PRIVACY ISSUES IN APT DEFENSES
There be (Some) Dragons
AGENDA
• Security & Privacy in conflict
• Review of APT attack methods
• Overview of defense & response strategies
• Deep dive & demo on specific examples
• Data protection refresh
• Data protection issues
• Privacy by design in defense
SECURITY/PRIVACY PARADOX
• Key privacy requirement is to protect against unauthorized access – lock it up behind a secure perimeter
• APTs are designed to elude perimeter defenses
• Detecting and eradicating APTs requires review of behavior and content in the systems and enterprise being protected
CONFLICTING GOALS
Security vs. Privacy
• Security: Obligation to provide security
  Privacy: Obligation not to intrude on personal communications
• Security: Quick response to attacks and changing strategies
  Privacy: Requirements to obtain user consent and register applications/processing
• Security: Need to retain log and traffic data for analysis
  Privacy: Restrictions on data retention
• Security: Need to consolidate data for analysis
  Privacy: Export limitations on PI, banking information and “state secrets”
Examples
WHAT IS APT?
• Advanced Persistent Threat
– State Sponsored (generally)
– Targeted and Coordinated
– Often originated from China or Russia
– Targets IP (intellectual property)
• Spotting an APT case early
– Notified by three letter agency
– Not given much information
– Client is targeted industry (aerospace, energy, etc.)
– Methodology
[Diagram: example APT intrusion at A Company Inc. Network segments shown: HQ, Ops, HR, ProjectX site, Internet Services (Exchange, Outbound Internet), Corporate Services, Outsourced Services. Numbered attack steps 1-6: inbound spearphish, pwdump runs, harvested credentials, data files collected.]
[Diagram: Intrusion Timeline with numbered stages 1-8: initial vector, detection, response, investigation (malware analysis, host-based analysis, network-based analysis, log analysis, scoping - scanning) and remediation.]
APT ANALYTICS
• Network Traffic Monitoring (Sniffers)
• Host Based Forensic Analysis
– Memory Analysis
• Log Analysis
• Traffic Logging
APT TOOLS (listed in order of increasing privacy impact)
• Systems Data Monitoring Tools (IDS, IDP)
– Description: These tools send alerts based on rules of non-routine events, patterns of suspicious behavior, or unusual activity. The alerts will contain systems data to provide evidence of the type of issues spotted, e.g. file type, IP address, communications protocols, and what it was communicating with internally.
– Examples: Proventia, Fidelis XPS, Netflows (SiLK analysis)
• Server Monitoring Tools
– Description: These tools are similar to the above but work at a server rather than network level, e.g. monitor a server to look for unusual events.
– Examples: ECAT, MTDS, Symantec CSP
• Systems Data Storage Tools
– Description: These tools save all log / network data so it can be reviewed at a later date. These differ from the monitoring tools as the monitoring tools do not save all data but only provide information on suspicious events.
– Examples: SPLUNK
• Consolidation Tools (SIEM)
– Description: These tools take feeds from all of the other tools to enable suspicious events to be cross referenced. This technology can correlate event information and bring together a larger picture of activity above and beyond individual technology collection and analysis.
– Examples: ArcSight, Alien Vault
• Content Monitoring Tools (DLP)
– Description: These tools undertake deep packet inspection (looking at business content) based on a set of rules to try to identify content being exfiltrated or moved around the network by the attackers.
– Examples: Symantec DLP
• Content and Log Storage Tools
– Description: These tools effectively store all log and content data that passes over a certain point in the network, e.g. firewall, mail server, VPN tunnels. While this takes an enormous amount of storage, it provides a complete record of all communications entering and leaving the network which can subsequently be reviewed if necessary to investigate suspicious behavior and modes of attack.
– Examples: Netwitness
(Privacy impact increases from the top of the list to the bottom.)
METHODOLOGY
• Detection Mechanisms
– Firewall Logs
– IDS Logs
– Packet Captures
– Lima Scans/Host-based Scanner
– SIEM
• Analysis
– Host Forensics
– Network Logs
– Malware Analysis
• Indicators of Compromise (IOC)
– IP Addresses
– Protocols
– Registry Keys
– Filenames
– Hash Values
Client Provided
• Logs
• Reports
• Notifications
• Interviews
• Malware
SNIFFER
• DEMO
• So, Sniffer is crucial to success vs. APT
• Zero privacy
– SSL?
• Issues
– Trust in responders
– Protection of inv.? data
HOST FORENSICS
• Complete access to all bits on Hard Drive
• Collection of targeted computers
– Malware compromised
– Computers with sensitive data
• Analysis
– Malware artifacts
– Indicators of Compromise
  • Registry entries
  • Filenames
  • Presence of certain .exe, batch files, command history, etc.
  • Rar archives
  • Browsing?
MEMORY FORENSICS
• DEMO
• Analysis
– Strings: can reveal private data
– Volatility, Memoryze and other parser tools
• Looks for very specific structures
– Tasklist
– PS
– Connect
– Etc.
MEMORY ANALYSIS - JSON
e7c7234 => id": "56cb91e4-87b2-4c0e-95ce-c373838cecb1", "from": "002564AB5699_KSSVC120301", "to": "011034", "id": "967798d5-25a1-4758-a5e7-731a1f5901d4", "type": "config", "detail": { "action": "report", "ver": "KSSVC120301", "os": "5.1.2600 Service Pack 3", "displayname": "VICTIM-ks08-XXXPC3338", "looptime": 30, "server": [ "99.235.7.203:443", "89.108.129.53:9999", "93.74.130.253:443", "96.4.204.11:443" ] } }
e7c78f4 => id": "14549bcc-3f5f-4df5-a3d2-64443ec060f4", "from": "002564AB5699_KSSVC120301", "to": "011030", "id": "1c0cccf2-f98c-47b5-8d5b-73c9c65c466b",
"type": "shell", "detail": { "action": "data", "data": "dir 110-443.exe\r\n Volume in drive C is OS\r\n Volume Serial Number is 8858-9B5E\r\n\r\n Directory of C:\\WINDOWS\\system32\r\n\r\n04\/25\/2012 07:31 AM 1,536 110-443.exe\r\n 1 File(s) 1,536 bytes\r\n 0 Dir(s) 127,675,723,776 bytes free\r\n\r\nC:\\WINDOWS
1dffdbcc => id": "c449d622-efcc-4122-b474-0c8a64547e8a", "from": "002564AB5699_KSSVC120301", "to": "011030", "id": "592ac4d3-92fa-469b-9c99-c7c638389d82",
"type": "shell", "detail": { "action": "data", "data": "net start\r\nThese Windows services are started:\r\n\r\n ASF Agent\r\n Automatic Updates\r\n Background Intelligent Transfer Service\r\n CAS NET Start-Up\r\n COM+ Event System\r\n COM+ System Application\r\n Computer Browser\r\n Configuration Manager Remote Control\r\n
61aa1800 => c060f4", "from": "002564AB5699_KSSVC120301", "to": "011030", "id": "1c0cccf2-f98c-47b5-8d5b-73c9c65c466b",
"type": "shell", "detail": { "action": "data", "data": "net user VeraServiceUser \/domain\r\nThe request will be processed at a domain controller for domain victim.VICTIM.com.\r\n\r\nThe user name could not be found.\r\n\r\nMore help is available by typing NET HELPMSG 2221.\r\n\r\n\r\nC:\\WINDOWS\\system32>" } }
6ef44a58 => { "sid": "14549bcc-3f5f-4df5-a3d2-64443ec060f4", "from": "002564AB5699_KSSVC120301", "to": "011030", "id": "1c0cccf2-f98c-47b5-8d5b-73c9c65c466b",
"type": "filedownload", "detail": { "hostfilename": "c:\\windows\\system32\\110-443.exe", "enginefilename": "\\wyd\\110-443.exe", "total_len": 0, "offset": 0 } }
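As an added example (not code from the presentation), a small extractor that pulls indicators out of memory-strings fragments like the ones above while setting the host and account names aside, so that the indicators can be shared without the personal data. The sample input is constructed to resemble the slide (documentation-range IPs), and the field names it searches for are those visible in the fragments.

```python
import re
from collections import Counter

# Constructed sample modelled on the memory-strings output on the slide
# (offset => recovered JSON fragment). The fragments are truncated, so they
# are searched with regular expressions rather than parsed as JSON. The
# IPs are documentation ranges, not the addresses shown on the slide.
SAMPLE = r'''
e7c7234 => id": "56cb91e4-87b2-4c0e-95ce-c373838cecb1", "from": "002564AB5699_KSSVC120301", "to": "011034", "type": "config", "detail": { "action": "report", "ver": "KSSVC120301", "os": "5.1.2600 Service Pack 3", "displayname": "VICTIM-ks08-XXXPC3338", "looptime": 30, "server": [ "192.0.2.10:443", "198.51.100.7:9999" ] } }
e7c78f4 => id": "14549bcc-3f5f-4df5-a3d2-64443ec060f4", "from": "002564AB5699_KSSVC120301", "to": "011030", "type": "shell", "detail": { "action": "data", "data": "net user VeraServiceUser \/domain\r\nThe user name could not be found.\r\n" } }
6ef44a58 => { "sid": "14549bcc-3f5f-4df5-a3d2-64443ec060f4", "from": "002564AB5699_KSSVC120301", "to": "011030", "type": "filedownload", "detail": { "hostfilename": "c:\\windows\\system32\\110-443.exe", "enginefilename": "\\wyd\\110-443.exe", "total_len": 0, "offset": 0 } }
'''

RECORD = re.compile(r'^[0-9a-f]+ => (.*)$', re.M)   # one fragment per line
def field(name):
    return re.compile(r'"%s":\s*"([^"]*)"' % name)
TYPE, FROM, DISPLAY = field("type"), field("from"), field("displayname")
HOSTFILE, ENGINEFILE = field("hostfilename"), field("enginefilename")
SERVERS = re.compile(r'"server":\s*\[([^\]]*)\]')    # C2 address list
NETUSER = re.compile(r'net user (\S+)')             # account names the operator queried

def extract_iocs(memory_strings):
    """Collect indicators from recovered beacon fragments and keep the personal
    data (host and account names) in a separate bucket so it can be withheld."""
    iocs = {"servers": set(), "files": set(), "implants": set(),
            "types": Counter(), "personal": set()}
    for m in RECORD.finditer(memory_strings):
        frag = m.group(1)
        t = TYPE.search(frag)
        iocs["types"][t.group(1) if t else "unknown"] += 1
        iocs["implants"].update(FROM.findall(frag))
        s = SERVERS.search(frag)
        if s:
            iocs["servers"].update(re.findall(r'"([^"]+)"', s.group(1)))
        for pat in (HOSTFILE, ENGINEFILE):   # unescape JSON backslashes
            iocs["files"].update(v.replace("\\\\", "\\") for v in pat.findall(frag))
        iocs["personal"].update(DISPLAY.findall(frag) + NETUSER.findall(frag))
    return iocs

def redact(memory_strings, personal):
    """Return the fragments with host/account names replaced, for readers who
    need the indicators but not the identities behind them."""
    for name in sorted(personal, key=len, reverse=True):
        memory_strings = memory_strings.replace(name, "[REDACTED]")
    return memory_strings
```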
LOG ANALYSIS
• DC logs
– Used to determine attacker’s “lateral movement”
• Targets of Interest (users/computers)
• Attacker usually had full access to all accounts in domain
– Uses admin credentials
ACTIVE DEFENSE
• Mail and other edge gateways
– Spearphishing
• Proxy servers
• IDS/IPS
• SIEM
• SNIFFER/Full Traffic Logging
• Firewall/Egress filters (DLP)
ACTIVE DEFENSE EXAMPLE
• IDS/IPS or SIEM alerts to sharp uptick in DNS lookups
• Traffic logs are reviewed or sniffer is used to identify source of excess lookups
• Suspect machines in local network identified by MAC address info in traffic and IP address logs
• Suspect external IP addresses blocked
• Suspect machines are imaged and reviewed for malware
• Traffic from suspect machines reviewed to look for data exfiltration
• Internal network and server logs reviewed for evidence of lateral attacks
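An added example (not from the presentation) of the first two steps of this sequence: a per-source DNS lookup-rate check run over a constructed query log. It reports only the source address and counts, so the queried names are examined only for hosts the check has flagged. The log format, window size and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

EPOCH = datetime(1970, 1, 1)

def make_sample_log():
    """Constructed DNS query log: two hosts with a steady trickle of lookups,
    then one host issues 60 lookups of unique names inside a single minute."""
    base = datetime(2012, 4, 25, 7, 0, 0)
    lines = []
    for minute in range(6):
        for i in range(3):
            for src in ("10.1.1.20", "10.1.1.21"):
                ts = base + timedelta(minutes=minute, seconds=15 * i)
                lines.append(f"{ts.isoformat()} {src} query host{i}.corp.example")
    for i in range(60):
        ts = base + timedelta(minutes=5, seconds=i)
        lines.append(f"{ts.isoformat()} 10.1.1.21 query x{i:04x}.example.net")
    return lines

def detect_dns_uptick(lines, window_s=60, factor=5.0, min_queries=20):
    """Return (source, window_start, lookups, distinct_names) for every window
    in which a source exceeds `factor` times its own median per-window rate.
    Only the source and counts leave this function; the names are tallied for
    the distinct count but not reported, keeping the alert minimal."""
    per_src = defaultdict(lambda: defaultdict(list))   # src -> window -> names
    for line in lines:
        ts, src, _verb, name = line.split(" ", 3)
        w = int((datetime.fromisoformat(ts) - EPOCH).total_seconds()) // window_s
        per_src[src][w].append(name)
    alerts = []
    for src, windows in per_src.items():
        baseline = median(len(v) for v in windows.values())
        for w, names in sorted(windows.items()):
            if len(names) >= min_queries and len(names) > factor * baseline:
                start = (EPOCH + timedelta(seconds=w * window_s)).isoformat()
                alerts.append((src, start, len(names), len(set(names))))
    return alerts
```

A high ratio of distinct names to lookups in the flagged window is the cue to pull that host's traffic for the later steps, without having inspected any other host's queries.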
INTRUSION RESPONSE EXAMPLE
• Law enforcement or customer notifies of indicia of breach
• Scramble response to confirm breach and establish scope
– review available logs
– look for malware
• Implement monitoring tools to observe and trace any continued intrusion
• Deal with notification issues (DP and users)
Starting From Behind
DATA PROTECTION ISSUES
• Many issues arise under EU and EU-type data protection regimes
– Collection/processing/access of any information about a living person is subject to regulation in the EU
– Consent may not work
– Exceptions may not apply
– Export may create additional issues
APT TOOLS: A RISK VIEW (listed in order of increasing privacy impact)
• General issues for all tools: data subject consent, DP registration
• Systems Data Monitoring Tools (IDS, IDP)
– Description: These tools send alerts based on rules of non-routine events, patterns of suspicious behavior, or unusual activity. The alerts will contain systems data to provide evidence of the type of issues spotted, e.g. file type, IP address, communications protocols, and what it was communicating with internally.
– Issues: IP addresses treated as PI by some jurisdictions; collection/review of physical security data may violate workplace rules, especially when correlated with other data
• Server Monitoring Tools
– Description: These tools are similar to the above but work at a server rather than network level, e.g. monitor a server to look for unusual events.
– Issues: Fact of access to particular servers may reveal protected health information or other PI
• Systems Data Storage Tools
– Description: These tools save all log / network data so it can be reviewed at a later date. These differ from the monitoring tools as the monitoring tools do not save all data but only provide information on suspicious events.
– Issues: Same as above but with data retention issues and increased prospect that substance of communications will be revealed
• Consolidation Tools (SIEM)
– Description: These tools take feeds from all of the other tools to enable suspicious events to be cross referenced. This technology can correlate event information and bring together a larger picture of activity above and beyond individual technology collection and analysis.
– Issues: In addition to the above, export issues (as data need to be normalized and compared, depending on configuration); additional retention issues
• Content Monitoring Tools (DLP)
– Description: These tools undertake deep packet inspection (looking at business content) based on a set of rules to try to identify content being exfiltrated or moved around the network by the attackers.
– Issues: Direct review of message content; export issues depending on configuration
• Content and Log Storage Tools
– Description: These tools effectively store all log and content data that passes over a certain point in the network, e.g. firewall, mail server, VPN tunnels.
– Issues: Direct review of message content, data retention issues, export issues
(Privacy impact increases from the top of the list to the bottom.)
DATA PROTECTION ISSUES
• Issues beyond the EU
– Protected Health Information in the US
– “Medical Information” under California Confidentiality of Medical Information Act
– Limitations on export of personal information (e.g., EU-type adequate protection requirements, express limits on personal financial information in China, anti-outsourcing laws for government contracts in the US,
RISKS IN NOT ACTING
• Failure to use adequate measures to protect personal information
• Failure to meet certification requirements (U.S.-EU Safe Harbor)
• Failure to meet contractual requirements (SCCs, BAAs, general client agreements)
• Failure to halt movement of PI and other controlled info within network by attacker (which movement may itself violate law)
RISKS IN ACTING
• Lack of consent
• Exceeding scope of consent or legitimate interests
• Use of unregistered applications or use of registered applications out of scope
• Undeclared use of data
• Export of PI without necessary consent or authority or in violation of express export limitations
• Unauthorized interception of communications
• Monitoring employees in violation of regulations and labor requirements
ISSUES: LOCAL EXAMPLES
• Germany: Takes a particularly strict approach and prohibits IP traffic interception in Germany and retention of such intercepted traffic data. Possible network security defense, but it is disputed.
• France: Employees have a right to private use of work systems, and private correspondence cannot be intercepted.
• South Korea: Requires consent from both parties to a conversation unless the party doing the monitoring is a South Korean entity, in which case employee consent is sufficient.
• China: Prohibits export of “state secrets” and requires reporting of cyber-crime (which presents interesting issues when the attacker appears to be sponsored by China). China also imposes sectoral restrictions on export of certain personal and business information.
• CIS: Limits use of encryption tools and prohibits export of “state secrets” and “commercial secrets”.
• Colombia: Sectoral limits on export of personal information.
DATA PROTECTION ISSUES
• Security necessities (regulatory and contractual) potentially conflict with various data privacy and related requirements
• Apparently no cases dealing specifically with this conflict, so no direct guidance on weighing priorities
THE DILEMMA
• Evolving area of law with conflicting obligations in and across jurisdictions
• Seeking 100% compliance may be as much of a fool’s errand as counting on 100% exclusion of hackers from your network
• Potential liability on both sides (including some criminal)
• What’s a privacy professional to do?
A PRACTICAL APPROACH
• Back to privacy first principles – FIPS
– Disclosure
– Transparency
– Least intrusion necessary
• Balance interests
– Ensure monitoring is necessary and no less intrusive means available
• Obtain employee consent where possible
– As part of onboarding
– Sign-on banners
– As part of ongoing security awareness efforts
A PRACTICAL APPROACH
• Monitoring notified to and agreed with Works Councils where required
• Ensure DP filings and other compliance materials adequately disclose monitoring
• BCRs may afford additional flexibility in response
• Establish protocols to limit use, retention and export
– limit access to necessary members of security team; log use
– escalation required to view substantive content
– maintain logs locally; escalation required for export (except non-event logs for SIEM)
– delete data when reasonable period for possible use in defense or response expires
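An added example (not the authors' code) that encodes the protocol in the last bullet as a hypothetical export gate sitting in front of a central SIEM: PI fields leave only as keyed pseudonyms whose key and lookup table stay local, records carrying message content leave only under a recorded escalation reference, every export is logged, and records past the retention period are refused. Field names, the pseudonym scheme and the retention period are assumptions.

```python
import hmac
import hashlib
from datetime import datetime, timedelta

# Hypothetical gate between local collection and a SIEM in another jurisdiction.
PI_FIELDS = ("src_ip", "dst_ip", "user", "host")   # treated as personal information
CONTENT_FIELDS = ("body", "attachment")            # substance of a communication

class ExportGate:
    def __init__(self, key, retention_days):
        self.key = key                              # never leaves the local site
        self.retention = timedelta(days=retention_days)
        self.lookup = {}    # pseudonym -> real value, kept local for re-identification
        self.audit = []     # (analyst, event id, outcome): the "log use" requirement

    def pseudonym(self, value):
        """Keyed hash: the same value maps to the same tag, so events from the
        same host or user still correlate in the SIEM without exposing the value."""
        tag = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self.lookup[tag] = value
        return tag

    def prepare(self, event, now, analyst, escalation=None):
        """Return the copy of `event` that may be sent to the SIEM, or None."""
        if now - datetime.fromisoformat(event["ts"]) > self.retention:
            self.audit.append((analyst, event["id"], "expired: purge, not export"))
            return None
        if any(f in event for f in CONTENT_FIELDS) and not escalation:
            self.audit.append((analyst, event["id"], "denied: content needs escalation"))
            return None
        out = {k: (self.pseudonym(v) if k in PI_FIELDS else v) for k, v in event.items()}
        self.audit.append((analyst, event["id"], "exported escalation=%s" % escalation))
        return out

    def reidentify(self, tag):
        """Local-only reversal; a privileged action the caller should log as well."""
        return self.lookup.get(tag)
```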
NECESSITY?
• Why is monitoring necessary?
– Many examples establish that perimeter defenses do not protect against APTs
– Zero day, “must have” software and user issues
• Once intruder is in, monitoring internal activity is often the only way to identify and trace attacker
• Checking substance of communications may be the only way to detect and thwart exfiltration of protected data
FLASH RESPONSE RISKS
• No employee consents or employee consents too narrow
• Regulatory lead-time issues
• Management overhead issues (time to process issues)
• Lack of event data because logs/traffic information not available
PLANNING FOR DEFENSE
• Planning for defensive actions
– What tools, what data and where
– What law applies
– What have you already declared/registered
– Closing the gap
– Privacy enforcement risk vs security risk
PRIVACY BY DESIGN
• Notice to users
• Disclosure to regulators
• Limited use
– Access
– Purpose
• Limited retention
• Tool escalation based on need
CLOSING THOUGHTS
• Wrapping up
– Make sure you understand how tools are deployed in your environment
– As always, the particulars matter
– Plan now for active defense, breaches and forensic response
CONTACT INFORMATION STROZ FRIEDBERG
Scott J. Stein B.S. Comp. Sci., J.D. Managing Director 901 5th Avenue Suite 2401 Seattle, WA, 98164 T: +1 206 204 3602 M: +1 206 397 6745 F: +1 206 204 3610 [email protected] www.strozfriedberg.com News: http://www.strozfriedberg.com/category/mediaevents/news-mediaevents
Kevin C. Boyle J.D., CIPP, CISSP Partner 555 Eleventh Street, NW Suite 1000 Washington, D.C. 20004-1304 T: +1 202 637 2245 M: +1 231 715 1089 F: +1 202 637 2201 [email protected] www.lw.com Blog: http://www.globalprivacyblog.com/