3 min

Crowd security: successfully fighting cyber attacks together

Collaborative security for computers, servers, containers, and even cloud services on the Internet should enable a modern version of the fight against intruders. Is crowd security just a myth, or can the technology be a suitable tool for the challenges of the coming years? The answer to this question is not simple, but it is clear that these systems will play a more important role in the future.

Cybercrime - Thomas Joos - 26 April 2022
Thomas Joos

Thomas Joos is the author of more than 100 reference books and of thousands newspaper and online articles. He writes books for Microsoft Press, Addison Wesley and creates video trainings at LinkedIn Learning. He is one of the most successful authors of IT books in Germany. Thomas Joos is also a freelance journalist for the German Press Agency (dpa) and for Techtarget. His articles also frequently appear directly in Microsoft-Documentation.

View all posts

Crowd Security takes an approach in which a community fights cybercriminals together. The technology is modeled on Fail2Ban. Tools such as CrowdSec (https://crowdsec.net/) and other solutions collect signals from the community’s computers and evaluate them. Such intrusion prevention systems (IPS) usually collect data from numerous sources via agents. Using the example of open source IPS based on Crowd Security, the solutions can evaluate the collected data from all participants and protect the members of the community based on the collected data. The sources are for example syslog, cloudtrails, SIEM and other information. The members of the community receive information of the evaluated data and can build their own intrusion detection system (IDS). The sending and receiving of information can also be completely automated by the crowd security system.

In such a system, all participants can use the data collected by the community for their own protection and fight cybercriminals together by benefiting from the power of the said community. Important basis of protection through crowd security is not only the IP addresses of attackers. By collecting and evaluating data, the community can identify and verify the IP addresses of the attackers and thereby block access from these IP addresses.

Crowd security works locally and acts globally

The software used in a crowd security network works locally, but can access community data from the Internet. This allows IP addresses of attackers in the community to be detected by the agent of the crowd security software using this data from the community in the local data center. If the agent detects new IP addresses, it can in turn upload them to the cloud, and after verification, these new IP addresses are also made available to the community. This results in a system of collaboration that benefits all participants.

Crowd security works with scenarios

To work with crowd security, not all security areas need to be covered with the solution. The individual areas and attack possibilities can be divided into “scenarios”. One such scenario can be the exploitation of the Log4j vulnerability. It is also possible to add your own scenarios. This allows organizations to determine which potential attacks should be defended against by the crowd security system and which of an organization’s own information it wants to contribute to the community’s common fight. The scenarios are often defined as YAML files and can be easily integrated into an organization’s own environment.

Crowd security systems still work in parallel with honeypots to attract attackers. The data collected here is also available to the general public. This allows very reliable reputation databases to be created and made available to the community. The flexibility of crowd security is therefore an argument in favor of using the technology. Companies do not have to replace their entire security, but can implement individual areas of the solution, evaluate them, and expand the solution based on their experiences.

Non-validated information is a disadvantage in crowd security

Of course, in a community, each participant can publish security information that the other members are supposed to trust. However, there is no guarantee whether the information is correct or incorrect. Therefore, a crowd security system is only useful if the posted and analyzed information is verified. Good systems are able to do this and also provide qualified data to the participants. False-positive IP addresses can be prevented by using a consensus algorithm.

Data protection and crowd security

The elementary basis of crowd security is the exchange of data in the community. The crowd security system collects data on its members’ devices and processes this data. Of course, data protection plays an important role in this, in Europe for example the GDPR. For this reason, organizations need to pay more attention to data protection when Crowd Security is used.


Cybercriminals also often act as a community. Here, an opportunity to successfully combat attackers may be to also act as a community. It is important to note that the data collected is verified and goes through a consensus algorithm. This ensures that the data collected is also reliable.

Open source systems are a great advantage for many areas of application because a community can often solve problems more effectively than individual organizations. Crowd security can also become an important tool in the security sector, which can be used in parallel with established systems. Modern systems now support most Linux distributions, but also macOS and Windows. As additional protection, crowd security can bring similar positive experiences to those already integrated into spam protection solutions today.

Send this to a friend