CrowdSec is a proud participant in the Microsoft Copilot for Security Partner Private Preview
Read more
improved threat hunting and analysis with the crowdsec cti page
Product news

Enabling Threat Hunting and Analysis with the Revamped CrowdSec CTI Page

In our continuous pursuit of enhancing cybersecurity, we've encountered challenges in effectively presenting the wealth of information provided by our Cyber Threat Intelligence (CTI) platform. Nonetheless, having a real treasure of information and our only problem being how to present it most effectively is, admittingly, a good problem to have!

While our CTI furnishes valuable insights, ensuring clarity in its display has proven to be a formidable task. Our initial iteration of the CTI web page, though comprehensive, struggled to deliver information in a user-friendly manner, leaving users searching for the most relevant details. Not to mention that our attempt to quantify IP scores on a scale of 5 or 10 inadvertently created more confusion than clarity. Questions surrounding the significance of a score like ⅗ versus ⅘ only compounded the issue —  Should I block it, or should I ignore it? 

Recognizing the need for a more intuitive approach, we embarked on a journey of transparency and refinement! By shifting from numerical scores to descriptive terms, such as Malicious, Suspicious, Known, and Safe, we've endeavored to simplify the assessment of IP addresses. This strategic pivot aims to empower users with clearer, more actionable insights, fostering a stronger defense against emerging threats.

Introducing the new CTI layout

Our first goal with the revamped CTI page was to make it clear at first glance if an IP address is malicious or benign. When you search for an IP address in the CrowdSec Console or on the IP Lookup page, the first thing to catch your attention is the IP's reputation.

Here is an example of an IP with a bad reputation:

Versus a legitimate IP address:

Looking at these representations, I’d assume that there is no doubt in your mind as to which address is the nefarious one! 

But let’s also take a look at the other sets of the information displayed on the page.

Give me the gist of it

In the first line, we gathered all the information essential to assess an IP address.

Crowd Confidence represents the confidence in the information we provide for a given IP address. In the past, this was represented as a score, and we decided to convert it to a string representation also, with these possible values: High, Medium, and Low.

One of the most important metrics displayed on the CTI page is the background noise. For those who already used the CTI before its revamp, the background noise was also a score on a scale of 10 (yes, yet another score…), which we transformed into a score with different levels: High, Low, Medium, and None.

Naturally, you can also see the location of a given IP and the first and last date this IP was seen in our network. 

Finally, we added the behavior — the type of attack performed by a given IP— and the associated Mitre techniques.

Ok, now I want to dive in

Getting high-level information on an IP is not always enough. To assist you with your threat hunting or analysis, you can take a look at the following information sets.

  • IP range and Autonomous System: Know to which organization the IP belongs or, for example, if this IP is hosted in a cloud environment.
  • Reverse DNS: This information can also help you identify the organization to which the IP belongs.
  • IP top classifications: This information helps you profile an IP address. The full list of all the classifications attributed to the IP is at the bottom of the page, but we consider this information important enough to be displayed at the top as well. The list of all the possible classifications is here.

Scrolled a bit further down to find the following collapsable sections.

  • Activity: Represents the IP address's daily activity over the last three months.
  • Blocklists: This new section displays any blocklists from the CrowdSec blocklist catalog that contain this IP address.
  • Classifications: Previously known as Categories, represent all the classifications attributed to the IP. 
  • Target countries: As in the previous version, this displays the top countries targeted by the IP address (in percentage).
  • Attack details: Contains all the CrowdSec Scenarios or AppSec rules that have been reported by the CrowdSec community for this IP address.

Ways to access the CrowdSec CTI

So far, we’ve seen the new design of the CTI web page, but did you know that there are other ways to consume the CrowdSec CTI?

Indeed, there are several ways to consume the CrowdSec CTI:

curl -H "x-api-key: [API_KEY]" "https://cti.api.crowdsec.net/v2/smoke/[IP_ADDRESS]"

What’s next?

With our revamped CTI page, we aim to empower users to swiftly locate vital information. With a fresh design in place, we're excited to tease an upcoming enhancement: the CTI search bar will evolve beyond just IP address queries. Get ready to explore the depths of our CTI database like never before. Stay tuned for the unveiling!

Access the Most Advanced Real-World CTI

The CrowdSec CTI distributes IP reputation intelligence to help you detect, investigate, and respond to cyber threats more effectively and efficiently.

Try it now
No items found.