Cyber Security and Law Firms

Is it all doom and gloom?

Posted on 4 January 2017

Reading the headlines you'd be forgiven for thinking that legal organizations are continuously under attack from hackers. The reality is that, while not completely ignored, a law firm will only be targeted if there is sufficient motivation for attack. Without motivation, there is no targeted threat.

Legal Firms in the Hackers' Crosshairs

In an article on this subject written for Lawyer Issue, [read article] Peter Cohen argues that just as for any organization, the nature of the firm’s business will determine which threat(s) it is at risk from. A large multi-national organization that deals with the corporate interests of international businesses may find itself at risk from state-sponsored attack; in addition, firms specializing in M&A, IPO, High Net Worth Individuals or Intellectual Property may find themselves coveted by those seeking financial gain; a human rights lawyer or even those practicing criminal law may find hacktivists wishing to cause disruption.

The key questions firms need to ask are:
  • Is there any activity that my firm is involved in now, or planning for the future, that provides the necessary motivation for threat actors to attack?
  • How might a criminal strike?
  • How can the attack path that the threat actor will aim to leverage be mitigated?
  • What factors will hinder the progress of an attacker on his way to becoming domain admin and stealing all of the firm's secrets?

The Evidence of Hackers

Covering relevant attack paths is only half the equation. At some point an attacker may be successful in moving around the network, gaining access to sensitive data and exfiltrating that data. In this event, the ability to detect and respond to the malicious activity is paramount.

There are five common compromise indicators and controls:
  • Phishing
  • Anomaly Analysis
  • Suspicious Patterns
  • Lateral Movement
  • Data Exfiltration

In his second article for Lawyer Issue, [read article] Peter expands on these five indicators, explaining that most organizations that fall victim to network intrusions have the evidence of compromise sitting in their logs all along, but the problem is that often nobody reviews logs until an incident occurs.
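To illustrate the kind of log review the article says rarely happens, here is an added example (written for this page, not code from the articles or from Countercept) that scans a constructed log for two of the five indicators: an account logging on to many hosts within a short window, a crude signal of lateral movement, and an unusually large outbound transfer, a crude signal of data exfiltration. The log format, thresholds, hosts and addresses are all assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not from the article):
# timestamp,event,account,source_host,destination,bytes
SAMPLE_LOG = """\
2017-01-04T09:00:12,logon,jsmith,WS-14,FS-01,0
2017-01-04T09:01:40,logon,jsmith,WS-14,FS-02,0
2017-01-04T09:02:05,logon,jsmith,WS-14,DC-01,0
2017-01-04T09:03:30,logon,jsmith,WS-14,HR-SRV,0
2017-01-04T09:04:10,logon,jsmith,WS-14,DMS-01,0
2017-01-04T10:15:00,logon,akhan,WS-22,FS-01,0
2017-01-04T11:30:00,net_out,jsmith,WS-14,203.0.113.45,734003200
2017-01-04T11:31:00,net_out,akhan,WS-22,198.51.100.7,52000
"""

def parse_log(text):
    """Parse the constructed CSV-style lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event, account, src, dst, nbytes = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "account": account, "src": src, "dst": dst,
                       "bytes": int(nbytes)})
    return events

def detect_lateral_movement(events, window=timedelta(minutes=10), max_hosts=3):
    """Flag accounts that log on to more than max_hosts distinct hosts
    within any single window; a sliding window over time-sorted logons."""
    logons = defaultdict(list)
    for e in events:
        if e["event"] == "logon":
            logons[e["account"]].append(e)
    findings = {}
    for account, evs in logons.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) > max_hosts:
                findings[account] = sorted(hosts)
                break
    return findings

def detect_exfiltration(events, threshold_bytes=100 * 1024 * 1024):
    """Flag outbound transfers larger than the threshold (bytes)."""
    return [(e["account"], e["dst"], e["bytes"]) for e in events
            if e["event"] == "net_out" and e["bytes"] > threshold_bytes]
```

Real deployments would tune the window and thresholds to the firm's baseline and feed the findings into a triage queue rather than treating them as confirmed compromise.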

SRA Principles and Security Practices

Law firms are required to act within the ‘Principles’ of the SRA, which lead to required ‘Outcomes’. Failure to adhere to them can affect the regulatory status of a law firm.

The guidelines could be stated a little more plainly. Translated into a cyber security process, they mean: understand your critical assets; understand the attacker’s motive; determine the threat you are most likely to face; ascertain the attacker’s capability; identify your attack paths; and finally put in place appropriate attack detection and response measures.

In a further article by Countercept, [read article] we discuss how attack detection and wider cyber-security controls, in the context of SRA guidelines, enable a common language between the security function and the business owners.

The earlier the detection, the better chance the company has at making a full recovery and saving itself a lot of time, money and reputational damage in the process.

The best way to combat cyber threats is through 24/7 attack detection and response, which is capable of revealing the initial compromise early enough in the breach process and before any kind of control channel is opened to the attacker. Harking back to the motivations of attackers, it’s also imperative for legal firms to choose effective detection controls with an understanding of the motivation and capability of the probable threat actors.

Countercept has written a whitepaper detailing how cyber security in law firms is misunderstood - and what can be done about it. It can be downloaded here.