
PRIVACY ISSUES IN APT DEFENSES

There be (Some) Dragons

Page 3

AGENDA

• Security & Privacy in conflict

• Review of APT attack methods

• Overview of defense & response strategies

• Deep dive & demo on specific examples

• Data protection refresh

• Data protection issues

• Privacy by design in defense

Page 4

SECURITY/PRIVACY PARADOX

• Key privacy requirement is to protect against unauthorized access – lock it up behind a secure perimeter

• APTs are designed to elude perimeter defenses

• Detecting and eradicating APTs requires review of behavior and content in the systems and enterprise being protected

Page 5

CONFLICTING GOALS

Security vs. Privacy

• Obligation to provide security vs. obligation not to intrude on personal communications

• Quick response to attacks and changing strategies vs. requirements to obtain user consent and register applications/processing

• Need to retain log and traffic data for analysis vs. restrictions on data retention

• Need to consolidate data for analysis vs. export limitations on PI, banking information and “state secrets”

Examples

Page 6

WHAT IS APT?

• Advanced Persistent Threat

– State Sponsored (generally)

– Targeted and Coordinated

– Often originated from China or Russia

– Targets IP

• Spotting an APT case early

– Notified by three letter agency

– Not given much information

– Client is targeted industry (aerospace, energy, etc.)

– Methodology


Page 7

[Network diagram of A Company Inc.: HQ, HR, Ops and ProjectX sites; an Internet Exchange carrying inbound and outbound Internet traffic; Internet Services, Corporate Services and Outsourced Services]

Page 8

[Diagram: spearphish intrusion path across HQ, OPS and HR, Internet Services and Corporate Services, with steps numbered 1 to 6: spearphish, pwdump, harvested credentials, access to data files]

Page 9

[Diagram: Intrusion Timeline, steps numbered 1 to 8 covering initial vector, detection, response, investigation (malware analysis, host-based analysis, network-based analysis, log analysis), scoping and scanning, and remediation]

Page 10

APT ANALYTICS

• Network Traffic Monitoring (Sniffers)

• Host Based Forensic Analysis

– Memory Analysis

• Log Analysis

• Traffic Logging

Page 11

APT TOOLS

Category / Description / Examples (privacy impact increases from top to bottom)

Systems Data Monitoring Tools (IDS, IDP)

Description: These tools send alerts based on rules of non-routine events, patterns of suspicious behavior, or unusual activity. The alerts will contain systems data to provide evidence of the type of issues spotted, e.g. file type, IP address, communications protocols, and what it was communicating with internally.

Examples: Proventia, Fidelis XPS, Netflows (SiLK analysis)

Server Monitoring Tools

Description: These tools are similar to the above but work at a server rather than network level, e.g. monitor a server to look for unusual events.

Examples: ECAT, MTDS, Symantec CSP

Systems Data Storage Tools

Description: These tools save all log / network data so it can be reviewed at a later date. These differ from the monitoring tools, which do not save all data but only provide information on suspicious events.

Examples: SPLUNK

Consolidation Tools (SIEM)

Description: These tools take feeds from all of the other tools to enable suspicious events to be cross-referenced. This technology can correlate event information and bring together a larger picture of activity above and beyond individual technology collection and analysis.

Examples: ArcSight, Alien Vault

Content Monitoring Tools (DLP)

Description: These tools undertake deep packet inspection (looking at business content) based on a set of rules to try to identify content being exfiltrated or moved around the network by the attackers.

Examples: Symantec DLP

Content and Log Storage Tools

Description: These tools effectively store all log and content data that passes over a certain point in the network, e.g. firewall, mail server, VPN tunnels. While this takes an enormous amount of storage, it provides a complete record of all communications entering and leaving the network, which can subsequently be reviewed if necessary to investigate suspicious behavior and modes of attack.

Examples: Netwitness

Page 12

METHODOLOGY

Detection Mechanisms

- Firewall Logs

- IDS Logs

- Packet Captures

- Lima Scans/Host-based Scanner

- SIEM

Analysis

- Host Forensics

- Network Logs

- Malware Analysis

Indicators of Compromise (IOC)

- IP Addresses

- Protocols

- Registry Keys

- Filenames

- Hash Values

Client Provided

• Logs

• Reports

• Notifications

• Interviews

• Malware

Page 13

SNIFFER

• DEMO

• So, Sniffer is crucial to success vs. APT

• Zero privacy

– SSL?

• Issues

– Trust in responders

– Protection of inv.? data

Page 14

HOST FORENSICS

• Complete access to all bits on Hard Drive

• Collection of targeted computers

– Malware compromised

– Computers with sensitive data

• Analysis

– Malware artifacts

– Indicators of Compromise

• Registry entries

• Filenames

• Presence of certain .exe, batch files, command history, etc.

• Rar archives

• Browsing?

Page 15

MEMORY FORENSICS

• DEMO

• Analysis

– Strings: can reveal private data

– Volatility, Memoryze and other parser tools

• Looks for very specific structures

– Tasklist

– PS

– Connect

– Etc.

Page 16

MEMORY ANALYSIS - JSON

e7c7234 => id": "56cb91e4-87b2-4c0e-95ce-c373838cecb1", "from": "002564AB5699_KSSVC120301", "to": "011034", "id": "967798d5-25a1-4758-a5e7-731a1f5901d4", "type": "config", "detail": { "action": "report", "ver": "KSSVC120301", "os": "5.1.2600 Service Pack 3", "displayname": "VICTIM-ks08-XXXPC3338", "looptime": 30, "server": [ "99.235.7.203:443", "89.108.129.53:9999", "93.74.130.253:443", "96.4.204.11:443" ] } }

e7c78f4 => id": "14549bcc-3f5f-4df5-a3d2-64443ec060f4", "from": "002564AB5699_KSSVC120301", "to": "011030", "id": "1c0cccf2-f98c-47b5-8d5b-73c9c65c466b",

"type": "shell", "detail": { "action": "data", "data": "dir 110-443.exe\r\n Volume in drive C is OS\r\n Volume Serial Number is 8858-9B5E\r\n\r\n Directory of C:\\WINDOWS\\system32\r\n\r\n04\/25\/2012 07:31 AM 1,536 110-443.exe\r\n 1 File(s) 1,536 bytes\r\n 0 Dir(s) 127,675,723,776 bytes free\r\n\r\nC:\\WINDOWS

1dffdbcc => id": "c449d622-efcc-4122-b474-0c8a64547e8a", "from": "002564AB5699_KSSVC120301", "to": "011030", "id": "592ac4d3-92fa-469b-9c99-c7c638389d82",

"type": "shell", "detail": { "action": "data", "data": "net start\r\nThese Windows services are started:\r\n\r\n ASF Agent\r\n Automatic Updates\r\n Background Intelligent Transfer Service\r\n CAS NET Start-Up\r\n COM+ Event System\r\n COM+ System Application\r\n Computer Browser\r\n Configuration Manager Remote Control\r\n

61aa1800 => c060f4", "from": "002564AB5699_KSSVC120301", "to": "011030", "id": "1c0cccf2-f98c-47b5-8d5b-73c9c65c466b",

"type": "shell", "detail": { "action": "data", "data": "net user VeraServiceUser \/domain\r\nThe request will be processed at a domain controller for domain victim.VICTIM.com.\r\n\r\nThe user name could not be found.\r\n\r\nMore help is available by typing NET HELPMSG 2221.\r\n\r\n\r\nC:\\WINDOWS\\system32>" } }

"type": "filedownload", "detail": { "hostfilename": "c:\\windows\\system32\\110-443.exe", "enginefilename": "\\wyd\\110-443.exe", "total_len": 0, "offset": 0 } }

6ef44a58 => { "sid": "14549bcc-3f5f-4df5-a3d2-64443ec060f4", "from": "002564AB5699_KSSVC120301", "to": "011030", "id": "1c0cccf2-f98c-47b5-8d5b-73c9c65c466b",
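The strings above are C2 protocol records recovered from process memory. As an added example (not from the slides or the demo), the script below carves the same `<offset> => <fragment>` layout from a constructed dump and pulls out only what an investigator needs as indicators: the C2 server list, dropped file paths and the attacker's shell commands. The command output, which is where the private data mentioned on the previous slide tends to sit, is counted but not reported. Every session id, host name, path and address in the sample is constructed, and the last record is deliberately truncated, as carved fragments often are.

```python
import re

# Constructed strings-from-memory dump in the "<offset> => <fragment>" layout
# shown on the slide. Every session id, host name, path and address is made up
# (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges); the last record
# is deliberately cut off mid-string, as carved fragments often are.
MEM_STRINGS = r'''
00e7c7234 => { "sid": "aaaaaaaa-0000-4000-8000-000000000001", "type": "config", "detail": { "action": "report", "displayname": "VICTIM-ws-0001", "looptime": 30, "server": [ "192.0.2.50:443", "198.51.100.7:9999" ] } }
00e7c78f4 => { "sid": "aaaaaaaa-0000-4000-8000-000000000002", "type": "shell", "detail": { "action": "data", "data": "dir agent-443.exe\r\n Volume in drive C is OS\r\n Directory of C:\\WINDOWS\\system32\r\n" } }
00e7c9000 => { "sid": "aaaaaaaa-0000-4000-8000-000000000003", "type": "filedownload", "detail": { "hostfilename": "c:\\windows\\system32\\agent-443.exe", "enginefilename": "\\drop\\agent-443.exe", "total_len": 0 } }
0061aa180 => c060f4", "type": "shell", "detail": { "action": "data", "data": "net user someuser \/domain\r\nThe user name could not be found.\r\n
'''

RECORD_RE = re.compile(r'^(?P<offset>[0-9a-f]+) => (?P<body>.*)$')
TYPE_RE = re.compile(r'"type":\s*"(?P<type>[a-z]+)"')
SERVER_RE = re.compile(r'"server":\s*\[(?P<items>[^\]]*)\]')
HOSTFILE_RE = re.compile(r'"hostfilename":\s*"(?P<path>(?:[^"\\]|\\.)*)"')
# No closing quote required: a truncated fragment still yields the command.
DATA_RE = re.compile(r'"data":\s*"(?P<data>(?:[^"\\]|\\.)*)')


def unescape(s):
    """Undo the two JSON escapes that matter for paths and commands."""
    return s.replace("\\/", "/").replace("\\\\", "\\")


def carve_records(dump):
    """Turn each '<offset> => <fragment>' line into a record of the fields
    worth keeping as indicators; shell output is counted, not copied."""
    records = []
    for line in dump.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        t = TYPE_RE.search(body)
        if not t:
            continue
        rec = {"offset": m.group("offset"), "type": t.group("type")}
        if rec["type"] == "config":
            s = SERVER_RE.search(body)
            rec["servers"] = re.findall(r'"([^"]+)"', s.group("items")) if s else []
        elif rec["type"] == "shell":
            d = DATA_RE.search(body)
            # The literal \r\n sequences separate the command from its output.
            parts = d.group("data").split("\\r\\n") if d else [""]
            rec["command"] = unescape(parts[0])
            rec["output_lines"] = sum(1 for p in parts[1:] if p)
        elif rec["type"] == "filedownload":
            h = HOSTFILE_RE.search(body)
            rec["hostfile"] = unescape(h.group("path")) if h else None
        records.append(rec)
    return records


def ioc_summary(records):
    """Collapse carved records into a shareable indicator list."""
    servers, files, commands, withheld = set(), set(), [], 0
    for r in records:
        servers.update(r.get("servers", []))
        if r.get("hostfile"):
            files.add(r["hostfile"])
        if r["type"] == "shell":
            commands.append(r["command"])
            withheld += r["output_lines"]
    return {"servers": sorted(servers), "files": sorted(files),
            "commands": commands, "withheld_output_lines": withheld}


if __name__ == "__main__":
    print(ioc_summary(carve_records(MEM_STRINGS)))
```

Regexes rather than a JSON parser are used on purpose: memory fragments are routinely cut off, as the last sample record is, and `json.loads` would reject them outright.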

Page 17

LOG ANALYSIS

• DC logs

– Used to determine attacker’s “lateral movement”

• Targets of Interest (users/computers)

• Attacker usually had full access to all accounts in domain

– Uses admin credentials
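As an added example (not part of the slides), the Python below works through constructed, simplified domain-controller logon records to find the pattern described above: one account, using network logons, reaching an unusual number of distinct hosts in a short window. The record format, hosts, accounts, addresses and thresholds are all assumptions; real DC logs (event 4624 and friends) carry many more fields. The report stays at the level of accounts and hosts, so the targets-of-interest list can be drawn up without touching anyone's content.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified domain-controller logon records, one per line:
#   <timestamp>,<event id>,<logon type>,<account>,<target host>,<source ip>
# Event 4624 is a successful logon; logon type 3 is a network logon (file
# shares, RPC), type 10 a remote interactive one. Accounts, hosts and
# addresses are made up (192.0.2.0/24 is a documentation range).
DC_LOG = """\
2020-09-28T09:02:11,4624,2,CORP\\alice,HQ-WS-014,-
2020-09-28T09:05:40,4624,3,CORP\\alice,HQ-FS-01,192.0.2.14
2020-09-28T09:06:02,4624,3,CORP\\bob,HQ-FS-01,192.0.2.15
2020-09-28T11:30:17,4624,3,CORP\\bob,OPS-FS-02,192.0.2.15
2020-09-29T02:10:00,4624,3,CORP\\adm_jsmith,HR-WS-003,192.0.2.23
2020-09-29T02:11:30,4624,3,CORP\\adm_jsmith,HR-WS-007,192.0.2.23
2020-09-29T02:13:05,4624,3,CORP\\adm_jsmith,OPS-FS-02,192.0.2.23
2020-09-29T02:14:48,4624,3,CORP\\adm_jsmith,PROJX-FS-01,192.0.2.23
2020-09-29T02:16:20,4624,3,CORP\\adm_jsmith,HQ-DC-01,192.0.2.23
2020-09-29T02:20:00,4624,10,CORP\\adm_jsmith,HQ-DC-01,192.0.2.23
2020-09-29T08:45:00,4624,2,CORP\\carol,HQ-WS-021,-
"""


def parse_dc_log(text):
    """Parse the constructed CSV layout into one dict per logon event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, host, src_ip = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "host": host,
            "src_ip": src_ip,
        })
    return events


def lateral_movement_candidates(events, window=timedelta(minutes=30),
                                min_hosts=4, logon_types=(3, 10)):
    """Accounts whose network/remote logons touch at least `min_hosts`
    distinct hosts inside any `window`; admin credentials used for hopping
    show up here even though every individual logon succeeded."""
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] in logon_types:
            by_account[e["account"]].append(e)
    candidates = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        best = []
        for i, start in enumerate(evs):
            run = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            if len({e["host"] for e in run}) > len({e["host"] for e in best}):
                best = run
        hosts = list(dict.fromkeys(e["host"] for e in best))  # first-seen order
        if len(hosts) >= min_hosts:
            candidates.append({
                "account": account,
                "hosts": hosts,
                "source_ips": sorted({e["src_ip"] for e in best}),
                "first": best[0]["ts"],
                "last": best[-1]["ts"],
            })
    return candidates


def targets_of_interest(candidates):
    """Hosts reached during the flagged runs: the machines to image next."""
    return sorted({h for c in candidates for h in c["hosts"]})


if __name__ == "__main__":
    found = lateral_movement_candidates(parse_dc_log(DC_LOG))
    for c in found:
        print(c["account"], "->", c["hosts"], "from", c["source_ips"])
    print("targets of interest:", targets_of_interest(found))
```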

Page 18

ACTIVE DEFENSE

• Mail and other edge gateways

– Spearphishing

• Proxy servers

• IDS/IPS

• SIEM

• SNIFFER/Full Traffic Logging

• Firewall/Egress filters (DLP)

Page 19

ACTIVE DEFENSE EXAMPLE

• IDS/IPS or SIEM alerts to sharp uptick in DNS lookups

• Traffic logs are reviewed or sniffer is used to identify source of excess lookups

• Suspect machines in local network identified by MAC address info in traffic and IP address logs

• Suspect external IP addresses blocked

• Suspect machines are imaged and reviewed for malware

• Traffic from suspect machines reviewed to look for data exfiltration

• Internal network and server logs reviewed for evidence of lateral attacks
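As an added example, not from the slides, the Python below runs the first three steps of this sequence over a constructed resolver log and DHCP lease table: count lookups per client per minute, flag the client whose rate jumps far above the network's typical rate, and tie it to a MAC address. All log lines, addresses, MACs and the threshold values are constructed. The summary deliberately reports counts and addresses only; the queried names are counted but held back, so reviewing them is a separate, escalated step in the spirit of the later slides.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed resolver log lines, "<timestamp> <client ip> <query name>".
# Three quiet clients make a lookup or two a minute; 192.0.2.23 suddenly
# makes 40 in one minute. Addresses are from the 192.0.2.0/24 documentation
# range and all names are made up.
QUIET = [
    "2020-09-29T10:00:01 192.0.2.10 mail.example.net",
    "2020-09-29T10:00:05 192.0.2.11 intranet.example.net",
    "2020-09-29T10:00:40 192.0.2.10 www.example.net",
    "2020-09-29T10:01:02 192.0.2.12 intranet.example.net",
    "2020-09-29T10:01:10 192.0.2.23 intranet.example.net",
    "2020-09-29T10:01:55 192.0.2.11 time.example.net",
    "2020-09-29T10:02:03 192.0.2.12 mail.example.net",
    "2020-09-29T10:02:30 192.0.2.10 intranet.example.net",
    "2020-09-29T10:03:12 192.0.2.11 www.example.net",
]
SPIKE = [f"2020-09-29T10:03:{s:02d} 192.0.2.23 h{s}.cdn-update.invalid"
         for s in range(40)]
DNS_LOG = "\n".join(QUIET + SPIKE)

# Constructed DHCP lease table (IP -> MAC): the "MAC address info" used to
# pin a lookup source to a physical host.
LEASES = {
    "192.0.2.10": "00:11:22:33:44:10",
    "192.0.2.11": "00:11:22:33:44:11",
    "192.0.2.12": "00:11:22:33:44:12",
    "192.0.2.23": "00:11:22:33:44:23",
}


def parse_dns_log(text):
    """Return (timestamp, client ip, lower-cased query name) per log line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, qname = line.split(maxsplit=2)
        records.append((datetime.fromisoformat(ts), ip, qname.lower()))
    return records


def lookups_per_minute(records):
    """Count lookups per (client, minute) and keep the set of names asked for."""
    counts = Counter()
    names = defaultdict(set)
    for ts, ip, qname in records:
        minute = ts.replace(second=0, microsecond=0)
        counts[(ip, minute)] += 1
        names[(ip, minute)].add(qname)
    return counts, names


def find_lookup_spikes(records, leases, factor=5, min_count=20):
    """Flag (client, minute) pairs whose lookup count is far above the
    network's typical per-client-minute rate. The report carries counts and
    addresses only; the queried names wait for a separate, escalated review."""
    counts, names = lookups_per_minute(records)
    baseline = median(counts.values())
    threshold = max(min_count, factor * baseline)
    spikes = []
    for (ip, minute), n in sorted(counts.items(), key=lambda kv: kv[0][1]):
        if n >= threshold:
            spikes.append({
                "ip": ip,
                "mac": leases.get(ip, "unknown"),
                "minute": minute.isoformat(timespec="minutes"),
                "lookups": n,
                "baseline": baseline,
                "distinct_names": len(names[(ip, minute)]),
            })
    return spikes


if __name__ == "__main__":
    for spike in find_lookup_spikes(parse_dns_log(DNS_LOG), LEASES):
        print(spike)
```

The baseline is the median over every (client, minute) pair rather than a per-client figure, so a host that has only ever been seen while noisy still stands out against its neighbours.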

Page 20

INTRUSION RESPONSE EXAMPLE

• Law enforcement or customer notifies indicia of breach

• Scramble response to confirm breach and establish scope

– review available logs

– look for malware

• Implement monitoring tools to observe and trace any continued intrusion

• Deal with notification issues (DP and users)

Starting From Behind

Page 21

DATA PROTECTION ISSUES

• Many issues arise under EU and EU-type data protection regimes

– Collection/processing/access of any information about a living person subject to regulation in EU

– Consent may not work

– Exceptions may not apply

– Export may create additional issues

Page 22

APT TOOLS: A RISK VIEW

Category / Description / Issues (privacy impact increases from top to bottom)

General issues for all tools: data subject consent, DP registration

Systems Data Monitoring Tools (IDS, IDP)

Description: These tools send alerts based on rules of non-routine events, patterns of suspicious behavior, or unusual activity. The alerts will contain systems data to provide evidence of the type of issues spotted, e.g. file type, IP address, communications protocols, and what it was communicating with internally.

Issues: IP addresses treated as PI by some jurisdictions; collection/review of physical security data may violate workplace rules, especially when correlated with other data

Server Monitoring Tools

Description: These tools are similar to the above but work at a server rather than network level, e.g. monitor a server to look for unusual events.

Issues: Fact of access to particular servers may reveal protected health information or other PI

Systems Data Storage Tools

Description: These tools save all log / network data so it can be reviewed at a later date. These differ from the monitoring tools, which do not save all data but only provide information on suspicious events.

Issues: Same as above but with data retention issues and increased prospect that substance of communications will be revealed

Consolidation Tools (SIEM)

Description: These tools take feeds from all of the other tools to enable suspicious events to be cross-referenced. This technology can correlate event information and bring together a larger picture of activity above and beyond individual technology collection and analysis.

Issues: In addition to the above, export issues (as data need to be normalized and compared, depending on configuration); additional retention issues

Content Monitoring Tools (DLP)

Description: These tools undertake deep packet inspection (looking at business content) based on a set of rules to try to identify content being exfiltrated or moved around the network by the attackers.

Issues: Direct review of message content; export issues depending on configuration

Content and Log Storage Tools

Description: These tools effectively store all log and content data that passes over a certain point in the network, e.g. firewall, mail server, VPN tunnels.

Issues: Direct review of message content, data retention issues, export issues

Page 23

DATA PROTECTION ISSUES

• Issues beyond the EU

– Protected Health Information in the US

– “Medical Information” under California Confidentiality of Medical Information Act

– Limitations on export of personal information (e.g., EU-type adequate protection requirements, express limits on personal financial information in China, anti-outsourcing laws for government contracts in the US,

Page 24

RISKS IN NOT ACTING

• Failure to use adequate measures to protect personal information

• Failure to meet certification requirements (U.S.-EU Safe Harbor)

• Failure to meet contractual requirements (SCCs, BAAs, general client agreements)

• Failure to halt movement of PI and other controlled info within network by attacker (which movement may itself violate law)

Page 25

RISKS IN ACTING

• Lack of consent

• Exceeding scope of consent or legitimate interests

• Use of unregistered applications or use of registered applications out of scope

• Undeclared use of data

• Export of PI without necessary consent or authority or in violation of express export limitations

• Unauthorized interception of communications

• Monitoring employees in violation of regulations and labor requirements

Page 26

ISSUES: LOCAL EXAMPLES

Country / Issue

Germany: Takes a particularly strict approach and prohibits IP traffic interception in Germany and retention of such intercepted traffic data. Possible network security defense, but it is disputed.

France: Employees have a right to private use of work systems, and private correspondence cannot be intercepted.

South Korea: Requires consent from both parties to a conversation unless the party doing the monitoring is a South Korean entity, in which case employee consent is sufficient.

China: Prohibits export of “state secrets” and requires reporting of cyber-crime (which presents interesting issues when the attacker appears to be sponsored by China). China also imposes sectoral restrictions on export of certain personal and business information.

CIS: Limits use of encryption tools and prohibits export of “state secrets” and “commercial secrets”.

Colombia: Sectoral limits on export of personal information.

Page 27

DATA PROTECTION ISSUES

• Security necessities (regulatory and contractual) potentially conflict with various data privacy and related requirements

• Apparently no cases dealing specifically with this conflict, so no direct guidance on weighing priorities

Page 28

THE DILEMMA

• Evolving area of law with conflicting obligations in and across jurisdictions

• Seeking 100% compliance may be as much of a fool’s errand as counting on 100% exclusion of hackers from your network

• Potential liability on both sides (including some criminal)

• What’s a privacy professional to do?

Page 29

A PRACTICAL APPROACH

• Back to privacy first principles – FIPS

– Disclosure

– Transparency

– Least intrusion necessary

– Balance interests

• Ensure monitoring is necessary and no less intrusive means available

• Obtain employee consent where possible

– As part of onboarding

– Sign-on banners

– As part of ongoing security awareness efforts

Page 30

A PRACTICAL APPROACH

• Monitoring notified to and agreed with Works Councils where required

• Ensure DP filings and other compliance materials adequately disclose monitoring

• BCRs may afford additional flexibility in response

• Establish protocols to limit use, retention and export

– limit access to necessary members of security team; log use

– escalation required to view substantive content

– maintain logs locally; escalation required for export (except non-event logs for SIEM)

– delete data when reasonable period for possible use in defense or response expires

Page 31

NECESSITY?

• Why is monitoring necessary?

• Many examples establish that perimeter defenses do not protect against APTs

• Zero day, “must have” software and user issues

• Once intruder is in, monitoring internal activity is often the only way to identify and trace attacker

• Checking substance of communications may be the only way to detect and thwart exfiltration of protected data

Page 32

FLASH RESPONSE RISKS

• No employee consents or employee consents too narrow

• Regulatory lead-time issues

• Management overhead issues (time to process issues)

• Lack of event data because logs/traffic information not available

Page 33

PLANNING FOR DEFENSE

• Planning for defensive actions

– What tools, what data and where

– What law applies

– What have you already declared/registered

– Closing the gap

– Privacy enforcement risk vs security risk

Page 34

PRIVACY BY DESIGN

• Notice to users

• Disclosure to regulators

• Limited use

– Access

– Purpose

• Limited retention

• Tool escalation based on need
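The protocols on the "A practical approach" slide (limit access to the security team, log use, escalate before viewing substantive content or exporting, delete after the retention period) and the privacy-by-design points above describe one data-handling design. As an added example, not from the slides, the Python below models an evidence store that enforces it. The record kinds, the retention periods, the reading of "except non-event logs for SIEM" as "SIEM event records may be exported without escalation", and the ticket format are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


class AccessDenied(Exception):
    """Raised, after the attempt has been logged, when a request exceeds policy."""


@dataclass
class Record:
    rid: str
    kind: str             # assumed kinds: siem_event, netflow, pcap, mail
    collected: datetime
    metadata: dict        # who/when/where: addresses, timestamps, sizes
    content: bytes = b""  # substantive content: payloads, message bodies


class EvidenceStore:
    # Assumed retention periods in days; the slides set none.
    RETENTION_DAYS = {"siem_event": 365, "netflow": 90, "pcap": 30, "mail": 30}
    # Assumed reading of "except non-event logs for SIEM": SIEM event records
    # may leave the local store without escalation, everything else may not.
    EXPORT_WITHOUT_ESCALATION = {"siem_event"}

    def __init__(self, security_team, approvers):
        self.security_team = set(security_team)
        self.approvers = set(approvers)
        self.records = {}
        self.audit = []  # every access, granted or denied, lands here

    def add(self, rec):
        self.records[rec.rid] = rec

    def _log(self, who, action, rid, granted, ticket=None):
        self.audit.append({"who": who, "action": action, "rid": rid,
                           "granted": granted,
                           "ticket": ticket.get("id") if ticket else None})

    def _authorize(self, who, action, rid, ticket, need_escalation):
        """Limit access to the security team; require an approved ticket for
        anything that reaches substantive content or leaves the site."""
        ok = who in self.security_team and rid in self.records
        if ok and need_escalation:
            ok = bool(ticket) and ticket.get("approver") in self.approvers
        self._log(who, action, rid, ok, ticket)
        if not ok:
            raise AccessDenied(f"{who} may not {action} {rid}")
        return self.records[rid]

    def view_metadata(self, who, rid):
        # Metadata is the day-to-day working level: team membership suffices.
        return dict(self._authorize(who, "view_metadata", rid, None, False).metadata)

    def view_content(self, who, rid, ticket=None):
        return self._authorize(who, "view_content", rid, ticket, True).content

    def export(self, who, rid, ticket=None):
        kind = self.records[rid].kind if rid in self.records else None
        rec = self._authorize(who, "export", rid, ticket,
                              kind not in self.EXPORT_WITHOUT_ESCALATION)
        return {"rid": rec.rid, "kind": rec.kind,
                "metadata": dict(rec.metadata), "content": rec.content}

    def purge_expired(self, now):
        """Delete records whose retention period has run out; log each one."""
        expired = [r.rid for r in self.records.values()
                   if now - r.collected > timedelta(days=self.RETENTION_DAYS[r.kind])]
        for rid in expired:
            del self.records[rid]
            self._log("retention-job", "purge", rid, True)
        return expired


def denied(call, *args, **kwargs):
    """True if the call is refused by policy (used by the demo and tests)."""
    try:
        call(*args, **kwargs)
    except AccessDenied:
        return True
    return False


def build_demo_store(now):
    """Constructed store: one old SIEM event and one recent capture."""
    store = EvidenceStore(security_team={"ana"}, approvers={"privacy_officer"})
    store.add(Record("e1", "siem_event", now - timedelta(days=400),
                     {"rule": "dns-spike", "src": "192.0.2.23"}))
    store.add(Record("p1", "pcap", now - timedelta(days=10),
                     {"src": "192.0.2.23", "dst": "198.51.100.7", "bytes": 512},
                     b"POST /upload HTTP/1.1\r\n..."))
    return store


if __name__ == "__main__":
    now = datetime(2020, 9, 29)
    store = build_demo_store(now)
    print(store.view_metadata("ana", "p1"))
    print("content without ticket denied:", denied(store.view_content, "ana", "p1"))
    print("purged:", store.purge_expired(now))
    print(store.audit)
```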

Page 35

CLOSING THOUGHTS

• Wrapping up

– Make sure you understand how tools are deployed in your environment

– As always, the particulars matter

– Plan now for active defense, breaches and forensic response

Page 36

CONTACT INFORMATION

STROZ FRIEDBERG

Scott J. Stein, B.S. Comp. Sci., J.D.
Managing Director
901 5th Avenue, Suite 2401, Seattle, WA 98164
T: +1 206 204 3602 M: +1 206 397 6745 F: +1 206 204 3610
[email protected]
www.strozfriedberg.com
News: http://www.strozfriedberg.com/category/mediaevents/news-mediaevents

Kevin C. Boyle, J.D., CIPP, CISSP
Partner
555 Eleventh Street, NW, Suite 1000, Washington, D.C. 20004-1304
T: +1 202 637 2245 M: +1 231 715 1089 F: +1 202 637 2201
[email protected]
www.lw.com
Blog: http://www.globalprivacyblog.com/