
Cyber Flash a Spotlight on Cyber and Privacy Trends Edition 1, December 2016


Editorial

Edition 1, December 2016

Dear Cyber and Privacy Community,

Season’s Greetings and our sincere best wishes for 2017. Welcome to the first edition of our Cyber Flash – a quarterly spotlight on Swiss and global cyber security trends and regulatory developments.

As we reach the end of 2016, I would like to highlight a few key issues and developments the Swiss and global marketplace faced this year that will continue to have an impact on your daily business in 2017 and beyond.

The fast growing trend towards a digital economy offers an ideal breeding ground for sophisticated cyber threat actors. Personal data, intellectual property, critical infrastructure and - as we have seen in the case of the cyber espionage on the Iran nuclear deal negotiations in Geneva - even military and national security can be compromised. This makes it crucial to stay on top of the latest Advanced Persistent Threat developments and to have a plan in place to protect your organisation.

Furthermore, the formal publication of the new GDPR text earlier this year brought on a flurry of privacy and data protection related activities across Europe, which you need to be aware of this winter. This news flash provides a brief summary.

On behalf of our Cyber Risk Services team I would like to thank you for your trust and ongoing relationship, and wish you an interesting read.

Yours sincerely,
Mark Carter
Managing Partner
Risk Advisory

Highlights, issue 1

Cyber security
• Advanced Persistent Threat (APT) – latest developments, potential impacts and recommendations
• Cyber espionage at nuclear deal negotiations in Geneva

Privacy and data protection
• Towards data-centric security: Enterprise Digital Rights Management (EDRM)
• Privacy issues you need to be aware of this winter

• Events, conferences and contacts


Cyber security

Advanced Persistent Threat: latest developments, potential impact and recommendations

“Advanced Persistent Threat” (APT) is probably one of the most hyped phrases since Mandiant published one of the first reports about such a sophisticated threat actor group in 2013[1]. Now in 2016 we see “APT reports” almost monthly and all the interesting facts and details get lost in a lot of media and marketing hyperbole. This article provides a crisp explanation of APTs and summarises the latest developments with recommendations to protect your organisation.

What does it mean?

APT stands for Advanced Persistent Threat, describing a non-opportunistic group breaching organisations in a strategic, long-term manner with clear objectives. In addition, they will not easily be deterred in their actions until they have achieved what they set out to do. The following graphic provides a brief explanation of each term.

[Figure 1: Advanced Persistent Threat explained.]

In simple words, APTs are the “cyber hulks” out there and totally differ from the opportunistic threat actors who, for example, are only looking to steal some credit card data for short term gain. Moreover, an APT is never just a random piece of malware even though they do sometimes use sophisticated self-made software for their attacks. APTs are dangerous because of the people behind the operation - those who plan and run the APT campaigns and control the tools.[2]

Latest developments

The “APT1” report Mandiant published in 2013 resembled the opening of a hunting season on APT groups. Organisations around the globe - such as Kaspersky, CrowdStrike, HP, TrendMicro, to name only a few - started publishing details about identified APT groups like “Putter Panda”, “FancyBear”, “KungFu Kittens” and “Playful Dragon”. And the hunting season is far from over.

Since then, these organisations have identified more than 150 APT groups globally. Thanks to these reports, the industry is not only aware of the evolving threats, but now also has details on their tactics, techniques and procedures. Unfortunately it seems that there has not been much change in tactics in recent years. This might be because APT groups are still successful with their current approach consisting of:
• Targeted attacks via e-mails and watering hole attacks
• Custom-made malware with different infection stages
• Exfiltration via DNS, HTTP POST and similar

The only things that have been evolving in recent years are:
• APT groups no longer go dark after successful campaigns
• Decreasing persistence
• Increasing usage of native OS tools for operations

[1] Mandiant: APT1 – Exposing One of [missing]’s Cyber Espionage Units (2013)
[2] http://www.scmagazineuk.com/black-hat-attendees-na%C3%AFve-on-advanced-persistent-threats/article/450210/ (accessed 19.09.2016)


Our first observation of “going dark” refers to a group shutting down its infrastructure and immediately discontinuing all activities as soon as they achieved their objectives and/or security researchers detected them. Seeing this behaviour change is surprising. One would assume that an APT group would go dark, vanish and stay hidden to protect itself from detection. The first big campaigns showed exactly this operating pattern; recently, however, groups continue their activities after their public disclosure. In fact, it seems like they immediately use the gained information against new targets and move on seamlessly. This operating model offers an excellent opportunity to prepare and defend, because now APT actors/groups can be better identified by their infrastructure, tactics, techniques and procedures – as long as they are detected quickly and organisations exchange threat intelligence quickly.

The second development can be distinguished from entries in the “Targeted Cyberattacks Logbook”[3]. While the number of campaigns is rising, their length is actually decreasing. The Carbanak group - also known as Anunak group - illustrates this tendency. This group is spending only 42 days on average within a target network until it fulfilled its objectives.[4] For such short timeframes, a fast detection and rapid response is crucial.

The third and last observation is the increasing usage of native operating system tools like powershell, commandline, psexec and others. One explanation for this phenomenon may be the very stealthy nature of these tools, as most companies do not monitor their usage and AV systems do not report them as malicious. In addition, they are very powerful and cheaper to use compared to custom-made, self-engineered malware, as security researchers will detect and flag (“burn”) the latter quickly during the ongoing “APT hunt”. A prominent example where threat actors compromised an organisation and stole dozens of gigabytes of data with the help of OS tools recently made headline news in Switzerland[5].

Given this pressure resulting from this “APT hunt”, we might see memory-only malware in the future for APT campaigns, which has been predicted by industry insiders for some time. In fact, for malware such as the DDoS Bot, memory-only versions already exist, where a reboot clears the device. As a more sophisticated version of Mirai (called “[name missing]”) is in the wild, we might witness APT campaigns that have custom memory-only malware in their repertoire as well.

Detection is key for APTs, and there are a couple of simple concepts that many companies do not yet implement systematically, but that are crucial to detect a compromise:
• Logging. Log proxy events, webserver events, DNS, AV events (yes, also “cleaned” and “moved to quarantine” events), store all in a central location and have your security teams review them.
• Monitor the usage of native OS tools like powershell and psexec. The average user does not need them.
• Use Two-Factor Authentication wherever possible, including high-privileged Active Directory accounts.

Even though these groups are labelled as “advanced”, it does not mean you have no chance to protect your data against them. In many cases, you cannot protect yourself from an infection, but the infection itself and the compromise in your network always leave traces that can be detected and acted upon.

Felix Rieder
Senior Consultant
Risk Advisory
+41 58 279 6515

[3] Targeted Cyber Attack Logbook, https://apt.securelist.com/#secondPage (accessed 17.11.2016)
[4] Anunak APT, https://www.fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf (accessed 17.11.2016)
[5] RUAG APT Case, technical report, https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html (accessed 16.11.2016)


Cyber espionage at nuclear deal negotiations in Geneva
Government organisations targeted by advanced cyber threat actors

The world has changed. A few hundred years ago spies relied on infiltrating organisations in person and a dozen years back they could at least install bugs. Nowadays nearly every electronic device can be turned into a bug to eavesdrop on anything that happens around it – in addition to the ability to steal digital communication and files.

This reality finally sunk in when the office of the attorney general in Switzerland (“Schweizer Bundesanwaltschaft”) recently confirmed an attack on the nuclear deal negotiations with Iran. Parts of the negotiation took place in a conference hotel in Geneva, which was compromised by an unknown threat actor using a sophisticated malware called “Duqu 2.0”[6]. Based on today’s knowledge this malware belongs to a so-called “Advanced Persistent Threat” (APT) campaign. The same group responsible for developing the “Stuxnet” Trojan is suspected to also have developed this Trojan dubbed “Duqu 2.0”. Most of the activities by this group seem to target Iran. Stuxnet sabotaged Iran’s nuclear programme by infecting the processor controlling the centrifuges that separate nuclear material. The Duqu 2.0 Trojan is mostly used for intelligence gathering attacks. It can be assumed that this Trojan was built with the specific purpose of information exfiltration / intelligence gathering based on its functionality and the discovered modules.[7]

Currently more than 150 active APT campaigns have been identified around the globe; some of them solely targeting government organisations:[8]
• APT6 targets government organisations of the United States of America[9]
• Hellsing is an APT campaign with focus on Vietnam and other governments in South Asia[10]
• SVCMONDR is targeting governments in Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal, the Philippines and [country missing].[11]
• Hammer Panda has a clear focus on Russian organisations.[12]

A look at all these campaigns confirms that government organisations are under attack – and it is not a recent development, but instead has been going on for quite some time already. If the “APT” topic may have seemed a distant concern in the past, the above as well as the recently confirmed attack on Ruag in Switzerland have caused a shift in perception: the threat is real, close by, and affects everyone including governments and nation states. Are you prepared and taking all the necessary precautions to be secure?

For further information about APTs, please refer to our “APT’s latest developments” article in this Cyber Flash.

Felix Rieder
Senior Consultant
Risk Advisory
+41 58 279 6515

[6] Schweizer Bundesanwaltschaft bestätigt Spionagetrojaner bei Atomverhandlungen (Swiss Federal Prosecutor’s Office confirms espionage Trojan at nuclear negotiations), http://www.heise.de/newsticker/meldung/Schweizer-Bundesanwaltschaft-bestaetigt-Spionage-Trojaner-bei-Atomgespraechen-3456012.html (accessed 16.11.2016); Cyber-Spionage bei Atomkonferenz in Genf (Cyber espionage at nuclear conference in Geneva), http://www.srf.ch/news/international/cyber-spionage-bei-atomkonferenz-in-genf (accessed 16.11.2016)
[7] The Mystery of Duqu 2.0, https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf (accessed 19.11.2016)
[8] APT Groups and Operations, https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU (accessed 19.11.2016)
[9] APT6, https://motherboard.vice.com/read/fbi-flash-alert-hacking-group-has-had-access-to-us-govt-files-for-years (accessed 22.11.2016); https://www.zscaler.com/pdf/technicalbriefs/tb_advanced_persistent_threats.pdf (accessed 22.11.2016)
[10] The Chronicles of the Hellsing APT, https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/ (accessed 22.11.2016)
[11] Recent APT threats, https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/ (accessed 22.11.2016)
[12] Chinese Cyberspies Pivot To Russia In Wake Of Obama-Xi Pact, http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242 (accessed 22.11.2016)


Privacy and data protection

Towards data-centric security: Enterprise Digital Rights Management (EDRM)

[…] efforts typically aim at achieving improved customer experiences, seamless collaboration between employees and partners, and automation through M2M (Machine-to-Machine) communication, e.g. IoT. As such, they foster digital ecosystems that include mobile and cloud solutions, as well as data transfers across multiple networks, platforms, people, applications and services.

As corporate boundaries erode, a traditional perimeter-based security may not be able to effectively protect companies’ data assets. To address this growing risk, there is a need to apply protection on the data level and to secure data throughout the entire lifecycle, i.e. when it is created, stored, used or exchanged between employees, partners and external parties, until it is finally archived or deleted.

As cyber security practitioners, we witness a growing interest in data-centric security among our clients. A technology that has gained particular popularity and that frequently appears on our customers’ security roadmaps is Enterprise Digital Rights Management (EDRM). EDRM technology has been around for several years, but its availability on mobile devices and compatibility with widely used collaboration and email platforms enabled its recent expansion. It is a combination of identity and access management and encryption. EDRM-protected content is encrypted and coupled with a protection policy that specifies permissions for different users and user groups, such as view, edit, download, print, save or forward. For a user to access protected content, authentication is needed. Based on the identity, the user is granted permissions in accordance with the protection policy. In contrast to a traditional, application-oriented identity and access management solution, EDRM protection stays with the content and ensures it is secured independently of the application, device or access location. EDRM is typically used to protect highly sensitive documents and emails exchanged and accessed by multiple parties. Prominent examples include board memos, commercially sensitive documents, such as product design documents, M&A (merger and acquisition) plans, financial reports, or customer information.

A content owner is empowered to revoke or change access rights at any time, or to set the expiration date so that once the content is no longer sensitive, access rights are relaxed or removed. The protection granularity is solution- and vendor-specific, and ranges from protecting a document library or a folder, a single file, to only protecting a confidential part of a file.

Implementation observations and recommendations

Although EDRM offers effective data protection capabilities, it is a recent technology and its impact on the existing business processes needs to be carefully evaluated. For instance, there are some common pitfalls associated with EDRM, such as content over-protection, inappropriately blocked access or impact on e-discovery capabilities. To address these concerns, we advise our clients to take a structured and phased implementation approach. This includes a careful selection of use cases and identification of business benefits, proof-of-concept and pilot deployments, impact assessments and close involvement of business stakeholders. Furthermore, EDRM is not only about technology: having a robust governance structure, proper training and awareness of the user community are important success factors as well.

Finally, our experience shows that EDRM is most effective when combined with other data-centric protection technologies, such as DLP (Data Loss Prevention). EDRM and DLP have complementary capabilities, which can be leveraged to provide a more cohesive data protection architecture. For instance, a DLP solution is able to detect sensitive data and apply EDRM policy to restrict access to identified data.
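To make the policy concepts in this article concrete (permissions per user and group, authentication before access, owner revocation, and an expiry date after which protection is relaxed), here is an added example in Python; it is not code from the article or from any EDRM product. Users, groups, secrets, the content id and the dates are constructed; the password check is a stand-in for a real identity provider and the encrypted payload is left opaque, since the point shown is that access is decided by the policy bound to the content, not by the application that opens it.

```python
"""Added example (not from the article or any EDRM product): a minimal model of
an EDRM protection policy that is bound to the content it protects.
Users, groups, secrets, content id and dates are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import hmac

PERMISSIONS = frozenset({"view", "edit", "download", "print", "save", "forward"})


@dataclass
class ProtectionPolicy:
    """Travels with the content; evaluated wherever the content is opened."""
    owner: str
    grants: dict = field(default_factory=dict)       # principal -> frozenset of permissions
    expires_at: Optional[datetime] = None             # after this the content is no longer sensitive
    relaxed_after_expiry: frozenset = frozenset({"view"})
    revoked: set = field(default_factory=set)

    def grant(self, principal, perms):
        """Owner sets or changes rights; principal is a user or 'group:<name>'."""
        unknown = set(perms) - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        self.grants[principal] = frozenset(perms)
        self.revoked.discard(principal)

    def revoke(self, principal):
        """Owner withdraws access at any time; a revoked principal gets nothing, even after expiry."""
        self.grants.pop(principal, None)
        self.revoked.add(principal)

    def permissions_for(self, user, groups, now):
        if user in self.revoked:
            return frozenset()
        if self.expires_at is not None and now >= self.expires_at:
            return self.relaxed_after_expiry
        allowed = set(self.grants.get(user, ()))
        for group in groups:
            allowed |= self.grants.get(f"group:{group}", frozenset())
        return frozenset(allowed)


@dataclass
class ProtectedContent:
    content_id: str
    encrypted_blob: bytes         # opaque here; a real system releases the key only after a permit
    policy: ProtectionPolicy


# Constructed directory: user -> (sha256 of secret, groups). Stand-in for a real
# identity provider, not a recommendation for how to store passwords.
DIRECTORY = {
    "alice": (hashlib.sha256(b"alice-secret").hexdigest(), frozenset({"board"})),
    "bob": (hashlib.sha256(b"bob-secret").hexdigest(), frozenset({"finance"})),
    "carol": (hashlib.sha256(b"carol-secret").hexdigest(), frozenset({"board"})),
    "mallory": (hashlib.sha256(b"mallory-secret").hexdigest(), frozenset()),
}


def authenticate(user, secret):
    """Return (user, groups) on success, None otherwise."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return None
    digest = hashlib.sha256(secret.encode()).hexdigest()
    if not hmac.compare_digest(digest, entry[0]):
        return None
    return user, entry[1]


def request_access(content, user, secret, permission, now):
    """Authenticate first, then check the requested action against the bound policy."""
    identity = authenticate(user, secret)
    if identity is None:
        return False
    user, groups = identity
    return permission in content.policy.permissions_for(user, groups, now)


def build_example():
    """A board memo: owner has everything, the board group may view and print, bob may only view."""
    now = datetime(2016, 12, 1, tzinfo=timezone.utc)
    policy = ProtectionPolicy(owner="alice", expires_at=now + timedelta(days=90))
    policy.grant("alice", PERMISSIONS)
    policy.grant("group:board", {"view", "print"})
    policy.grant("bob", {"view"})
    return ProtectedContent("memo-2016-12", b"<opaque ciphertext>", policy), now


def run_scenario():
    """Walk through the article's concepts and return each decision by name."""
    content, now = build_example()
    later = now + timedelta(days=91)           # past the expiry date
    out = {
        "bob_view": request_access(content, "bob", "bob-secret", "view", now),
        "bob_forward": request_access(content, "bob", "bob-secret", "forward", now),
        "bob_wrong_secret": request_access(content, "bob", "wrong", "view", now),
        "carol_print_via_group": request_access(content, "carol", "carol-secret", "print", now),
        "carol_edit": request_access(content, "carol", "carol-secret", "edit", now),
        "mallory_view": request_access(content, "mallory", "mallory-secret", "view", now),
        "mallory_view_after_expiry": request_access(content, "mallory", "mallory-secret", "view", later),
    }
    content.policy.revoke("bob")               # owner changes their mind
    out["bob_view_after_revoke"] = request_access(content, "bob", "bob-secret", "view", now)
    out["bob_view_revoked_after_expiry"] = request_access(content, "bob", "bob-secret", "view", later)
    return out


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:32} {'permit' if decision else 'deny'}")
```

Two design choices are worth noting: revocation is checked before expiry, so a principal the owner has explicitly cut off does not regain relaxed access once the document ages out; and group grants are keyed as `group:<name>`, so a user inherits rights from every group the directory places them in without a direct entry in the policy.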


If you would like to have an initial conversation about EDRM and Deloitte’s approach to making it a success, please get in contact with our team.

Dr. Dusko Karaklajic
Manager
Cyber Risk Services
+41 58 279 7386

Privacy issues you need to be aware of this winter

Our summary of the major November and December Privacy Flash editions provides an overview of the most important privacy developments of the past two months.

Two areas stand out this winter. Firstly, much anticipated guidance on the GDPR is slowly becoming available. Following the recently published GDPR guidance issued by both the UK and Belgium, the Hungarian DPA also published a guide for data controllers and data processors, explaining how to become compliant with the upcoming GDPR in 12 steps. In the coming months, it is expected that DPAs will issue additional instruments and guidelines for further assisting companies and organisations in preparing for the GDPR. Also related to the GDPR, the Article 29 Working Party gave a comprehensive run-down of the various new GDPR concepts that were discussed during the so-called ‘Fablab’ workshop on 31 July, 2016. The purpose of this workshop, entitled “GDPR/from concepts to operational toolbox, DIY”, had been to provide assistance on how to properly prepare for the GDPR on a timely basis.

Finally, the French CNIL published the results of their GDPR public consultation. Additional guidance, both from the UK ICO as well as the Article 29 Working Party, is expected over the coming weeks and months.

In the area of enforcement, a British telecommunications company was fined £400,000 for failing to meet its security obligations in terms of implementing foundational security measures. The company had done too little to protect the customers’ information, which had resulted in a data breach. This fine is one of the biggest of the ICO ever and falls just below the ICO’s limit of £500,000.

The second major development relates to enforcement actions. The Dutch DPA has announced that it shall soon hand out fines following various investigations around data breaches with several companies. The DPA has further shared that it has received almost 4000 cases of data breaches including cases where the protection of personal data was considered “drastically insufficient”. It is therefore to be expected that fines will follow in due course. German DPAs announced that they will start auditing around 500 companies on the topic of international data transfers with the goal of raising awareness. In France, a new act was published that makes class actions possible for violation of the French data protection legislation.

In other key developments:
• The Court of Justice of the European Union declares dynamic IP addresses to be personal data in the Breyer decision.
• Last month, during her appearance before the Culture, Media and Sports Select Committee, UK Secretary of State Karen Bradley announced that the UK shall implement the GDPR in May 2018 regardless of the circumstances around Brexit. This aspiration has been widely approved, including by the ICO.
• The European Parliament gives green light to the EU-US data protection Umbrella Agreement.

Dr. Klaus Julisch
Director
Cyber Risk Services
+41 58 279 6231

Privacy Flash

For a detailed view of the latest privacy and data protection trends across Europe, download the PDF documents below:
• Issue 9, Dec 2016
• Issue 8, Nov 2016


Events, conferences and contacts

CPDP Computers, Privacy & Data Protection
Brussels, Belgium
25 – 27 Jan 2017
www.cpdpconferences.org

The annual Computers, Privacy & Data Protection (CPDP) conference brings together academics, lawyers, practitioners, policymakers, industry and civil society to discuss legal as well as technological developments in data protection and privacy.

European Privacy Academy
Dolce La Hulpe, Belgium
www.europeanprivacyacademy.com

The European Privacy Academy is a unique training, knowledge and networking centre, focused on practical day-to-day management of privacy challenges. It provides both an on-campus data protection officer course and on-campus or in-house department-specific data protection training. These trainings allow attendees to learn how to efficiently manage privacy and security in an integrated risk-based manner.

The next European Privacy Academy DPO Course sessions will take place on:
08 - 11 May 2017 and 18 Sep 2017
13 - 16 Nov 2017 and 05 Feb 2018
07 - 10 May 2018 and 17 Sep 2018

IAPP Europe Data Protection Intensive
London, UK
13 – 16 Mar 2017
www.iapp.org/conference/iapp-europe-data-protection-intensive/

The Data Protection Intensive of the International Association of Privacy Professionals (IAPP) returns to London from 13 to 16 March 2017 and offers data protection professionals from around the world the opportunity to deep dive into today’s critical data privacy topics and the coming challenges. The intensive is divided into a two-day training and workshop taking place from 13 to 14 March. These practical sessions are followed by the actual conference on 15 and 16 March.

Cyber Risk Services contacts

For further information or an individual consultation on how our Cyber Risk experts can help you, please do not hesitate to contact us.

Dr. Klaus Julisch
Director
Cyber Risk Services
+41 58 279 6231

Mark Carter
Managing Partner
Risk Advisory
+41 58 279 7380


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/ch/about for a detailed description of the legal structure of DTTL and its member firms.

Deloitte AG is a subsidiary of Deloitte LLP, the United Kingdom member firm of DTTL.

Deloitte AG is an audit firm recognised and supervised by the Federal Audit Oversight Authority (FAOA) and the Swiss Financial Market Supervisory Authority (FINMA).

This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte AG would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte AG accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.

© 2016 Deloitte AG. All rights reserved.
