World Economic Forum wants a global map of online crime

Will cyber crimes shrug off Atlas Initiative? Objectively, yes


RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.

The Atlas initiative, whose contributors include Fortinet and Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.  

This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals' supply chain to develop better mitigation strategies and security controls for their customers. 

"This isn't a threat feed," said Derek Manky, chief security strategist at FortiGuard Labs, during an RSA Conference panel about the project. "We're looking at the non-traditional artifacts. Think: crypto addresses and bank accounts, phone numbers, emails, things that ultimately help to build the challenge of attribution, which we always say is the holy grail."

Attribution, in turn, helps cops and government issue warrants, make arrests and prosecute cybercriminals, he added.

"We chose the word Atlas very deliberately," Cyber Threat Alliance CEO Michael Daniel noted during the panel discussion. 

An Atlas is a collection of maps and charts that help users visualize the topography or characteristics of the physical world, he said. "And we want to be able to do the same thing for the cybercriminal ecosystem."

This becomes increasingly important as malware types are no longer synonymous with criminal groups, and the gangs themselves outsource different pieces of an attack, such as the initial access and malware code development, Daniel added. 

Watch out who you friend on FaceBook

The group's use of open source is notable, too, panelists noted. Instead of only looking at highly technical indicators of compromise, the researchers are also relying on publicly available sources of information: social media accounts, which can reveal who in the criminal world is "friends" with whom, as well as public information including indictments and other court documents as well as published blogs and analysis of various crime rings.

"One of the problems we frequently bump up against when we're talking about sharing information is: Is it proprietary from the private sector? Is it a work product such that they don't necessarily want to share? Is it classified information from governments? But that doesn't mean there isn't information that's available," said Amy Hogan-Burney, associate counsel and GM of Microsoft's Digital Crimes Unit.

Microsoft, along with Fortinet and CTA, is a founding member of the WEF's Centre for Cybersecurity, which began in 2019. The Atlas project spun out of that group.

An online search can reveal "a tremendous amount" of information, Hogan-Burney continued, noting that once this "entire mountain" of data is unearthed, "you need to figure out what from that is useful? And then how can we use it in an appropriate way?"

13 crime gangs to start

The Atlas project will select 13 cybercrime gangs to start with, but the organizations involved haven't yet revealed the names of the lucky 13. 

Hogan-Burney did, however, mention TrickBot and Cosmic Lynx during the RSA Conference panel. And it's probably a safe bet that Conti, Evil Corp, Lazarus Group, DarkSide, LockBit, Ragnar and Clop will make the cut.

After choosing which miscreants to study, the group will collect all of the publicly available information on each that they can dig up. Then, we're told, they'll drill down into more technical indicators such as email addresses and IPs associated with the various gangs.

The third step involves creating links, Hogan-Burney said, adding that "this is where things get exciting." And then she name-dropped the notorious trojan. 

"They were looking into TrickBot," during the proof-of-concept for Atlas, "which is something that we at the Digital Crimes Unit at Microsoft, have been looking into forever, and governments have been looking into," Hogan-Burney said. One of TrickBot's commonly used IPs was also used by Russian business email compromise gang Cosmic Lynx, she added.

"That kind of thing is useful as we're starting to think about how would we disrupt this infrastructure," Hogan-Burney continued. And, of course, crime ring infrastructure disruption is one of the Microsoft Digital Crimes Unit's favorite pastimes.

Finally, the Atlas project aims to make these maps usable for both the private and private sector organizations by the WEF's annual meeting in Davos in January 2023.

"We need to drive action against cybercrime," said Tal Goldstein, head of strategy at the WEF's Centre for Cybersecurity, adding that it's an "action-oriented group," as opposed to an academic exercise. "This is all about impact." ®


Other stories you might like

  • Start using Modern Auth now for Exchange Online
    Before Microsoft shutters basic logins in a few months

    The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October.

    In an advisory [PDF] this week, Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) noted that while federal executive civilian branch (FCEB) agencies – which includes such organizations as the Federal Communications Commission, Federal Trade Commission, and such departments as Homeland Security, Justice, Treasury, and State – are required to make the change, all organizations should make the switch from Basic Authentication.

    "Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth," CISA wrote. "After completing the migration to Modern Auth, agencies should block Basic Auth."

    Continue reading
  • FabricScape: Microsoft warns of vuln in Service Fabric
    Not trying to spin this as a Linux security hole, surely?

    Microsoft is flagging up a security hole in its Service Fabric technology when using containerized Linux workloads, and urged customers to upgrade their clusters to the most recent release.

    The flaw is tracked as CVE-2022-30137, an elevation-of-privilege vulnerability in Microsoft's Service Fabric. An attacker would need read/write access to the cluster as well as the ability to execute code within a Linux container granted access to the Service Fabric runtime in order to wreak havoc.

    Through a compromised container, for instance, a miscreant could gain control of the resource's host Service Fabric node and potentially the entire cluster.

    Continue reading
  • Microsoft postpones shift to New Commerce Experience subscriptions
    The whiff of rebellion among Cloud Solution Providers is getting stronger

    Microsoft has indefinitely postponed the date on which its Cloud Solution Providers (CSPs) will be required to sell software and services licences on new terms.

    Those new terms are delivered under the banner of the New Commerce Experience (NCE). NCE is intended to make perpetual licences a thing of the past and prioritizes fixed-term subscriptions to cloudy products. Paying month-to-month is more expensive than signing up for longer-term deals under NCE, which also packs substantial price rises for many Microsoft products.

    Channel-centric analyst firm Canalys unsurprisingly rates NCE as better for Microsoft than for customers or partners.

    Continue reading
  • Inside the RSAC expo: Buzzword bingo and the bear in the room
    We mingle with the vendors so you don't have to

    RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

    Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

    For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

    Continue reading

Biting the hand that feeds IT © 1998–2022