All posts by Peter Cohen

About Peter Cohen

Email: [email protected]
Tel: +44 (0) 3302 230 434
Peter Cohen is Strategic Director at Countercept, the attack detection arm of MWR InfoSecurity. He works with customers across all sectors – but particularly those at higher risk – to implement managed detection and response measures in line with the threats faced by each organisation. His experience with attack detection extends to critical national infrastructure, the finance sector, defence, law firms, tech firms, mining and also oil & gas.

The Evidence of hackers

Most law firms believe the challenges they face set them apart from the industry at large – and this is largely correct.

The phrase ‘time is money’ perhaps doesn’t ring as true for other businesses as it does for the legal sector. When every minute is clocked, it is important that business processes run smoothly; therefore, security controls in legal organisations need to be effective, yet lightweight enough not to adversely impact the day-to-day running of the practice.

A further element is that often law firms are asked by key clients and prospects (particularly in finance) to implement specific security controls to achieve assurance or compliance. Rather than being helpful, this presents a significant problem, as the required controls are procured with no understanding of the specific attack paths and threat actor methodologies covered. At best, this is a budget spent to enable a firm to win business. At worst, it gives a false sense of security.

While the challenges may be different, the reality is the same. In the world of information security, compromises are inevitable.

Effective detection controls

Legal firms need to face the fact that determined attackers will eventually get in.

It may be because of a vulnerability in the network perimeter, maybe a zero-day exploit, or a combination of phishing emails carrying custom malware and social engineering or maybe even through gaining physical access.

However, a single compromise doesn’t equate to game over for the organisation. With an understanding of the motivation and capability of the probable threat actors (as detailed in the first article in this series), effective detection controls can be chosen and deployed.

Here are five common compromise indicators and controls:

Phishing: Filtering email content may provide clues of an attack against the firm. For example, Sender ID or Sender Policy Framework (SPF) can be used to check for spoofed emails. Email content can also be inspected to look for typical phishing patterns and, in particular, for links and attachments. Such links and attachments can be automatically analysed within sandboxes to see if they expose suspicious behaviour and can be stopped before reaching the end user.

Anomaly analysis: In an organisation the majority of endpoints will have similar programs starting at boot time. By looking across the organisation to find the one or two computers that are starting something in addition to what all the others are starting, organisations might be able to spot malware for which no signatures exist.

Suspicious patterns: Look for connections to, or even from, odd places or at odd times; also be aware of any unusual user-agents in the proxy logs. A large number of failed logins to a server may indicate a brute force attempt.

Lateral movement: Behaviour to watch for includes suspicious Windows logon events, new services being installed, tasks being scheduled, and remote execution with legitimate Windows tools. All of these will be recorded in typical Windows event logs.

Data exfiltration: There are several options an attacker might employ to exfiltrate data, from the basic (uploading files to webmail) to the advanced (DNS tunnelling), depending on the security controls in place. As part of this, volume-based analysis can be particularly powerful as well. For example, large unexpected transfers of data between hosts may indicate aggregation of files prior to an exfiltration.
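As an added example (not code from the original article or from Countercept), the following script shows three of the indicators above as runnable detection logic: stacking autostart entries across endpoints to find the one host running something the others do not, counting failed logons per source and target to spot brute-force attempts, and flagging the Windows events the article names as lateral movement (new services, scheduled tasks, privileged remote logons). All host names, user names, addresses and event records are constructed sample data; the Windows event IDs (4624, 4625, 4698, 7045) and logon types (3 network, 10 RemoteInteractive) are real.

```python
from collections import Counter, defaultdict

# Constructed sample: autostart entries collected per endpoint (hypothetical hosts).
AUTORUNS = {
    "ws01": {"OneDrive.exe", "Teams.exe", "SecurityHealth.exe"},
    "ws02": {"OneDrive.exe", "Teams.exe", "SecurityHealth.exe"},
    "ws03": {"OneDrive.exe", "Teams.exe", "SecurityHealth.exe", "svch0st.exe"},
    "ws04": {"OneDrive.exe", "Teams.exe", "SecurityHealth.exe"},
}


def rare_autoruns(autoruns, max_hosts=1):
    """Anomaly analysis by stacking: map each autostart entry to the hosts that
    run it, then return only the entries seen on at most `max_hosts` hosts."""
    hosts_by_entry = defaultdict(list)
    for host, entries in autoruns.items():
        for entry in entries:
            hosts_by_entry[entry].append(host)
    return {entry: sorted(hosts) for entry, hosts in hosts_by_entry.items()
            if len(hosts) <= max_hosts}


# Constructed Windows event records, reduced to the fields the checks need.
# 4625 = failed logon, 4624 = successful logon (logon_type 3 = network,
# 10 = RemoteInteractive/RDP), 7045 = new service installed,
# 4698 = scheduled task created.
EVENTS = [
    {"id": 4625, "host": "srv-dc01", "user": "jsmith", "src": "10.0.5.23"}
    for _ in range(6)
] + [
    {"id": 4625, "host": "srv-file01", "user": "amiller", "src": "10.0.7.8"},
    {"id": 4625, "host": "srv-file01", "user": "amiller", "src": "10.0.7.8"},
    {"id": 4624, "host": "ws02", "user": "amiller", "src": "-", "logon_type": 2},
    {"id": 4624, "host": "srv-file01", "user": "svc_backup", "src": "10.0.5.23",
     "logon_type": 3, "privileged": True},
    {"id": 7045, "host": "ws03", "detail": "service PSEXESVC"},
    {"id": 4698, "host": "srv-file01", "detail": "task Updater"},
]


def failed_logon_bursts(events, threshold=5):
    """Count 4625 events per (source, target) pair; a pair at or above the
    threshold is the 'large number of failed logins' the article describes."""
    counts = Counter((e["src"], e["host"]) for e in events if e["id"] == 4625)
    return {pair: n for pair, n in counts.items() if n >= threshold}


LATERAL_EVENT_IDS = {7045: "new service installed", 4698: "scheduled task created"}


def lateral_movement_alerts(events):
    """Flag the behaviours listed under lateral movement: new services,
    scheduled tasks, and privileged logons arriving over the network or RDP."""
    alerts = []
    for e in events:
        if e["id"] in LATERAL_EVENT_IDS:
            alerts.append((e["host"], LATERAL_EVENT_IDS[e["id"]], e.get("detail", "")))
        elif (e["id"] == 4624 and e.get("logon_type") in (3, 10)
              and e.get("privileged")):
            alerts.append((e["host"], "privileged remote logon",
                           f"{e['user']} from {e['src']}"))
    return alerts


if __name__ == "__main__":
    print("rare autoruns:", rare_autoruns(AUTORUNS))
    print("failed-logon bursts:", failed_logon_bursts(EVENTS))
    for alert in lateral_movement_alerts(EVENTS):
        print("lateral movement:", alert)
```

The stacking check deliberately ignores signatures: `svch0st.exe` is flagged only because it is an outlier across the estate, which is the point of the anomaly analysis paragraph. In practice the thresholds (`max_hosts`, `threshold`) and the set of privileged accounts are tuned per organisation, and the event records would come from a log collector rather than an inline list.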

Early detection is key

The ability to detect an attack largely depends upon two critical factors: first, having the right data available, and second, actually looking at it. Most organisations that fall victim to network intrusions have the evidence of compromise sitting in their logs all along, but the problem is that often nobody reviews logs until an incident occurs.

There is a choice when it comes to the output from a security control. It could be an unfiltered list of log events that require further manual investigation by in-house staff; or it could first be filtered to remove false positives, so that the only output is a confirmed security incident needing an immediate response. Law firms tend to prefer the latter category unless they have a large and hands-on security team, and that needs to change.

The application of prevention and hardening measures combined with effective intrusion detection and incident response can slow attackers down, forcing them down known paths and essentially making them ‘noisy’ and more easily caught.

Data exfiltration detection is too late

However, if you rely on the detection of data exfiltration alone, then you have already lost.

It is too late in the process to instigate an effective response and the costs of cleanup will be exponentially greater than if the initial compromise is detected as it occurs.

Furthermore, an advanced attacker will employ a stealthy exfiltration method to bypass security controls during this phase. Detection controls should be focused as early in the process as possible.

The best way to combat cyber threats is through 24/7 attack detection and response, which is capable of revealing the initial compromise early enough in the breach process and before any kind of control channel is opened to the attacker. Harking back to the motivations of attackers, it’s also imperative for legal firms to choose effective detection controls with an understanding of the motivation and capability of the probable threat actors.

The earlier the detection, the better chance the company has at making a full recovery and saving itself a lot of time, money and reputational damage in the process.


Countercept has written a whitepaper detailing how cyber security in law firms is misunderstood – and what can be done about it. This can be downloaded from: mwr.to/legalwhitepaper

Legal firms in the Hackers’ Crosshairs

Despite a media backdrop of breaches and compromises, legal organisations are not automatically a target for hackers. That does not mean they are exempt; it just means there needs to be sufficient motivation for threat actors to launch a virtual raid.

This first article of a two-part series looks at why some legal firms may become a target and at the hackers’ M.O. (modus operandi).

What is the specific security challenge faced?

A law firm will only be targeted if there is sufficient motivation for attack. Without motivation, there is no targeted threat.

As for any organisation, the nature of the firm’s business will determine which threat(s) it is at risk from. A large multi-national organisation that deals with the corporate interests of international businesses may find itself at risk from state-sponsored attack; in addition, firms specialising in M&A, IPO, High Net Worth Individuals or Intellectual Property may find themselves coveted by those seeking financial gain; a human rights lawyer or even those practicing criminal law may find hacktivists wishing to cause disruption.

Just as clients come and go, so too does the hackers’ attention. If the firm acquires a new client or moves into a new area of interest, the threats facing the law firm can radically change in tandem, meaning the security strategy needs to evolve alongside the business strategy.

The key question the firm needs to ask itself is, ‘Is there any activity that my firm is involved in now, or planning for the future, that provides the necessary motivation for threat actors to attack?’

The Hackers’ M.O.

Recognising that they’re a target in the first place is a struggle for many organisations, not just those in the legal sector. This is often accompanied by the misperception that threat actors need to utilise fully customised, expensively researched exploits to successfully target the infrastructure.

The evidence is that, rather than through a ‘sophisticated’ attack, most firms are generally breached with a combination of reconnaissance, widely available commodity malware, and well-known exfiltration techniques.

That said, there are those more sophisticated threat actors who might deploy advanced techniques to facilitate their objectives either more ‘quietly’, or in a way that carries more impact.

The initial attack path

Understanding how a criminal may strike is the first stage in mitigating the attack path that the threat actor will aim to leverage.

The majority of the effort spent in a targeted attack is in early reconnaissance. There is nothing particularly advanced about this, other than the need for time, logic and discipline. Indeed, law firms tend to make it rather more straightforward than other industries by publishing the contact details of individual lawyers online, along with their practice area. This openness, combined with the constant clamour for publicity from marketing departments issuing articles and press statements, enables threat actors to determine three key pieces of information to assist in the attack:

1) To whom should I deliver my initial payload, and how can I make sure they open it?

This could be as straightforward as sending an HR administrator malware embedded in a CV (phishing). However, in an advanced case of reconnaissance, it’s more likely to take the form of a document sent to a lawyer, ‘spoofed’ to come from a known client or perhaps from a journalist, attaching a list of questions regarding a sensitive case.

Whichever the approach, thorough reconnaissance can all but guarantee an initial payload is opened somewhere within the infrastructure.

2) Who are the organisation’s System Administrators or security personnel?

IT staff are the highest-value target in law firms; if compromised, their credentials can be used to accomplish anything from standard data exfiltration, to hard drive wiping, to setting up legitimate remote access for a threat actor to come and go undetected.

Armed with the knowledge of their identities, an attacker will either target these staff from the outset (and in increasingly sophisticated ways), or make IT staff their first target when landing elsewhere on the network.

3) Who in the organisation has the credentials to access the information I want to steal?

This phase of reconnaissance is usually the trickiest, requiring an initial foothold within a network to enable further internal reconnaissance of such assets as the company intranet, which could well contain staff lists, groups and roles.

However, law firms tend to make this easier than most firms; once again, the company website, press releases and resources such as The Legal 500 enable attackers to map individual lawyers to practice areas and key accounts. This means that attackers can target law firms with both eyes open and a clear plan, rather than taking the usual ‘sit and observe’ approach that tends to be necessary once an initial foothold has been established.

Effective Security Controls

Once an attacker gains an initial foothold on one system inside a victim network he needs to work to expand his influence. This will typically involve gaining credentials and privileges which will enable him to move to other systems.

As an attack progresses, more systems are compromised and more credentials are gained along the way. Eventually the attacker will gain access to a high value, high privilege account and the victim network is now effectively ‘owned’ by the attacker.

So, what factors will hinder the progress of an attacker on his way to becoming domain admin and stealing all of the firm’s secrets? Here are five to consider:

  • The privilege level of the attacker when the first system is compromised. For this reason it is highly advisable to configure all users to run with the minimum level of privilege required to perform their job, and no more.
  • The design of the network itself. An attacker can only compromise those systems which he is able to communicate with over the network, so network segmentation will be a big factor in preventing lateral movement.
  • Attackers will use whatever tools are available to them to achieve their objective. If they discover network enumeration tools, port scanners or password cracking utilities on a system then they will likely use them against you. Many system administration tools (especially Sysinternals) can also be abused in this way, so best practice would be to remove such software if it is not required.
  • Implementing Software Restriction Policies or AppLocker will also cause a potential headache for any attacker trying to move around the network.
  • Multi-factor authentication for systems/applications of high value could prevent an attacker from reaching the firm’s crown-jewels if he is unable to authenticate.

Covering relevant attack paths is only half the equation. At some point an attacker may be successful in moving around the network, gaining access to sensitive data and exfiltrating that data. In this event, the ability to detect and respond to the malicious activity is paramount.

The next article in this two-part series discusses effective detection controls focused around typical attack paths and will look at ways to achieve best practice in light of the legal sector’s specific challenges.