[Privsec-discuss] detecting exfiltration

Brian Trammell (IETF) <ietf@trammell.ch> Wed, 08 November 2017 16:22 UTC

Return-Path: <ietf@trammell.ch>
X-Original-To: privsec-discuss@ietfa.amsl.com
Delivered-To: privsec-discuss@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 804F8128768 for <privsec-discuss@ietfa.amsl.com>; Wed, 8 Nov 2017 08:22:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id tXHqhpXK3UQc for <privsec-discuss@ietfa.amsl.com>; Wed, 8 Nov 2017 08:22:30 -0800 (PST)
Received: from gozo.iway.ch (gozo.iway.ch []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 697901286D6 for <privsec-discuss@iab.org>; Wed, 8 Nov 2017 08:22:30 -0800 (PST)
Received: from gozo.iway.ch (localhost []) by localhost (Postfix) with ESMTP id 371A9340D88; Wed, 8 Nov 2017 17:22:29 +0100 (CET)
Received: from localhost (localhost []) by localhost (ACF/18338.26655); Wed, 8 Nov 2017 17:22:29 +0100 (CET)
Received: from switchplus-mail.ch (switchplus-mail.ch []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by gozo.iway.ch (Postfix) with ESMTPS; Wed, 8 Nov 2017 17:22:29 +0100 (CET)
Received: from [] (account ietf@trammell.ch HELO []) by switchplus-mail.ch (CommuniGate Pro SMTP 6.1.18) with ESMTPSA id 35354388; Wed, 08 Nov 2017 17:22:29 +0100
From: Brian Trammell (IETF) <ietf@trammell.ch>
Message-Id: <20264F85-19D3-4CFD-859E-5CF0978B45F2@trammell.ch>
Content-Type: multipart/signed; boundary="Apple-Mail=_212FE71A-1F59-4A20-AF3B-AF56B045B386"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Wed, 8 Nov 2017 17:22:28 +0100
In-Reply-To: <1ba3b565-3bcf-2493-0f79-36ca3bf6a933@cs.tcd.ie>
Cc: IETF Discussion Mailing List <ietf@ietf.org>, privsec-discuss@iab.org
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <9bd4e3f2-b781-16cd-f486-56e491c239f7@ericsson.com> <77bb17eb-abd2-f611-b737-f5b9d8b5188e@network-heretics.com> <> <02fd9185-eb3b-80bb-9b09-536b6120e911@network-heretics.com> <> <d9288b89-a7b8-a510-2c01-d1284b10dbdf@network-heretics.com> <9a7f241c-e8ad-18eb-392f-276c62af287c@ericsson.com> <37687bbf-4c06-0542-8efa-b3cd8a016c4a@network-heretics.com> <4450ac76-f3d4-96c7-7df6-bc424d9cfd3b@ericsson.com> <EBD240D1-A363-4237-BAFF-044987B0D760@network-heretics.com> <c62c4d03-abf8-d418-7097-7aaa3477a1ba@ericsson.com> <9edf410b-54dd-66a6-12f0-6b65cbe7a32a@cs.tcd.ie> <D6274256.8B776%lee@asgard.org> <55B7E8CA-A4E7-4A74-A10B-21FBD56DCFCF@google.com> <D6277B2F.8B95A%lee@asgard.org> <0d41ecbf-f0a8-d4d5-fdaf-94251d2cabaa@cs.tcd.ie> <88CBE84D-6BF8-4540-A7FF-FA1EF35E580C@trammell.ch> <1ba3b565-3bcf-2493-0f79-36ca3bf6a933@cs.tcd.ie>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/privsec-discuss/JSMj4zQ223hLCi4Y5ly_xlgW3L8>
Subject: [Privsec-discuss] detecting exfiltration
X-BeenThere: privsec-discuss@iab.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Privacy and Security Discussion List <privsec-discuss.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/privsec-discuss>, <mailto:privsec-discuss-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privsec-discuss/>
List-Post: <mailto:privsec-discuss@iab.org>
List-Help: <mailto:privsec-discuss-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/privsec-discuss>, <mailto:privsec-discuss-request@iab.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Nov 2017 16:22:33 -0000

hi Stephen,

trimming CC, proposing we move this to privsec-discuss to stop accumulating Narten points... :)

> On 8 Nov 2017, at 10:36, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> On 08/11/17 09:16, Brian Trammell (IETF) wrote:
>> Indeed, I've been disappointed and perplexed that so much of the
>> rhetoric around encryption post-Snowden (as epitomized by 7258) has
>> focused exclusively on a nation-state
> Ahem:-) 7258 says:
>  "The
>   motivation for PM can range from non-targeted nation-state
>   surveillance, to legal but privacy-unfriendly purposes by commercial
>   enterprises, to illegal actions by criminals. "
> I think we got that right. I agree that there has been too little
> focus put on the non-state actor cases.

7258-the-document is fine. It's the simplification of the discussion following 7258 that I'm disappointed with.

>> or co-opted/evil
>> large-network-operator attacker model, which is certainly a point of
>> concern but not really where the biggest threat to collective privacy
>> lies these days. I'm concerned that in our drive to Encrypt All The
>> Things, absolutely the correct response when your only concern is a
>> nation-state on the wire, we risk making it difficult to understand
>> and defend against (what I'll call) the corporate-data-hording
>> attacker model. To date, most of the evil toys phoning home and other
>> such nastiness that I've heard of has been discoverable in part
>> because said evil toys were using circumventable, crap, or no
>> crypto.
> Yea, a different thread.

...here is that thread...

> I agree with Ted though, our job is partly
> to ensure that the bits on the wire don't give the game away in all
> cases. I'd also note that those exfiltrating data have plenty of
> standard and non-standard tools available to try hide their actions
> so us making standards such that exfiltration seems easier to spot
> doesn't change the problem much for the exfiltrator.
> So I don't agree that the tension here is between standard crypto
> protocols and spotting exfiltration as the latter can be done via
> stego or covert channels or other non crypto ways of hiding data.

There are two and a half exfiltration models here which are technically similar but operationally distinct, and it might make sense to tease them apart to see if that sheds some light on ways to approach this problem:

(1) Corporate exfil (your "marketing slides" example below). Here, in most cases, the data exfiltrated is stored on systems owned by the data owner, and is accessed using credentials issued by the data owner, usually by an employee, contractor, or other natural person intentionally given access to some of those systems, if not to the specific data owned. A lot of the "we need to see content" argument is based on this model. In any case, best practices in enterprise IT prescribe a defense-in-depth approach, with a network perimeter (currently with cleartext inspection, in the future hopefully without) as well as endpoint security on servers and clients, and there is an IT security department/organization with a clear responsibility to detect and prevent exfiltration. In this envrionment, we're probably already down the stego rathole, and as in most things human intelligence, though expensive and difficult, is the best way to prevent the insider threat.

From a technical standpoint, in almost all of these cases, the exfiltration can *could* be detected on the endpoint, before it's sent, though to my knowledge most of the systems research in this space (doing things like trying to taint RAM, files, and sockets that *could have seen* information content derived from a given object) has results that cannot currently be made to apply to most practically usable systems. Trying to close the gap between theoretical and applicable in terms of endpoint exfil detection is certainly worth effort here.

(2) IoT exfil (a lazy characterization, but let's run with it for the headline potential). Here, the data exfiltrated is generated by a device owned by the data owner, but the data owner has no access to that data without exceptional means -- for these purposes I'm going to go ahead and make a stretch that the law hasn't universally yet, and say that pictures of you taken in your house by a teddybear you bought belong to you.

Most consumers don't have a corporate IT department behind them, so the defense now is some researcher notices that teddybear X is sending a *whole lot* of data to some AWS instance somewhere, hacks the crap crypto and figures out that, yeah, that's video of what the teddybear sees. There might be stego here already, too, but we wouldn't know about it without treating all IoT firmware as malware and analyzing it as such. Come to think of it, that might be a promising (if high-risk) career direction for young malware researchers.

(2.5) Platform/app exfil: stuff like apps keeping full mobility traces, even when the app isn't focused or the trace isn't necessary for the app's function. Here, you have a lot of the same properties as IoT exfil, with the caveat that the platform owner steps into the IT security management role. It can restrict apps' access to information through app store restrictions, API restrictions, and a system of permissions (though we all know how well that works in practice on Android) and user prompts ("do you want TrackMeEverywhere to see your location even when you aren't using it?"). This works better than (2) above as long as you have absolute trust in the platform, and decays to (2) above when you don't.

I think that (1) and (2/2.5) are fundamentally different beasts, in terms of who's doing the detecting and maybe in terms of how.

> The following may well work regardless of crypto: "I'll send you
> the marketing slides, in one of which will be an image that you
> can zoom until you can read the paper the actor is holding and on
> that you'll find the secret formula":-)
> I do however think it could be worthwhile someone documenting
> the myriad ways in which exfiltration can be done or has been done
> (esp. from home/enterprise networks) but I don't recall one of
> those. Anyone know of a good survey that is not aiming to sell
> some specific product/service?

Argh, no. Adding it to my list of things I'd like to have time to think more about.