Crédit Mutuel Arkéa Relies on CrowdSec and Crowd-Powered Intelligence to Block Malicious IPs

Crédit Mutuel Arkéa is the second largest federal branch of the Crédit Mutuel group. It comprises the regional banks in Brittany and the South-West of France, as well as more than 30 specialized subsidiaries. The group employs more than 11,000 people and uses tens of thousands of servers, providing services to over five million customers. 

The challenge

With a vast digital infrastructure like the one operated by Crédit Mutuel Arkéa comes a significant increase in attack surface. Wishing to lighten the load on their incident response team, the Computer Emergency Response Team (CERT) of Crédit Mutuel Arkéa was looking for a solution to automatically block IPs associated with abnormal behavior, especially on authentication services, which experienced the most frequent attacks.

The search for the ideal IDPS system started in 2021 with the CERT auditing and exploring a number of different solutions and tools. The team identified the CrowdSec Security Stack as the simplest solution to deploy and maintain as it required very little human bandwidth, even though it was a large-scale deployment. 

While the Crédit Mutuel Arkéa and CrowdSec teams were in the Proof-of-Concept (PoC) process, the infamous vulnerability in Apache Log4J was identified, sending the cybersecurity world into a tizzy. "We set up a crisis unit," recalls Guillaume Roussel, the Head of CERT at Crédit Mutuel.

At this point, CrowdSec offered the Crédit Mutuel Arkéa team an anti-Log4J scenario, which they quickly deployed. Within 48 hours, it was implemented on the entire information system, allowing the team to swiftly and effectively contain the vulnerability.

Since 2022, Crédit Mutuel Arkéa has been relying on the CrowdSec Security Stack to protect its systems and improve its overall security posture, deploying CrowdSec’s Intrusion Detections and Prevention System (IDPS) in more than 400 servers containing the most sensitive data and operations. 

Improving security on all levels with the CrowdSec IDPS

Following the Log4j incident, Crédit Mutuel Arkéa’s CERT team made the decision to industrialize the solution. The CrowdSec IDPS was installed both on the group's internal bare metal platform and on its private cloud, with scripts to automatically embed the tool in each new web service deployed on the private cloud, with conclusive results. 

“We have eliminated between 40% and 50% of the background noise."

For the incident response team, which employs ten people, he estimates the time saved to be at about two Full-Time Equivalents (FTEs). The tool has also significantly reduced the load on the servers in terms of CPU and RAM bandwidth used.

"The default scenarios already work very well, but we have also made some adjustments, for example, to allowlist some IP addresses or to temporarily unblock a few misconfigured applications that were making repeated calls," explains Guillaume. “The anomalies that were found were passed on to the development teams. This enabled us to improve the code in the spirit of DevSecOps. Another anecdote: pen testers were also blocked by the tool." This pushed the team to look for more advanced attacks, contributing to further strengthening cybersecurity in a global manner.

“The tool is simple to deploy and maintain that it doesn't need to involve the business teams," Guillaume Roussel points out. Another advantage, as Guillaume mentioned, is that the blocking time is managed automatically. "This avoids ending up with IPs blocked for years while also serving as a warning to attackers, who will be blocked again if they try to attack again."

On top of deploying CrowdSec’s IDPS to secure hundreds of servers, Crédit Mutuel Arkéa’s CERT team also takes advantage of the CrowdSec Console’s advanced monitoring and reporting capabilities. The team uses the CrowdSec Console to create easily digestible reports on the status of their Security Engines and to access the CrowdSec CTI when performing investigations.

Enriching SIEM data with the CrowdSec CTI  

The Crédit Mutuel Arkéa team particularly appreciates the collaborative and crowd-powered dimension of CrowdSec. Using the CrowdSec CTI portal, the Crédit Mutuel Arkéa team accesses real-time information on attackers, such as malicious IPs and attack trends shared by the vast CrowdSec Network of 70,000+ active users. 

"The great strength of CrowdSec’s solutions is this intelligence on the typology of attackers. The portal allows us to anticipate and forecast certain events. We can even go further by establishing typologies of attacks for our sector with the other financial players."

The Security Information and Event Management System (SIEM) interfaces with the CrowdSec CTI to query CTI data. The team also extended their usage of CrowdSec, by retrieving logs enriched by CrowdSec to make various correlations within the SIEM.

Since its deployment, the CrowdSec solution has had other opportunities to prove itself, notably by blocking waves of brute force attacks on the group's subsidiaries. Today, the team continues to write new scenarios, particularly to build more business-oriented models with detection approaches specific to different applications. “We are also planning to use the solution to detect cross-functional attacks within our information system.”

‍