Despite a media backdrop of breaches and compromises, legal organizations are not automatically a target for hackers. That does not mean they are exempt, just that there needs to be sufficient motivation to entice threat actors to launch a virtual raid.
This first article, of a two-part series, looks at why some legal firms may become a target and the hacker's M.O. (modus operandi).
What is the specific security challenge faced?
A law firm will only be targeted if there is sufficient motivation for attack; without motivation, there is no targeted threat.
As for any organization, the nature of the firm’s business will determine which threat(s) it is at risk from. A large multi-national organization that deals with the corporate interests of international businesses may find itself at risk from state-sponsored attack; in addition, firms specializing in M&A, IPO, High Net Worth Individuals or Intellectual Property may find themselves coveted by those seeking financial gain; a human rights lawyer or even those practicing criminal law may find hacktivists wishing to cause disruption.
Just as clients come and go, so too does the hacker's attention. If the firm acquires a new client or moves into a new area of interest, the threats facing the law firm can change radically in tandem, meaning the security strategy needs to evolve alongside the business strategy.
The key question the firm needs to ask itself is, ‘Is there any activity that my firm is involved in now, or planning for the future, that provides the necessary motivation for threat actors to attack?’
The Hacker's M.O.
Recognizing that they’re a target in the first place is a struggle for many organizations, not just those in the legal sector. This is often accompanied by the misperception that threat actors need to utilize fully customized, expensively researched exploits to successfully target the infrastructure.
The evidence is that, rather than a ‘sophisticated’ attack, most firms are generally breached with a combination of reconnaissance, widely available commodity malware, and well known exfiltration techniques.
That said, there are those more sophisticated threat actors who might deploy advanced techniques to facilitate their objectives either more ‘quietly’, or in a way that carries more impact.
The initial attack path
Understanding how a criminal may strike is the first stage in mitigating the attack path that the threat actor will aim to leverage.
The majority of the effort spent in a targeted attack is in early reconnaissance. There is nothing particularly advanced about this, other than the need for time, logic and discipline. Indeed, law firms tend to make it rather more straightforward than other industries by publishing the contact details of individual lawyers online, along with their practice area. This openness, combined with the constant clamor for publicity from marketing departments issuing articles and press statements, enables threat actors to determine three key pieces of information to assist in the attack:
1) To whom should I deliver my initial payload, and how can I make sure they open it?
This could be as straightforward as sending an HR administrator malware embedded in a CV (phishing). However, in an advanced case of reconnaissance, it’s more likely to take the form of a document sent to a lawyer, ‘spoofed’ to come from a known client or perhaps from a journalist, attaching a list of questions regarding a sensitive case.
Whichever the approach, thorough reconnaissance can all but guarantee an initial payload is opened somewhere within the infrastructure.
2) Who are the organization’s System Administrators or security personnel?
IT staff are the highest-value target in law firms; if compromised, their credentials can be used to accomplish anything from standard data exfiltration, to hard drive wiping, to setting up legitimate remote access for a threat actor to come and go undetected.
Armed with the knowledge of their identities, an attacker will either target these staff from the outset (and in increasingly sophisticated ways), or make IT staff their first target when landing elsewhere on the network.
3) Who in the organization has the credentials to access the information I want to steal?
This phase of reconnaissance is usually the trickiest, requiring an initial foothold within a network to enable further internal reconnaissance of assets such as the company intranet, which could well contain staff lists, groups and roles.
However, law firms tend to make this easier than most firms; once again, the company website, press releases and resources such as The Legal 500 enable attackers to map individual lawyers to practice areas and key accounts. This means that attackers can target law firms with both eyes open and a clear plan, rather than taking the usual ‘sit and observe’ approach that tends to be necessary once an initial foothold has been established.
Effective Security Controls
Once an attacker gains an initial foothold on one system inside a victim network he needs to work to expand his influence. This will typically involve gaining credentials and privileges which will enable him to move to other systems.
As an attack progresses, more systems are compromised and more credentials are gained along the way. Eventually the attacker will gain access to a high value, high privilege account and the victim network is now effectively 'owned' by the attacker.
So, what factors will hinder the progress of an attacker on his way to becoming domain admin and stealing all of the firm’s secrets? Here are five to consider:
- The privilege level of the attacker when the first system is compromised. For this reason it is highly advisable to configure all users to run with the minimum level of privilege required to perform their job, and no more.
- The design of the network itself. An attacker can only compromise those systems which he is able to communicate with over the network, so network segmentation will be a big factor in preventing lateral movement.
- Attackers will use whatever tools are available to them to achieve their objective. If they discover network enumeration tools, port scanners or password cracking utilities on a system then they will likely use them against you. Many system administration tools (especially Sysinternals) can also be abused in this way, so best practice would be to remove such software if it is not required.
- Implementing Software Restriction Policies or AppLocker will also cause a potential headache for any attacker trying to move around the network.
- Multi-factor authentication for systems/applications of high value could prevent an attacker from reaching the firm’s crown-jewels if he is unable to authenticate.
Covering relevant attack paths is only half the equation. At some point an attacker may be successful in moving around the network, gaining access to sensitive data and exfiltrating that data. In this event, the ability to detect and respond to the malicious activity is paramount.
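The controls listed above (least privilege, segmentation, tool removal, application whitelisting and MFA) each slow an attacker down, and the sentence above makes the point that detection still has to back them up. The following is an added example, not code from the original article, showing what that detection can look like at its simplest: a small Python script that reads a constructed, pipe-delimited export of successful-logon records (modelled on the fields of Windows Security event 4624) and flags two things the controls list implies should never happen: a privileged account authenticating to a user workstation, and one account fanning out to several hosts in a short window. Host names, account names, the tier table, the log format and the thresholds are all assumptions made for the example.

```python
"""Added example: simple lateral-movement and privilege-tiering checks over
constructed logon records. Nothing here is from the original article."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed host tiering: 0 = domain controllers / admin jump hosts,
# 1 = application and file servers, 2 = user workstations. Constructed names.
HOST_TIER = {
    "DC01": 0, "ADMIN-JUMP": 0,
    "DMS01": 1, "FILE01": 1,
    "WS-HR-01": 2, "WS-LIT-07": 2, "WS-LIT-12": 2,
}
# Accounts that should only ever touch tier 0/1 hosts (assumed).
PRIVILEGED_ACCOUNTS = {"svc_backup", "itadmin"}


@dataclass
class LogonEvent:
    when: datetime
    account: str
    source: str
    target: str
    logon_type: int  # 2 interactive, 3 network, 10 remote interactive (RDP)


def parse_line(line: str) -> LogonEvent:
    """Parse one record of the constructed export format:
    ISO-timestamp|event-id|account|source-host|target-host|logon-type"""
    when, _event_id, account, source, target, logon_type = line.strip().split("|")
    return LogonEvent(datetime.fromisoformat(when), account, source, target, int(logon_type))


def find_tier_violations(events: List[LogonEvent]) -> List[Tuple[str, str]]:
    """A privileged account logging on to a tier-2 workstation exposes admin
    credentials on the least-trusted host class; report each such logon."""
    hits = []
    for e in events:
        if e.account in PRIVILEGED_ACCOUNTS and HOST_TIER.get(e.target, 2) == 2:
            hits.append((e.account, e.target))
    return hits


def find_fan_out(events: List[LogonEvent],
                 window: timedelta = timedelta(minutes=10),
                 threshold: int = 3) -> Dict[str, List[str]]:
    """Report accounts whose remote logons (type 3 or 10) reach at least
    `threshold` distinct hosts within any `window`-long sliding interval."""
    by_account: Dict[str, List[LogonEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda x: x.when):
        if e.logon_type in (3, 10):
            by_account[e.account].append(e)
    alerts: Dict[str, List[str]] = {}
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            hosts = {x.target for x in evs[i:] if x.when - start.when <= window}
            if len(hosts) >= threshold:
                alerts[account] = sorted(hosts)
                break
    return alerts


# Constructed sample export: a normal user (alice), an admin using the jump
# host correctly (itadmin), a backup account touching an HR workstation, and a
# compromised HR workstation (bob) sweeping several hosts within minutes.
SAMPLE_LOG = """\
2016-01-04T09:00:00|4624|alice|WS-LIT-07|DMS01|3
2016-01-04T09:01:00|4624|svc_backup|FILE01|WS-HR-01|3
2016-01-04T09:02:00|4624|itadmin|ADMIN-JUMP|DC01|10
2016-01-04T09:05:00|4624|alice|WS-LIT-07|FILE01|3
2016-01-04T09:20:00|4624|bob|WS-HR-01|WS-LIT-07|3
2016-01-04T09:22:00|4624|bob|WS-HR-01|WS-LIT-12|3
2016-01-04T09:25:00|4624|bob|WS-HR-01|FILE01|3
2016-01-04T09:40:00|4624|bob|WS-HR-01|DMS01|3
"""
SAMPLE_EVENTS = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]

if __name__ == "__main__":
    for account, target in find_tier_violations(SAMPLE_EVENTS):
        print(f"tiering violation: {account} logged on to workstation {target}")
    for account, hosts in find_fan_out(SAMPLE_EVENTS).items():
        print(f"possible lateral movement: {account} reached {', '.join(hosts)}")
```

On the sample data the script reports the backup account reaching WS-HR-01 and bob reaching three hosts inside ten minutes; the fourth logon at 09:40 falls outside the window and is not needed for the alert. In practice the tier table and thresholds would be derived from the firm's own asset inventory and normal logon patterns rather than hard-coded as here.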