnowBe4 Sponsor (13:40)

And now a word from our sponsor, Know before it's all connected and we're not talking conspiracy theories when it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBeFor, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBefor's security coach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco 35. Vendor integrations and counting Security Coach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real time coaching campaigns targeting risky users based on those events from your network, endpoint identity or web security vendors. Then coach your users at the moment the risky behavior occurs with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more@knowbe4.com SecurityCoach that's knowbe4.com SecurityCoach and we thank knowbe4 for sponsoring our show.

Dave Bittner (15:14)

Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant. Philippe Humeaud is CEO and founder of CrowdSec. I recently caught up with him to discuss some of the biggest issues facing cybersecurity and how open source cybersecurity platforms can help combat them.

Philippe Humeaud (16:12)

Right now our biggest concern, I would say, is the fact that we expect AI to be weaponized. Not on the classical social layer when you try to hook people with crafted messages and spear phishing and crafted audio and video bits and so on, but rather on a purely technical standpoint. And we call this moai, Massively Multimodal Offensive AI. Sorry. And we think it's the next big.

Dave Bittner (16:44)

Thing for folks who aren't familiar with that. Can you describe to us what that entails?

Philippe Humeaud (16:50)

Yeah, sure. So mostly if you think about LLMs, it's somewhat similar. So take you're probably familiar with CTF, which is capture the flag. So in our world when cyber professionals are training, they often do what's called a ctf. So they try to compromise machines and they do this as fast as they can to get the most point. But all those attempts are logged, right? So they end up in a text file which can be easily parsed by an AI to learn how the best are doing and what are they doing. And then add to this the CVE databases that are pretty much freely available all around the globe. Some exploit databases, some metasploit, some academic paper research and stuff like that. Add all that together and you get a comprehensive guide on how to hack into any system. This is what the moais are learning from. They learn from actually humans doing research and they become extremely good at that after quite some training. But once it's ready, it can totally become a service like a ransomware as a service. You will rent an offensive AI as a service as well.

Dave Bittner (18:11)

Well, you are of course the founder of CrowdSec and you describe yourselves as an open source multiplayer firewall provider. Can we go through those one at a time with the advantages? I think most people are familiar with open source, but let's start there. Why open source when talking about provisioning your firewall?

Philippe Humeaud (18:34)

Yeah, so first I have to say that I'm not an open source zealot, right? I'm not an open source monk, someone that by default would go open source. I'm a businessman and I decided with my colleagues and co founders that open source would be the best way, the best route for us, which is fairly different. So we did open source this program, which is basically an ids, IPS and waf. So something that detect attacks, that remediate the attacks, and that also detect attacks on the web layer. So those are all the three acronyms I just gave you. So we decided to give it for free because we wanted the largest number to use it. And why that? It's because it's a bit like Waze. Every time Your server using CrowdStack is defending itself against an attack, it's sharing the IP address that has been aggressive towards itself. And we get signals from all around the world constantly, day in, day out, something like 10 million signals per day. And it gives us a map of IP addresses used by cybercriminals. And obviously we broadcast back this map to our clients.

Dave Bittner (19:36)

And so that's the multiplayer element.

Philippe Humeaud (19:39)

That's the multiplayer element, yeah. Actually it came from a joke. So people were always like, hey, how do you describe crowdsec? And I had a hard time at some point to describe because it's pretty disruptive. It's not something that's been seen so many times in the industry yet. So I was sometimes at the very beginning, first I had a hard time to define it really properly and one of my friends at Google said, hey, you know what, you're a multiplayer firewall. I'm like, hey, I like the sound of that. It's quite true. We also describe often enough as a ways of firewall. So basically why is it like this? Because since we share with each other the dangers of the digital highways and we tell where are the dangers and who you should not be pairing with, there's something awfully similar with Waze as well.

Dave Bittner (20:23)

It's a great analogy. It reminds me, I was on a road trip with my father recently, who's quite a bit older than me, and he was looking at the Waze display up on my dashboard. And he said what are all those little dots on the road? And I said those are other people using the same system that we're using. So that's how it knows how fast the road's moving ahead of us and if there's an accident or something like that. So it's, I think that's really an effective metaphor for you.

Philippe Humeaud (20:51)

Yeah. And in the sense we have like, I don't know, probably 300,000 servers nowadays in the system that are sharing the attacks they receive in real time. And you know, ways they are using your position, your heading and your speed basically and your unique phone identifier obviously to assess whether there is a problem or not ahead of you. And we do pretty much the same. We just use the IP address, the type of behavior it tried to play against your servers and the timestamp. And this is all we need to actually compute this real time map of IP addresses used by cybercriminals.

Dave Bittner (21:28)

I think it's fair to say that these IP attacks are heading in one direction, that we continue to see more and more of them that's growing in size. What are your recommendations for folks to best protect themselves these days?

Philippe Humeaud (21:43)

Yeah, so regarding servers, because obviously it's totally different when you speak about like workstations. Workstation is all about having a proper EDR AXDR or whatever, you know, glorified antivirus, proper MFA everywhere. We all know that. The thing is regarding servers, you don't have human interaction happening on the servers or very few actually. Sometimes admins comes and they check the logs or to check if something is broken and they fix it. But basically the servers are exposed to a ton of traffic, a lot of attention, something like probably along the lines of 2000 times per day they are pulled if they are not even known and a known server is pulled up to 4,000, 5,000 times a day. And if you are a bank or something like that, you're north of 200,000 times a day. So you want to automate that as best as possible and you want to get rid of, of the noise in the first place and say okay, I don't care about that. Those are very loud IP addresses. Those are the Gatling guns of the Internet. They're just like the humming of the microwave background, cosmic microwave background. They are the background humming of the Internet. It's just noise, it's not interesting. I don't need to do a lot of things to defend against this. It's really low hanging fruits attack. Now on the other end of the spectrum. There are people that are here to skin you alive and they know how to do it. So let's pretend for a second that we are a healthcare institution. Some IPs will be just a noise. Some IPs will try to reuse credential that they stole somewhere else. Some IPs will try to break into your website or your VPN or things like this. And some IPs we know for a fact they are specifically attacking healthcare industry.

Dave Bittner (23:21)

Why?

Philippe Humeaud (23:21)

Because they're not the protocols they know they use the habits or people are using the software, which software? And so on. So those one, even though there may be like a thousand or two thousand of them, only are far more dangerous than a million one just scanning stupidly your website, you know. So I think to avoid alert fatigue, what you need to do is automate and you know, leave this background noise in the garbage can. It's. It's really useless to deal with this, not even to store it, but pay extra attention to what is extremely qualified. Like the one that are trying to go after you specifically because you're a bank or a media or whatever. All the one that have attack patterns that you know can strike you in the back, like I don't know, credential Reviews or Expectations, 0 Days, CVS as things like this.

Dave Bittner (24:08)

All right, well, I think I have everything I need for our story here. Is there anything I missed? Anything I haven't asked you that you think it's important to share?

Philippe Humeaud (24:17)

Yeah, I think sharing is the key here. I mean we can try to diffuse endlessly payloads, right? The one that are like the rockets. When you think about the missile, you think about the rocket itself and you think about the payload. And the payload is obviously dangerous, but if you neutralize all the rockets, the payload is never going to reach you. And this is what we should all do. We should partake all together to defuse all the rockets. And that way we receive far more, far less, sorry, payloads. That's why, I mean join the army. It's free, it's open source, it's available to everyone. It's called Cross Ex. So please join the club.

Dave Bittner (24:53)

That's Philippe Humeaux, CEO and founder of CrowdSec. Do you know the status of your compliance controls right now? Like right now? We know that real time visibility is critical for security. But when it comes to our GRC programs, we rely on point in time checks. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000 off. And finally, humans are experts at messing up. From losing our keys to occasionally misplacing a decimal, mistakes are just part of the human experience. To keep these slip ups in check, we've invented all sorts of clever checklists, double entry bookkeeping, and even writing not this leg on patients before surgery. But now we're integrating a whole new kind of AI. Unlike us, AI doesn't get tired or distracted, but its errors? They're a breed apart. While a human might flub a math problem, AI might suggest that cabbages eat goats or forget what money is mid task. A piece by Bruce Schneier and Nathan Sanders for IEEE Spectrum suggests the weirdness of AI errors lies in their unpredictability. They don't follow human patterns, making them both fascinating and unnerving. However, AI isn't entirely alien. It shares some human quirks, like repeating familiar terms or falling for social engineering tricks. It's also distractible. Get it to process long documents and it might zone out halfway through. Dealing with AI mistakes requires creativity. Asking the same question multiple ways or cross checking its output can help, since machines are endlessly patient with our nitpicking. And while we can train AI to make more human like errors, it's clear we need systems tailored to its peculiarities. The key is balance. Use AI where it excels, like processing vast amounts of data, but don't expect it to replace human judgment. After all, whether it's a person or an algorithm, everyone benefits from a second opinion, especially if goats and cabbages are involved. And that's the cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show. Every week, you can find Grumpy Old Geeks, where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com this episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Penny. Our executive producer is Jennifer Ibin. Our executive editor is Brandon Carp, Simone Petrella is our president, Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomor.