Law and Disorder: Firms in the Firing Line
By Max Heinemeyer, Director of Threat Hunting at cyber security company, Darktrace
Since July 2018, an increasing number of cyber-attacks have been identified targeting law firms. Of concern is that the attacks are emerging not from opportunistic malware, like banking trojans, but from ‘threat actors’ who actively conduct cyber-intrusions, seeking to exfiltrate data from these organisations.
Law firms are actively pursued because their systems contain the sensitive data of many other organisations. The essence of a lawyer’s work involves managing confidential client information. Firms are privy to a huge variety of valuable data, from tax affairs to intellectual property. Consequently, law firms’ ability to protect highly sensitive information is critical; a successful cyber-attack might cause reputational damage that erodes their most valuable asset – clients’ trust.
As an industry, law is structured around sharing revenues among a small number of highly qualified professionals. As such, firms can rarely employ large IT teams – and their IT security departments are smaller still.
With the increased number of attacks seen in recent years, as well as the added risks of the cloud and the Internet of Things, security teams lack the capacity to defend their networks against the sophisticated, machine-speed attacks that characterise today’s threat landscape.
In addition, lawyers often have to research obscure or potentially illegal activities, while communicating and receiving files from third parties. This complicates any attempt to impose and regulate highly restrictive security policies, placing a significant burden on small, overstretched security teams.
Living off the Land
Interestingly, the recent surge of targeted attacks against law firms is unified by the methods used. The attacks were all performed using publicly available hacking tools, including:
- Mimikatz (for credentials dumping),
- PowerShell Empire (for Command & Control communication),
- Dameware (additional C2/backdoor), and
- PsExec variants such as the Impacket Python variant of PsExec (for lateral movement).
Perhaps surprisingly, using generic methods against such high-level targets is actually beneficial to the attacker. Adopting mainly publicly available tools, rather than individually crafted malware, makes attribution much harder.
Although some of these tools, such as Mimikatz, have to be downloaded into the environment, the stealthiest, like Dameware or PsExec, are able to use the infrastructure already present within the target environment.
Known as ‘living off the land’, these tools are almost undetectable by traditional security approaches, as their malicious activity is designed to blend in with legitimate system administration work.
AI Securing the Legal Sector
Cyber-attackers are constantly discovering novel ways of evading rule-based security systems. Attackers ‘living off the land’ are generally too subtly anomalous for humans to identify.
Some machine learning technology has the ability to learn the pattern of any network, which means it can distinguish this behaviour, because it remains unusual compared with legitimate administrative activity. For small security teams, AI is a game changer.
Machine learning can take care of the heavy lifting of separating interesting anomalies from ordinary noise.
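To make concrete how a learned baseline can separate PsExec-style ‘living off the land’ activity (described above) from ordinary administration, here is an added illustration that is not Darktrace code or any product’s logic. It reduces Windows ‘service installed’ events to four fields, learns which accounts normally install services on which hosts from a constructed baseline, and then scores new events; the random-name heuristic and the score weights are assumptions chosen for the example.

```python
"""Baseline detection of PsExec-style service installs (constructed example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ServiceInstall:           # Windows System event 7045, reduced to four fields
    host: str                   # host on which the service was installed
    account: str                # account that installed it
    service: str                # service name
    image: str                  # path of the service binary

KNOWN_PSEXEC_SERVICES = {"PSEXESVC"}        # Sysinternals PsExec default
# Heuristic (assumption): throwaway services pushed by remote-exec tools
# often carry a short random alphabetic name with no product prefix.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")

# Constructed baseline week: which accounts normally install services where.
BASELINE_EVENTS = [
    ServiceInstall("FS01", "CORP\\svc_sccm", "CcmExec", r"C:\Windows\CCM\CcmExec.exe"),
    ServiceInstall("WS01", "CORP\\svc_sccm", "CcmExec", r"C:\Windows\CCM\CcmExec.exe"),
    ServiceInstall("WS02", "CORP\\alice", "Sysmon64", r"C:\Windows\Sysmon64.exe"),
]

def build_baseline(events):
    """Map each account to the set of hosts it has installed services on."""
    seen = defaultdict(set)
    for e in events:
        seen[e.account].add(e.host)
    return seen

def score(event, baseline):
    """Return (score, reason); higher means further from learned behaviour."""
    if event.service.upper() in KNOWN_PSEXEC_SERVICES:
        return 90, "PsExec default service name"
    hosts = baseline.get(event.account)
    if hosts is None:
        base, why = 60, "account has never installed a service"
    elif event.host not in hosts:
        base, why = 40, "account has never managed this host"
    else:
        base, why = 0, "within baseline"
    if RANDOM_NAME.match(event.service):
        base, why = base + 30, why + "; random-looking service name"
    return base, why

def detect(events, baseline, threshold=50):
    """Return [(event, score, reason)] for events at or above the threshold."""
    scored = ((e, *score(e, baseline)) for e in events)
    return [hit for hit in scored if hit[1] >= threshold]
```

A routine SCCM install on a host it already manages scores 0, while the same account touching a domain controller for the first time, or an account that has never installed a service pushing a randomly named one, crosses the alert threshold.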
AI technology can also autonomously respond to threats as they emerge in real time, even after hours and on the weekends, in order to slow down, or even stop, traffic to the affected parts of the network before any data can be compromised. This buys security teams crucial time to fix the issue – before it’s too late.
[P.S. for readers who are curious, Darktrace is a sister company of legal AI pioneer, Luminance – both are part of the Invoke Capital-backed stable of companies. Invoke is run by the well-known tech entrepreneur, Mike Lynch, who previously founded Autonomy.]