Discover how a top 100 UK law firm moved to a risk reduction security model after realising the importance of IT hygiene, policy enforcement and user education when they fell victim to a targeted attack.
Secrutiny were able to quickly establish the root cause of the attack, raising a level of confidence within our team that undoubtedly helped us achieve a successful outcome.

Head of IT



Top 100 Law Firm.


No dedicated in-house cybersecurity skills.


Perimeter Based Email & Web Protection.

Next-Generation Endpoint Solution.
Penetration Testing.


A top 100 law firm thought they were keeping up with the threat of a cyber-attack; they had a standard, traditional security position with perimeter based email and internet protection.

While there were no dedicated cyber security skills in-house, the firm had purchased a managed next-generation endpoint security solution and undertaken penetration testing with positive results.

the attack

The firm first became aware of the attack when malicious emails were sent to clients.

Secrutiny was quickly contacted to initiate an incident and begin forensic investigation. Arriving on site the next day, we were swiftly able to establish that this was a sophisticated persistent attack and that the breach had in fact begun two months previously.


Straightaway, suspicious network traffic from several computers to unknown external sites was identified, however, the full scope of the situation could not be understood by looking at network traffic alone.  

A lack of forensic data delayed investigations by a week while Secrutiny deployed an agentless forensic analytics tool to scan the entire estate. Within hours of deployment completing, 10% of computers were found to be impacted by the breach, with others exhibiting suspicious behaviours from other sources.

The initial breach was accomplished via spear phishing, which allowed the attackers to exploit application vulnerabilities and place their malicious code into obscure directories. From here, they were able to steal user credentials and drop additional payloads to achieve their ultimate objective which was large-scale data theft.

Lateral movement was possible due to the firm’s authorised use of a standard remote access tool, Dameware. The attackers were able to move around using approved business tools and known credentials without alerting to their activity.  By analysing Dameware usage, statistical patterns, and other analytics from the endpoints accessed, Secrutiny were able to isolate the machines used as hop points across the network.

This diagram maps the stages of the attack outlined in this case study to the industry standard Kill Chain.

In all breaches, the threat actor must affect some, or all, of the levels of the kill chain, manipulating the categories of risk to achieve their target.


After 3 weeks of investigation to hunt down and isolate the attack, 81 affected endpoints were identified, a remediation plan was drawn up and eviction activated. The firm went dark over the weekend while 81 devices were re-imaged, a total password reset of all Active Directory and SQL accounts were applied and remote access was disabled.

Incident Response engagement with Secrutiny was extended post-eviction for 3 months as the hackers attacked, again and again, hoping to re-establish a foothold.

what happened next?

The law firm decided that to limit exposure to future attacks they would embark on an Information Security Maturity Programme focusing on IT hygiene, policy enforcement and user education.

Firstly, to identify the risks and threats specific to their firm, they tasked Secrutiny with conducting a Cyber Risk Audit to assess security posture and hygiene to identify and evidence operational risk, misuse, infection and compromise.

Determining risk in these areas enabled the firm to define and prioritise actions for greatest risk reduction, embed security within IT Operations and develop a business understanding of security.

The law firm have also purchased Secrutiny’s Patrol Services to maintain continuous visibility of risk through monitoring of all aspects of IT and behaviour to inform of change and risk as it appears in the business.

key takeaways

Malware is not the problem it is sensationalised to be. IT hygiene, policy enforcement and user education should drive security strategy.
While malware was utilised by the attackers in this case, it was purely to gain access.
Theft of credentials, sensitive data and ultimately the risk to brand reputation was only possible due to the over privilege standard users had within the estate, a hygiene issue.
The estate was vulnerable to attack without the attackers having to employ particularly sophisticated tools and when it happened there was no detection capability to know something was wrong.
Having a well-tested Incident Response Plan with forensic capabilities would have dramatically reduced the firm’s investigation time and cost by circa 50%.

Ready To Get Started?

Get in touch