Slide 1

Hacking GDPR: Tips for the Red Team, Blue Team and Legal Team
Kelly Villanueva
Twitter: @fuzzzynoise
Email: [email protected]

Slide 2

What is GDPR?
• General Data Protection Regulation (EU Regulation 2016/679)
• Applies to any organisation, wherever it is located, that processes personal data of people in the EU: it is about data subjects in the EU, not EU citizenship (Art. 3: establishment in the EU, offering goods or services to people in the EU, or monitoring their behaviour)
• Enforcement fines: up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher
• Enforcer: the national supervisory authority (data protection authority) of each EU member state, coordinated through the European Data Protection Board
• Applies from May 25, 2018

Slide 3

GDPR concepts to be aware of
• Personal data: the regulation's term for what US practitioners usually call PII (Personally Identifiable Information); it covers any information relating to an identified or identifiable natural person, which is broader than most US PII definitions
• Security of processing (Art. 32): appropriate technical and organisational measures, including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
• Data availability: harm is measured by the impact on individuals' rights and freedoms, so losing access to personal data (ransomware, destruction) is a breach in its own right, not only disclosure
• Breach notification, the 72-hour rule (Art. 33): notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal-data breach; affected individuals must be told when the breach is likely to result in a high risk to them (Art. 34)
• The right to be forgotten (Art. 17, right to erasure)

Slide 4

About me
• Network penetration tester with experience working with legal and blue teams
• Purpose of this presentation
• Disclaimer: these views are my own and do not represent the position of my employer

Slide 5

My interest / background in GDPR
• GDPR assessments
• Incident response
• Tracked the 2017 security and privacy enforcements with monetary fines
• Observed the disconnect between compliance and security teams
• Phishing with GDPR

Slide 6

Red team: the attack lifecycle
1. Reconnaissance
2. Initial compromise
3. Establish a foothold
4. Lateral movement and privilege escalation, repeated as a loop: internal reconnaissance, establish persistence, escalate privileges
5. Data exfiltration

Slide 7

Recon and initial compromise
• Right to be forgotten
• IP information can be considered personal data (the CJEU has held that even dynamic IP addresses can be personal data)
• Setting up phishing domains: registrant name, address, email and phone are now redacted from public WHOIS output, so a freshly registered phishing domain reveals little about who stood it up
• Updated website best practices
• Regional Internet Registries: US: ARIN (American Registry for Internet Numbers); EU: RIPE NCC

Slide 8

Lateral movement
• User hunting
• Data maps and privacy impact assessments (PIAs, the Art. 35 DPIA under GDPR): compliance artefacts that record where personal data lives and who can reach it; found on a file share, they double as the attacker's target list
• What is the easiest solution? Active Directory and domain trusts

Slide 9

Data exfiltration
• Why decrypt ransomware? Under GDPR a loss of availability of personal data is a breach, and you need to know which personal data was affected to notify correctly
• Investigation incentives: the 72-hour window forces the victim to scope the breach quickly
• Malware that collects personal data: Alina (point-of-sale card scraper), Zeus (banking trojan harvesting credentials)

Slide 10

Blue team
• WHOIS gone!?! Registrant details are redacted in registrar WHOIS/RDAP output, so pivoting from a phishing domain to its owner via the registrant's email or name no longer works
• Identifying malicious domains: rely on what is still published (registration date, registrar, nameservers) and on the domain name itself (lookalike and homoglyph patterns against your own brands)
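Slide 7 (the red team registering phishing domains) and this slide (the blue team losing WHOIS) turn on the same fact: post-GDPR, registrar WHOIS/RDAP output redacts the registrant, so defenders have to pivot on what is left. The Python below is an added example, not code from the talk or the speaker, that triages a candidate domain with a lookalike test plus the non-redacted RDAP fields. The brand list, the sample RDAP record, the confusable table and the scoring thresholds are all constructed for illustration, and the registrable-label logic assumes a single-label TLD rather than consulting the Public Suffix List.

```python
# Added example: triage of a suspicious domain when the RDAP registrant is redacted.
# Brand list, RDAP sample, confusable table and thresholds are constructed, not from the talk.
import json
from datetime import datetime, timezone

# Hypothetical list of brands the blue team protects.
BRANDS = ["paypal", "microsoft", "examplebank"]
# Single-character confusables seen in lookalike registrations (illustrative, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})
# Multi-character sequences that render like one letter in many fonts.
MULTI_CHAR = (("rn", "m"), ("vv", "w"))
# Fixed reference time so the example is reproducible: GDPR enforcement day.
AS_OF = datetime(2018, 5, 25, tzinfo=timezone.utc)


def normalize_label(label: str) -> str:
    """Fold common homoglyph substitutions back to the letters they imitate."""
    out = label.lower().translate(CONFUSABLES)
    for src, dst in MULTI_CHAR:
        out = out.replace(src, dst)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label. Assumes a single-label TLD; real tooling should use the Public Suffix List."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike(domain: str, brands=BRANDS):
    """Return (brand, reason) when the label imitates a protected brand, else None."""
    label = registrable_label(domain)
    norm = normalize_label(label)
    for brand in brands:
        if label == brand:
            continue  # the brand's own registrable label, e.g. paypal.com
        if brand in norm and len(norm) > len(brand):
            return brand, "brand embedded in label"
        if levenshtein(norm, brand) <= max(1, len(brand) // 5):
            return brand, "homoglyph or typo of brand"
    return None


def rdap_pivots(rdap: dict, now: datetime = AS_OF) -> dict:
    """Pull out what redaction leaves behind in an RDAP (RFC 9083) domain record."""
    created = None
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            created = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    registrar, registrant_redacted = None, False
    for entity in rdap.get("entities", []):
        # jCard layout: ["vcard", [[name, params, type, value], ...]]
        props = entity.get("vcardArray", ["vcard", []])[1]
        fields = {p[0]: str(p[3]) for p in props if len(p) >= 4}
        roles = entity.get("roles", [])
        if "registrar" in roles:
            registrar = fields.get("fn")
        if "registrant" in roles:
            registrant_redacted = not fields or any("REDACTED" in v.upper() for v in fields.values())
    return {
        "age_days": (now - created).days if created else None,
        "registrar": registrar,
        "nameservers": sorted(ns.get("ldhName", "").lower() for ns in rdap.get("nameservers", [])),
        "registrant_redacted": registrant_redacted,
    }


def triage(domain: str, rdap: dict, brands=BRANDS, now: datetime = AS_OF) -> dict:
    """Combine the lookalike test with RDAP pivots into a simple score (thresholds are illustrative)."""
    hit = lookalike(domain, brands)
    pivots = rdap_pivots(rdap, now)
    score, reasons = 0, []
    if hit:
        score += 2
        reasons.append(f"lookalike of {hit[0]} ({hit[1]})")
    if pivots["age_days"] is not None and pivots["age_days"] < 30:
        score += 1
        reasons.append("registered less than 30 days ago")
    if pivots["registrant_redacted"]:
        reasons.append("registrant redacted: pivot on registrar and nameservers instead")
    return {"domain": domain, "score": score, "reasons": reasons,
            "verdict": "investigate" if score >= 2 else "low", **pivots}


# Constructed RDAP response in the shape registrars return after GDPR-driven redaction.
SAMPLE_RDAP = json.loads("""{
  "objectClassName": "domain", "ldhName": "paypa1-secure-login.com",
  "events": [{"eventAction": "registration", "eventDate": "2018-05-20T10:15:00Z"}],
  "nameservers": [{"ldhName": "NS1.EXAMPLE-DNS.NET"}, {"ldhName": "NS2.EXAMPLE-DNS.NET"}],
  "entities": [
    {"roles": ["registrar"], "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar LLC"]]]},
    {"roles": ["registrant"], "vcardArray": ["vcard", [["fn", {}, "text", "REDACTED FOR PRIVACY"],
                                                       ["email", {}, "text", "REDACTED FOR PRIVACY"]]]}
  ]}""")

if __name__ == "__main__":
    print(json.dumps(triage("paypa1-secure-login.com", SAMPLE_RDAP), indent=2))
```

The registrant block is present but useless; the registrar name, the creation date and the nameservers survive redaction and are the fields worth joining against other domains you have already attributed. The homoglyph table and the 30-day threshold are starting points to tune against your own false-positive rate.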

Slide 11

Legal team
• GDPR adds materiality: the number of enforcement actions is expected to rise
• Enforcement amounts are expected to rise
• Unintended consequences of GDPR, such as the WHOIS redaction discussed above

Slide 12

Final thoughts
• Impact on the security landscape
• Questions? Reach me via email: [email protected] or Twitter: @fuzzzynoise