Peter Cohen, Strategic Director of Countercept at MWR InfoSecurity, is involved with setting up, detecting and responding to targeted cyber-attacks across critical national infrastructure across the UK.
His experiences with service in the legal industry, have largely been positive. He states there’s a lot of good people in the security teams at law firms who are living through a change where cyber-security is moving in the right direction. He speaks with us today on the protocols law firms should take when protecting their data, where to allocate their budgets and why cyber security insurance should be re-thought.
Do you believe any legislation needs to be developed to ensure justice is served post cyber-attack?
Interesting question! I think legislation is a difficult one as it is already in place to ensure that criminal proceedings can be dealt with appropriately, so I would say the only way around this is with effective attribution of cyber-attacks. Attribution is one of the hardest things to be completely accurate with as it’s a grey area and you’re always looking at multi-jurisdictional cases, particularly when law firms have been targeted by criminal breaches from overseas. When attribution is effective and it’s done accurately, and the criminals responsible are based in the same jurisdiction as their victim, then existing legislation is sufficient. What is difficult, however, is that attribution.
A reason why law firms tend to be attacked is because they tend to be quite exposed. What do you think can be done to ensure this isn’t used to help the hackers?
That’s another good point. The problem with security is that attackers won’t go directly for those assets. They’ll go for people instead. If you hide the assets, it’s not going to affect the first stage of an attack.
Anyone at a law firm: a lawyer, a paralegal a secretary, support staff, or even IT, will be the person who is breached and an attacker will then utilise their credentials to facilitate the rest of the attack. If you hide assets, you’re making it harder for the people in the organisation to do their job and you create security through obscurity, but at the same token, making the ease of doing business harder for the sake of security, so hiding assets doesn’t really work.
What firms should be doing is ensuring they can quickly detect user compromise. So if you understand that your users and the user accounts are going to be breached and will be utilised to get the assets, you can detect that attack and nip it in the bud before any assets are compromised.
What is the best protocol?
To effectively detect rapid user compromise, you need some kind of advanced endpoint protection, an agent which can detect any kind of anonymous behaviours, anything out of the ordinary happening on that user’s machine which may be indicative of an attacker action.
Where do you think law firms lag when it comes to security?
Another interesting point as I’d say the last 9-12 months have seen a bit of a change in attitudes towards security – not from the security teams in law firms as they have always had a passion to ensure that they’re as secure as they can be – but in the partners and the budget holders, because security expenditure does come out of their end of year bonus. We’ve seen a far more pragmatic approach as they are willing to allocate the necessary resources to bring law firms up to more in line with the rest of industry. We are seeing more momentum within the industry to make sure that they aren’t the weakest link and not the softest underbelly within and the first place attackers would go to, but there is still room for improvement.
Do you think smaller law firms are under more threat?
Smaller law firms face a different threat to larger firms. Typically, a smaller firm would hold less motivation to the more advanced criminal groups – particularly those groups that are motivated by data related to mergers and acquisition deals. Smaller firms typically, will not hold data that will give an advanced threat the requisite reservation to target. So, from our perspective – do their defences need to be as high as a larger firm who is involved in multi-national M&A deals? No they don’t. However, smaller firms do hold more motivation for less advanced criminal groups who might be utilising ransomware or commodity malware with a view to extract some quick ransom money from a firm. A smaller law firm is less likely to have the controls in place to block that activity or that ransomware but are also less likely to have the IT process in place to recover from the ransomware attack without paying the ransom. At the moment, smaller law firms are being targeted by those threat attackers lower down the food chain but they are being targeted more frequently than the larger firms who are ignored by those less capable attackers.
Do companies and firms tend to incorrectly pinpoint the motivation behind the hackers attack?
Like I said before, attribution is seriously hard but having said that, it depends on post breach and what data has been stolen. From there, you can start to piece together what the motivation behind the attack would have been. What we should really do is flip that and understand the key is to have a grasp on the motivations related to different data assets before a breach. Understand who, which groups, which nations/states, which hacker groups, would have a motivation to access this kind of data and understand the capability of those groups and how they operate and the techs they might use. We ought to look at the own systems and controls and see if there’s a mismatch between the attacker and the controls and infrastructure you have surrounding that data. If there is, you’ll need to make a risk calculation to determine whether you’re protecting that data appropriately or not.
How difficult would you say it is to gain that information? How long should it take to figure out motivations?
In short, the answer is 1-2 weeks. Worst case scenario is that you could go on for 6 months and never get to the bottom of it. After an attack, it depends on the complexity. If it’s just one or two compromised users and one data set has been stolen or lifted, then it’s quite straightforward to determine the extent of the breach; attributing it to a specific criminal group or nation depends a lot on the infrastructure and tools used to perform the breach. If they are commodity pieces of malware that have been bought on criminal forum by a known criminal group using infrastructure that has been known the security industry before, it’s quite straightforward and be attributed quite quickly, however that’s not usually the case. You can’t usually say with 100% certainty who it was, particularly with a targeted attack.
An attack with specific infrastructure or specific attack sectors or new malware to target a law firm wouldn’t have been seen before because it would have been newly designed . From this, you can only really make assumptions to who performed the breach. That being said, if you follow the trace back through the rabbit hole far enough, you can start to improve your chance of working out where the attack has come from.
A prediction for cyber security is increased regulations, what do you think this poses for companies or law firms?
Regulations do not equate to security, they typically equate to compliance. A series of requirements a firm has to meet in order to be able to bid for any piece of work or meet a certain standard that’s important to them or the industry. Those tend to require certain technologies to be procured and put in place but actually, if we look at it from a security perspective they don’t cover the attack paths at all that an attacker would look to exploit. With more regulation, comes more “stuff” that a firm has to do which will lead to a false sense of security, particularly by the business owners. They’ll see that they’ve spent a whole load of money on things which allow them to be compliant and potentially bid for more work, but have done nothing to improve their security posture. It will create a challenge for security teams in law firms as they may be forced to spend the budget that they have on compliance and regulations rather than actually defending the business.
What would you suggest be done or changed?
The first thing to do is to ensure the business owners are up to speed and understand the threat profile of the firm based on the data which it keeps, the clients which it keeps, the markets in which it operates and the geographies in which its present. That threat profile, if understood by the business owners and partners, should, if properly understood, trigger the appropriate level of budget to secure that firm.
In a lot of firms, that’s already been done and so the next thing to look out for would be the budget allocation. We’ve talked about regulatory compliance and how that doesn’t equate to security and so perhaps it falls under a different pot of budget; it should be spent on effective detection and response. This will enable a rapid response to user compromise and ensure targeted attacks can be detected and stopped.
Firms should perhaps move away from the more preventative traditional controls that have been put in place which are being bypassed by targeted attackers, such as next-gen firewalls and anti-virus products (anything securing the perimeter), and instead be able to respond to a user compromise.
Leading on from that point, John McCathy said that his predictions of cyber security is that the anti-virus paradigm will be seen as dead. Can you comment on the effect of this on firms and companies?
He’s completely correct, antivirus is dead in regards to targeted attacks. We can say that with 100% confidence because we see it every week. If a law firm or any other firm is targeted and someone has a specific motivation to breach that, then malware will be used that doesn’t carry a signature and would bypass antivirus. The effect that this has on security for law firms, is that they need to understand that this shift has taken place and if they are likely to be targeted they need to put in additional security controls. If they’re not likely to be targeted because they don’t carry the requisite information with the requisite motivation to cause a targeted attack, the more traditional security controls are likely to be okay. If anything they carry is of value, they need to change the focus of where they’re spending security budget.
Do you think it’s essential that law firms invest in insurance?
The short answer is no. The reason for that is because cyber security insurance kicks in after you’ve been breached and it basically pays for the appropriate incident response: clearing up and stating what has happened. The biggest thing a law firm has is its reputation and that’s one of its most valuable assets. Cyber security insurance will not in any way, help a law firm maintain its reputation. It might pay for a PR agency to put a spin on it post-breach, but it won’t actually stop the breach. A law firm in particular, is far better of spending its money on actual security, something to make it safer, rather than an insurance policy to clear up, as its main asset will still be hit.