Mapping the Cybercriminal Ecosystem

Posted on in Presentations

Although cybercrime is now a national security threat, our understanding of the cybercriminal ecosystem remains limited. The industry needs a holistic map to conduct effective disruption, allocate resources efficiently, and impose meaningful costs on criminal actors. The WEF has initiated a project to develop this map. This panel will discuss the mapping project’s results to date and where it is going.

Video Transcript

>> ANNOUNCER:  Please welcome panel moderator, Michael Daniel.


   >> MICHAEL DANIEL:  Great, well, thanks, and welcome, everyone. Thanks for joining us here at the – towards the end of the RSA Conference for us to talk about the Cybercrime Atlas Project. And I'm going to let each of the panelists introduce themselves as we start to get into questions.


   One of the things that we know, of course, is that cybercrime has become a pervasive and pernicious threat to our societies, but not just an economic threat. Ransomware, for example, poses a public health and safety threat when it disrupts things like hospitals. Cybercrime can even pose a national security threat. So, it's no longer just an economic nuisance.


   We know that fighting the threat is going to require consistent collaboration between the public, the private, and the nonprofit sectors. And to assist in combating this threat, multiple organizations have come together under the auspices of the World Economic Forum and its Partnership Against Cybercrime to support the Cybercrime Atlas Project.


   So, during today's panel, we will discuss why this project is needed, how it will operate, and we're going to highlight some of the insights we've already gained from the work that we've done. And we're going to finish out by talking where this project will head next.


   So, first, let me turn to Tal Goldstein. When talking about cybercrime or those kinds of things, the WEF is not the first organization that just leaps to mind, so why has the World Economic Forum gotten involved in this issue and what's the WEF's role and interest in this topic?


   >> TAL GOLDSTEIN:  Thank you. And first of all, it's an honor and pleasure to be here. And we are all very excited to share – share with you what we've done. And actually, we've been working very closely for two years so we think this is the first time that we've had the opportunity to be speak, to be together.


   Michael, I'm very happy for the question because most people know the World Economic Forum but not really what it's doing. So, to be short on this, the Forum is an organization for public/private collaboration that is working on a global level trying to address the most pressing issues. And for more than fifty years, is working in a multistakeholder approach to address issues.


  Back in the 70’s, it was mostly economic issues, but now it's anything from climate issues, education, society, equality, and so on. And I think that for the people in this room, it's quite clear that cybersecurity is a topic that requires public/private collaboration.


   So, what we have done in the last two years, we've launched a Partnership Against Cybercrime which is trying to convey experts and leaders from private companies like Fortinet and Microsoft, together with law enforcement, with FBI, Interpol, and many other agencies as well as not for profit organizations like Cyber Threat Alliance, NCFTA, CVA, and others that are already working to promote collaboration and see what we need to enhance collaboration between government and private sector and all the relevant stakeholders.


   So, this is what we have been trying to do in the last two years and I think that the Cybercrime Atlas that we will discuss today is probably the most promising direction in promoting such collaboration.


   >> MICHAEL DANIEL:  Thanks, Tal. So, next I'm going to turn to Derek Manky. You were one of the people that helped get the Atlas Project started. In fact, you and I had probably discussions over it in various bars and things for, you know, several – several times, about this project. So, what was the genesis of this project? What prompted you to support it and help get it started?


   >> DEREK MANKY:  Yeah, so, first of all, I've been in cybersecurity for over twenty years and I lead our global threat intelligence efforts at Fortinet. But a big part of my job is industry, as you know. Working with industries is what excites me. I believe in it firmly. And there's a lot of good efforts out there, of course, private to private sector, private to public sector.


   But when this opportunity, quite frankly, came up and the idea for founding the World Economic Forum Centre for Cybersecurity, the journey started in 2019. So, Fortinet was a founding partner back in 2019 when the Centre was formed, with the belief that the threat to the global digital economy requires a coordinated global response, not just in the private sector, not just siloed in the public sector, but true global response between both public and private sector.


   And that's a very high level concept, of course. And so, therein lies the challenge and the whole process of the journey that we started with.


   So, after the Centre was formed which was the platform, there's various projects underneath the Centre. Because of course, there’s no silver bullet to this, right? So, one of the projects where I got involved, Michael, was the PAC as we call it, the Partnership Against Cybercrime. And so, this was in 2020, launched with over forty members initially between the private and public sector. It's a truly diverse ecosystem if you look at the makeup of members within the Partnership Against Cybercrime.


   And of course, that's when the global – the other global pandemic started, and so we weren't going to let that stop us. And we actually managed to, for the full year in 2020, have a whole series of workshops between – virtual workshops, of course, between the members, between the forty-plus PAC members. And there’s a lot of brainstorming, a lot of bright minds, pooled resources, you know, brought to the table.


   And the results of that, all these strategic discussions in 2020, was a report that we issued at the end of 2020. It was a recommendation from the Partnership Against Cybercrime. Five key recommendations were outlined in that report talking about mutual trust building, platform, secure communications, respecting challenges and barriers, and all of these things are outlined in the report.


   So, that brought us to the end of 2020. From there, last year in 2021, it was, how do we put the rubber to the road? How do we actually start to work towards those recommendations? So, more workshops and that led us to – to talking about, hey, let's start a project to try to tackle this, right? And that project we named Project Atlas and it really started with a proof of concept back in – around August/September 2021.


   >> MICHAEL DANIEL:  Yeah, thanks, Derek. So, I think as part of that, you know, I can say that there are many people that are involved in this project that I actually met in person for the first time this week as we've had several workshops that were actually in person.


   It's actually amazing what we've been able to accomplish virtually, but the in-person workshop also shows the value of that, of that in-person collaboration.


   But, let me turn to Amy Hogan Burney and just pose this question. So, what problem is it that the Atlas Project is trying to solve? Because we're not actually in fact trying to solve all the world's problems with this project. And I mean, frankly, isn't there already a lot of data out there about cybercrime?


   >> AMY HOGAN BURNEY:  Absolutely. So, first, I'll start off by saying, I'm at Microsoft and located on the west coast, and so they're all talking about these great virtual meetings that we had across the world. And they were always at 5:00 AM or 6:00 AM.


   >> DEREK MANKY:  Also, on the west coast.


   >> AMY HOGAN BURNEY:  Yes, so Derek and I are up and you can see maybe the sunrise just a little bit above us as we did this over the course of the last two years. So, we've been really dedicated, from our digital crimes unit, and really across Microsoft as a company, to thinking about, what is it that we're trying to solve?


   And I will tell you that over the course of the two years, we came up with recommendations, but it always became clear that in order to become operational, we had to do two things. The first was, we needed to make clear that there was a business priority for the private sector. So, how do we create that business priority so that we have the right people that are willing to participate? They are willing to give both capital resources and human resources to this. And how do we also work with the public sector and help them understand how we can prioritize together?


   The government is constantly kind of responding to the latest fire that they have and that's absolutely what they need to be doing, but we also need to start looking in cybercrime in a strategic way and we can't do that unless we're able to prioritize together.


   So, the only way to be able to do that is to really come up with a clear, concrete Atlas. And that's really what the goals of this project were.


   >> MICHAEL DANIEL:  Yeah, and I would say that we chose the word Atlas very deliberately. An Atlas in the physical world is a book of maps which you can actually think of as visualizations of the underlying data, right, about the physical earth. And we want to be able to do the same thing for the cybercriminal ecosystem. How do we actually understand the ecosystem as a whole and enable different views of that ecosystem depending on what specific question you were trying to answer?


   And I think this is also particularly important in a world where you can no longer, for example, use malware names to be synonymous with a criminal group, because all of the criminal groups, right, Amy, they all use – they interchange the malware, they move around, they use different tools and techniques. So, that's no longer sufficient even as a shorthand.


   So, I think part of the Atlas Project is responding to that complexity so that we can actually help drive some of the complexity out so we can do a better job understanding that ecosystem.


  But Tal, let me turn back to you and ask you about the current state of the project and sort of who is participating in it at this point and what does it involve right now?


   >> TAL GOLDSTEIN:  And I will build on what you just said, which, we are trying to improve the understanding, but also as an Atlas, it's also a guide. We also want to see how we can use that to drive action. So, when we started, and Derek mentioned that last summer, we wanted to do a proof of concept to make sure that we can actually achieve that and that we can achieve that for a collective effort. So, we had volunteers coming from companies like Microsoft, Fortinet, Bank of America, and this time we had more and more companies and experts joining, so, also, experts that are leading in the field of investigation.

   And we had a working group that was tasked and was truly talented and with dedicated analysts that were tasked in building this mapping step by step, and doing that to prove that this is possible.


   But first of all, there is a gap, and this was very clearly – we could understand. But also, that through open source intelligence, which is a main source of information that was put into this, we can learn so much on the criminal landscape simply by bringing together, analyzing information that is available out there, and then easy to use because it's open source.


   And lastly, the fact that we can do that through a collective effort. So, we had a group of analysts coming from various companies that are working in a very coordinated way, in a clear methodology that was developed through their work, and all of that was proven through the last several months of the work.


   And now we are at a stage, I think they are roughly halfway through the first sample of twelve groups that we are trying to analyze, moving from one group to another, but also deeper into the analysis, and we are at a stage that we can already think about, how do we systematize this? How do we scale it up and move it from only learning and understanding into identifying opportunities to do something about that, to disrupt the state of cybercriminal activities.


   >> MICHAEL DANIEL:  That's great. I want to pull on one of the threads that you mentioned there, which is the open source part of this. And I think that’s – I want to particularly emphasize that. And sort of anybody can jump in on this but, when you say open source, what do we mean? Like, and why is the fact that we're talking about open source data important, so?


   >> AMY HOGAN BURNEY:  So, I think one of the problems we frequently bump up against when we're talking about sharing information is, is it proprietary from the private sector? Is it work product such that they don't necessarily want to share? Is it classified from governments? But that doesn't mean there isn't information that's available.


   And so, in, you know, an online search reveals a tremendous amount of work that's frequently done by researchers and cybersecurity companies and publicly available and likely done by the people here in this room that's incredibly valuable and that is such a resource, but there's a lot of it. And so, kind of what information we have out there, you know, you can take that entire mountain. What you need to do is figure out what from that is useful and then how can we use it in an appropriate way. And that was really, I think, that process was a large part of what Atlas did as well in addition to just using open source information.


   >> DEREK MANKY:  And it was an answer to one of the challenges, and quite frankly, something we laid out in the recommendation report as to all the issues that Amy just pointed out as well too. It’s a starting point, publicly available information that we could take. And again, the project, we’re not – we started with the proof of concept, so we’re not boiling the ocean with this. There is a lot – if you think of open source and search engines, there’s a lot of information out there, so it’s not like we’re collecting all of that into a deep funnel.


   >> MICHAEL DANIEL:  Some of it's even true.


   >> DEREK MANKY:  Yes. But, you know, we've taken seed information from that, right, that we can actually take as a starting point. Again, OSINT from a starting point that we can drill down into, which has actually been the whole process and exercise for the proof of concept.


   >> MICHAEL DANIEL:  Yeah, and I would say the other piece to keep in mind is that when we're talking about open source information, we're not just talking about indicators, like what the Cyber Threat Alliance, for example, shares, highly technical indicators and their contexts. But it's also things like publicly available social media connections. It's things that are from indictments. Stuff you can look up on LexisNexis, for example, anything that is related out there, not necessarily just technical cyberinformation.


   And that's the other key part of this is that we're trying to, when we talk about this ecosystem map, it's not just a technical map but a much broader set of maps. Again, going back to why we use the term, Atlas.


   I think another question that you might have is, so, what are the people who are actually working on this project, the analysts or the investigators that are working on this project, what are they actually doing?


   >> AMY HOGAN BURNEY:  It's a great question. And some of them are in this room so you can find them after and you can ask them what they're really doing. But I will tell you that they've spent a lot of time first organizing amongst themselves and creating a very clear kind of four step process.


   The first thing they did was, is they chose thirteen well-known threat actors to look into. They were spread across all different types of cybercriminal activities, so malware actors, ransomware actors, business email compromise, you name it. And then they divided those thirteen amongst themselves. And then they each went through these four steps. And the first step was really just to look out into the world and see what information was available.


   So, what was available online, and as Michael said, from – from research, from reports, from indictments, from publicly available information, from social media, from other things, and really just collect that information at a base level.


   The second step was to look for all of the indicators that were and really drill down into the information. So, what type of email addresses, what IPs, what other things could they find.


   And then the third step was to create links between these things. And so, I think the third step is where at least the analyst in me and the analysts in this room, that's where things get exciting, right? Like, that's where you start saying to yourself, looking across IPs that were used in different areas.


   And like, I think the first example they came up with is that they were looking into TrickBot, which is something we in the Digital Crimes Unit at Microsoft have been looking into forever. Governments have been looking into. And while they were looking into TrickBot, one of the IPs that was used in TrickBot was then very closely used with Cosmic Lynx, which is a Russian-based business email compromise actor. So, that kind of thing is useful as we’re starting to think about how would we disrupt this infrastructure.


   And then the fourth step is to really create and package this information in a way that's usable to the private sector so that they can make a business case for what they should be doing in the disruption area and so that they can package it for governments so they can look across what they're doing and they can also prioritize and help identify partners.


   So, I think everybody at this conference has heard about a million times that we need to have public/private partnerships, but sometimes it seems like public/private partnerships rely on personal relationships. That is not a good way to scale. But a good way to scale is to understand the threat landscape using this Atlas and then see who also has information and can be working on it and come together in a way where we can scale and not just be based on friends.


   And I know you guys did work over beers and that's great for small, but for big impact, we need to kind of go beyond the work over beers and start being more systematic about it.


   >> DEREK MANKY:  And just to add to that, too, this is – if you look at the analysts, again, a pool of analysts, and within that pool, we’re not talking about, you know, hey, let’s catch up for beers every two weeks and let’s see what else we can find. I mean, you know, there are committed resources here weekly, daily, quite frankly, put in, between – everybody had to roll up their sleeves with the analysts and actually put the work in, of course.


   I like to use analogies, and if you look at that whole phased process that Amy was talking about, it really is – it’s a full circle process, right? Because yes, they’re doing the drill down, then the link analysis. But it’s just like threat hunting, right, but as you're doing more of that link analysis and finding new – new information, then from that drill down you can actually raise that up from that information, right? So, going down to things like addresses to email addresses, to, you know, phone numbers, as an example, email addresses. Once you find that, then you can raise that up and start looking at what else do we know associated with that, going back to that other level.


   So, it's that whole process going through. And if you can imagine, you know, rinse and repeat. Do that for thirteen groups, as Amy was saying. That's really what the proof of concept is about. And then think about that at scale, right. That's where ultimately the vision is ahead.


   >> MICHAEL DANIEL:  Yeah, so, I think the – one other question that you could legitimately sort of ask about this project as we're up here on stage talking about it is, so what's different about this project versus the seventeen other or thirty-four other cybercrime efforts that we all know that we've all been involved in in various ways, whether in our government time or in various private sector roles?

   >> AMY HOGAN BURNEY:  Yeah. Tal, do you want to go ahead?


   >> TAL GOLDSTEIN:  Go ahead. I'll go after you.


   >> AMY HOGAN BURNEY:  Okay. You know, the first thing I think that's different is, we spent two years kind of getting a commitment at the strategic level, leveraging the World Economic Forum. And that's a good thing, right? Because that has both public sector and private sector participation and has identified the problem.


   I think the timing is very good for this project, given the fact that we are finally recognizing that cybercrime in general is a threat to national security and we have government investment in collaborating.


   But what we don't have and what kind of makes, I think, this different, is we recognize the resource constraints. And so, the idea behind this is to really create a product that is available to be used so that it can augment and help prioritize the work.


   And it also allows, you know – I and the Digital Crimes Unit, we've been kind of doing disruptions in some form since 2010. I pick my own target and I do that in a vacuum, meaning that I pick based on what's best for our business and our customers, and we do try to look across the broad internet to have the most impact. But, and I do get input from other companies in some cases, but I'm not looking across the big ecosystem.


   So, this is going to help me to kind of take information and then use it with information that I have that's not publicly available and that will maximize impact that I haven't been able to have.


   And I think the other thing that comes up frequently is, aren't governments doing this? I think the answer is, yes. I think governments are trying to do it. But they can't do it in this manner because they have to respond to the issue of the day. And that's what we want them to be doing right now because we have so many fires.


  But we need to get to a place where we're not just putting out fires. We need to kind of get to the place where we're stopping them from starting in the first place. And in order to do that, we need to be more strategic. And the only way to do that is to have this Atlas-type picture.


   >> TAL GOLDSTEIN:  And I completely agree. And I'll just add to that, that the fact that this effort is very action oriented. So, everything that we’ve done was in the aim that we need to drive action against cybercrime. And the research, the learning process that we are doing now, as Amy said, is aimed to support that, in order to allow that.


   I think it's also, it’s relatively unique in the way that it's being done as a community effort. This is not any of the companies here is leading it. It's truly a group work that each company is providing something, mostly time and resources and experience, and it's all done in a way that we will allow, we're doing that in collaboration with law enforcement, in discussion, getting their inputs, but we really want to mobilize the private sector. We want to get the companies to take responsibility and ownership over this process so they can really bring everything that they have into this, and this is the way that it's being designed.


   >> DEREK MANKY:  To me, so I heard a key word here, ecosystem. And that's, to me, one of the biggest values of this. Of course, there's a lot of ecosystems out there but it’s that holistic ecosystem that we're talking about. It’s not just security researchers, not just law enforcement, right. It's a much wider, more diverse set of stakeholders.


   And if you think about each one of those stakeholders, they have different roles and they have different action points on – on Atlas. Atlas is going to guide them to different paths to have different action points. Law enforcement of course is looking at attribution, warrants, arrest, prosecution. Where you have the private sector like us looking at mitigation controls and so forth. And we're continuing to build those use cases and rules and it's really about also not just having the actional – action on that, but operationalizing that as well.


   And so, that is a big thing to me. The data types as well. You know, Amy already talked about that. We’re not just looking – this isn't a threat feed, right? We're looking at, again, the nontraditional, I would say, you know, artifacts that we're putting in there for data types.


  Again, think crypto addresses and bank accounts, phone numbers, emails, things that ultimately help to actually build the challenge of attribution which we always say is the holy grail, right?


   And you can't do that with an IP address or a URL solely, right. So, all of that combined holistically is really a big part of this.


   And then finally, I would just say, all of that together is built to actually go to global scale which is one of the missions for the partnership.


   >> MICHAEL DANIEL:  Yeah, I think the – you know, another bit for me that's been very important is this has not been solely a US-based project. We were talking earlier about how we were having these workshops from, you know, time zones, basically wrapping around the planet – sorry to our colleagues from the Asia Pacific region.


   But the – you know, I think that that's actually a really important factor in what we're – in what we’re doing.


   I think another piece of this is that of course we also know that with long experience in this, that there are many countries that provide safe havens for these cybercriminals to operate out of. And so, while it is great to, when we actually have the opportunity to see law enforcement do arrest and prosecution, that’s not always possible. So, what are some of the other ways though that something like the Cybercrime Atlas can help governments impose costs or do disruption against cybercriminals?


   >> AMY HOGAN BURNEY:  Yeah, and I mean, I think Microsoft Digital Crimes Unit is always thinking about that. So, you know, one of our sole purposes is to identify malicious infrastructure used by cybercriminals and look for ways to be able to seize it either civilly or through the cooperation of a third party vendor or actor. So, we're always working in that regard.


   Getting the government has, especially in the United States just recently, are all in on that as well. But they don't have necessarily the time to do this type of research, to get the background needed to prioritize those disruptions, so I do think that will be helpful.


   And in fact, for us, one of the results actually from the proof of concept is, is that as the stage, you know, three or four was happening – I don't know if anyone has heard of Hushpuppi who is an Instagram influencer who is actually a business email compromise scamster, but he poses all over the internet with his cars and other things, but was arrested and is in the United States.


   And basically, as that research was happening, we identified a tie between him and the Lazarus Group which is a North Korean nation state actor.


   If we had known that earlier, that may have changed the way the case was perceived. And so, information like this can reprioritize and shift governments as something that we've already seen in this proof of concept.


   >> MICHAEL DANIEL:  And just to pull on that, Amy, what's interesting to me is like, again, remember, all of this is open source data, which means that connection was sitting out there. Like, this was not some hidden thing that required specialized intelligence to gather. That connection was there in the data, waiting to be discovered.


   And so, that, to me, shows the real power of what we can put together from just even the open source data. To use that to drive further work that might, in fact, require, you know, specialized law enforcement or intelligence capabilities.


   >> DEREK MANKY:  And if we look at the power of the disruption, again, which is the mission of this, right, to disrupt cybercrime within the partnership and the Atlas Project, there's – it's not just one point, right? And that's the whole point of, like I said, ecosystem that we're building on our team, on our side.


   Then of course, you have the ecosystem of the cybercriminals. And in that ecosystem, it's like supply chain, right? They have their own way to move money and funds. They have their own way to set up infrastructure, communication platforms, all of those things. And that's what we're looking at, right? And each stakeholder will have a part of that for disruption, but it's not just about arrest and prosecution. As the classic saying goes, we can’t arrest our way out of this. It is part of it.


   But of course, we're also looking at – for disruption points, right, in that ecosystem where we can hit cybercriminals where it hurts, right, including everything, right, from the tools that they're creating and providing, to the communications that they're using, to, you know, bank accounts. So, freezing bank accounts is an example, crypto seizures, right, to infrastructure takedowns, of course, which I know DCU has been heavily involved in as well. And you know, like, everything from bulletproof hosting to sort of command and control servers and so forth.


   So, it’s really, again, all of those combined is very powerful for disruption, or can be.


   >> MICHAEL DANIEL:  So, I think one of, so we're talking about a lot of information here, potentially. And so, then there's a logical next question that comes out of this. So, who is going to get access to this data? And how do you balance the need for it to be shared widely, but at the same time, not just be an intelligence tool for the bad guys. Like, let me go check and see what the Atlas says about me, yeah.


   >> TAL GOLDSTEIN:  Yes, definitely we – anything that could be used for disruption, at the same time, in the wrong hands, used to avoid disruption. So, we are working at this point in a relatively close group and a vetted group that we want to make sure that anyone that is joining this group is at least relatively trustworthy.


   We also want to make sure that there is – to encourage contribution. So, we want to make sure there are certain privileges coming forward to actually contribute, invest resources and time into this work.


   But, as we said from the beginning, this is all about impact. In order to drive impact, we need to make sure that information is getting to the right hands, and this is why we are also setting the processes and policies to be able to share when we identify something that could be used to drive stakeholder law enforcement or others, but also to invite them when we identify something that we want to do to invite relevant stakeholders around the table to discuss the plan, the best course of action to disrupt this certain group or threat vector, and to see what would be the best course of action, and then also getting maybe into even deeper information sharing in a very focused group and focus.


   And in some cases, the approach can be sharing in a more broad way, the information, which could be tactical, operational, but it could also be strategic. It could also be insight that could be shared to influence decision makers and policy makers in order to act accordingly and basically make the life of criminals a bit harder.


   So, this will all be part of the discussion that we are planning to do based on the information that will be collected and analyzed in the Atlas.


   >> MICHAEL DANIEL:  Yeah, so I think if we just look down the road, you know, projected forward, you know, a year or two years down the road, I'd like to hear from each of you, like, what would success look like? If the Atlas Project was successful, what would that – what would that look like?


   >> DEREK MANKY:  So, to me, success is – so, we have to look at the goals, what we're trying to achieve, right? One of them is to really get a better, a firm understanding of just how many cybercrime organizations are there out there? Nobody knows that number. Yes, there's a lot of estimates as it's a multitrillion dollar industry. But what's a good gauge of that number from our research, right? Being able to put metrics on that and truly understand that, that's one measure of success.


   Having KPIs, being able to measure the success of our impact as well, because we're talking about operations and disruption. I call it moving the needle to the left, right, because we're looking at the – all of the profits and revenue that cybercrime continues to make and get deeper pockets, and have the ability – more capability on their side, being able to see that, after we're able to measure it, of course. You know, that's something I'd really like to see out of this, and that would be a success to me because it indicates we are truly having an impact and moving in the right direction.


   >> AMY HOGAN BURNEY:  For me, I think success is maybe a little more personal than that.


   And I would say, success for us, for Microsoft, for the Digital Crimes Unit would be to change the way we're thinking about how we choose our disruptions.


   So, you know, we're committed and have been committed to trying to do disruptions, but if this information can change the way I do them, the way I look at them, make more broadly and scale that and increase the number of partners that we have, and bring along more governments around the world, then that would be an incredible success. And I look forward to trying to do that.


   And I think based on the proof of concept, it's already changed the way I'm thinking about how we personally do our work, so I think the more people that are involved in the Atlas and received the information from it, it will influence them as well.


   >> TAL GOLDSTEIN:  And building on that, I think being able to create this community of companies that – enhance this community that understand that they have a responsibility and an ability to influence, to influence the way that we are addressing cybercrime, and we need security companies and tech companies, we need financial companies that – all of the different actors that can actually make a difference, successfully bringing more of them to the table.


   We need to be a bigger club of companies that are devoted for this. And then eventually, of course, the impact and being systematized in the way that we are driving disruption and action against cybercrime.


   >> MICHAEL DANIEL:  Yeah. And I think from my perspective, what I also want to see is the cadence pick up so that, you know, we're actually doing disruption operations on a much more sustained, regular basis so that it’s not – frankly, so that it almost doesn't get reported in the media, right, that it's happening so frequently that it's not even all that newsworthy.


   And so, I think that’s to me, where I would like to see the project go.


   In just a couple of minutes, we'll actually open the floor for a few questions from the audience. But I think, you know, Tal, maybe we could start with you and then, so, what's next? What's the next step in this – in this process?


   >> TAL GOLDSTEIN:  Yeah, so, we started with the role of the Forum actually and we talked about the unique position that the Forum allowed us to bring together the different stakeholders into this discussion, eventually leading to the Atlas.


   But at this point, where we want to scale up, enhance the community, and also take it to much more operational directions, the Forum is not the best location for this.


   So, we are now working to take the Atlas from the Forum, into a dedicated entity that we are working to promote that will focus on this Atlas initiative, both the research and looking into coordinated efforts against cybercrime.


   And this week, Michael mentioned, we had several meetings that we are working to design what would be the best way to do that, the most effective way to work together and bring more companies into this.


   So, in coming months, we will continue to design this new entity, and I hope that by the end of the year, we'll be in the position to launch this and move forward with this effort.


   >> MICHAEL DANIEL:  So, Amy, any sort of thoughts about what’s next in your view from –


   >> AMY HOGAN BURNEY:  Yeah, we've been committed to this from the beginning. We have some dedicated analysts. And so, in my mind, what's next is getting more human resources involved, because the connections that we talked about, the successes that we had, as you mentioned, the data is there and available but we need the people and the talent to be able to go through and look at this data.


   And I think the folks that have done this work are incredible and they've been incredibly diligent and I'm pretty certain they've sacrificed some Saturdays and Sundays for this. And so, they absolutely need help.


   So, what's next is, after we kind of create the foundation that Tal talked about, is then we need to get the talent in order to help support this because it's a worthwhile endeavor.


   >> MICHAEL DANIEL:  More work.


   Your reward for – your reward for success is more work. That sounds typical.


   >> DEREK MANKY:  Yes, so, yeah, I mean, look, it was fantastic, of course, to be here in person, finally, you know, with the wonderful analysts and everyone from the project. And you know, that’s – that has a lot of value on it. So, definitely more of that, right? Having more of the workshops. Obviously, continue the analyst stream and all of that great work which is critical for the project through the proof of concept.


   But then moving it beyond that as well too, right. Starting to look at the proof of concept once we have the dedicated entity and getting the other stakeholders involved.


   Because up until now, it's been primarily the analysts doing the core of this. As I mentioned, within the partnership and the project, there's more stakeholders that have a lot of interest in this, and so that's the next natural stage is to start slowly.


   Again, crawl, walk, run.


   This is an ever in motion project. It's – it’s a long – a long roadmap, right, just like any project at a global scale. But certainly, a lot of next steps in the next six months.


   >> MICHAEL DANIEL:  Great. So, at this point, we can open it up for questions from the audience. I think there are two microphones where you see the spotlights out there. So, if there are any – anybody that wants to ask a question, we will happily take a question or two in the last few minutes that we have left.


   So, I see somebody going to the microphone, maybe. Oh, there we go.


   >> AUDIENCE:  Hi – oops. My name is [00:40:19]. I'm a recent law grad. I'm very interested in cybersecurity but I'm also interested in what are we going to do about China and Huawei and I mean, I have family that comes to visit and they've got all these other devices and they just want to stick a SIM chip into it and how do we do this?


   >> MICHAEL DANIEL:  Amy, I'll throw that one to you, but if you want me to speak on that too, I can.


   >> AMY HOGAN BURNEY:  No, yeah, I'll start and then you can go, Michael.


   So, I think, you know, your point is well taken. I just got back a week ago from South Africa and Mozambique and I was struck by how much Chinese infrastructure is there in use cases. You get kind of – the last two years of the pandemic where you haven’t been able to travel. You don’t see it as much. And that was one of the things I did notice during my travels.


   I think the first thing that maybe Tal mentioned in the beginning for the Atlas group is – is that we are, it’s a relatively – we’re a small, vetted group that we plan to keep working in this regard. We have not limited ourselves to nation state actors or cybercriminals. We've kind of kept it a reasonably broad look for at least our thirteen original groups that we did in the proof of concept.


   And to the extent that the information that we package up and is available is useful to governments as they seek to do additional intelligence work, then they would be able to use it in that fashion.


   I mean, we're, I think, not planning to put constraints, necessarily, in how the information is used. We are planning to constrain the group that it's shared with, if that makes sense.


   >> MICHAEL DANIEL:  And I think the other piece is that to the extent that we actually start to illuminate the links between cybercriminals and governments, plural, whatever they are around the world, that's actually a useful thing. And it's useful for our diplomacy, it's useful for our long-term relationships, it's useful for our long-term development of norms in this space. What do we actually want?


   What is responsible state behavior? It certainly is not harboring and sponsoring cybercriminals, but what is the responsibility of a government to deal with cybercrime activity within its borders?


   And by the way, that will reflect on the United States because where is there a lot of cybercriminal activity on the infrastructure? It's in the United States. Same reason that Willie Sutton robs banks, because that's where the money is, right.


   So, you know, there are – it's not just about, you know, China or Russia or any of the other governments, so.


   >> AUDIENCE:  Hi, so, among other things, I'm an expert in cyber supply chain and particular – particularly data and tooling. And as I'm listening to you describe trying to scrape the open source for information and look for connections, that's a lot about supply chain analysis.


   And so, I was hoping to hear some discussion of tooling and how are you – you’re talking about needing more human resources. You need more machine learning resources. And I have some tooling that could help and I was wondering if you were looking at some of the supply chain tools that are out there to examine foreign ownership, control, and investment, and make those connections for what are exceedingly complex supply chains distributed globally.


   I think there's a lot of leverage points there. So, could you talk a little bit about tooling?


   >> AMY HOGAN BURNEY:  Yeah, so it's like you were at our meeting yesterday.


   We had a steering committee Atlas meeting yesterday where we were talking about next steps and we were talking about, how do we scale? Basically, we divided that into human resources and then system based resources and then there was an entire conversation about tooling.


   Because you're right. The only way to scale this is to think about what type of – first, you know, what type of platform that we're using, and then what type of tools are available in order to assist the data that we have as well.


   So, that is absolutely a part of this. And I know there are two of our analysts in the room and they can tell you every tool that they have ever – they have used already. Because, as you can imagine, they have access to some tooling at this point but I was told yesterday it's not nearly enough and they need far more if we're going to be able to scale.


   >> DEREK MANKY:  Yeah, and keep in mind, we're at the proof of concept stage right now as well too. So, much of that – the second stage that we talked about, the link analysis, that is driven by the human intelligence, right. So, it's been manual, using tools, but still, not machine learning, of course, right, because we don't have a massive data pool right now. So, it's really building the model, doing that link analysis which effectively is building that map, and showing the early beginnings of those chains as we discover them.


   But then as, you know, Amy said, and that was the discussion yesterday, how do we take that to scale? How do we get more data to start applying, because we're not going to be able to have 5,000 analysts, you know, working.


   >> MICHAEL DANIEL:  Using a shared Excel spreadsheet.


   >> DEREK MANKY:  Right.


   >> TAL GOLDSTEIN:  And also, to add to that, it’s a project right now and the group is working. We talked about contribution and the fact that all of the partners are contributing.


   In some of the cases, we already have companies that are contributing the tools and the licenses are being used by the analysts.


   So, there are different ways in which companies can contribute. Analysis is one way, resources, but also with tools is something that we are very happy we have some of the partners helping the process with their own tools that they are providing to the group.




   >> AUDIENCE:  I'm Gary Warner from UAB in Birmingham, Alabama. And one of the things that I wonder about, we talk about the thirteen largest targets, and we frequently see this thing – I've spent a lot of time looking at Hushpuppi and his legal case and things. But if we look at the FBI’s numbers from the Internet Crime and Complaint Center, our number one fraud category is business email compromise. And there is no big guy.


   There are somewhere between 1.2 and 2 million West African organized crime contributors. Most of them are never going to steal more than a thousand dollars. But collectively, they stole $2.3 billion just in what was reported to the IC3 last year.


   Second category according to the IC3 numbers, was cryptocurrency investment scams. There are somewhere around 19,000 live cryptocurrency investment scam websites right now. Each one of them is going to steal $5,000, a hundred dollars. Many of them won't steal anything. But again, there's no 800-pound gorilla.


   If we look at the biggest criminal actors, we tend to go back to ransomware and a lot of businesses believe ransomware is the biggest threat. But from a consumer perspective, the elderly, the people who are desperate for funds, they're getting killed economically, but it's an army of ants. And so, focusing on the thirteen big guys doesn't really address that side of it. I wonder how we can bring that into the mix.


   >> AMY HOGAN BURNEY:  Yeah. Hi, Gary. I haven't seen you in ages. How are you?


   So, first, I would say you're absolutely right. But I don't think it means that there's nothing we can do from this project. I think the first thing is, is that no, we can't focus on the billion of small actors, but what we can understand is the mechanism by which they're committing their crime and then go after that. And that's really the key to disruption.


   So, for your business email compromise, we all know that business email compromise starts with malicious domains. So, if we can get to the point by kind of identifying the big groups in the business email compromise space where – that we see among those thirteen actors and then identifying the malicious domains in that space and taking away some of their currency and friction so they're not making the couple hundred dollars here or there, then we can kind of have a dent in it that way because we can't, you're right, go after individual actors in that way.


   I don’t know if, Derek, you want to add to that too?


   >> DEREK MANKY:  Yeah, just to build on that. Prioritized response as well. So, shared infrastructure. The links, again, getting down to the link analysis we’re doing.


   Yes, we don't have the resources to do. There's a thousand of these groups – or not groups, but say teams of people to do drill downs or deep dives into those, right. But by understanding link analysis on that first phase and identifying, you know, here's – here’s the big red spot, right, that heat map, if you will, and the shared infrastructure that’s caught in between them. Because ultimately, that's already what we're discovering there is. Again, that's going to actually help prioritize the response for disruption.


   >> AMY HOGAN BURNEY:  Yeah. And I'll just add like two more things to that because I think in the business email compromise space, we've been pretty successful in sharing with law enforcement some of the high level referrals that we've had that have led to sweeps type action. So, they have done three or four different global sweeps of the higher level business email compromise criminals, which hopefully sets the precedent that it is – there is a deterrence factor to when those people are arrested.


   And, you know, then the other piece is also kind of the information sharing that we'll have available here as well.


   So, I do think that yes, there is the death by a thousand cuts piece of this, and the individual consumer will continue to go after those people, but also the education for those folks as well, I think is really important.


   >> MICHAEL DANIEL:  Well, thank you, everyone, and thank you for coming. We are out of time for today. But thank you for coming and listening to us talk about this really important project.


   And I think there's one keynote left over in Moscone West with Hugh Thompson which is always very entertaining, and so thank you for coming and have a great rest of the conference.

Michael Daniel


President and Chief Executive Officer, Cyber Threat Alliance

Tal Goldstein


Head of Strategy, Centre for Cybersecurity, World Economic Forum Centre for Cybersecurity

Amy Hogan-Burney


Associate Counsel and General Manager, Cybersecurity Policy & Protection, Microsoft

Derek Manky


Chief Security Strategist & VP Global Threat Intelligence, Fortinet
