RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.

The Atlas initiative, whose contributors include Fortinet, Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.

This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals’ supply chain to develop better mitigation strategies and security controls for their customers. 

“This isn’t a threat feed,” said Derek Manky, chief security strategist at FortiGuard Labs, during an RSA Conference panel about the project. “We’re looking at the non-traditional artifacts. Think: crypto addresses and bank accounts, phone numbers, emails, things that ultimately help to build the challenge of attribution, which we always say is the holy grail.”

Attribution, in turn, helps cops and government issue warrants, make arrests and prosecute cybercriminals, he added.

“We chose the word Atlas very deliberately,” Cyber Threat Alliance CEO Michael Daniel noted during the panel discussion. 

An Atlas is a collection of maps and charts that help users visualize the topography or characteristics of the physical world, he said. “And we want to be able to do the same thing for the cybercriminal ecosystem.”

This becomes increasingly important as malware types are no longer synonymous with criminal groups, and the gangs themselves outsource different pieces of an attack, such as the initial access and malware code development, Daniel added. 

Watch out who you friend on Facebook

The group’s use of open source is notable, too, panelists said. Instead of only looking at highly technical indicators of compromise, the researchers are also relying on publicly available sources of information: social media accounts, which can reveal who in the criminal world is “friends” with whom; indictments and other court documents; and published blogs and analysis of various crime rings.

“One of the problems we frequently bump up against when we’re talking about sharing information is: Is it proprietary from the private sector? Is it a work product such that they don’t necessarily want to share? Is it classified information from governments? But that doesn’t mean there isn’t information that’s available,” said Amy Hogan-Burney, associate counsel and GM of Microsoft’s Digital Crimes Unit.

Microsoft, along with Fortinet and CTA, is a founding member of the WEF’s Centre for Cybersecurity, which began in 2019. The Atlas project spun out of that group.

An online search can reveal “a tremendous amount” of information, Hogan-Burney continued, noting that once this “entire mountain” of data is unearthed, “you need to figure out what from that is useful? And then how can we use it in an appropriate way?”

13 crime gangs to start

The Atlas project will select 13 cybercrime gangs to start with, but the organizations involved haven’t yet revealed the names of the lucky 13. 

Hogan-Burney did, however, mention TrickBot and Cosmic Lynx during the RSA Conference panel. And it’s probably a safe bet that Conti, Evil Corp, Lazarus Group, DarkSide, LockBit, Ragnar and Clop will make the cut.

After choosing which miscreants to study, the group will collect all of the publicly available information on each that they can dig up. Then, we’re told, they’ll drill down into more technical indicators such as email addresses and IPs associated with the various gangs.

The third step involves creating links, Hogan-Burney said, adding that “this is where things get exciting.” And then she name-dropped the notorious trojan. 

“They were looking into TrickBot,” during the proof-of-concept for Atlas, “which is something that we at the Digital Crimes Unit at Microsoft have been looking into forever, and governments have been looking into,” Hogan-Burney said. One of TrickBot’s commonly used IPs was also used by Russian business email compromise gang Cosmic Lynx, she added.

“That kind of thing is useful as we’re starting to think about how would we disrupt this infrastructure,” Hogan-Burney continued. And, of course, crime ring infrastructure disruption is one of the Microsoft Digital Crimes Unit’s favorite pastimes.
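As an added illustration (not code from the Atlas project or the panelists), the linking step described above can be sketched in Python: collected artifacts are normalized, indexed by group, and any value seen under two or more groups becomes a link, with linked groups then merged into clusters. The group labels, artifact values and function names are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample records: (group label, artifact type, raw value).
# Labels and values are placeholders, not real attribution data.
RECORDS = [
    ("group-a", "ip", "2001:db8::1"),
    ("group-b", "ip", "2001:0DB8:0:0:0:0:0:1"),  # same address, different spelling
    ("group-b", "phone", "+1 (555) 010-0199"),
    ("group-c", "phone", "+15550100199"),
    ("group-d", "ip", "198.51.100.7"),
]

def normalize(kind, value):
    """Canonicalize an artifact so equal values written differently compare equal."""
    value = value.strip()
    if kind == "ip":
        return str(ipaddress.ip_address(value))
    if kind == "email":
        return value.lower()
    if kind == "phone":
        return "+" + re.sub(r"\D", "", value)
    return value  # e.g. crypto addresses are often case-sensitive: keep as written

def shared_artifacts(records):
    """Map each artifact seen in two or more groups to the groups that use it."""
    seen = defaultdict(set)
    for group, kind, value in records:
        seen[(kind, normalize(kind, value))].add(group)
    return {art: sorted(gs) for art, gs in seen.items() if len(gs) > 1}

def clusters(records):
    """Merge group labels into connected components via shared artifacts."""
    parent = {g: g for g, _, _ in records}
    def find(g):
        while parent[g] != g:
            g = parent[g]
        return g
    for groups in shared_artifacts(records).values():
        for other in groups[1:]:
            parent[find(other)] = find(groups[0])
    out = defaultdict(set)
    for g in parent:
        out[find(g)].add(g)
    return sorted(sorted(c) for c in out.values())

if __name__ == "__main__":
    print(shared_artifacts(RECORDS), clusters(RECORDS))
```

A shared artifact is a lead for an analyst to verify, not proof of a relationship: hosting providers, VPN exits and reused templates can all produce coincidental overlaps.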

Finally, the Atlas project aims to make these maps usable for both public and private sector organizations by the WEF’s annual meeting in Davos in January 2023.

“We need to drive action against cybercrime,” said Tal Goldstein, head of strategy at the WEF’s Centre for Cybersecurity, adding that it’s an “action-oriented group,” as opposed to an academic exercise. “This is all about impact.”