Securing Stealer Logs: A Brief Legal Review
Stealer Logs:
Within the cybersecurity landscape, a specific threat vector that has rapidly been gaining notoriety is the Stealer Log. These recordings of keystrokes, session cookies, browsing history, & user credentials are not nefarious in nature, yet their exfiltration by adversaries can prove catastrophic for the modern enterprise. As employees’ personal & professional online presence intermingle, the delineation between these once distinct arenas is becoming increasingly blurred. Employees surf Amazon & edit shared Google Docs on their work computers & personal devices, while reusing passwords at a rate of 82% (IBM). Unfortunately, cyber adversaries ignore our predefined line between work & play, as “adversaries can authenticate to a system and/or user account using stolen credentials, which can either be obtained by the adversary directly or by purchasing them” (CrowdStrike).
Stealer Malware:
Stealer malware operates by clandestinely infiltrating a victim's device, often through phishing emails, compromised websites, or malicious downloads, backed by a rapidly growing black-market ecosystem of Stealers & Stealer-as-a-Service malware, including Redline, Vidar, Raccoon, etc. Once installed, this malware stealthily “intercepts user credentials, financial information, and other sensitive data stored on computers and mobile systems” (SOCRadar Extended Threat Intelligence). The stolen information is then exfiltrated to remote servers controlled by cybercriminals, who may exploit it for various illicit purposes, including identity theft, financial fraud, corporate espionage, or sale on the dark web. It can also be leveraged as the initial foothold for catastrophic ransomware & business email compromise attacks, as the stolen session cookies allow these adversaries to bypass multi-factor authentication.
Thesis:
In response to this burgeoning threat, we must reevaluate the responsibility of the modern enterprise to maintain oversight of their employees' vulnerabilities. It must be made clear that we are not arguing that employees' personal activities should be monitored, but that a non-intrusive and external threat detection system highlighting stealer logs is essential to ensuring these potential threats are mitigated. This article will continue by analyzing the existing U.S. legal framework governing this intersection of employer surveillance & employee rights, in hopes of shedding light on how to strike the delicate balance between security & sovereignty.
Legal Framework:
Since the dawn of the Internet, the United States has introduced several pieces of legislation governing organizations’ responsibilities for information privacy; however, “very little of that legislation has a direct effect of employee surveillance & monitoring” (Stanton). The Electronic Communications Privacy Act (ECPA) first broached the subject by imposing restrictions on employers' ability to monitor employee communications, including requiring adherence to certain procedural safeguards, such as obtaining consent or providing notice, in certain circumstances. Since the enactment of the ECPA, several industry-specific regulations have been introduced, including in Accounting (Sarbanes-Oxley Act), Finance (Gramm-Leach-Bliley), & Healthcare (Health Insurance Portability and Accountability Act). Although each describes the need for safeguards & control systems to be put in place, the matter of employee monitoring is, as in the ECPA, covered more as an afterthought than as a fundamental component. Furthermore, the concept of Stealer Logs is absent from these pieces of legislation entirely. With the SEC Cyber Rules released in 2023 requiring companies to disclose “both material cybersecurity incidents they experience and, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance,” there is now a bureaucratic framework mandating proactive investigation of threats (SEC). The ambiguity within the SEC’s Rules, as well as the aforementioned legislation, leaves one wondering how to accomplish these aims in a law-abiding manner.
Conclusion:
After reviewing the existing legal framework in the United States regarding corporate surveillance of employees, it is clear that there are no restrictions preventing enterprises from dark web monitoring to detect stolen employee stealer logs. It has also been made clear that exfiltration of stealer logs can prove disastrous for businesses, both financially & in damaging brand reputation. As such, it is the recommendation of this author that companies of all industries & sizes leverage external monitoring technologies to scrape the dark web for potentially stolen data in order to mitigate potential threats stemming from this threat vector.
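As an added illustration of the non-intrusive, external monitoring the conclusion recommends (example code written for this edit, not the author's or any vendor's tool): it triages a constructed feed of exposed logins, keeps only the records that touch assumed corporate mail domains or work apps, and derives remediation actions, keeping password digests rather than plaintext so the employer never handles personal secrets. The feed layout, domains and hosts are assumptions.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample feed, reduced to the fields the article names (URL, account,
# secret, cookie captured); the pipe layout is an assumption, not a real format.
SAMPLE_FEED = """\
https://mail.example-corp.com/login|j.doe@example-corp.com|Winter2024!|cookie
https://www.amazon.com/ap/signin|jdoe.home@gmail.com|Winter2024!|nocookie
https://docs.google.com/|J.Doe@example-corp.com|Summer2023|cookie
https://shop.example.net/account|someone@other.org|hunter2|nocookie
"""
CORP_DOMAINS = {"example-corp.com"}                       # assumed mail domain
CORP_SAAS = {"docs.google.com", "mail.example-corp.com"}  # assumed work apps

def fingerprint(secret: str) -> str:
    # Only a truncated digest is kept, so triage output never carries plaintext
    return hashlib.sha256(secret.encode()).hexdigest()[:16]

def parse_feed(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        url, account, secret, cookie = line.split("|")
        records.append((urlparse(url).hostname, account.strip().lower(),
                        fingerprint(secret), cookie == "cookie"))
    return records

def is_corporate(host: str, account: str) -> bool:
    # Work-related if the login is a corporate mailbox or a sanctioned work app
    return account.rsplit("@", 1)[-1] in CORP_DOMAINS or host in CORP_SAAS

def triage(text: str) -> list:
    records = parse_feed(text)
    # Digests seen on personal logins; a match on a work login signals reuse
    personal = {r[2] for r in records if not is_corporate(r[0], r[1])}
    findings = []
    for host, account, digest, cookie in records:
        if not is_corporate(host, account):
            continue  # personal-only exposure is outside the employer's remit
        actions = ["reset credential"]
        if cookie:
            actions.append("revoke active sessions")  # stolen cookies sidestep MFA
        if digest in personal:
            actions.append("notify user of password reuse")
        findings.append({"account": account, "host": host,
                         "session_cookie": cookie, "reused": digest in personal,
                         "actions": actions})
    return findings
```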
Bibliography:
Physical Scientist at US Environmental Protection Agency (EPA)
6 months: Way to go, Josh! Super excited for you and I can't wait to see Part 2 of your final project!
Generate Leads and Sales Through Search Engine Optimization; specialized for Law Firms, Veterinarians, Local Business and Ecommerce Sites
6 months: Congratulations on completing your second semester. Looking forward to Part 2 of your presentation!
Cybersecurity Threat Intelligence @ SOCRadar | Channel Alliances
6 months: This is incredible work, Josh. Consider me impressed and proud to be on a team with you.