
When Hackers Go Back to School: Introducing CrowdSec Education and Public Sector Blocklists
Remember when the biggest security threat in schools was someone guessing that the WiFi password was “password123”? Those were simpler times. Fast forward to today, and educational institutions are facing the same sophisticated cyber threats that would make a Fortune 500 CISO break into a cold sweat.
Educational institutions and government agencies are prime targets for cybercriminals due to the sensitive data they hold. According to the U.S. Department of Education, schools face an average of five cyber incidents per week. Attackers exploit their broad attack surfaces, outdated systems, and the assumption that resources are limited. To stay protected, schools need real-time cybersecurity and the ability to respond to threats 24/7.
That’s why we’re thrilled to announce two new additions to our blocklist arsenal: the Education Blocklist and the Public Sector Blocklist. They deliver real-time and around-the-clock protection that these agencies need, all while being simple and easy to deploy. Backed by a powerful network, they block malicious activity before it gets a chance to reach their perimeter.
Cybersecurity for Education & the Public Sector: How we built these blocklists
Unlike traditional security vendors who rely on their own honeypots and research teams, we’ve built something more powerful: a global network of real users and organizations, facing real attacks, every single day. This represents more than 20 million attack signals, targeting at least 110,000 machines (and possibly even more that we are unaware of), making it the largest CTI network in the world.
The friend-of-a-friend network effect
Think about how Netflix recommends your next binge-watch. It doesn’t just look at what you’ve watched; it analyzes patterns across millions of users with similar viewing habits. “People who watched Stranger Things also enjoyed The Umbrella Academy” becomes incredibly accurate when you have enough data points.
Our graph algorithm works similarly, but instead of recommending TV shows, we’re predicting cyber threats. It could be phrased simply this way: The enemies of organizations similar to mine are my enemies too. In fact, this approach appears to be very relevant, as similar organizations tend to operate a similar infrastructure stack. Hence, attackers can try their luck with the same exploit kit and the same techniques to target thousands of organizations, and they have virtually zero marginal cost.
This is where our network size kicks in as a powerful advantage. When an IP address tries to break into a school in California, and then the same IP (or one from the same network) attempts something similar at a university in Texas, our algorithm connects these dots. By aggregating all these signals between universities and educational institutions, we can provide proactive protection, blocking threats before they even reach your network. Just like Netflix knows you’ll probably love that sci-fi series before you even know it exists.
AI-powered IP similarity: The digital fingerprint
We use AI and embeddings to create what we call “IP similarity representations.” For each IP, we aim to create a kind of digital fingerprint that represents everything we know about it:
- The last activity
- The kind of attacks triggered
- The amount and the diversity of reports
- The summary of the URIs that were targeted (thanks to the Alert Context in CrowdSec)
And many more! LLMs allow us to turn all of these features, which originate from different sources and come in different data forms, into one single representation (the embedding). Once in that form, they are ready to be processed by any algorithm.
Let’s say we have three different IP addresses:
- IP A tries to exploit a vulnerability in a university information system
- IP B attempts to brute force login credentials on a government portal
- IP C scans for open ports on a school district’s network
In this case, we can expect IP A and IP C to have more similar representations (or embeddings), as they try to perpetrate the same type of action targeting the same type of user, unlike IP B.
We then use our MongoDB Atlas Vector Search database to compute a proximity measure and collect IPs that are similar to the most reported ones inside a given industry.
Combined with the friend-of-a-friend algorithm, this feeds the blocklist creation process with a mix of connected and previously unseen threats.
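As an added illustration of the friend-of-a-friend idea described above (example code written for this page, not CrowdSec's own algorithm or code): organizations are related by the attackers they have both reported, and an IP reported by related organizations in the same sector is proposed for blocking before it reaches you. The reports, organization names and IP addresses are constructed sample data; the Jaccard weighting and the `min_sim` threshold are my assumptions.

```python
from collections import defaultdict

# Constructed sample reports: (reporting_org, sector, attacker_ip).
# Documentation/test addresses only; not real indicators.
REPORTS = [
    ("school-ca", "education", "203.0.113.10"),
    ("school-ca", "education", "203.0.113.11"),
    ("univ-tx", "education", "203.0.113.10"),
    ("univ-tx", "education", "198.51.100.7"),
    ("univ-ny", "education", "198.51.100.7"),
    ("univ-ny", "education", "203.0.113.11"),
    ("agency-fed", "public", "192.0.2.55"),
    ("agency-fed", "public", "203.0.113.10"),
    ("shop-eu", "ecommerce", "192.0.2.99"),
]

def build_index(reports):
    """Bipartite view of the reports: org -> IPs it reported, plus each org's sector."""
    attackers = defaultdict(set)
    sector_of = {}
    for org, sector, ip in reports:
        attackers[org].add(ip)
        sector_of[org] = sector
    return attackers, sector_of

def jaccard(a, b):
    """Overlap of two attacker sets; 1.0 means identical, 0.0 means disjoint."""
    return len(a & b) / len(a | b) if a | b else 0.0

def similar_orgs(org, attackers, sector_of, min_sim=0.1):
    """Same-sector orgs that share enough reported attackers with `org` (assumed threshold)."""
    peers = {}
    for other in attackers:
        if other == org or sector_of[other] != sector_of[org]:
            continue
        sim = jaccard(attackers[org], attackers[other])
        if sim >= min_sim:
            peers[other] = sim
    return peers

def friend_of_a_friend_blocklist(org, reports, min_sim=0.1):
    """IPs `org` has never seen, scored by how similar the orgs that did see them are."""
    attackers, sector_of = build_index(reports)
    scores = defaultdict(float)
    for peer, sim in similar_orgs(org, attackers, sector_of, min_sim).items():
        for ip in attackers[peer] - attackers[org]:   # unseen by `org` so far
            scores[ip] += sim
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    # The California school gets the Texas/New York universities' attacker pre-emptively.
    print(friend_of_a_friend_blocklist("school-ca", REPORTS))
```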
The curation process: Quality over quantity
Not all threat intelligence is created equal. Our Education and Public Sector blocklists are generated from alerts reported by thoroughly vetted organizations that have proven their ability to accurately identify and report threats over a long period of time. Then, our AI models only select signals from organizations that are most relevant to the industry they are protecting. Thus, universities receive curated threat intelligence from other universities that are facing similar risks and vulnerabilities.
Plug-and-play cybersecurity: Seamless blocklist integration
The beauty of blocklists is their simplicity. Unlike complex security solutions that require dedicated teams and months of integration, our blocklists can be deployed to virtually any firewall, proxy, or security device you’re already using, within a matter of minutes.
Whether you’re running:
- A pfSense firewall in your school’s server closet
- An enterprise-grade Fortinet setup in your government agency
- A cloud-based security service like Cloudflare
- Or pretty much any other security infrastructure
Our blocklists integrate seamlessly. They are directly pluggable into your security solution using one of our numerous integrations.
Part of our growing industry collection
These new blocklists join our existing industry-specific collection, which already includes targeted protection for E-commerce, Banking, Hosting Services, and three other specialized sectors. Each blocklist is fine-tuned for the unique threat landscape of its respective industry.
Whether you’re protecting student information, online transactions, financial data, or cloud infrastructure, our industry-specific approach ensures you’re getting the most relevant threat intelligence for your particular environment.
Want to see what other threats we’re tracking? Browse our complete Catalog of Platinum and Premium Blocklists to find the perfect security solution for your organization.
Ready to level up your security for Education and the Public Sector?
Our purpose-built blocklists for schools, universities, and government organizations are now available as part of the Platinum Blocklists plan.
Explore the blocklists