
good afternoon welcome to BSides Las Vegas day two Ground Truth and today we have Jonathan Lusthaus with playing games with cyber criminals before we get started I've got a couple announcements we'd like to thank our sponsors especially our Diamond sponsor Adobe and our gold sponsors PlexTrac Toyota and ConductorOne it's their support along with our other sponsors donors and volunteers that make this event possible uh these talks are being streamed live and as a courtesy to our speakers and the audience we'd ask that you check to make sure your cell phone is on silent or do not disturb if there is time for questions at the end I have a microphone in the middle there and uh we'll see how
uh whether you go up to get it or I'll I'll bring it to you uh I'll plan to if there are questions go get the mic and I'll bring it to you and with no further ado Jonathan well it's a privilege to present this research to you uh before I start though I just want to acknowledge quite clearly that this is a team effort uh so I'm presenting this research today I'm the the PI on the project uh but there's a number of others involved here uh so we have co-authors in Edoardo Gallo and Federico Varese but in particular I want to note the contribution of Rebecca Heath who's done a huge amount of work for for
this project so it's by no means uh myself presenting uh on behalf of myself this is very much a team effort now what I'm going to talk to you today might be slightly weird as a type of presentation uh for a few different reasons one you'd note there's an Oxford Cambridge collaboration which were meant to be sworn enemies so that's quite unusual but there's no there's no serious beef there and you know you want to work with good people so we managed to do that so that that seems a little bit weird but it's not that weird uh secondly this is a very social sciency type of presentation which might be a bit weird if you don't come from a social science
type of background and particularly I'm a sociologist but I'm drawing on another field which is experimental economics and so the collaborators we have have brought us into that space so I'll try and be a little bit gentle with that I have to learn that myself uh so I'll be quite clear in those sorts of elements because it gets a little bit technical in its own kind of way uh but the third part that's weird which is I think the most interesting thing about this is that if you look at conventional economics a lot of this is about how do you make markets work more efficiently and more effectively and the weird thing we're doing in this presentation is
actually trying to think about how to make markets work less well so how do we screw them up uh how do we disrupt them how do we make them less efficient so we're doing the opposite of what economists conventional economists would be trying to do now why would you want to do that and the reason for that is not all markets are good so we have bad markets or markets that we don't want to function so efficiently because they create harm of different kinds so cyber criminal markets which are the inspiration for this project uh fall into that category uh very much and so they've really inspired the work that we're doing here that's the background
that I come from as as a sociologist I spent a long time interviewing former cyber criminals interviewing people in industry and law enforcement trying to understand more about that industry that that criminal industry and so here I'm talking to you about this one particular part which is the markets which are very very important to how cyber crime functions so as we all know cyber crime is a major burden for for business it causes a lot of trouble for for a lot of people but what is really quite Central to this industry is markets because they allow people who do things like breaches or carry out other types of activities to monetize the data or to engage with
others with different types of Specialties from the ones that they have so this is very important to finding friends who can do things that you can't do right working with other people have Specialties and skill sets that you just don't have and so the markets are very very essential to this and they operate in different ways we get very small ones we get large ones that are you know thousands of members in them uh and they range from those that specialize in certain types of areas certain types of cyber crime to others that are more General some that are into more drugs and things like this we get a whole kind of spectrum but the essence there is you
need a place to trade to do business to work together so looking at the disruption of these markets is actually very valuable as a as a policy exercise and as a broader exercise and trying to understand how these markets work and how we can make them work uh less efficiently so we can think about that so just as an example some of you might be familiar with this this is a kind of historical case now Darkode uh quite a few years back now but just as an example if you're not familiar with some cybercriminal markets what they look like and they look quite similar to a whole bunch of other sites to be quite
honest we often look for things that are very unusual very innovative in cyber crime and they're not in a lot of instances they use a lot of things we see in other aspects of life other aspects of tech even the the software that they used to create the sites is very similar to all other sites so here what we have Darkode you can see the the little tagline there about being a marketplace for sewing machines and other stuff the other stuff is like malware uh exploit kits all sorts of things uh this was known before it was shut down as being a more high-end more technical kind of English language site so we get other sites that specialize
more in carding and credit card fraud things like this this had a little bit of stuff going on like that but it was known as being at the more technical end at least in the English language uh scene and so that was the place that you went as that type of factor of where you wanted to find the good stuff in terms of of malware so you can see a little bit of a spread of some of the things that were on offer in this particular marketplace so this just an example again posts look like what posts look like uh they're not anything particularly special what we have here I'm not expecting you to read all this
tiny writing it's just an example of what we see in these types of markets and here what we have is one particular cyber criminal under the name uh JP Morgan which I think is a fantastic uh cyber criminal name and actually it was very very uh effective and well-known cyber criminal Eastern European actor uh very very important uh cyber criminal a number of respects and he's looking to buy exploits that's what he's posting about so he wants people to come and do business with him the key here how do these markets work a lot of them work quite simply like this which is you advertise often you're selling or you're advertising to buy and you'll find
partners that way some of them evolve to work in slightly different ways but that's the core of it you advertise you're looking for someone to to trade with and then you trade that's as simple as that trust is a key component here so we see a couple people jumping in in this thread basically verifying JP Morgan as being a serious person uh we can see down there near the bottom Paunch who's another uh big Russian speaking cyber criminal was arrested in Russia a few years back who basically comes in and says yeah I know this person he's he's very legit so trust is important and that's very important to to trading in these types of settings so as a
social scientist what I really want to emphasize here is the people involved that we're talking about people so we see on the left there's probably the the most widely used image of cyber crime that's in any kind of report that you might see uh and so I'm including it here not as an endorsement but actually to criticize it a little bit uh which is the main problem is that they all have faces uh and this image does not depict that so on the right we have a a real world uh cyber criminal it's tied back to that uh to that Darkode example I just used which is this was one of the administrators of Darkode so his
nickname is Iserdo and he's been arrested multiple times now so he was also known for being one of the the key people involved in the Mariposa botnet uh and he went on to do a bunch of other stuff you can see him there wearing a t-shirt because he after his first arrest went on to work for a startup in crypto mining uh and so you can see actually even just in that case a little bit of what we're talking about here that there is actually a strong similarity between some of these actors and regular humans uh across you know these are people that's the point I like to make these are people too uh they're not so unique
and so unusual that we sort of think oh let's reinvent the wheel let's think about them in a completely unusual way no they they're 99% like other people and they're 99.9% like other people in tech uh because that's you know the skill set and so we often see some individuals who are moving between spaces sometimes in gray areas sometimes moving between legitimate enterprises and more criminal ones so here the point is that if we're trying to understand more about these types of people uh we can look at them through the lens and as I said I'm a social scientist of studying humans we don't have to view it purely as as a tech kind of problem all right so how have we tried
to deal with this threat so far so we've been talking about these cyber criminal marketplaces what has been the approach up to this point in terms of conventional law enforcement the strategy has been conventional law enforcement tactics which has been around takedowns and arrests so if we think about how do we deal with crime if you want to get to the photo for instance I showed you one just there of a Soo you ultimately have to arrest the person to attribute exactly who they are right so that's been the the core of the strategy which is okay we try and arrest these people when we can we also try and do takedowns we try and hit the
infrastructure so that might be in in relationship to these types of cyber criminal marketplaces we try and take those marketplaces out in different ways maybe twinned with an arrest strategy going on together or if if we're talking about botnets we're trying to take out some of the botnet infrastructure we're trying to hit uh really the the most sort of visible and obvious aspects of this and we're trying to arrest the people involved now the problem becomes how effective can we be in this particularly when we're talking about uh cyber criminals based all across the world and sometimes based in jurisdictions where we don't have good relationships uh between different countries right so we can think about
the example of Russia if you're operating in say the US or the UK or somewhere else and you have a a cyber criminal is operating out of Russia can you get good cooperation at this point in time if you're trying to make an arrest if you're trying to get uh that type of cooperation actually the same would apply in Russia uh in relation to say Kazakhstan or something like that so everyone faces a similar type of problem which is this jurisdictional barrier that that there is when you're trying to to make arrests so the question is how much effectiveness can you have with this type of approach the other part of it is if you look at these types of
takedowns of infrastructure whether it's botnets or whether it's marketplaces do the actors just move so you hit a particular marketplace you shut it down they they set up a new one and off they go again or if you take out the botnet infrastructure if you haven't taken out the people behind the botnet infrastructure they're just going to set up a new infrastructure so there's this kind of question about is this sort of a whack-a-mole type of situation obviously there's very strong reasons why law enforcement goes in that direction but the question is are there this issue of what we call displacement which is displaces either in time so people stop for a short period of time and then
restart again or it displaces in space which is they move somewhere else and they or even move into a different type of activity so that's something we need to be aware of so part of the core of of what we're trying to do with this project is understand are there other types of approaches we might adopt that are less hammer-like that are less strict less strong less conventional in terms of law enforcement are there softer and sometimes cheaper approaches in terms of not requiring a massive operation that crosses jurisdictions that involves a huge amount of attribution huge amount of arrests and these kind of things so that's what we were kind of inspired by and the the
question we ask is can we play games with cyber criminals in a sense can we mess with the marketplaces can we inject some kind of trust there uh and how would we go about doing that that was the core motivation that we adopted here is there something not necessarily to replace these existing law enforcement strategies but something you might supplement them with and so that's what has been driving our work okay so this particular project has two questions which is how do cybercriminal actors in online networks cooperate and trust each other so we've talked about that question of trust quite a lot already and then how can these networks be disrupted so what were the methods that
we used and this is the part I mentioned as being slightly weird so I'm going to try and introduce them to you because I'm not expecting many of you to be experts in experimental economics and as I mentioned I'm not really an expert in experimental economics either so I'm going to do my best to try and explain it to you in a way that people can understand and a way that I tried to understand it myself so this is actually the first time anyone's used this this type of approach in relation to these markets to my knowledge anyway I'm willing to be corrected on that of course uh and so what we looked at was
to design a market very similar what we call a market for lemons game so if you're not familiar what market for lemons is if you think about a used car market that is the most famous example which is if you're selling used cars uh you know a lot more about the particular car or cars that you have and if you're buying them you don't and you're in a bit of trouble because you have what's called an information asymmetry so the seller maybe knows they're selling you a lemon the buyer does not know right so you might think okay there's ways they can figure it out and things like this but just on face value in that
interaction one side has much more information than the others and that's a very dangerous position to be in as the buyer right but it's also a dangerous position for the market because the theory is that the market like that will collapse over time it just won't work very well and so it would just spiral down uh so what we see here is the way out of that problem is things like reputation so there's various mechanisms have been developed over time to try and solve this problem so we get like branding licensing regulation and reputation is very very important for trying to solve this type of problem if people know that particular seller that particular vendor is good I trust them I
trust the product then you're more likely to buy from them the market won't collapse in the same kind of way so there've been a number of market for lemons games that have been experimented with and what I mean by that is experimental economics what we're really talking about here is a type of game theory but we're not talking about the highly mathematical all the modeling of the game theory you're talking about getting humans to actually play games and see how they play them see what shakes out so what decisions they actually making rather than just trying to come up with a model of what decisions we think they would make right so that's the point of this so we took
some of these off the shelf games we looked at that and then we built our own design to see how we would play around with this to to get to the key interventions we were interested in in studying so I I will maybe it might be a bit of a letdown but I'm going to say that we aimed at a broad kind of approach at first because this is the first time we're trying to do this one of the temptations we had and it was a temptation I really really strongly had was to make this as as realistic as possible to like get everything you could find in terms of how cyber criminal markets look like the ones I
showed you make something looks like that give them you know let's play this for six months let's see how long you know we can do this let's track this for a really long time all this kind of stuff build in as much realism as possible but I was cautioned and correctly I think by those who had more expertise in the area which was to be very very careful about how much noise you built into the experiment right which is the less uh elements the less variation the more confidence you can have in that one particular variable one particular factor is driving a change of one kind or another so if you're trying to understand what interventions might
succeed in in making these markets work less efficiently you want to have a high degree of confidence in terms of this is the only variable that we've changed and there's not 15 others that we need to pay attention to so that's what we did uh and this I view very much as a as a first step and we're looking at ways over time in a much more coordinated way of building in some of some of these extra variables uh so this built on on an earlier attempt a small pilot that we ran in a lab where literally people sat in a room like a classroom and played this on computers uh and then we moved
into what I'm presenting to you today which is an online experiment where you can have people sitting at computers in their own home uh playing the game and this makes it much easier to recruit and to engage with far more participants than if you're just requiring everyone to turn up to a certain place it also means you can engage with different types of people as well okay so the experimental design was basically broken down into a series of mini markets so again rather than going with okay there's a market with thousands of people in it it was okay let's let's build this up in terms of what we can have confidence in so we ran these mini
markets so each group was basically one such market so was 56 of them each one had four Sellers and three buyers so ultimately you're one of the buyers and there you have a choice in each round to buy from one of the four you've got some options there they play this game over 20 rounds so there's 20 potential transactions they can have if they want to buy and sell and then we're going to watch how that that uh plays out and ultimately there was 392 participants in this in this experiment so what we did was split them up into four sessions so we call them treatments but they're basically sessions and each of those uh
there was 14 groups and so the idea here is rather than put all the interventions we were thinking about testing just smash them together which would lead to that type of noise I was talking about you actually want to test them one by one right and test them against what's effectively control to see which ones actually having the impact that you want or not so that's how we we went about structuring this uh the participants in this particular phase are recruited from Amazon Mechanical Turk uh if you're interested in why we did that and why you might do other things I'm happy to discuss that in question time but that's uh one of the ways people engage uh one
of the participant pools people use in these type of online experiments but there are others as well okay so this is what the game structure was so this is the seller side so you're a vendor you're a cyber criminal vendor effectively you're trying to sell a product what is it that what are the steps that you go through when you're in one of these mini markets so you're one of the vendors in this group of seven what do you do so you had the option here of producing up to two goods uh two units of a good and there was two types of goods you had regular goods which we can view as the poorer
ones and then super goods which are more valuable they're they're better ones those are the ones you really want to buy right so they have the choice of saying okay I want to produce two super goods or two regular groups of goods or one of each so not one of each but just one regular or one super you couldn't do one of each in this particular experiment or or zero goods and then they could advertise but the ads do not have to be truthful and that's where the all this kind of deception comes in which we see in in real cyber criminal markets and what we're trying to understand whether we could push that deception more get it
happening at a higher level so in this sense you could advertise in a completely untruthful way so you could say that you are you know selling two super Goods but you're really selling one regular good and things like this so that's the the key to this the seller's production decision is private so no one knows this other than them that's the market for lemons part and ultimately they get a choice of how how they want to price this so they can price between 1 and 200 uh points and ultimately the seller can default so they can not produce a product they cannot send the product that someone buys and that's the worst thing that could happen to the
buyer is not only is a potentially a poor product there's just no product that's provided they buy the product and the product does not come okay so this is what uh it looks like in the interface so this was coded in oTree which has become a relatively standard platform for doing these types of online experiments and here you can see basically what I just outlined to you which is the the decisions that a a seller can make within this game so they can produce none all the way up to producing two super goods they then have the pricing option in terms of points and then they can decide how they want to advertise and whether they want
to advertise truthfully or whether they want to deceive in terms of uh not being quite honest about what they are producing here okay so this is the game from the buyer side now as we mentioned in a market for lemons game the buyer doesn't know very much but they do know some things so what they do know is the advertised quality they know you know and so this is basically what the ad is they know what the price is because that's also being advertised they know in this game the identification letter of the seller so they can track them over the course of a number of rounds so they can say I know J or I know a or I
know Zed I did business with them two rounds ago that was a good interaction so I'm going to go with them again so they know that and then they get some information which we've built in there to replicate the kind of reputation mechanism as it exists within cyber criminal marketplaces which is effectively around the average rating over the previous rounds and uh also the the last three ratings so you're getting some sense of a track record you're getting some sense of um what you want to know really uh beyond knowing the actual product itself you're knowing a little bit about the the seller okay so they don't know the most important piece of information which is what is the
quality of the actual good that they're buying and that's very very important to them so at the end of each round that's the information that they learn and then ultimately the last and very important part of this is they then get to rate so they get to say whether they like the transaction so whether they got the product that they wanted so they paid for a super good they got a super good and they're going to say maybe give it a high score uh five or maybe they had a terrible interaction they're going to give it a one so we know this is very familiar to how we do things on the internet how we do things in life in
terms of rating transactions so this is the same thing this is the way we're trying to capture reputation within this particular uh game so you can see here on the uh purchasing side so on the buyer side what that decision looks like it's uh again you can see the options here in terms of the the different products that are being advertised you can see something about the the ratings so you can see the question marks there is because this is only trading round two so that data doesn't exist yet so the question marks are listed for those rounds that haven't occurred yet and then you can see the average rating overall so in this case they've gone for
a slightly risky option so they've gone for the cheapest option uh because it's 20 points and that's nice but ultimately uh that person's average rating is one from the first round so maybe we won't trust this person but they've gone for it so they've gone for a bit of risk uh to see what they can get out of this okay so what matters here and it's a very important point which is you actually get paid to play this game like we paid people to play this game it's very expensive to run these types of experiments so I don't recommend it unless you've thought about it a lot uh because otherwise they're very costly mistakes that come into this uh that's
why we have to think very hard about the design of this and about how much we're building into this because it really means something when you blow the whole budget and then it's gone because you can't actually repeat it if you don't have budget so what happens here is uh people get paid to play the game and that creates an incentive and so going back to the point about cyber criminals are people too people like money cyber criminals like money we're just basing it off that that core thing which is if you're playing a game you want to make more money rather than less money and so what we're talking about here is we said
the participants are not cyber criminal participants that's a variation you could build in later once we had more certainty about this game trying to find people uh who maybe used to be former cyber criminals as I'll talk about at the end of the presentation maybe there's ways of doing this out in the wild uh where you could learn more about how this works in the real world but ultimately for us we were just going off the core profit motivation of the people who are participants in the game and there these are people as I mentioned who who were from MTurk and so this is the business this is how they earn money in a lot of cases by doing tasks on
MTurk and so we provided them with one such task now it's very important within experimental economics not only do you pay people but you pay them at minimum wage so the idea here is that even if you're terrible at the game and you really lose quite badly we still have to pay people minimum wage um so that's you know you have to pay for the time that people are giving to the experience so there are things that you do in terms of kind of in some sense cleaning the participant pool of trying to make sure that you have a good group of participants before you recruit them they do a survey do some task you're
basically trying to uh verify that you've got people who are taking this task seriously so a lot of these elements that kind of go on unseen but they're very important in terms of how you go about doing this so ultimately that's the key they get paid uh they get paid at least minimum wage but if they play the game well they get paid more than minimum wage and that's the whole point so they can earn more and more if they do more uh and uh but they're not going to earn like a million 'cause we did not have that in the budget uh but they're going to earn something and they're going to earn a good a good wage
for for the amount of time that they're putting in so ultimately the payoffs then become built into the game so the better you do at the game the more you get paid so here we can see how that works so we have the the production decision which is basically on the on the seller side you want to advertise product uh you want to produce that product that product cost you something uh to produce and on the buyer side it's worth something when when you buy it so we can see that the payoffs the buyer payoff is the value of the received product so the received good minus the vendor's price so if we go to say a
regular good on the received good that's worth 30 say the price was 20 so they make 10 right so that's the idea and on the seller side the payoff is sales revenue minus the cost of production so say again we go to regular good they advertise it for 20 it's the cost is 10 they make 10 right but you can see they can go endlessly in different directions in terms of how they do this the way that then converts into real world money uh is that 100 points equals $2 uh there's more complexity in terms of the payment structure and how this all works which I'm happy to talk about if you want but that's the the core of it uh
and you can see there that obviously there's a gap between the cost and the value and the point of that that's the economics right people deciding how they make money whether they're going to be in this case uh making money as a seller that game looks different than if you're making money as a buyer so you don't get to choose you assign these roles but you can see the the payoffs and the calculations are different uh in that respect okay so now we get to the the interventions which is what we're actually trying to do uh to mess with these markets so this is the games we're trying to play with with these people and so what we did here was take
uh from the existing literature so people had written about how would we disrupt marketplaces in terms of injecting distrust what are the particular tactics we would use to do that and so that's where we tried to draw those from to test what had been talked about conceptually but hadn't actually been tested in in any way really so that's what we did so we took and I'll explain them in a second the slander attack and the Sybil attack were the two that have been discussed most widely in the literature uh we could talk about others and actually we're very keen to explore others so these as we'll go through the presentation you might think are not particularly good attacks
for different reasons uh but this is the ones the ones that have been talked about so before I get into that uh we had a baseline which is basically a control which we have no intervention so we talked about these different sessions these different treatments where we ran so one of them runs with no intervention whatsoever so it's the game as I as I mapped it out they play the game and that's it uh there's no intervention on on our behalf then we get into the three other treatments the three other sessions where we make those interventions happen but we do them one by one so instead of as I mentioned just grouping them all together uh we split
them out so the first one is the the slander attack so that in the literature is talked about is basically what you might expect it to be uh if you're a buyer uh you know you buy a product and then you just start slandering the the seller so if they sell you a good quality product you say it's terrible uh or you could do the other way around as well depending on what type of uh sort of deception you're trying to create but the idea there is it's really like a bias attack you're trying to hit the reputation of sellers by providing inaccurate information so in our experiment what we did was add a 20%
probability that each rating from a buyer was replaced with a different random rating so uh they are doing going through this process as I mentioned the last step is as the buyer as you rate the transaction once it's gone through so we're providing that extra added bit of noise in terms of ruining some of those ratings so we making those ratings not what they were put in to be originally the Sybil attack's a little bit more complicated uh in its purest form it's really the idea of undercover agents coming into a market and then really trying to flood that market with poor quality product or defaulting much higher rates uh there's more an external type of version of that as well which
would be trying to intercede in certain ways so the transactions are happening you're kind of outside in some sense but if you can put yourself between them and cut off those interactions cut off the transactions so it's easier to examine that in a more physical sense if someone sends a package and that package is intercepted then you can block that transaction right so the the receiver may not know why that package uh didn't come but they will know uh you know but they will suspect and they will have maybe negative feelings about the seller as a result of that so the Sybil attack in our experiment was adding a 20% probability that each good did not
arrive independent of the seller's decision and what I mean by that is that the seller can default as we talked about so the seller might be ripping them off anyway so we're just increasing the likelihood of that default of there being no product that's provided so they buy the product and nothing comes which is fairly common scam that some cyber criminals carry out against victims but also against other other cyber criminals and then at the end here we have the combined treatment which I mentioned before about not wanting to create noise but here we're actually trying to do it in a more systematic way of of intentionally putting them together having separated them and so the idea
here is we want to see if there's interaction between these two tactics if you put in the two interventions at the same time will it actually create something else that doesn't happen if you just have each of them on their own so that's the uh the basic design in terms of of the interventions we're taking what has been discussed within the academic literature and we're trying to understand how that might play out to test it to see if they work or not maybe they work maybe they don't okay so I'm going to walk you through here some uh key findings I'm not going to walk you through this table uh but that's an illustration of of some
of the the underlying work of which there's much more but I'm just going to pull out some of the the key takeaways for you that uh may be of interest here so out of these different interventions that we looked at the Sybil attack reduces seller earnings by 43% uh which is quite substantial and gets more substantial than that which is in the last 10 rounds it it decreases uh these seller earnings by 63% uh so what we're seeing there is quite useful and interesting because what we look for in these types of experiments is basically what's known as a learning effect and so you think okay over the first part of the experiment people are trying to
figure out how to play the game how it works how they're going to do it well the second 10 rounds the last 10 rounds they've learned the lessons and so what you're seeing there is the behavior that's been impacted by the types of interventions that you've made so in this case what we see there is the Sybil intervention had quite a profound impact particularly in the second half of the experiment uh which is nice to see in terms of looking for something and if we're thinking about we're trying to disrupt the business of cyber crime in some sense uh by looking at disrupting the earnings that is the core reason that profit-driven cyber criminals are
involved in this that's a pretty nice thing to be achieving so that's potentially positive I'll get in discussion a little bit some of the complexities around that but that's a potentially interesting finding now we looked at a number of sub findings that kind of connected to this core finding and so one of them is around the increase in buyer inactivity so we actually saw that this means basically buyers are not buying as much so they get discouraged and they stop purchasing as many products and so what we see there is actually across all the treatments these three three interventions we saw some impact there but particularly within the the Sybil and also combined we saw that uh inactivity
increasing by 15% which is quite substantial and so we think that that is actually what's driving uh this loss of of of earnings and I'll show you a figure in the next slide which will map this out in a little bit more uh detail and clarity so overall uh what we saw there this third finding is a Sybil attack reduces the proportion of regular goods purchased so it was quite surprising to us we talked about the super goods being the better quality goods and then these regular goods being the kind of average or worst quality goods if there's only two types uh was that the super good market actually held quite strongly so people didn't flee
from that market it seems almost as if they stopped trading as much they stopped buying as much these regular goods but if they were going to buy they wanted to stick with the ones that they knew maybe better quality it's almost as if the risk of possibly getting a better payoff was driving this type of activity so uh what we saw across these three findings and in general was that the Sybil attack was the one that we had the clearest results for the combined intervention actually had almost as good results uh but what's interesting about that is they were not better uh and they were not substantially different a number of ways so if you're going to
invest in a particular intervention you go with the cheaper one which is just the single Sybil there's no reason to put the slander and the Sybil together because that's just going to cost you more in terms of resources if one's basically achieving the same thing and pretty much is actually uh the fourth finding there is the slander attack appeared to have uh only limited effect so uh that means effectively if you're looking at this particular study and I'll caution you in a moment when we get onto the discussion to look at this in maybe a slightly different way uh it would look as if the slander attack doesn't work at all it certainly didn't work in
this experiment uh we didn't really have any any findings of note that we'd stand behind in terms of statistical significance so uh that would be the the core kind of takeaways of what you would uh see here in relation to these key findings a Sybil attack looks like the the winner uh in terms of this particular experiment so what we can see here is just an illustration of this uh to make it a little a little clearer so on the left hand side we have the seller earnings so you can see there the the blue line on the far left is the baseline the control the gray one is the Sybil intervention so we can see
that big drop in seller earnings um and we can see that for both the combined but but more for the for the Sybil and so this kind of illustrates a little bit why that narrative about why those earnings drop so why cyber criminals are earning less why people in this marketplace are earning less uh and so what we're seeing here is that's tied to this this drop in revenue so basically they're not selling as much but the key part of that is that the production costs don't drop so what we're seeing on the on the buyer side is they're not buying as much but on the seller side they're still trying to produce they're still trying to play a role within this
market they don't just give up uh so the buyers are the ones that kind of start to give up a little bit but the sellers are still trying uh and so that's quite interesting so this uh this figure kind of explains a little bit uh what we're talking about in terms of that particular narrative uh of of what's driving that that drop in seller earnings so we can understand that a little bit more okay so to bring you on to a discussion a little bit how do we put this into context how do we make sense of this more broadly in terms of understanding this particular experiment and more broadly into terms of understanding disruption activities
against cybercriminal marketplaces trying to understand how we can kind of mess with this type of ecosystem I think the broad takeaway from this uh is that there's potential value here so this is still very early days as I mentioned it's the first time we tried to do something like this uh it's something that needs to be explored in much greater detail but the early suggestions are there seems to be some value some impact in terms of these types of softer tactics these types of uh less uh intensive approaches that are really about the economic manipulation of some of these markets so we see value in that and we see that in particular ways so the the data particularly
supports the Sybil attack as we talked about but the caution I would give you here is that this is as I mentioned just one specific experimental design and what you really need to do is not only replicate but actually start to build in greater variation over time and so one of the points of variation which we realized after we did the experiment was that the Sybil attack can be designed in a number of different ways so we designed it as a market-wide type of intervention right so for both these particular interventions they're hitting across the market uh and so can hit potentially any any vendor or any any buyer depending on the attack in question so what we're talking about
here is specific ways that they can be played out so if we think about a different type of slander attack it might be one that's much more targeted so you may pick particular high value sort of high-end vendors say okay we don't need to hit all the vendors within this Market these are the top five these are the ones that are the best at this so let's try and slander them and so that's something that could be tested further to look at that more targeted type of approach which is a more kind of uh better value approach as well in terms of where you put your resources where you hit those targets uh rather than going across a whole market and
that brings us to this other point which is there are certain practicalities here around the implementation of these so we can look at what the impact of different interventions will be whether worth investigating at all right so we can say the Sybil attack is worth investigating but when it comes to a practical implementation there may be challenges around that there may be resource costs around that as well so that's something to think about so if you ask me before the experiment and this is why you know in terms of science things happen as they happen I would have much preferred if the if the slander attack had come out on top because it's much easier to put
out into the field uh you know if you think about the way law enforcement works not just in cyber crime but in general you know one of the common ways that you infiltrate markets or that you play to play the game in some sense is as a buyer because it's much easier to get into a market like that it's much easier to kind of commit a low-level form of criminality or to pretend to do so coming at that buyer side and it's just much simpler than trying to either get up really high within a market as a vendor as a trusted vendor and then try and inject distrust at that level you can do it but that takes much more time
or you know that more external type of attack uh which is complicated in a different kind of way so what we can see here is we have to think about um you know it's good to know that there's potential value in this type of approach it's good to know which interventions may work but the practical implementation is key and we can't go uh further without really knowing more about that kind of thing so on top of that uh we may also explore different types of of these types of interventions so as I mentioned we we chose two that have been talked about a lot uh already conceptually but hadn't been tested but there might be others that haven't been
talked about as much there might be others that people have in this room and I'm very open to suggestions about how to engage in this type of uh research what may work what injects distrust uh these are the ideas that have been discussed these are the ones that we tested But ultimately there are others that we might want to think about as well so uh and the the last point there is about multiple markets so one of the one of the issues I raised earlier is about this issue of displacement which is if you are arresting or doing takedowns do you just displace that type of cybercriminal activity somewhere else the same question might arise here right
so you need to think about you may be successful in disrupting a particular Marketplace but will some of the the actors in that Marketplace simply just move to another one so they realize is not a great Market you've successfully disrupted this Market I don't so so badly I don't want to be here anymore and I'm going to go to that market right so so we need to think about the broader kind of game it's a much bigger game uh and it gets bigger and bigger and bigger uh as as you go along so there are there are a lot of nuances here that we need to consider in terms of practical application okay uh the last Point here
is on future directions so as I've sort of alluded to already we're very keen to think about this uh not just as an intellectual exercise but also how this would have real world impact right so uh how do you get sort of real world action against Real World cyber criminals uh move out from this kind of uh very sort of uh space at scientific and kind of testing things out into real world application how do you design things in a way uh that may Aid that so we've already had a lot of very positive discussions with law enforcement uh particularly in Europe and the UK uh there's been a lot of uh input fed into
some of the designs we've had some of the discussions we've had up to this point already but that's an angle that we need to think about going forward in terms of not just the real world design and how to make these types of experiments very accurate but also in terms of implementation uh different individuals different units within law enforcement and also industry more broadly may look to actually start to roll out some of these disruptive ideas some of them are doing this already in different ways so uh we'd need to to kind of think about how to build this research out uh into something that that can be of use to to to practitioners and
ways in which it's very very policy relevant and and relevant to the real world so that engagement is is very key and ultimately sort of look at this question of how do you uh best disrupt cyber criminal markets in the wild to not just do it in this very controlled setting which has its its reasons for why it's so controlled and why we can say things with with greater degree of confidence But ultimately the real world application is key and that's where this has to head in the end so we're very keen to very open to to any suggestions in that kind of space all right so just to to finish uh you're welcome to to get in touch with
me if you want and just a very quick thank you to Cisco research who basically provided uh the funding for for This research uh and quite frankly uh we couldn't have done it without that funding and we're very grateful that they provide this sort of independent academic uh research funding for projects like this uh so that we can carry out this type of research uh and that's uh very much appreciated so on that note I'm happy to open it up to any questions and uh please let me know if there's anything you want to hear more
about uh just so first one comment is that a long time ago I actually did some similar economic studies the opposite intent he was actually studying power market design and we're trying to build a positive in the market but I will tell you anal finding that we have is that the winnings had the material significant to the players to affect their behavior so like depending on what GEOS you're recruiting players for it might actually affect your outcome right so like if they can for example current minimum wage and by playing the game well double the minimum wage which is obviously Geo that had a huge impact on our study like really M just but with the Sybil attack I'm
wondering if you have any concrete ideas about how that like I'm not clearification in your game that you actually disrupt you just intervene at the engine the game engine level to cause a Sybil attack so I'm wondering what a real world strategy would be for executing a Sybil attack like I mean it's a good question because I'm also wondering uh which is basically because they saying that the the end point is is how to kind of engage further with that that type of thing because I think it's it's a very real question uh so as you pointed out I think you're correct that we're intervening in a certain kind of way which appears to be external so in some
sense you could say it looks more like that external type of intervention of this kind of interdiction uh another way it depends on how you look at it um that you can also think of it as as we're just sort of trying to model in some sense what it might look like if there was an internal attack but the other way of doing that with an experimental design is to actually have people acting as these kind of rogue agents so again that's another kind of point of variation you can build in which is to have uh specific undercover agents that are either you know you control them or they tasked with that role as part of the function that they
do these sort of activities from time to time so you could build in a little more detail and as I said this a first step you could start building in to try and understand more that difference between the internal and the the external uh in terms of the real world thing I mean that's that's the challenge right so as I mentioned I use the example of the of the physical packages so if we're talking about like a drug Market or something like this I mean that we know that exists right that there are uh packages that get stopped for for different reasons by different agencies uh and so that's one way that we know occurs the question is how do you do
that in more cyber terms right that's a much more difficult question and actually that's a question as as someone who's not a technologist in a meaningful way I'm curious as whether people have ideas about whether that is possible in in cyber terms uh so uh the other way I mean we know in in terms of uh the the origin of Sybil attack the way it's been talked about you know undercover agents if you build up an identity over a long period of time that identity can do whatever you want it to do right so that identity as we know from past cases can be used to carry out large scale operations that lead to arrests it can
be used to inject a degree of distrust uh so that's the question is uh that would be the model of what we'd expect to see but the problem with that is the amount of investment required um to build up that kind of identity over time so I should say when I go back as I mentioned we took these two attacks out of the existing literature it's not necessarily an endorsement to say uh you know we want this to to be the way it should be it's more this was talked about we're then testing it and the point I made is you know the practical application is the next test to it uh so you need to
know does it do anything at all because if it doesn't do anything in a controlled setting there's absolutely no point uh investigating in a real world setting but if you at least know that it does something in a controlled setting then you can look at the the practical application which is which is the next step but I'm very very eager if if there other suggestions on on that application side uh to get that that realism and built-in Mo so this attack can 20% of the time you randomly replace score to a random score so it's possible that it could have been a negative score that got replaced positive right but in a true slander attack you would only go to the negative
side never positive side so then that introduces noise that made the slander attack less effective so I mean it depends so you may have a view of the slander attack that it is purely about you know that idea of saying okay they're doing good quality trade and you're going to say it's terrible uh so if you want to be a purist about it you may say well that's that's that so um yeah basically what that means in terms of design is you could then replicate so we talked about altering the way the slander attack is implemented one way of doing that is making it more targeted the other way is what you're talking about which is to just say we just want
to look at the the high ratings and then compromise those uh rather than sort of scramble randomly so in some sense as I said because it was a first step we just trying to figure this out honestly the lab version that occurred before this we really trying to figure this out because when you're doing something for the first time there's a lot of things you got to learn how to do um so that that's correct I wouldn't necessarily say um that we introduce noise I'd more say that we we model one type of attack that involves compromising any rating to a to a random rating and you could look at a more kind of specific attack that looks
just at the highest ratings and then trying to compromise those to the to the lowest but it's it's an absolutely fair point again looking at implementation and looking at what are the types of variations you would want to look at to see how how effectively you can make this work yeah my point is just if you're trying to disrupt cyber crime you would never take a one hey for the super well I mean you might because if that person selling terrible product and then you make a whole bunch of people buy terrible product uh that's not bad actually that might be better we don't know right so we could do the the opposite of that and look for all the
worst ratings and push them up to fives who knows I mean it's one of these things where people often say you know you do research like this or something else and people say well isn't that finding obvious but the point is that sometimes one scientifically you need to prove things are obvious are true and then the other time is sometimes things are not as obvious as you think they are uh so that that's a an interesting point which is there's a lot of different options that you could take in terms of the slander attack and what direction you take it in but yeah I think that's a that's interesting
point so do you feel Quita I like qualitative questions because I'm a qualitative researcher that the results borne out by the experiment are reflective of say the last three four years primarily sort of the RW space and the for associated with those the develop is that so do you mean how how generalizable do you think this type of market is to a ransomware market as opposed to say carding market or something
else yeah so I mean one of the problems is that uh there are some ransomware actors who don't well let me take a step back uh the concept of markets is broader than the concept of marketplace uh so the concept of markets really about trading right so you can have a market which is just a few people uh or you can have a marketplace which is a formal location either online or offline people go to so uh the issue with some ransomware actors is that a lot of them are not on the formal marketplaces some of the top ones so um you know we hear this term like crime as a service or malware as a service or ransomware as a
service so the origin of that term was really about marketplaces and now the reality of ransomware groups and some of the other malware groups is much more like a series of partnerships uh and often people working with each other who've known each other for a long period of time uh and not engaging with strangers on marketplaces right so again it depends where you're looking uh so in some sense yeah if you're looking at that would be another key point of variation right so if you're trying to inject distrust you'd have to look at that type of business model in a in a different way than one that's looking at a kind of broader marketplace business
model uh so that application would would differ because I think what you're speaking about there is tighter trust groupings in some sense more longer term relationships and less about uh finding people on an Open Marketplace very much that is that by going for the higher value product we're almost introducing the idea of a Prestige product into the market right also creating Monopoly with most trusted actors and also entry yeah I mean those are all good points uh so there were certain things we actually did with this design to reduce the amount of monopolization that could occur but that's another point that could be looked at uh and particularly when you're looking at uh as we mentioned about say the slander
attack and trying to hit those high value uh vendors uh if we're really looking at like tracking that side of things and looking at the more kind of high level prestige stuff or the really attractive type of products the really attractive type of vendors that's a direction you could go in uh but I still think there's a difference between uh that and some of these groups and these networks that are just operating in a in a very different way more in a firm-like way or in a part more a partnership way between firms and individuals and less in a in a market but the marketplaces certainly haven't gone away and they're certainly not irrelevant it's just again the
application of what what are you trying to apply it to what are you speaking about what part of the Cyber criminal industry the under underground is is enormous and highly specialized so we need to find where we're looking uh even when we have some of these very general principles that we might think about applying but yeah very very good points yeah excellent uh thank you Jonathan and that's the end of our time here if you have further questions please reach out to them or follow up outside thanks so much thanks a lot