
GT - Playing Games with Cybercriminals

BSides Las Vegas · 48:00 · 121 views · Published 2023-10
About this talk
Ground Truth, 17:00 Wednesday

Up to this point in time, the primary law enforcement strategy used to fight cybercrime has been the “hammer”. Given a core function of policing has been to arrest criminals, it is no surprise that offenders involved in digital crimes like hacking, online fraud and malware have also faced prosecution. Alongside arrests has been the takedown of cybercriminal infrastructure, such as marketplaces or botnets. This has been carried out by law enforcement, with industry also playing a role. But questions have been raised about the long-term impact of such operations, and whether new players or infrastructure simply emerge with the cybercrime threat continuing unabated, or even growing. This talk moves beyond the law enforcement hammer, and examines whether there are softer approaches which might also be used to reduce the threat of cybercrime. In particular, it focusses on the underlying economics of cybercrime and the levers which could be pulled to damage the efficiency of cybercriminal markets and disrupt illegal operations. In short, can law enforcement, and their partners in industry, play games with cybercriminals?

Speaker: Jonathan Lusthaus
Transcript (en)

Good afternoon, welcome to BSides Las Vegas day two, Ground Truth, and today we have Jonathan Lusthaus with Playing Games with Cybercriminals. Before we get started I've got a couple of announcements. We'd like to thank our sponsors, especially our Diamond sponsor Adobe and our Gold sponsors PlexTrac, Toyota and ConductorOne. It's their support, along with our other sponsors, donors and volunteers, that makes this event possible. These talks are being streamed live, and as a courtesy to our speakers and the audience we'd ask that you check to make sure your cell phone is on silent or do not disturb. If there is time for questions at the end, I have a microphone in the middle there, and we'll see whether you go up to get it or I'll bring it to you. I'll plan to, if there are questions, go get the mic and bring it to you. And with no further ado, Jonathan.

Well, it's a privilege to present this research to you. Before I start, though, I just want to acknowledge quite clearly that this is a team effort. So I'm presenting this research today, I'm the PI on the project, but there's a number of others involved here. So we have co-authors in Edoardo Gallo and Federico Varese, but in particular I want to note the contribution of Rebecca Heath, who's done a huge amount of work for this project. So it's by no means myself presenting on behalf of myself; this is very much a team effort.

Now what I'm going to talk to you about today might be slightly weird as a type of presentation, for a few different reasons. One, you'd note there's an Oxford-Cambridge collaboration, which are meant to be sworn enemies, so that's quite unusual, but there's no serious beef there, and you know, you want to work with good people, so we managed to do that. So that seems a little bit weird, but it's not that weird. Secondly, this is a very social-sciencey type of presentation, which might be a bit weird if you don't come from a social science type of background. In particular I'm a sociologist, but I'm drawing on another field, which is experimental economics, and so the collaborators we have have brought us into that space. So I'll try and be a little bit gentle with that; I had to learn that myself, so I'll be quite clear in those sorts of elements, because it gets a little bit technical in its own kind of way. But the third part that's weird, which I think is the most interesting thing about this, is that if you look at conventional economics, a lot of this is about how do you make markets work more efficiently and more effectively, and the weird thing we're doing in this presentation is actually trying to think about how to make markets work less well. So how do we screw them up, how do we disrupt them, how do we make them less efficient? So we're doing the opposite of what conventional economists would be trying to do.

Now why would you want to do that? The reason for that is not all markets are good. So we have bad markets, or markets that we don't want to function so efficiently because they create harm of different kinds. So cybercriminal markets, which are the inspiration for this project, fall into that category very much, and so they've really inspired the work that we're doing here. That's the background that I come from: as a sociologist I spent a long time interviewing former cybercriminals, interviewing people in industry and law enforcement, trying to understand more about that criminal industry. And so here I'm talking to you about this one particular part, which is the markets, which are very, very important to how cybercrime functions.

So as we all know, cybercrime is a major burden for business; it causes a lot of trouble for a lot of people. But what is really quite central to this industry is markets, because they allow people who do things like breaches, or carry out other types of activities, to monetize the data or to engage with others with different types of specialties from the ones that they have. So this is very important to finding friends who can do things that you can't do, right, working with other people who have specialties and skill sets that you just don't have. And so the markets are very, very essential to this, and they operate in different ways. We get very small ones, we get large ones that have, you know, thousands of members in them, and they range from those that specialize in certain types of areas, certain types of cybercrime, to others that are more general, some that are into more drugs and things like this. We get a whole kind of spectrum, but the essence there is you need a place to trade, to do business, to work together. So looking at the disruption of these markets is actually very valuable as a policy exercise, and as a broader exercise in trying to understand how these markets work and how we can make them work less efficiently.

So just as an example, some of you might be familiar with this. This is a kind of historical case now, Darkode, quite a few years back now, but just as an example if you're not familiar with what some cybercriminal markets look like. And they look quite similar to a whole bunch of other sites, to be quite honest. We often look for things that are very unusual, very innovative in cybercrime, and they're not in a lot of instances; they use a lot of things we see in other aspects of life, other aspects of tech. Even the software that they used to create the sites is very similar to all other sites. So here what we have is Darkode; you can see the little tagline there about being a marketplace for sewing machines and other stuff. The other stuff is like malware, exploit kits, all sorts of things. This was known, before it was shut down, as being a more high-end, more technical kind of English-language site. So we get other sites that specialize more in carding and credit card fraud, things like this; this had a little bit of stuff going on like that, but it was known as being at the more technical end, at least in the English-language scene, and so that was the place that you went, as that type of actor, where you wanted to find the good stuff in terms of malware. So you can see a little bit of a spread of some of the things that were on offer in this particular marketplace.

So this is just an example again; posts look like what posts look like, they're not anything particularly special. What we have here, and I'm not expecting you to read all this tiny writing, is just an example of what we see in these types of markets. And here what we have is one particular cybercriminal under the name JP Morgan, which I think is a fantastic cybercriminal name, and actually it was a very, very effective and well-known cybercriminal, an Eastern European actor, a very, very important cybercriminal in a number of respects. And he's looking to buy exploits; that's what he's posting about. So he wants people to come and do business with him. The key here: how do these markets work? A lot of them work quite simply like this, which is you advertise, often you're selling or you're advertising to buy, and you'll find partners that way. Some of them evolve to work in slightly different ways, but that's the core of it: you advertise, you're looking for someone to trade with, and then you trade. That's as simple as that. Trust is a key component here, so we see a couple of people jumping in in this thread basically verifying JP Morgan as being a serious person. We can see down there near the bottom Paunch, who's another big Russian-speaking cybercriminal, was arrested in Russia a few years back, who basically comes in and says, yeah, I know this person, he's very legit. So trust is important, and that's very important to trading in these types of settings.

So as a social scientist, what I really want to emphasize here is the people involved, that we're talking about people. So we see on the left there's probably the most widely used image of cybercrime that's in any kind of report that you might see, and so I'm including it here not as an endorsement but actually to criticize it a little bit. The main problem is that they all have faces, and this image does not depict that. So on the right we have a real-world cybercriminal; it's tied back to that Darkode example I just used, which is this was one of the administrators of Darkode. So his nickname is Iserdo, and he's been arrested multiple times now. So he was also known for being one of the key people involved in the Mariposa botnet, and he went on to do a bunch of other stuff. You can see him there wearing a t-shirt, because after his first arrest he went on to work for a startup in crypto mining. And so you can see actually, even just in that case, a little bit of what we're talking about here, that there is actually a strong similarity between some of these actors and regular humans. These are people; that's the point I like to make, these are people too. They're not so unique and so unusual that we sort of think, oh, let's reinvent the wheel, let's think about them in a completely unusual way. No, they're 99% like other people, and they're 99.9% like other people in tech, because that's, you know, the skill set. And so we often see some individuals moving between spaces, sometimes in grey areas, sometimes moving between legitimate enterprises and more criminal ones. So here the point is that if we're trying to understand more about these types of people, we can look at them through the lens, and as I said I'm a social scientist, of studying humans. We don't have to view it purely as a tech kind of problem.

All right, so how have we tried to deal with this threat so far? So we've been talking about these cybercriminal marketplaces; what has been the approach up to this point in terms of conventional law enforcement? The strategy has been conventional law enforcement tactics, which has been around takedowns and arrests. So if we think about how do we deal with crime: if you want to get to the photo, for instance, I showed you one just there of Iserdo, you ultimately have to arrest the person to attribute exactly who they are, right. So that's been the core of the strategy, which is okay, we try and arrest these people when we can. We also try and do takedowns, we try and hit the infrastructure. So that might be in relationship to these types of cybercriminal marketplaces: we try and take those marketplaces out in different ways, maybe twinned with an arrest strategy going on together. Or if we're talking about botnets, we're trying to take out some of the botnet infrastructure. We're trying to hit really the most visible and obvious aspects of this, and we're trying to arrest the people involved.

Now the problem becomes how effective can we be in this, particularly when we're talking about cybercriminals based all across the world, and sometimes based in jurisdictions where we don't have good relationships between different countries, right. So we can think about the example of Russia. If you're operating in, say, the US or the UK or somewhere else, and you have a cybercriminal who is operating out of Russia, can you get good cooperation at this point in time if you're trying to make an arrest, if you're trying to get that type of cooperation? Actually the same would apply in Russia in relation to, say, Kazakhstan or something like that. So everyone faces a similar type of problem, which is this jurisdictional barrier that there is when you're trying to make arrests. So the question is how much effectiveness can you have with this type of approach. The other part of it is, if you look at these types of takedowns of infrastructure, whether it's botnets or whether it's marketplaces, do the actors just move? So you hit a particular marketplace, you shut it down, they set up a new one and off they go again. Or if you take out the botnet infrastructure, if you haven't taken out the people behind the botnet infrastructure, they're just going to set up a new infrastructure. So there's this kind of question about, is this sort of a whack-a-mole type of situation? Obviously there's very strong reasons why law enforcement goes in that direction, but the question is, there's this issue of what we call displacement, which is it displaces either in time, so people stop for a short period of time and then restart again, or it displaces in space, which is they move somewhere else, or even move into a different type of activity. So that's something we need to be aware of.

So part of the core of what we're trying to do with this project is understand: are there other types of approaches we might adopt that are less hammer-like, that are less strict, less strong, less conventional in terms of law enforcement? Are there softer and sometimes cheaper approaches, in terms of not requiring a massive operation that crosses jurisdictions, that involves a huge amount of attribution, a huge amount of arrests and these kinds of things? So that's what we were kind of inspired by, and the question we ask is, can we play games with cybercriminals? In a sense, can we mess with the marketplaces, can we inject some kind of distrust there, and how would we go about doing that? That was the core motivation that we adopted here: is there something, not necessarily to replace these existing law enforcement strategies, but something you might supplement them with? And so that's what has been driving our work.

Okay, so this particular project has two questions, which is: how do cybercriminal actors in online networks cooperate and trust each other? So we've talked about that question of trust quite a lot already. And then, how can these networks be disrupted? So what were the methods that we used? And this is the part I mentioned as being slightly weird, so I'm going to try and introduce them to you, because I'm not expecting many of you to be experts in experimental economics, and as I mentioned, I'm not really an expert in experimental economics either. So I'm going to do my best to try and explain it to you in a way that people can understand, and a way that I tried to understand it myself. So this is actually the first time anyone's used this type of approach in relation to these markets, to my knowledge anyway; I'm willing to be corrected on that, of course.

And so what we looked at was to design a market very similar to what we call a market for lemons game. So if you're not familiar with what market for lemons is: if you think about a used car market, that is the most famous example, which is if you're selling used cars, you know a lot more about the particular car or cars that you have, and if you're buying them you don't, and you're in a bit of trouble because you have what's called an information asymmetry. So the seller maybe knows they're selling you a lemon; the buyer does not know, right. So you might think, okay, there's ways they can figure it out and things like this, but just on face value, in that interaction one side has much more information than the other, and that's a very dangerous position to be in as the buyer, right. But it's also a dangerous position for the market, because the theory is that a market like that will collapse over time; it just won't work very well, and so it will just spiral down. So what we see here is the way out of that problem is things like reputation. So there's various mechanisms that have been developed over time to try and solve this problem, so we get like branding, licensing, regulation, and reputation is very, very important for trying to solve this type of problem. If people know that particular seller, that particular vendor, is good, I trust them, I trust the product, then you're more likely to buy from them, and the market won't collapse in the same kind of way.

So there have been a number of market for lemons games that have been experimented with, and what I mean by that is experimental economics. What we're really talking about here is a type of game theory, but we're not talking about the highly mathematical modeling of game theory; you're talking about getting humans to actually play games and see how they play them, see what shakes out, so what decisions they're actually making, rather than just trying to come up with a model of what decisions we think they would make, right. So that's the point of this. So we took some of these off-the-shelf games, we looked at that, and then we built our own design to see how we would play around with this to get to the key interventions we were interested in studying.

So I will, maybe it might be a bit of a letdown, but I'm going to say that we aimed at a broad kind of approach at first, because this is the first time we're trying to do this. One of the temptations we had, and it was a temptation I really, really strongly had, was to make this as realistic as possible: to get everything you could find in terms of how cybercriminal markets look, like the ones I showed you, make something that looks like that, give them, you know, let's play this for six months, let's see how long we can do this, let's track this for a really long time, all this kind of stuff, build in as much realism as possible. But I was cautioned, and correctly I think, by those who had more expertise in the area, which was to be very, very careful about how much noise you built into the experiment, right. Which is, the fewer elements, the less variation, the more confidence you can have that one particular variable, one particular factor, is driving a change of one kind or another. So if you're trying to understand what interventions might succeed in making these markets work less efficiently, you want to have a high degree of confidence in terms of, this is the only variable that we've changed and there's not 15 others that we need to pay attention to. So that's what we did, and this I view very much as a first step, and we're looking at ways over time, in a much more coordinated way, of building in some of these extra variables.

So this built on an earlier attempt, a small pilot that we ran in a lab where literally people sat in a room like a classroom and played this on computers, and then we moved into what I'm presenting to you today, which is an online experiment where you can have people sitting at computers in their own home playing the game. And this makes it much easier to recruit and to engage with far more participants than if you're just requiring everyone to turn up to a certain place. It also means you can engage with different types of people as well.

Okay, so the experimental design was basically broken down into a series of mini markets. So again, rather than going with, okay, there's a market with thousands of people in it, it was, okay, let's build this up in terms of what we can have confidence in. So we ran these mini markets; each group was basically one such market, so there were 56 of them. Each one had four sellers and three buyers, so ultimately you're one of the buyers and there you have a choice in each round to buy from one of the four; you've got some options there. They play this game over 20 rounds, so there's 20 potential transactions they can have if they want to buy and sell, and then we're going to watch how that plays out. And ultimately there were 392 participants in this experiment. So what we did was split them up into four sessions, so we call them treatments, but they're basically sessions, and in each of those there were 14 groups. And so the idea here is rather than put all the interventions we were thinking about testing, just smash them together, which would lead to that type of noise I was talking about, you actually want to test them one by one, right, and test them against what's effectively a control to see which ones are actually having the impact that you want or not. So that's how we went about structuring this. The participants in this particular phase were recruited from Amazon Mechanical Turk. If you're interested in why we did that and why you mi