We hear about data breaches in the legal sector relatively infrequently; however, law firms are in fact regular targets of cyber attack, and a lack of publicity does not reflect a lack of hostile activity. While the motivations may not be immediately obvious, they are very real.
A 2015 Freedom of Information request revealed that the UK’s Information Commissioner’s Office investigated 187 Data Protection Act incidents at law firms in 2014, 29% of which related to security incidents.
Why hackers attack law firms
A law firm may well hold, or have access to, intellectual property or commercially sensitive information regarding their clients that is of tremendous value. Often, in these cases, hackers will look to establish if the firm has the data it seeks, prior to launching a direct attack.
Attackers prefer to take the path of least resistance, making the least effort with the greatest likelihood of success. They may consider a law firm to be a softer target than the organisation or person they are truly targeting, reasoning that they can get the information they want more easily through the firm.
In addition, law firms have access to sensitive information for multiple clients, so a breach may yield multiple results, besides the original target. In this instance, attackers may target them without a particular end goal, under the assumption that there will be a treasure trove of information available.
The range of information held can also mean that, following a breach, it is not always clear what the attacker’s primary target was. This makes responding to the breach and identifying the source more challenging than in other industries.
How these attacks work
Cyber attacks can be highly specialised and bespoke; however, the majority of hostile actors opt simply for the most time- and cost-effective methods of compromise.
Sophisticated attackers often use highly targeted spear phishing attacks that include details relating to the recipient’s work or personal life, making the emails believable. A similar threat is the use of ‘watering holes’, where websites regularly visited by targeted individuals are compromised and infected with malware, for the targets to unwittingly download.
Compromise of even a single user in this manner will generally provide a full bypass of perimeter firewalls and allow the attacker to act like an employee on the internal company network. It may be that the users they have targeted have direct access to the information they seek, in which case the game is already over.
In other cases, they may seek to move laterally inside the network to gain multiple redundant command and control channels and increasingly wider levels of access to information beyond what any single solicitor may have individually. They’ll look to maintain this access far into the future, knowing if one command and control channel is discovered they still have others to use as backup.
How to deflect these attacks
Organisations need to be aware of the threats that face them and accept that their part in society places them in the firing line of some skilled and motivated attackers. Here are five steps to strengthen defences:
• Understand why the organisation is a target to attack and from whom. From a single, malicious insider to state-sponsored cyber programmes, there is a vast range of actors with a great variety of objectives.
• Identify the information that might be coveted, where it is stored, and all the attack paths connected to these assets.
• Work to remove these attack paths, and/or consolidate the assets to reduce the attack surface area and the number of people with access.
• Put strong preventative security controls in place to counter the remaining viable attack paths.
• Develop systems that monitor for attacks and compromises, with processes in place to respond to incidents, so that successful attacks can be identified early and contained.
Such is the persistence, resourcing and resolve of advanced attackers that a holistic approach – underpinned by an in-depth understanding of the threats – is essential. Only in this way can legal firms effectively limit their attack surface, build and secure systemic resilience, and detect and contain successful cyber-attacks.
About MWR InfoSecurity
Established in 2003, MWR InfoSecurity is a research-led information security consultancy, with a client list spanning the major world indices and Government agencies & departments. MWR consults with clients around the globe, providing specialist advice and services on all areas of security, from mobile through to supercomputers.
Central to its philosophy is the desire to deliver high quality cyber security consulting services and unsurpassed levels of support to clients. MWR’s focus is working with clients to develop and deliver a full security programme, tailored to meet the needs of each individual organisation.
MWR’s services range across professional and managed services, technical solutions and training covering areas such as security research, mobile security, web defence, phishing, payment security, managed attack detection and incident response.