The World Economic Forum wants a global online crime map • The Register

RSA Conference An ambitious project led by the World Economic Forum (WEF) is working to map the cybercrime ecosystem using open source information.

The Atlas Initiative, whose contributors include Fortinet, Microsoft and other private sector companies, involves mapping relationships between criminal groups and their infrastructure, with the ultimate goal of helping both industry and the public sector – law enforcement and government agencies – disrupt these harmful ecosystems.

This kind of visibility into connections between gang members can help security researchers identify vulnerabilities in the criminals’ supply chain so they can develop better mitigation strategies and security controls for their clients.

“It’s not a threat stream,” Derek Manky, chief security strategist at FortiGuard Labs, told an RSA conference panel on the project. “We’re looking at non-traditional artifacts. Think: crypto addresses and bank accounts, phone numbers, emails, things that ultimately help with the attribution challenge, which we always say is the Holy Grail.”

Attribution, in turn, helps cops and the government issue warrants, make arrests and prosecute cybercriminals, he added.

“We deliberately chose the word Atlas,” Cyber Threat Alliance CEO Michael Daniel noted during the roundtable.

An atlas is a collection of maps and charts that help users visualize the topography or features of the physical world, he said. “And we want to be able to do the same for the cybercriminal ecosystem.”

This is becoming increasingly important as malware types are no longer synonymous with criminal groups, and the gangs themselves outsource different parts of an attack, such as initial access and development of the malicious code, Daniel added.

Be careful who you are friends with on Facebook

The group’s use of open source is also noteworthy, the panelists noted. Instead of looking only at highly technical indicators of compromise, researchers also rely on publicly available sources of information: social media accounts, which can reveal who in the criminal underworld is “friends” with whom, and public information including indictments and other court documents, along with published blogs and analysis from various criminal networks.

“One of the issues we frequently run into when talking about information sharing is: Is it the property of the private sector? Is it a work product such that they don’t necessarily want to share? Is there classified information from governments? But that doesn’t mean there isn’t information available,” said Amy Hogan-Burney, associate attorney and managing director of the Digital Crimes Unit at Microsoft.

Microsoft, along with Fortinet and CTA, is a founding member of the WEF Cyber Security Center, which started in 2019. The Atlas project grew out of this group.

An online search can reveal “an enormous amount” of information, Hogan-Burney continued, noting that once this “entire mountain” of data is uncovered, “you have to figure out what’s useful from it? And then how can we use it appropriately?”

13 criminal gangs to start with

Project Atlas will select 13 cybercriminal gangs to start with, but the organizations involved have yet to reveal the names of the lucky 13.

Hogan-Burney did, however, mention TrickBot and Cosmic Lynx during the RSA conference panel. And it’s a safe bet that Conti, Evil Corp, Lazarus Group, DarkSide, LockBit, Ragnar and Clop will be there.

After choosing which miscreants to study, the group will collect whatever publicly available information about each they can dig up. Then, we’re told, they’ll dig deeper into more technical metrics like email addresses and IP addresses associated with the various gangs.

The third step is to link them, Hogan-Burney said, adding “this is where things get exciting.” And then she named the notorious Trojan horse.

“They were looking at TrickBot,” during Atlas’ proof of concept, “which we at Microsoft’s digital crimes unit have been looking at forever, and governments are looking at,” Hogan-Burney said. One of the IP addresses commonly used by TrickBot was also used by Russian business email compromise gang Cosmic Lynx, she added.

“That kind of thing is helpful because we’re starting to think about how we might disrupt that infrastructure,” Hogan-Burney continued. And, of course, disrupting criminal network infrastructure is a favorite pastime of the Microsoft Digital Crimes Unit.

Finally, the Atlas project aims to make these maps usable for both public and private sector organizations by the WEF annual meeting in Davos in January 2023.

“We need to take action against cybercrime,” said Tal Goldstein, head of strategy at the WEF Center for Cybersecurity, adding that it was an “action-oriented group” as opposed to an academic exercise. “It’s all about impact.” ®