Ed. note: This is part two of a two-part series on how law firms can address critical vulnerabilities in their security posture. Part One focused on setting the stage for an external expert assessment and used a case study to examine physical security issues law firms should be examining. Part Two will continue with the case study by addressing assessment techniques including attack simulations, social engineering and open source intelligence review.
The ABA tackled head-on the hostile threat environment that requires lawyers to critically consider how to adequately protect their clients’ communications in the digital age in ABA Formal Opinion 477 (May 2017), which states that cybersecurity recognizes a world where law enforcement discusses hacking and data loss in terms of “when and not if.”
Law firms are logical targets for hackers because they collect and store highly sensitive information about clients. Small and medium-sized firms often struggle to give proper attention to the electronic infrastructure they need both to be productive and to adequately protect data and communications. Additionally, client data notwithstanding, law firms have their own data, business practices, intellectual property, and employee data to protect. So it comes as no surprise that sophisticated hackers actively test the perimeters of law firms’ networks and cloud environments and target employees to gain the fastest path into databases and other systems containing this valuable information. What’s on the line: reputational damage, lawsuits, and the risk of regulatory enforcement.
Outside experts can help law firms reduce the risk of a harmful and costly breach. In part one, we discussed the benefit of physical security assessments. Now let’s get into additional attack simulation exercises which can bring great value to uncovering and shoring up vulnerabilities.
Attack Simulations
Typically, law firms have invested a great deal of hours and funding into what they believe are strong enough security stacks to withstand hackers. To create a truly resilient environment, however, it’s useful to vet this assessment against the realities of what sophisticated hackers can achieve. Traditionally, adversaries approach exploitation of a target through social engineering, email compromise, public websites, or gaining physical access to a facility.
With a deep dive assessment that mimics a real-world attack by a malicious actor, an outside expert can demonstrate the ability to gain access to an office through a “red team” approach: this simply means that an outside team (the red team) will stage an attack against all potential attack vectors to evaluate the effectiveness of the firm’s security infrastructure and response capabilities.
Aside from attempting to compromise physical security assets such as badge reading systems and closed-circuit TV (CCTV) once inside the physical perimeter, an additional goal of a red team exercise in this context is typically to perform lateral movement within the network to other geographically dispersed offices, highlighting any weaknesses in network segmentation. Shared applications and resources between different global locations are prime targets within the internal network and pose unique threats to organizations with global footprints. These resources can range from file shares to intranet web pages, and they allow unintended jump points between networks that bypass any segmentation between those systems.
Another tactic is to target key administrators with access to production systems and/or to attempt bypassing or compromising sensitive Security Operations Center (SOC) assets and tools. This delivers a clear view of the SOC’s ability to properly monitor against risk and gauges the ability and response time of automated security technology alerts and IT personnel.
Finally, the red team will try to compromise internet-facing applications and network infrastructure including open ports and vulnerable services. They do this by performing credential stealing, executing two-factor authentication bypass, and applying other attack methodologies.
After these attack simulations are complete, the red team compiles a final report containing findings, precise remediation recommendations, and a gap analysis demonstrating areas for improvement.
Targeted Social Engineering Simulations
Another form of attack simulation is a highly tailored social engineering campaign directed at agreed-upon initial targets such as global help desk operations or other personnel who are typically on the front lines of inbound communications.
The primary objective of social engineering is to circumvent network defenses, leveraging an approach that targets trusted users to gain access to privileged information or resources. Attackers often use social engineering to establish initial access and gather intelligence to prepare for a future remote attack.
Additional objectives of social engineering attack simulations include:
- Identify remote code execution vulnerabilities on workstations.
- Collect data on the likelihood that your personnel will click on potentially malicious links or open emails that yield network credentials. This can be used to measure the effectiveness of anti-spear-phishing training.
- Bypass security controls, restrictions, and boundaries.
- Inform and prioritize risk mitigation and avoidance to prevent catastrophic effects from such attacks.
An important goal of these assessments is to determine a firm’s maturity in withstanding phishing attempts. Broadly speaking, phishing denotes an adversary’s attempt to exploit a target by gaining entry (physical or electronic) by convincing employees or contractors to take an enabling action allowing entry or assets transfer to an attacker. Phishing can take many forms including the following:
- Email/Chat Spearphishing
  - Emails impersonating fictitious entities, which may contain malicious links, embedded malicious content, or attachments that contain malicious code.
  - The attack effort can include:
    - Establishing whether the email infrastructure is properly flagging spam.
    - Enticing users to click or execute malicious messages, which ultimately would provide a hacker with access to a corporate endpoint.
    - Enticing high-level individuals (think: C-suite) to take actions that are more productive for the adversary because of the access and actions available to the high-level target (aka “whaling”).
    - Enticing targeted administrators to take enabling actions (aka “spearphishing”).
- Phone Phishing
  - Phone calls in which operators attempt to elicit sensitive corporate data, reset a user’s password, or, paired with email phishing, establish remote access to a user’s workstation through “pretexting,” which amounts to pretending to be someone else to obtain private information.
- Physical Phishing
  - Attempts to gain physical access to a corporate environment for the purpose of either collecting sensitive data or installing remote connectivity (see: physical security assessments).
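One concrete way to answer the “is the email infrastructure properly flagging spam” question during a simulation is to inspect the gateway’s `Authentication-Results` header on a test message that spoofs the firm’s own domain. The following is an added example, not code from the article or from any assessment vendor; the firm domain `firm.example`, the header layout and the sample message are all constructed.

```python
"""Decide whether a delivered phishing-simulation email should have been
flagged by the mail gateway, using its Authentication-Results header.

Constructed example. Assumes the gateway stamps an RFC 8601
Authentication-Results header and that the assessed firm's domain
is 'firm.example' (both assumptions, not taken from the article)."""
import re
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "firm.example"  # assumed domain of the firm being assessed

# Constructed raw message: the sender impersonates the firm's help desk,
# but SPF fails, there is no DKIM signature, and DMARC is not aligned.
SAMPLE_EMAIL = """\
Authentication-Results: mx.firm.example;
 spf=fail smtp.mailfrom=helpdesk@f1rm-example.com;
 dkim=none;
 dmarc=fail header.from=firm.example
From: "IT Help Desk" <helpdesk@firm.example>
To: associate@firm.example
Subject: Password expiry notice

Your password expires today. Sign in at http://portal.f1rm-example.com/
"""

def parse_auth_results(header: str) -> dict:
    """Return {method: result} from an Authentication-Results value.
    The leading authserv-id clause ('mx.firm.example') is skipped."""
    results = {}
    for clause in header.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if m:
            results[m.group(1)] = m.group(2).lower()
    return results

def evaluate_message(raw: str, firm_domain: str = FIRM_DOMAIN) -> dict:
    """Report the From domain, the gateway's verdicts, and whether the
    message should have been quarantined rather than delivered."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    auth = parse_auth_results(" ".join(msg.get_all("Authentication-Results", [])))
    # A message claiming the firm's own domain that does not pass DMARC is a
    # spoof; a gateway that still delivers it is not properly flagging spam.
    spoofed = from_domain == firm_domain and auth.get("dmarc") != "pass"
    reasons = [f"{k}={v}" for k, v in auth.items() if v != "pass"]
    return {"from_domain": from_domain, "auth": auth,
            "should_flag": spoofed or auth.get("spf") == "fail",
            "reasons": reasons}
```

Running `evaluate_message(SAMPLE_EMAIL)` on the constructed message yields `should_flag` of `True` with reasons `spf=fail`, `dkim=none` and `dmarc=fail`, which is the evidence an assessor records when such a message reaches an inbox unmarked.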
Deploying the proper training, monitoring, email scanning/filtering, and policies designed to segment off critical assets can fend off even the most clever social engineering hackers. Understanding the capabilities of a firm’s people and systems is an important first step.
Open Source Intelligence Assessments
Through reviewing publicly available information on the internet, law firms can gain a better grasp of how hostile actors may be building profiles of their organizations. Physical and digital vulnerabilities often begin with a small thread discovered online, such as in an employee’s social media postings or client files entrusted to a firm now being sold on the dark web. Experts use a full suite of open source research tools and methodologies including social media to comprehensively identify personally identifiable information, leaked credentials, or breached data. With an understanding of what hackers can learn about their executives, practices, clients, and physical assets online, firms can shore up their defenses and create a more secure perimeter around their critical assets.
No organization, law firms included, can eliminate the risk of being a target of hacking. The best approach is to understand the risk more comprehensively through sophisticated and tailored external assessments. From there, detailed recommendations can direct internal resources to fix technical gaps. The goal is not to extinguish the threat altogether, but to manage it at least better than the next law firm.
Jennifer DeTrani is General Counsel and EVP of Nisos, a technology-enabled cybersecurity firm. She co-founded a secure messaging platform, Wickr, where she served as General Counsel for five years. You can connect with Jennifer on Wickr (dtrain), LinkedIn or by email at [email protected].