Law Firm Security: Protecting Sensitive Data from Cybercriminals

November 17, 2011

Law firms increasingly face stealthy, targeted attacks seeking to steal sensitive data on clients, M&A activities, patent filings and other intellectual property. Cybercriminals are targeting law firms precisely because of the treasure trove of confidential information they have on high-profile companies and government organisations. Aggressive attacks this year have shown that no organisations, including security vendors themselves, are exempt from attacks.  

Rather than taking the old scattershot approach, cybercriminals are increasingly targeting specific organisations. The success of these targeted attacks is causing many to recognise the declining efficacy of their existing security defences. This is particularly true for those in law firms, which represent a sector that is increasingly being targeted by advanced attacks and attackers. Often, these firms lack the means to guard against the new high-end advanced persistent threats (APTs) that are being directed at specific individuals on their network. 

Within every law firm, key individuals have highly sensitive information on their computers – information that a cybercriminal could seek to exploit. So, instead of attacking data servers directly, criminals target key personnel with e-mail ‘spear phishing’ and other ‘social engineering’ tactics, typically delivering a malicious PDF attachment or a link to a malicious URL. Consequently, these firms need to adopt measures that protect against both Web-based and e-mail-based attacks, so that they do not breach data protection laws and suffer what could be an extremely damaging data theft.

How should you measure your current risk posture and susceptibility to these attacks? What measures can these firms take to guard against today’s advanced threats?  

What are Cybercriminals Looking For? 

Whilst most law firms are relatively small, they are at the heart of many of the transactions conducted by businesses and government bodies. For cybercriminals, these firms represent a rich source of information on large, international corporations, financial institutions, and other lucrative groups or individuals. 

Given the wide array of potential motives and methods of criminals, no law firm is exempt from attack. For instance, a criminal may seek to access data for financial gain, so any firm managing information about stocks and shares, mergers and acquisitions, or patents may be a potential target. Alternatively, a cybercriminal may seek information about lawsuits or criminal proceedings concerning a person or company he or she supports—or is working against. Ultimately, firms manage a broad range of sensitive information—and that reality puts just about every firm at risk.  

What is an APT?

Advanced persistent threats (APTs) are nation-state actors or organised cyber criminal gangs who conduct sophisticated, coordinated attacks to gain network access and steal assets over a sustained period of time. APT attacks use an array of tactics that keep them from being detected by traditional security infrastructures. Traditionally, APT attacks target organisations in sectors with high-value information, such as governmental bodies, manufacturing, financial services, and, increasingly, the law firms that are privy to that same high-value information.

Cybercriminals have developed advanced malware to bypass out-dated security techniques such as signature matching. Signature-based technologies like IPS and antivirus software, both within perimeter and endpoint solutions, are increasingly ineffective against the rapidly evolving, blended nature of next-generation threats: a signature can only match malware that has already been seen and catalogued. The continued, persistent intrusions into commercial, governmental, and educational networks attest to the limitations of these existing security mechanisms.

As recent data breaches show, conventional client-based antivirus scans and network-based intrusion detection are unable to disrupt these sophisticated, coordinated attacks. Criminals maintain long-term control over compromised systems by installing layers of malware. Once installed, this advanced malware can re-install components that were previously removed and disable endpoint security in order to prevent future removal.

Phishing for Information 

The most common entry point for an APT attack is a method known as ‘spear phishing’. A form of social engineering, this multi-layered approach not only uses common infection vectors and known malware to penetrate a system, but also leverages intimate knowledge about the target to entice him or her to click on a link or open an infected e-mail attachment that initiates the attack—all while remaining undetected by traditional security mechanisms.

When it comes to attacks on law firms, criminals will often start by looking into the firm’s history and track record to identify the types of cases and activities that are normally conducted. Next, cybercriminals will target a small subset of employees and find out their interests, hobbies, or anything else that would be a trigger for them to read and respond to an e-mail.  

For example, it is straightforward to obtain the corporate biography of a partner at a large financial law firm and learn the university they attended. The attacker then sends an alumni update message carrying a malicious PDF ‘update form’ or a hyperlink to a malicious URL. When the target receives the realistic e-mail and clicks the embedded link or opens the form, the attack is underway and the target’s computer is compromised. Very soon thereafter, the attacker gains long-term access to the victim’s corporate network and all of the data available on it. This is not a mass mail approach: for an APT attack to be effective, it must remain undetected, and the attention of security or IT professionals must not be drawn to it by high volumes of malware infecting the infrastructure.

How do You Protect Your Firm’s Information? 

If criminals gain access to a law firm’s network and sensitive data, the results can be disastrous, both for the law firm and its clients. Due to the nature of APT attacks, you may not even realise you have been subjected to a spear phishing attack until after confidential information is released publicly or counterfeit products start appearing on the market. 

The state of IT security has reached this point because conventional defensive technologies have fundamentally remained stagnant, while threats have continued to evolve quickly. The sheer volume and escalating sophistication of modern attacks are overwhelming the limited IT resources available to law firms and outmanoeuvring the conventional defences that these firms have in place. While patching operating systems and applications continues to be a good practice, it has proven insufficient on its own in the fight against cybercriminals. There are more proactive measures that mitigate the risk of a data breach, as well as methods to rapidly cut off the theft of information once you realise you have been attacked.

First, conducting a risk assessment helps to define the investment needed to mitigate the risk of a network compromise and subsequent data breach. IT security consulting firms can perform annual IT audits to identify trigger points in your business, map out your risk profile, define ways to minimize the attack surface, and provide the latest information on IT security technologies. 

Given the quickly evolving nature of security today, and the typically lean nature of IT groups, the right technology makes all the difference in disrupting the APT attack cycle. For example, there are new real-time detection technologies available to ensure that IT staff are aware that an APT attack is underway. There are also automated ways to correlate across common attack vectors, such as spear phishing e-mails and subsequent Web browsing activity, which together identify the method of attack, the individuals being targeted and the information being sought.

To be effective, modern anti-malware solutions need to be dynamic enough to analyse network traffic in real-time, rather than relying on signatures of old attacks. Advanced malware has been developed with conventional defences in mind to maximise its chances of successfully exploiting vulnerabilities on an end-user system.  

To protect the network, real-time analysis and blocking are essential to stop data exfiltration that can take place within minutes, if not seconds, of the zero-hour infection. It is important to be able to dynamically analyse network traffic to capture and detect zero-hour malware. Plus, it is equally critical to have real-time capabilities for stopping the outbound call-back communications of APTs in order to disrupt the malware infection lifecycle. A dynamic analysis capability, as opposed to static, signature-based comparisons, is critical to enable a product to detect and stop polymorphic malware. 
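Two of the capabilities called for above, correlating a spear-phishing e-mail with the recipient’s later Web activity and spotting the periodic outbound call-back of an implant, can be approximated from ordinary gateway logs. The following is an added example written for this article, not code from the original piece or from FireEye’s products: the mail-gateway and proxy log formats, the host names, the user names and the detection thresholds are all hypothetical, and the log lines are constructed for illustration.

```python
"""Correlate e-mailed URLs with proxy requests and flag timer-driven call-backs.

Added example; log formats, hosts, users and thresholds are hypothetical and the
log lines below are constructed for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed mail-gateway log: delivery time, recipient, sender, URL seen in body.
MAIL_LOG = """\
2011-11-14T08:02:11 rcpt=jsmith@example-law.test from=alumni@uni-alumni.test url=http://uni-alumni.test/update/form.pdf
2011-11-14T08:02:13 rcpt=akhan@example-law.test from=alumni@uni-alumni.test url=http://uni-alumni.test/update/form.pdf
2011-11-14T09:10:40 rcpt=jsmith@example-law.test from=news@legal-weekly.test url=http://legal-weekly.test/issue/47
"""

# Constructed Web-proxy log: request time, authenticated user, URL, HTTP status.
PROXY_LOG = """\
2011-11-14T08:15:02 user=jsmith url=http://uni-alumni.test/update/form.pdf status=200
2011-11-14T08:15:03 user=jsmith url=http://uni-alumni.test/favicon.ico status=404
2011-11-14T08:20:00 user=jsmith url=http://cdn-static.test/check?id=7 status=200
2011-11-14T08:25:00 user=jsmith url=http://cdn-static.test/check?id=7 status=200
2011-11-14T08:30:01 user=jsmith url=http://cdn-static.test/check?id=7 status=200
2011-11-14T08:35:00 user=jsmith url=http://cdn-static.test/check?id=7 status=200
2011-11-14T08:40:00 user=jsmith url=http://cdn-static.test/check?id=7 status=200
2011-11-14T08:21:30 user=akhan url=http://legal-weekly.test/issue/47 status=200
2011-11-14T09:12:05 user=akhan url=http://www.example-news.test/ status=200
2011-11-14T09:40:00 user=akhan url=http://www.example-news.test/ status=200
2011-11-14T10:01:00 user=akhan url=http://www.example-news.test/ status=200
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn '<iso-time> key=value key=value ...' into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = dict(KV.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def emailed_url_clicks(mail_log, proxy_log):
    """Return (user, url, minutes_after_delivery) for each proxy request that
    fetched a URL which had been e-mailed to that same user beforehand."""
    delivered = defaultdict(list)  # (user, url) -> delivery times
    for m in parse_log(mail_log):
        delivered[(m["rcpt"].split("@")[0], m["url"])].append(m["ts"])
    hits = []
    for p in parse_log(proxy_log):
        for t in delivered.get((p["user"], p["url"]), []):
            if p["ts"] >= t:  # a click must follow delivery
                hits.append((p["user"], p["url"], (p["ts"] - t).total_seconds() / 60))
    return hits


def beacon_candidates(proxy_log, min_hits=5, max_jitter=0.05):
    """Flag (user, host) pairs contacted at near-constant intervals.

    jitter = pstdev(interval) / mean(interval); human browsing is bursty and
    irregular, while a timer-driven call-back keeps jitter close to zero.
    Thresholds are hypothetical and would be tuned per network."""
    by_pair = defaultdict(list)
    for p in parse_log(proxy_log):
        by_pair[(p["user"], urlsplit(p["url"]).hostname)].append(p["ts"])
    found = []
    for (user, host), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            found.append((user, host, round(mean), round(jitter, 3)))
    return found


if __name__ == "__main__":
    for user, url, mins in emailed_url_clicks(MAIL_LOG, PROXY_LOG):
        print(f"CLICK  {user} fetched e-mailed URL {url} {mins:.1f} min after delivery")
    for user, host, period, jitter in beacon_candidates(PROXY_LOG):
        print(f"BEACON {user} -> {host} every ~{period}s (jitter {jitter})")
```

In the constructed data only jsmith fetches an e-mailed URL after it arrived (akhan’s request for the legal-weekly link predates that e-mail and was sent to someone else, so it is not a hit), and only jsmith’s five-minute requests to cdn-static.test are regular enough to be reported as a call-back; akhan’s irregular news visits are not. In practice the click correlation would be fed from the mail gateway in real time and the beacon check run over a sliding window, so that the outbound channel can be blocked at the proxy before the attacker has finished pulling data.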

Law firms represent low hanging fruit for many attackers, and they have a lot to lose given the sensitive nature of the data they manage. By adopting a number of basic security hygiene rules—such as patching all applications, ensuring that staff members are aware of the outsider threats, and utilising real-time network analysis—you can reduce the chances of falling victim to a large-scale hack. 

Alex Lanstein is Senior Security Engineer at FireEye (www.fireeye.com)