CYBER SECURITY IN LEGAL
Head of IT
No dedicated in-house cybersecurity skills.
Next-Generation Endpoint Solution.
A top 100 law firm thought they were keeping up with the threat of a cyber-attack; they had a standard, traditional security position with perimeter-based email and internet protection.
While there were no dedicated cyber security skills in-house, the firm had purchased a managed next-generation endpoint security solution and had undertaken penetration testing with positive results.
The firm first became aware of the attack when malicious emails were sent to clients.
Secrutiny was quickly contacted to initiate incident response and begin a forensic investigation. Arriving on site the next day, we were swiftly able to establish that this was a sophisticated persistent attack and that the breach had in fact begun two months previously.
Straightaway, suspicious network traffic from several computers to unknown external sites was identified; however, the full scope of the situation could not be understood by looking at network traffic alone.
A lack of forensic data delayed the investigation by a week while Secrutiny deployed an agentless forensic analytics tool to scan the entire estate. Within hours of the deployment completing, 10% of computers were found to be impacted by the breach, with others exhibiting suspicious behaviours from other sources.
The initial breach was accomplished via spear phishing, which allowed the attackers to exploit application vulnerabilities and place their malicious code into obscure directories. From here, they were able to steal user credentials and drop additional payloads to achieve their ultimate objective which was large-scale data theft.
Lateral movement was possible because of the firm’s authorised use of a standard remote access tool, Dameware. The attackers were able to move around the network using approved business tools and known credentials without anyone being alerted to their activity. By analysing Dameware usage, statistical patterns and other analytics from the endpoints accessed, Secrutiny were able to isolate the machines used as hop points across the network.
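The hop-point analysis described above, as an added illustration rather than Secrutiny's own tooling or anything from this case study: it takes constructed remote-access session records (hostnames, accounts and the set of approved source hosts are all invented placeholders), flags hosts that both receive a session and originate further ones, shows what each hop point could reach, and lists accounts whose sessions originate from unexpected hosts.

```python
from collections import defaultdict

# Constructed remote-access session records: (source host, destination host, account).
# Hostnames and accounts are placeholders invented for this example; in a real case
# they would come from the remote-access tool's own logs or endpoint telemetry.
SESSIONS = [
    ("HELPDESK01", "WS-017", "CORP\\helpdesk1"),
    ("HELPDESK01", "WS-042", "CORP\\helpdesk1"),
    ("HELPDESK02", "WS-101", "CORP\\helpdesk2"),
    ("WS-017", "FS-01", "CORP\\helpdesk1"),    # a user workstation originating sessions
    ("WS-017", "WS-088", "CORP\\helpdesk1"),
    ("WS-088", "SQL-01", "CORP\\helpdesk1"),
]

# Hosts from which remote sessions are expected to originate (assumed baseline).
APPROVED_SOURCES = {"HELPDESK01", "HELPDESK02"}


def build_graph(sessions):
    """Directed graph of which host remoted into which."""
    out_edges, in_edges = defaultdict(set), defaultdict(set)
    for src, dst, _account in sessions:
        out_edges[src].add(dst)
        in_edges[dst].add(src)
    return out_edges, in_edges


def find_hop_points(sessions, approved_sources):
    """A non-approved host that both receives a session and originates
    further sessions is a candidate hop point."""
    out_edges, in_edges = build_graph(sessions)
    hosts = set(out_edges) | set(in_edges)
    return sorted(h for h in hosts
                  if h not in approved_sources and in_edges.get(h) and out_edges.get(h))


def reachable_from(sessions, start):
    """Every host reachable by following sessions outward from `start`:
    the set to review for containment once `start` is confirmed as a hop point."""
    out_edges, _ = build_graph(sessions)
    seen, stack = set(), [start]
    while stack:
        for nxt in out_edges.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def accounts_from_unexpected_sources(sessions, approved_sources):
    """Known credentials used from hosts that should not originate sessions."""
    by_account = defaultdict(set)
    for src, _dst, account in sessions:
        if src not in approved_sources:
            by_account[account].add(src)
    return {acct: sorted(srcs) for acct, srcs in by_account.items()}
```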
After 3 weeks of investigation to hunt down and isolate the attack, 81 affected endpoints were identified, a remediation plan was drawn up and the eviction was carried out. The firm went dark over the weekend while the 81 devices were re-imaged, a total password reset of all Active Directory and SQL accounts was applied and remote access was disabled.
The Incident Response engagement with Secrutiny was extended for 3 months post-eviction as the attackers returned again and again, hoping to re-establish a foothold.
What happened next?
Firstly, to identify the risks and threats specific to their firm, they tasked Secrutiny with conducting a Cyber Risk Audit to assess security posture and hygiene, and to identify and evidence operational risk, misuse, infection and compromise.
Determining risk in these areas enabled the firm to define and prioritise the actions offering the greatest risk reduction, embed security within IT Operations and develop a business understanding of security.
The law firm have also purchased Secrutiny’s Patrol Services to maintain continuous visibility of risk, monitoring all aspects of IT and user behaviour so that change and risk are reported as they appear in the business.