Law and Disorder: Firms in the Firing Line
By Max Heinemeyer, Director of Threat Hunting at cyber security company, Darktrace
Since July 2018, a growing number of cyber-attacks targeting law firms have been identified. What is concerning is that these attacks are not coming from opportunistic malware such as banking trojans, but from ‘threat actors’ who conduct hands-on intrusions with the aim of exfiltrating data from these organisations.
Law firms are actively pursued because their systems contain the sensitive data of many other organisations. The essence of a lawyer’s work is managing confidential client information, so firms are privy to a huge variety of valuable data, from tax affairs to intellectual property. Consequently, a law firm’s ability to protect highly sensitive information is critical: a successful cyber-attack causes reputational damage that erodes its most valuable asset, clients’ trust.
The legal industry is structured to distribute earnings among a limited group of highly trained professionals, which leaves little room for sizable IT departments. With the surge in cyber-attacks in recent years and the additional exposure introduced by the cloud and the Internet of Things, these security teams are ill-equipped to defend their systems against the advanced, rapid-fire attacks that are common today. In addition, lawyers frequently investigate obscure or potentially unlawful activities and exchange files with external parties, which further complicates enforcing strict security policies and places a substantial strain on small, overwhelmed security teams.
Living off the Land
Interestingly, the recent surge of targeted attacks against law firms shares a common toolset. All of them were carried out with publicly available hacking tools, including:
- Mimikatz (for credential dumping),
- PowerShell Empire (for Command & Control communication),
- DameWare (additional C2/backdoor), and
- PsExec and its variants, such as Impacket’s Python implementation psexec.py (for lateral movement).
Perhaps surprisingly, using generic tooling against such high-value targets actually works in the attacker’s favour. Relying mainly on publicly available tools rather than bespoke malware makes attribution much harder, because the same tools are used by many different groups and by legitimate penetration testers.
Some of these tools, such as Mimikatz, have to be dropped into the environment as a foreign binary. The stealthiest, such as DameWare and PsExec, are legitimate administration tools that travel over the channels administrators already use: SMB, the ADMIN$ share and remote service control.
Known as ‘living off the land’, this activity is almost undetectable by traditional, signature-based security controls, because it is designed to blend in with legitimate system administration work. The attacker leaves no unique malware to match a signature against, only a trail of ordinary-looking administrative events.
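Even though these tools blend in, each of the four leaves a recognisable trace in standard Windows telemetry: a service-install event (System log 7045) for PsExec and its Impacket variant, a process-creation command line for the Empire stager, and an LSASS process-access event (Sysmon 10) for Mimikatz. The Python below is an added example, not code from the article or from Darktrace, showing a minimal detector over those traces. The event records are constructed sample data in a simplified dictionary form rather than real log output, and the Impacket naming pattern (4-letter service name, 8-letter executable in %systemroot%) is an assumption about its default behaviour, which an operator can change.

```python
import re

# Sysinternals PsExec installs a service literally named PSEXESVC (unless the
# operator renames it with -r) with its binary in %SystemRoot%.
PSEXEC_SERVICE = "PSEXESVC"

# Assumption about Impacket's psexec.py defaults: a random 4-letter service
# name and a random 8-letter executable copied to the ADMIN$ share, so the
# 7045 image path looks like %systemroot%\AbCdEfGh.exe.
IMPACKET_SERVICE = re.compile(r"^[A-Za-z]{4}$")
IMPACKET_IMAGE = re.compile(r"^%systemroot%\\[A-Za-z]{8}\.exe$", re.IGNORECASE)

# PowerShell Empire's default launcher: powershell -noP -sta -w 1 -enc <b64>.
# The \b anchors keep "-NoProfile" from matching the "-nop" flag.
EMPIRE_FLAGS = re.compile(r"-nop\b.*-w\s+(?:1|hidden)\b.*-enc\b", re.IGNORECASE)

# Mimikatz's sekurlsa module opens lsass.exe with PROCESS_VM_READ (0x0010);
# Sysmon event 10 reports the mask in GrantedAccess (typically 0x1010/0x1438).
PROCESS_VM_READ = 0x0010


def classify(event):
    """Return a detection tag for one simplified event record, or None."""
    eid = event["id"]
    if eid == 7045:  # System log: a service was installed
        name, path = event["service_name"], event["image_path"]
        if name.upper() == PSEXEC_SERVICE:
            return "psexec-sysinternals"
        if IMPACKET_SERVICE.match(name) and IMPACKET_IMAGE.match(path):
            return "psexec-impacket"
    elif eid in (4688, 1):  # Security 4688 / Sysmon 1: process creation
        cmd = event["command_line"]
        if "powershell" in cmd.lower() and EMPIRE_FLAGS.search(cmd):
            return "empire-stager"
    elif eid == 10:  # Sysmon: one process opened a handle to another
        target = event["target_image"].lower()
        access = int(event["granted_access"], 16)
        if target.endswith("\\lsass.exe") and access & PROCESS_VM_READ:
            return "lsass-read"
    return None


def scan(events):
    """Run classify() over a batch and return (host, tag) hits in order."""
    hits = []
    for event in events:
        tag = classify(event)
        if tag:
            hits.append((event["host"], tag))
    return hits


# Constructed sample events (not real telemetry); hostnames are invented.
SAMPLE_EVENTS = [
    {"host": "WS-07", "id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "FS-01", "id": 7045, "service_name": "kDrW",
     "image_path": r"%systemroot%\bHgtQqsD.exe"},
    {"host": "FS-01", "id": 7045, "service_name": "Spooler",
     "image_path": r"%SystemRoot%\System32\spoolsv.exe"},
    {"host": "WS-12", "id": 4688,
     "command_line": "powershell -noP -sta -w 1 -enc SQBGACgAJABQAFMA"},
    {"host": "WS-12", "id": 4688,
     "command_line": "powershell -NoProfile -Command Get-Date"},
    {"host": "DC-01", "id": 10, "source_image": r"C:\Temp\mk.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1010"},
    {"host": "DC-01", "id": 10,
     "source_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1400"},
]

if __name__ == "__main__":
    for host, tag in scan(SAMPLE_EVENTS):
        print(f"{host}: {tag}")
```

The benign events in the sample (the Spooler service, a plain `-NoProfile` PowerShell invocation, a WMI provider querying LSASS without read access) fall through without a hit, which is the point of the check: the signal is not the tool name but the specific combination of service name, image path, flags or access mask. In production the LSASS rule in particular needs an allow-list of source images, since some security agents legitimately read LSASS memory.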
AI Securing the Legal Sector
Cyber-attackers are constantly discovering novel ways of evading rule-based security systems. The anomalies left by attackers ‘living off the land’ are generally too subtle for humans to pick out by eye from the volume of ordinary administrative activity.
Machine learning technology that learns the normal pattern of life of a given network can still distinguish this behaviour, because it remains unusual when compared with that network’s legitimate administrative activity: a host that has never administered anything suddenly installing services on several servers stands out, even though each individual event looks routine. For small security teams, AI is a game changer.
Using machine learning takes care of the heavy lifting of separating interesting anomalies from ordinary noise.
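To make the idea of a learned baseline concrete, the Python below is an added example (not the article’s, and not Darktrace’s algorithm) of the simplest possible version: learn which hosts administer which other hosts during a learning window, then score live activity by how far it departs from that baseline, with per-source aggregation so that one host fanning out to many new targets accumulates a high score. The records are constructed sample telemetry with invented hostnames, and the scoring weights and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data). Each record is
# (source_host, destination_host, action), where action names the kind of
# remote administration observed: a write to the ADMIN$ share or a remote
# service-install call, i.e. the channels PsExec-style tools use.
LEARNING_WINDOW = [
    ("ADM-01", "FS-01", "admin_share"),
    ("ADM-01", "FS-02", "svc_install"),
    ("ADM-01", "DC-01", "admin_share"),
    ("ADM-01", "WS-07", "svc_install"),
    ("ADM-01", "FS-01", "svc_install"),
]

LIVE_TRAFFIC = [
    ("ADM-01", "FS-01", "admin_share"),  # routine, inside the baseline
    ("ADM-01", "WS-12", "admin_share"),  # new target for a known admin host
    ("WS-07", "FS-01", "admin_share"),   # a workstation starts administering
    ("WS-07", "FS-02", "svc_install"),   # several servers in a row, each
    ("WS-07", "DC-01", "admin_share"),   # event looking like normal admin work
]

NEW_SOURCE = 3  # assumed weight: host that has never administered anything
NEW_PAIR = 1    # assumed weight: known admin host, unseen target/action


class AdminBaseline:
    """Learns which hosts administer which other hosts, then scores deviation."""

    def __init__(self):
        self.seen = defaultdict(set)  # source -> {(dest, action), ...}

    def learn(self, records):
        for src, dst, action in records:
            self.seen[src].add((dst, action))

    def score(self, record):
        """Score one record: 0 inside the baseline, higher the stranger it is."""
        src, dst, action = record
        if src not in self.seen:
            return NEW_SOURCE
        if (dst, action) not in self.seen[src]:
            return NEW_PAIR
        return 0

    def detect(self, records, threshold=3):
        """Aggregate scores per source host so that fan-out accumulates.

        Returns {source: (total_score, sorted_new_targets)} for every source
        whose total reaches the threshold.
        """
        totals = defaultdict(int)
        targets = defaultdict(set)
        for record in records:
            points = self.score(record)
            if points:
                totals[record[0]] += points
                targets[record[0]].add(record[1])
        return {src: (total, sorted(targets[src]))
                for src, total in totals.items() if total >= threshold}


def run_demo():
    model = AdminBaseline()
    model.learn(LEARNING_WINDOW)
    return model.detect(LIVE_TRAFFIC)


if __name__ == "__main__":
    for src, (total, hosts) in run_demo().items():
        print(f"{src}: score {total}, new admin targets {hosts}")
```

Run against the sample, the known admin host ADM-01 touching one new workstation scores 1 and stays below the threshold, while WS-07, which never administered anything in the learning window, scores 9 across three servers and is flagged. No single record from WS-07 is suspicious on its own; only the comparison against what that host normally does reveals it. A real deployment would learn over weeks rather than a handful of records, decay old observations, and use more features (time of day, credential used, volume of data moved), but the principle is the same.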
AI technology can also respond autonomously to threats as they emerge in real time, even out of hours and at weekends, slowing or even blocking traffic to the affected parts of the network before any data can be exfiltrated. This buys security teams crucial time to investigate and fix the issue before it is too late.
[P.S. for readers who are curious, Darktrace is a sister company of legal AI pioneer, Luminance – both are part of the Invoke Capital-backed stable of companies. Invoke is run by the well-known tech entrepreneur, Mike Lynch, who previously founded Autonomy.]