Most law firms believe the challenges they face set them apart from the industry at large – and this is largely correct.
The phrase ‘time is money’ perhaps doesn’t ring as true for other businesses as it does for the legal sector. When every minute is clocked, it is important that business processes run smoothly and therefore, security controls in legal organizations need to be effective, yet lightweight as not to adversely impact the day to day running of the practice.
A further element is that often law firms are asked by key clients and prospects (particularly in finance) to implement specific security controls to achieve assurance or compliance. Rather than being helpful, this presents a significant problem, as the required controls are procured with no understanding of the specific attack paths and threat actor methodologies covered. At best, this is a budget spent to enable a firm to win business. At worst, it gives a false sense of security.
While the challenges may be different the reality is the same. In the world of information security, compromises are inevitable.
Effective detection controls
Legal firms need to face the fact that determined attackers will eventually get in.
It may be because of a vulnerability in the network perimeter, maybe a zero-day exploit, or a combination of phishing emails carrying custom malware and social engineering or maybe even through gaining physical access.
However, a single compromise doesn’t equate to game over for the organization. With an understanding of the motivation and capability of the probable threat actors (as detailed in the first article in this series) effective detection controls can be chosen and deployed.
Here are five common compromise indicators and controls:
Filtering email content may provide clues of an attack against the firm. For example, Sender ID or Sender Policy Framework (SPF) can be used to check for spoofed emails. Email content can also be inspected to look for typical phishing patterns and, in particular, for links and attachments. Such links and attachments can be automatically analyzed within sandboxes to see if they expose suspicious behavior and can be stopped before reaching the end user.
In an organization the majority of endpoints will have similar programs starting at boot time. By looking across the organization to find the one or two computers that are starting something in addition to what all the others are starting, organizations might be able to spot malware for which no signatures exist.
Look for connections to, or even from, odd places or at odd times; also be aware of any unusual user-agents in the proxy logs. A large number of failed logins to a server may indicate a brute force attempt.
Behavior to watch for includes suspicious Windows logon events, new services being installed, tasks being scheduled, and remote execution with legitimate Windows tools. All of these will be recorded in typical Windows event logs.
There are several options an attacker might employ to exfiltrate data, from the basic (uploading files to webmail), to the advanced (DNS tunneling), depending on the security controls in place. As part of this, volume based analysis can be particularly powerful as well. For example large unexpected transfers of data between hosts may indicate aggregation of files prior to an exfiltration.
Early detection is key
The ability to detect an attack largely depends upon two critical factors; first, having the right data available, and second, actually looking at it. Most organizations that fall victim to network intrusions have the evidence of compromise sitting in their logs all along, but the problem is that often nobody reviews logs until an incident occurs.
There is a choice when it comes to the output from a security control. It could be an unfiltered list of log events that require further manual investigation by in-house staff; or it could first be filtered to remove false positives, so that the only output is a confirmed security incident needing an immediate response. Law firms tend to prefer the latter category unless they have a large and hands-on security team, and that needs to change.
The application of prevention and hardening measures combined with effective intrusion detection and incident response can slow attackers down, forcing them down known paths and essentially making them ‘noisy’ and more easily caught.
Data exfiltration detection is too late
However, if you rely on the detection of data exfiltration alone, then you have already lost.
It is too late in the process to instigate an effective response and the costs of cleanup will be exponentially greater than if the initial compromise is detected as it occurs.
Furthermore, an advanced attacker will employ a stealthy exfiltration method to bypass security controls during this phase. Detection controls should be focused as early in the process as possible.
The best way to combat cyber threats is through 24/7 attack detection and response, which is capable of revealing the initial compromise early enough in the breach process and before any kind of control channel is opened to the attacker. Harking back to the motivations of attackers, it’s also imperative for legal firms to choose effective detection controls with an understanding of the motivation and capability of the probable threat actors.
The earlier the detection, the better chance the company has at making a full recovery and saving itself a lot of time, money and reputational damage in the process.
Countercept has written a whitepaper detailing how cyber security in law firms is misunderstood - and what can be done about it. This can be downloaded from here