Cyber criminals are exploiting the Internet to build agile and resilient infrastructures. The Internet is open and info to expose these infrastructures is out there. The challenge is making sense of the fragmented data out there. Connecting the dots, by analyzing data (DNS queries, BGP anomalies, ASN reputation, network prefixes/IP fluctuations), allows us to map out where malicious infrastructure is and attacks are staged. This gives the defender the upper hand by letting them pivot through the criminal infrastructure. This session will explain how some of the Cisco Umbrella classifiers work and provide examples of threats that have been detected using this technology. First we focus on the detection models that can be built and applied (such as co-occurrences, NLPRank, Spike Detectors, Malvertising-clustering), and how these can expose malicious infrastructures and APTs. The next part provides a practical use case on how this innovative approach can be used to pivot through attackers' infrastructure and protect organizations from advanced threats. Examples include crypto phishing and crypto jacking. Finally, we will show some of this analysis visualized in 3D.