Background Noise Filter is Now Available in CrowdSec Console

Introduction

For larger infrastructures, reviewing blocked alerts through most cybersecurity software can be time-consuming especially when it is part of the day-to-day job. One can easily miss a critical alert, just because it is lost among all the others. This effect is usually referred to as “Alert Fatigue”. 

We’ve recently released a new UX feature aimed at saving you a lot of time reviewing the numerous alerts you may receive in the Console, by enabling a Background Noise (BN) filter that allows it to focus on specific attacks and increase productivity.

This feature is now available in the Console for all the premium users and will improve their time efficiency at reviewing all their alerts. If you are a free user you can still find, in the top left corner, a glimpse of the number of signals you would exclude with this feature.

Description

We define Background Noise (BN), sometimes also referred to as “Internet Background Radiation” as automatic and mild attacks that are perpetrated at a large scale, without a specific target, at a constant pace over time. It includes, for example, mass scanning, or brute-force attempts on popular services. This is the kind of automatic attack that typically targets a honeypot in mass scanning events, and is not specific to one domain or infrastructure in particular. 

To build the Background Noise filter relevant to this definition, we continuously analyze all our community data (yeah, that’s a lot!) and we evaluate 3 major criteria:

• Scale: the number of watcher reports, as we assume BN emitters perform attacks on a large scale.
• Diversity: the diversity of the watcher reporting in terms of IP ranges, Autonomous System Numbers (ASN), and countries. Background Noise emitters are likely to attack many countries and organizations while sticking to a particular attack type. We see IP ranges specialized in brute-forcing and others in spamming. Being reported should not be considered as BN. 
• Timeline: the age and activity of a BN emitter in terms of lifetime and intensity. Large-scale scanners are usually well-established and perform mass scanning regularly for an extended period.

These criteria are turned into scores of 10 by continuously taking into account the distribution of the statistics in our database. The final BNS is just the average of the 3 intermediate scores and also ranges from 0 to 10, 10 meaning that this IP is performing non-targeted random attacks (noise). No black magic AI here: we can always track back to the source.

Next Steps

Currently, the filter available in the Console is only an on/off switch, but we plan to let the users tweak it at their own convenience in the future. Do you find it useful? Is there any other approach you would recommend? Please let us know using the feedback tool available directly on the Console.