Exciting early 2025 news!
This week we released the Threat Forecast Blocklist as a new feature in our SaaS Enterprise plan.
In this article, we take a deep dive into how the Threat Forecast Blocklist leverages the attackers detected by your Security Engines to build a personalized blocklist. This further improves the preventive remediation provided by the CrowdSec stack.
Overview
As part of the CrowdSec Network, you use the Security Engine to detect attacks and protect yourself. The signals you share with us tell us who the attackers are; we aggregate the most aggressive ones and feed them back to the Security Engines as a blocklist to prevent attacks before they happen. The security impact of this blocklist is massive. For most users, the Community Blocklist will block around 25 attacks for each attack prevented by the Security Engine ruleset.
As good as it is, the Community Blocklist does have blind spots. These blind spots emerge because the Community Blocklist has to operate on the network level and under a “one size fits all” approach. This means that attackers who restrict their targets in a significant way can sometimes fall through the cracks. To cover these blind spots, we aim to create specialized blocklists to cover as many use cases, industries, and behaviors as possible.
The Threat Forecast Blocklist is part of this ongoing effort, and we are proud to say it is one of the most sophisticated blocklists we have released to date and an excellent complement to the Community Blocklist.
This AI-powered blocklist allows you to preemptively block around 50% more attackers before they even reach your servers.
To put this number into context, let me share some background information. With the release of CrowdSec Security Engine 1.6.3, we introduced Remediation Component metrics. This addition allows us to monitor and compare the number of attacks blocked by the Security Engine with those blocked by our blocklists.
During public beta testing, we saw a ratio of 1 to 40 between these two metrics, meaning, for every attack that is visible at the Security Engine level, there are around 40 attacks being blocked at the blocklist level without raising an alert. This represents a significant improvement over the Community Blocklist, which only achieves a ratio of 1 to 25.
Community Blocklist — The global view
The Community Blocklist works on a rather simple system. In our backend, we aggregate all the signals we receive for each attacker and run those aggregates through a set of rules. Attackers that are particularly aggressive across a particularly broad number of defenders are added to the Community Blocklist to provide preemptive security to everyone within the CrowdSec Network.
Our ruleset ensures that this important mechanism cannot be gamed by antagonists and that the malicious IPs that make it into the blocklist are relevant to most defenders. The results speak for themselves! For most of our users, the Community Blocklist is 25 times more effective than the behavior rules of the Security Engine.
While the Community Blocklist rules are very good at identifying opportunistic attackers and bots that target the whole internet, they don't work quite as well for attackers that only target specific countries, devices or Autonomous Systems (AS). This creates blind spots in the protection of our users.
To fill these blind spots, we created a set of bespoke blocklists to protect against attackers that target specific countries or industries. With the Threat Forecast Blocklist, we are taking a big step further in this direction, but instead of building blocklists based on categories defined by us, we are using novel artificial intelligence methods to generate a blocklist that is bespoke to every user.
Threat Forecast Blocklist — The local view
The Threat Forecast Blocklist is built on the idea that rather than guessing what kind of attackers will target an organization based on categories we define, such as industry vertical or the country the server resides in, we infer the potential attackers by looking at who is currently attacking the organization.
The algorithms used for such tasks are called recommendation systems, and they are ubiquitous in modern online life. Whether scrolling down an Instagram feed, connecting to people on LinkedIn, or simply shopping on Amazon, you can find these systems pretty much everywhere.
At the core, recommendation systems are based on a very intuitive principle. If we have a customer, say, Alice, buying a set of products A, B, and C, we can look at what other customers who also bought these products added to their cart. If we see a lot of customers buying A, B, C, and D together, it will be quite likely that Alice would also like to buy D.
If we are a social network, A, B, and C might be friends of Alice. If we are a news feed, they might be articles she reads and so on. However, as common as these algorithms are, we have not heard of an application of them in the area of cybersecurity. This might be because, so far, no one else has thought to try or simply because the size of our dataset is truly unmatched in the business!
To build the Threat Forecast Blocklist, we translated the idea of recommendation systems to our CTI dataset. In the first step, we aggregate the attackers that target a given user. We can then look at what other users are targeted by these attackers. This group of other users can be seen as the local neighborhood of a specific user. The blocklist is then generated by looking at the attackers that are popular in this local neighborhood of watchers.
Of course, as with our other blocklists, various filtering methods are applied between these steps to keep the blocklist free of false positives.
In the end, we are left with a customized blocklist for each user that can act as a dynamic firewall for their stack.
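The following is an added illustration of the neighborhood-based recommendation idea described above (the Alice/products analogy and the watcher/attacker translation of it), written for this article; it is not CrowdSec's own code, and the watcher names, the signal table and the thresholds are constructed assumptions. The IP addresses come from documentation ranges and are not real indicators. It builds a watcher's local neighborhood from shared attackers, scores attackers that the neighborhood reports but the watcher has not yet seen, and applies two of the kinds of filters the text alludes to: a minimum number of independent neighbors vouching for each candidate, and an allowlist.

```python
from collections import Counter

# Constructed sample data: the attacker IPs each watcher (Security Engine) has reported.
# Addresses are from RFC 5737 documentation ranges; they are placeholders, not real IoCs.
SIGNALS = {
    "watcher-a": {"192.0.2.10", "192.0.2.11", "192.0.2.12"},
    "watcher-b": {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"},
    "watcher-c": {"192.0.2.10", "192.0.2.11", "192.0.2.13", "192.0.2.14"},
    "watcher-d": {"192.0.2.11", "192.0.2.13"},
    "watcher-e": {"198.51.100.5", "198.51.100.6"},
}


def neighborhood(target, signals, min_shared=1):
    """Return {watcher: overlap} for watchers sharing >= min_shared attackers with target.

    The overlap count doubles as the neighbor's weight: a watcher that sees the same
    attackers as the target is a stronger predictor of what the target will see next.
    """
    mine = signals[target]
    neighbors = {}
    for watcher, seen in signals.items():
        if watcher == target:
            continue
        shared = len(mine & seen)
        if shared >= min_shared:
            neighbors[watcher] = shared
    return neighbors


def forecast(target, signals, min_shared=1, min_neighbors=2, allowlist=frozenset()):
    """Score attackers that are popular in target's neighborhood but not yet seen by target.

    Returns a list of (ip, score) sorted by descending score, then by IP for stability.
    Filters (assumed here, stand-ins for the vendor's undisclosed ones):
      - an attacker must be reported by at least min_neighbors distinct neighbors,
      - anything on the allowlist is never recommended.
    """
    mine = signals[target]
    neighbors = neighborhood(target, signals, min_shared)
    scores = Counter()   # weighted popularity of each candidate attacker
    support = Counter()  # number of distinct neighbors reporting the candidate
    for watcher, weight in neighbors.items():
        for ip in signals[watcher] - mine:
            if ip in allowlist:
                continue
            scores[ip] += weight
            support[ip] += 1
    ranked = sorted(scores, key=lambda ip: (-scores[ip], ip))
    return [(ip, scores[ip]) for ip in ranked if support[ip] >= min_neighbors]


def blocklist(target, signals, **kwargs):
    """The personalized blocklist: just the IPs from forecast(), in rank order."""
    return [ip for ip, _ in forecast(target, signals, **kwargs)]


if __name__ == "__main__":
    for watcher in SIGNALS:
        print(watcher, "->", blocklist(watcher, SIGNALS))
```

For watcher-a the neighborhood is watcher-b (3 shared), watcher-c (2) and watcher-d (1); watcher-e shares nothing and is ignored. 192.0.2.13 is reported by all three neighbors and is recommended, while 192.0.2.14 is reported only by watcher-c and is dropped by the support filter. Watcher-e has no neighbors at all and receives an empty blocklist, which is the behaviour you want: a watcher with no overlap with anyone gets no speculative entries.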
Accessing the Threat Forecast Blocklist
Starting today, the Threat Forecast Blocklist is available as part of the SaaS Enterprise plan. New customers are automatically subscribed upon upgrade.
Those who wish to have more fine-grained control over which of their Security Engines should be protected can manage the blocklist like any other blocklist from the Blocklist tab in the CrowdSec Console.
For more details and instructions on blocklist subscription, you can take a look at our public documentation.