Levin advocates that high-stakes law firms shake up their security status quo and put in place more aggressive security protocols. For starters, Levin said, companies need to boost employee awareness and training and adopt robust damage-control programs that can limit the inevitable fallout from breaches.
According to this article from Threatpost, attackers have been targeting and successfully breaching a number of well-known law firms in New York City. The article mentions two specific firms by name and notes that one responded to requests for comment and one did not. The responding firm's comments were that the breach was limited, that it is working with law enforcement and an outside security firm to investigate further, and that it is not aware of any of the stolen information being used improperly. Some takeaways from the article (in no particular order).
In just the past few weeks, we've written about security events at hospitals, hotels, credit card processors, cancer treatment centers and even high-end network management and security companies. In almost every case the attackers weren't after a particular organization or vertical for its own sake; the organization was a means to an end. On engagements we call that end the 'golden egg' or 'secret sauce': what does this organization have that an attacker would want? Sometimes it's money (ransomware), sometimes it's a political statement and sometimes it's a foothold on a bigger target. The attacker's goal is to identify that golden egg and then find and exploit vulnerabilities in the defenses around it. The organization's goal, and ours, is to identify the same golden egg and find those vulnerabilities first, so they can be mitigated or eliminated.
There is no mention in the article of the nature of the attacks, but based on the targets (all of those mentioned were law firms), recent trends (phishing with malicious attachments) and the article's note that "For starters, Levin said, companies need to boost employee awareness…", I suspect this was the result of a phishing campaign. That said, this is a good opportunity to note that we still see things like Remote Desktop Protocol / Terminal Services and VNC completely exposed to the Internet. However often we say "advanced persistent threat", the reality is that attackers still succeed with phishing campaigns, brute-force attacks against Internet-facing remote desktop servers, or simply logging into a VNC server that requires no password.
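The remote-desktop brute forcing mentioned above leaves a very recognisable trail in the Windows Security log: a run of failed logons (event 4625) from one source address, often cycling through account names, and, if the attacker gets lucky, a successful logon (4624) from the same address minutes later. The script below is an added example for this post, not code from the Threatpost article or from any firm it names. It assumes the events have already been exported from EVTX into simple Python records (a SIEM or log shipper normally does that step; the sample records are constructed, with documentation-range IP addresses) and uses the standard Windows meanings of the event IDs and logon types, including the fact that RDP with Network Level Authentication records failed password attempts as logon type 3 rather than 10.

```python
"""Spot RDP password guessing in Windows Security log events.

Added example for this post; it is not code from the Threatpost article or
from any firm it mentions.  It assumes the events have already been exported
from EVTX/XML into simple Python records (a SIEM or log shipper would do that
step), and uses the standard Windows meanings:
  4625 = failed logon, 4624 = successful logon,
  logon type 10 = RemoteInteractive (RDP session),
  logon type 3  = Network (RDP with Network Level Authentication logs its
                  failed password attempts this way, via CredSSP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (time, event_id, logon_type, account, source_ip).
# IPs are from documentation ranges, not real hosts.
SAMPLE_EVENTS = [
    ("2016-03-29T02:00:01", 4625, 3,  "administrator", "203.0.113.7"),
    ("2016-03-29T02:00:04", 4625, 3,  "admin",         "203.0.113.7"),
    ("2016-03-29T02:00:09", 4625, 3,  "backup",        "203.0.113.7"),
    ("2016-03-29T02:00:12", 4625, 3,  "jsmith",        "203.0.113.7"),
    ("2016-03-29T02:00:15", 4625, 3,  "jsmith",        "203.0.113.7"),
    ("2016-03-29T02:00:20", 4625, 3,  "jsmith",        "203.0.113.7"),
    ("2016-03-29T02:00:31", 4625, 3,  "jsmith",        "203.0.113.7"),
    ("2016-03-29T02:00:40", 4625, 10, "jsmith",        "203.0.113.7"),
    ("2016-03-29T02:00:45", 4624, 10, "jsmith",        "203.0.113.7"),  # guess worked
    ("2016-03-29T08:15:00", 4625, 10, "mjones",        "198.51.100.5"),  # mistyped pw
    ("2016-03-29T08:15:30", 4625, 10, "mjones",        "198.51.100.5"),
    ("2016-03-29T08:16:00", 4624, 10, "mjones",        "198.51.100.5"),
    ("2016-03-29T09:00:00", 4625, 2,  "mjones",        "-"),             # console
]

RDP_LOGON_TYPES = {3, 10}


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per source IP with `threshold` or more failed RDP
    logons inside a sliding `window`; a later success from the same IP is
    recorded as a probable compromise rather than dismissed."""
    recent = defaultdict(deque)   # source_ip -> deque of (time, account) failures
    alerts = {}                   # source_ip -> alert dict
    for ts, event_id, logon_type, account, src in sorted(events, key=lambda e: e[0]):
        if logon_type not in RDP_LOGON_TYPES or src == "-":
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            q = recent[src]
            q.append((t, account))
            while t - q[0][0] > window:          # drop failures outside the window
                q.popleft()
            if src in alerts:                    # burst already flagged: keep counting
                alerts[src]["count"] += 1
                alerts[src]["accounts"].add(account)
                alerts[src]["last"] = t
            elif len(q) >= threshold:
                alerts[src] = {
                    "source_ip": src,
                    "first": q[0][0],
                    "last": t,
                    "count": len(q),
                    "accounts": {acct for _, acct in q},
                    "success_after": None,       # (time, account) if a 4624 follows
                }
        elif event_id == 4624 and src in alerts:
            alerts[src]["success_after"] = (t, account)
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{a['source_ip']}: {a['count']} failed RDP logons "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}, "
              f"accounts tried: {sorted(a['accounts'])}, "
              f"success after: {a['success_after']}")
```

On the constructed sample, 203.0.113.7 is flagged after its fifth failure in 14 seconds and the 4624 that follows is attached to the alert as the likely compromised account, while the two mistyped passwords from 198.51.100.5 stay below the threshold. The threshold and window are the knobs to tune against your own baseline; the point is that a success from an address that has just been guessing passwords is the event to page someone for, not a reason to close the alert.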
Sometimes the vulnerability is the result of good intentions poorly deployed, like an administrator exposing Remote Desktop so that an employee (or the CEx) can work from home. Sometimes it's an oversight, like an equipment installer leaving remote VNC access to a medical device or CCTV security system open to the Internet. Sometimes it's just a mistake made in haste, when someone clicks a malicious link in an email. Knowing what the golden egg is (privileged client data, private health data, payment information, etc.) and how it's protected (firewall, VPN, access control, etc.) is important. Knowing where it's vulnerable is critical, and the best way to get that information is to test the defenses from an attacker's perspective. Build an internal red team or build a relationship with a trusted third party experienced in offensive security. Identify those weaknesses and then implement controls to mitigate or eliminate the risks that
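Testing from the attacker's perspective does not have to mean a full engagement; the VNC case above is a few bytes of protocol. A VNC server announces the authentication methods it accepts in the first exchange of the RFB protocol (RFC 6143), before any password is sent, so an attacker, or a red team, can tell from the handshake alone whether the device behind port 5900 will hand over its desktop to anyone who connects. The script below is an added example for this post, not code from the article or any firm it names. The handshake bytes it parses are constructed, `probe_vnc()` is a hypothetical helper that needs network access and authorization to use, and the security-type numbers come from the public RFB registry.

```python
"""Check whether a VNC server will accept a connection with no authentication.

Added example for this post; not code from the article or any firm named in it.
It speaks the public RFB protocol (RFC 6143) far enough to read the security
types a server offers: RFB 3.3 servers send one 32-bit type, 3.7/3.8 servers
send a count followed by a list.  Type 1 ("None") means anyone who can reach
the port gets the desktop; type 2 ("VNC Authentication") is a DES challenge on
an 8-character password, cheap to brute-force.  probe_vnc() is a hypothetical
helper that needs network access and authorization; the parsing functions are
exercised below on constructed handshake bytes.
"""
import socket

SECURITY_TYPES = {
    0: "invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple ARD",
}


def parse_version(banner):
    """b'RFB 003.008\\n' -> (3, 8)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[11:12] != b"\n":
        raise ValueError("not an RFB version banner: %r" % banner)
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(version, data):
    """Security types the server offers, given the bytes it sent after the
    version exchange.  An empty list means the server refused the connection."""
    if version < (3, 7):
        # RFB 3.3: the server chooses a single type and sends it as a U32.
        if len(data) < 4:
            raise ValueError("short RFB 3.3 security message")
        chosen = int.from_bytes(data[:4], "big")
        return [] if chosen == 0 else [chosen]
    # RFB 3.7/3.8: U8 count, then that many U8 types; count 0 = failure,
    # followed by a U32 length and a reason string.
    if not data:
        raise ValueError("empty security-types message")
    count = data[0]
    if count == 0:
        return []
    if len(data) < 1 + count:
        raise ValueError("truncated security-types list")
    return list(data[1:1 + count])


def assess(version, types):
    """Summarise the exposure implied by an offered security-type list."""
    names = [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in types]
    return {
        "version": "%d.%d" % version,
        "offered": names,
        "no_auth": 1 in types,                      # open to anyone who can connect
        "password_only": bool(types) and all(t in (1, 2) for t in types),
    }


def probe_vnc(host, port=5900, timeout=5.0):
    """Hypothetical live check (needs network and permission): connect, echo the
    server's version (capped at 3.8), and read its security-type message."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        version = parse_version(s.recv(12))
        negotiated = min(version, (3, 8))
        s.sendall(b"RFB %03d.%03d\n" % negotiated)
        # Best effort: one recv() covers the short messages here; a real
        # scanner would loop until the expected length has arrived.
        return assess(negotiated, parse_security_types(negotiated, s.recv(256)))


# Constructed server messages, not captures from any real host.
OPEN_38 = (b"RFB 003.008\n", b"\x02\x01\x02")                  # None + VNC auth
PWD_33 = (b"RFB 003.003\n", b"\x00\x00\x00\x02")               # 3.3, VNC auth only
TLS_38 = (b"RFB 003.008\n", b"\x01\x13")                       # VeNCrypt only
REFUSED = (b"RFB 003.008\n", b"\x00\x00\x00\x00\x08Too many")  # count 0 + reason


def assess_sample(sample):
    """Run the same parsing probe_vnc() would, on a constructed handshake."""
    banner, msg = sample
    version = min(parse_version(banner), (3, 8))
    return assess(version, parse_security_types(version, msg))


if __name__ == "__main__":
    for name, sample in [("OPEN_38", OPEN_38), ("PWD_33", PWD_33),
                         ("TLS_38", TLS_38), ("REFUSED", REFUSED)]:
        print(name, assess_sample(sample))
```

A server that offers type 1 is the "unsecured VNC" case: no password, no brute force, just connect. One that offers only type 2 is barely better, since the password is capped at eight characters and the challenge can be attacked offline if captured. Either result on an Internet-facing medical device or camera DVR is exactly the kind of finding this test is meant to surface before someone else does.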