Good morning, and thank you. I think my role here today is to take away all the hope that you might have had after that session as we head into lunch. So, Niloofar Razi Howe, Chief Strategy Officer at RSA, and what I wanted to talk about today is the Hacker Industrial Complex. At RSA, we have this incredible fraud team that for the past 10 years has basically gone underground and infiltrated a lot of the criminal networks and really tried to study the latest tools, techniques, as well as some very interesting social patterns, which are beyond the scope of the talk today. But I wanted to start by just setting the context here and why all of this matters, and to try and understand some of the craziness that's going on. Everyone in this room really knows what 2016 was all about. It was some of the biggest attacks we've had. And from my perspective, it was just a window into possibilities for the future. I don't actually think we understand the full ramifications of what we saw in 2016. So whether you look at the Mirai botnet, the largest DDoS attack in history, which showed that your refrigerator can take down Twitter. You look at Yahoo and the unending sort of news stories that seem to be coming from that breach. One billion accounts hacked. There are three billion internet users. So the impact there is pretty huge. Of course, the DNC hack: a country with the 11th largest economy in the world has repeatedly shown how it can cause us to lose faith in our systems, in our government, in our most fundamental processes, despite the fact that they don't have the economic power that we do. And despite the fact that every demographic trend is working against them, they've been incredibly effective in cyberspace. 1.2 million pieces of malware released every day. And it all has very interesting implications for what we call the hacker industrial complex, or the wild wild west of the internet. So why is this all happening?
It used to be the case that it was pretty hard to break into systems and actually extract valuable information. Rob Joyce, who is the new White House cybersecurity advisor, former head of TAO, gave a talk at the USENIX Enigma conference in February 2016, where he, on YouTube, you can watch the guy who ran offensive cyber for the NSA, talk about how he broke into systems, with the hope, by the way, of showing people what they had to do to defend their networks. And basically, it's a six-step process, right? Reconnaissance, you learn what systems are being used. You can use scanning tools. You can use email attachments, removable media, et cetera. You exploit those systems. You find a way in. You figure out how to persist, install your tools so you can move laterally, and all with the goal of collecting, exfiltrating, and exploiting. Now, this entire attack chain used to actually be pretty hard to deploy successfully. The problem is it really isn't that hard anymore. Not just because the tools are readily accessible, but what's happening out there is there's a crowdsourcing of the attack chain that's going on. So you only have to know one piece of this attack chain, and you can get together through social media with people who are experts in other pieces of the attack chain, and you can actually conduct an entire operation that is impossible to attribute because it's different groups doing it. And all of this makes, of course, our life on the defense side pretty hard, because their goal, of course, is to get to know your networks better than you do, which isn't that hard. The only way you can actually defend your network is to actually know what's going on. And it brings me to a couple of ground truths. We have basically lost control over our network. All of the advances that have made our lives more productive, more accessible, more connected, have fundamentally disintermediated our ability to protect our environments.
The democratization of information, of technology, of goods and services, of banking, of financial transactions with blockchain, et cetera, means every aspect of our lives has become accessible and therefore vulnerable. We've moved from a world where you had to be invited in and trust was presumed in our networks to a world where trust is presumed not to exist. And when you look at the combination of unmanaged devices, unmanaged digital identities, the sheer number of applications that are being created, and importantly, the changing nature of the workforce, which today is demanding to be able to access any application from any device at any time from anywhere in the world, means that without vigilant dedication to security, knowing our networks, let alone protecting them, has become very, very hard. Now, even when you have best practices in place, network segmentation, dual-factor authentication, there are some headwinds that those of us who are on the defensive side have to face. First of all, it's asymmetric. An attacker only has to be right once to get into our systems, whereas the defenders have to be right every single time to stop them. The ROI on attack tools is continuous and basically unending; the same tools can be used over and over and over again. And when attribution is difficult, retribution is almost impossible. Layer on top of that the fact that attackers have increasing access to more and more sophisticated tools, tools that nation states only had access to a few years ago are in the wild and being used by them, and the fact that we have a global internet, but no global norms of behavior that we've all agreed to, or frankly, standards as an industry that we're going to build our products to, you kind of get to the wild west. Now, the weakest link in all of this is us. It's humans. Even with everything else in place, we kind of keep messing it up over and over again. And so there's kind of an identity crisis going on.
You have the world population over 7 billion, 3.2 billion internet users, 60 billion digital identities. And the reason I say digital identities is because it's not just human identities. It's not just you and me. All the applications and devices also have their own identity. So it's not just the internet of things we're talking about. It's the identity of things that we're talking about. And when you look at the attack vectors and why these identities are so important, web application attacks are the most common form of attack. 95% of them last year used stolen credentials. There were over 3 billion account credentials that were compromised. And so it's no surprise that phishing attacks are on the rise. What we saw between 2015 and 2016 was a three-fold increase in phishing attacks. And they continue to be incredibly successful. And the tools that are being used for ransomware and all of that are really starting to become available to the bottom feeders of the criminal community. By that, I mean the least sophisticated folks in there. So this brings me to basically the third ground truth, which is criminals no longer need to hide in the dark. What we have seen is an absolute rise in an industrial, a new industrial complex of hackers actually working in plain sight to conduct all of their criminal activity. So now today you can buy cybercrime as a service. You want a point-of-service malware tool. You don't know how to make it, that's okay. You can go to a website and buy it. And here's what's amazing: you don't just get the malware, you get all of the resources, all of the tools that you need to conduct your attack, available to you through these websites. By the way, a lot of them also have call centers and service-level guarantees. You want to buy call center services? Pick your language, pick your gender, pick your accent. They're all available.
Credit card troves, and we'll get to this in a second, but the internet is littered now with stolen credit card information. And what's interesting is in some geographies like Brazil, they actually take advertising and try to differentiate themselves through marketing very seriously. So they're using movie posters to advertise the services that they sell. Let's say you want to launch a DDoS attack, but you don't exactly know how. Totally. You can buy a spot on the Mirai botnet. 50,000 bots for $4,600. That's about 10 cents a bot. Kind of affordable. And they will launch the attack for you. So what's really fascinating as we look at what's going on in this criminal industrial complex is the use of social media as the platform for conducting criminal activities. So outside of the U.S., where there are still some laws in existence, around the world, the need to go into the dark web is becoming less and less required because prosecution rates are less than 1%. So the criminals have actually moved to these social media platforms, and I kind of want to show you really quickly what the new dark web looks like. So let's take a look at what's going on. So let's hope this works. Okay. So this is my Facebook page. And by the way, let's just make sure it's working. It's my son getting a hockey award. It's my daughter. My son's putting on her goalie pad. So just showing you this is real. So let's say I got fired from RSA, and I really, really needed to buy a pair of shoes and can't afford them. So I kind of need someone else's credit card to do that. So you guys all know what CVVs are, right? They're the credit card verification value. It's what you need in order to use someone else's credit card. So let's just run a search on CVVs. Here we go. First post. There's the credit card number. Expiration date is April, 2015. I don't think I can use that one. Let's keep going. Some advertisements for some places we can go. Let's look at this one. He's just advertising his wares.
You need to actually contact him. Oh, here's a good one. Peter Bingham. Does anyone know Peter Bingham in Australia? Because his credit card is right there with the CVV information, as well as from the Commonwealth Bank of Australia. And you can keep going down. Here's a good one from JPMorgan Chase, Michael Lynch. I even have his address and his zip code and his phone number. All right there for me to use, right? Right on Facebook. Now, let's go on Twitter for a second. 19 notifications. Cool. So, here's what's fun on Twitter. By the way, before the election, when you put in "dump," really it wasn't that that came up. Okay, so here's a website, a Twitter feed that basically scrapes the internet for all sorts of dumps of personal information. And here's what's really cool. I went on this this morning just to make sure that we could do this fast. So, they post emails and passwords. This just got posted early this morning. This is 68 million hacked accounts, Dropbox accounts, and they've listed the email address as well as the hashed password for you to access. So, they're just giving you a taste of what's in that trove. If you want to actually access all those accounts, they give you the URL to go to, which is awesome. Actually, let me do this real quick. There were a few other places that I liked this morning. So, here's a more common one that you find. So, this is actually just another dump, but it's got all the usernames and passwords for these emails. So, if anyone knows Ben Warhammer, for example, in Germany, username and password is up here. So, in less than 30 seconds, I can either go find a credit card on Facebook that I can use. By the way, I was looking on Facebook last night just to see what was there.
And there was a post with exactly, step-by-step, instructions on how to use a stolen credit card on Amazon, how to set up the account, the minimum purchase that would let you sort of not get caught by their fraud team, and what dollar values you should use as you made your purchases with these stolen credit card accounts. Now, interestingly, that post got taken down within a few hours of being put up there. And so, the social media sites really do try and scrape for content. And the reason I liked a bunch of the feeds on Twitter is because they do get sort of pulled every once in a while, but not before they can cause a fair amount of damage. So, again, the whole reason that I wanted to show this to you is it's all out there. I mean, the amount of information that you can access online is fairly crazy. So, as we look at what's going on out there over the past six months, we have seen a 300% growth rate in the use of social media online. It varies by geography. In China, by doing QQ, tend to be the most common platforms that are used, for example; they're actually really good about scraping criminal activity off of those platforms, but the criminals have figured out how to use evasive techniques, use characters that don't get caught within those systems. So WhatsApp continues to be the most common and favorite social media platform that's being used. And when you go onto these social media platforms, the amount of activity that's going on is fairly endless. The carding services I showed you are the easiest thing to access when you're there, but everything from malware, hacking tools, muling services, phishing, botnet services, all of that is accessible with just a few clicks.
Now, as we look at how this activity takes place, and this is just a map of the countries that are launching the attacks and the countries that are the target, the red being the attackers and the blue being who's being attacked, you can see that the US and UK are the target, and the attacks are coming from all over the world. Now, you will notice, for anyone who knows much about cyber crime, that Brazil's not on this map, and the reason Brazil's not on the map is because Brazilians tend to be very localized in what they do, so their fraud activities are pretty geographically limited. They don't tend to go out of their geography, but we are absolutely the targets for most of these activities, and the skill set for sure varies by the geography that you look at. So, for example, the Russians tend to be incredibly sophisticated, very business oriented. Probably they've come up a few times today, and I assume they'll continue to come up a few times. Chinese are also very sophisticated. They focus a lot more on hardware and mobile, and then as you make your way to West Africa, it tends to be very much about financial transactions and things that can generate money very, very quickly. So, to highlight the complete absurdity of what's going on online, I thought I would show this website, which is a carding service website. I don't know if you can tell, but it's a very kind of professionally set up website. It has a cart, it has a place for billing questions, tickets, if you have questions about what they do. And this particular group was subjected to a DDoS attack, and they were really upset that they were subjected to a DDoS attack. Now, keep in mind, right, they're selling stolen information, right? They're selling stolen credit cards. Here was their reaction. So, this is from June 2015, for anyone who cares; this is a website set up in West Africa.
"Dear friends, we noticed that our site was under several attacks when a group of hackers," because they're not, "tried to blackmail us, intimidating us with DDoS attacks and abuse," right? How dare they? Let's keep going. "With our friends and customers," right? With our friends and customers, "we overcame all the difficulties and saved our business," right? How many criminals talk about it this way? "We always play fair, brothers, and we want you to play fair." So, what is beautiful about this from my perspective is just trying to understand the mindset of the people who are doing these activities, and their view of right and wrong is very, very different from our view of right and wrong. And some of them believe it's a legitimate business, doesn't really have victims, and it's simply a way to make money in very difficult environments. And it kind of underscores the need for us to keep working and pushing, which is why all the policy conversations are important. This is the global internet, and we do not have norms of behavior that we've all agreed to, and clearly they vary so much by geography. So, I will end on that note, and hopefully it's not completely hopeless as you guys head into lunch, but I'm happy to entertain a couple of questions as well if anyone has them.

No, there's no need to be depressed. There's just a reality out there. I mean, the good news, right, is credit cards are pretty well protected, but if you're connected to the internet, this is the world and the people that you're connected to, and it's just really important to understand that reality.

Just following up on that final point about norms of responsible behavior, in your research, or as you looked at these different criminal actors, did you find that there were any attempts to establish kind of standards for responsible behavior among that crowd? And if not, is that something that you see coming?

So the answer to that totally varies by region.
I wouldn't say that there are necessarily standards of behavior, but there are folks who are invited in and folks who are not invited in. So if you take, for example, the Arabic-speaking countries, if you are not an Arab, if you can't interact with them using not just the language, but also the way they greet each other and speak to each other and all the pleasantries that go around it, you will absolutely not become part of the community. So there are very well-defined norms in terms of communicating who's allowed in, who's not allowed in, where you conduct your activities, but there aren't really standards of behavior emerging as far as we can see.

Okay, I know you guys do this for a living, so go easy on me.

Don't worry.

So we track a lot of, in addition to Russian and Chinese cyber criminals, we look at a lot of American cyber criminals. And one of the things I was wondering is, within your team's research, do you see similar sophistication in US-based cyber criminals? I know they tend to be kind of localized in their targeting. Do they run businesses in the same way? I'm kind of curious what you guys are seeing.

So most of our research has focused on the international communities for a lot of reasons, including, and my talk here, because in the US, we actually enforce our laws. So it is much more difficult to conduct business the way folks around the world are conducting business where the laws may not be well-defined. Prosecution simply doesn't happen in certain parts of the world. But it is a very different environment in the US. Thank you.