Concealing data breaches is not a zero risk strategy – how the hacking threat can be countered through collaboration

by Alister Shepherd, a security and investigations expert at Stroz Friedberg
Many law firms have put considerable resources into cyber security – sometimes in the wake of a breach – while others appear to remain unaware of the scale of the threat posed by attackers. However, the legal sector has a significant role to play in the wider fight against cyber crime, and a cohesive approach is needed to counter the threat.
Cyber attacks are the defining threat of the connected age, with lawyers facing heightened risk due to the treasure trove of information they hold. While hackers are working together to constantly adapt and develop new attack techniques, their victims often fail even to report attacks to authorities, believing this to be a lower risk strategy for their business. This collective failure of information sharing ensures that everyone remains vulnerable. If we want to create a properly protected digital environment, there needs to be a fundamental shift in our approach to cyber security threat intelligence, with governments, corporates and small businesses all playing their part. We need to learn from our attackers.
Among the factors helping cybercrime stay under the radar is the perception that it is highly technical, and not something with which non-IT staff need to engage. However, information technology is a pervasive and critical part of our professional lives, and all members of staff have a responsibility to understand the risks and to use valuable connectivity securely. A short awareness session of one to two hours should be sufficient for employees to understand the rudiments of cyber security, such as social engineering and phishing emails. Given these techniques have cost companies tens of millions of pounds, this is surely a reasonable investment.
Victims are also often reluctant to report cybercrime to authorities because they are concerned about the potential interruption and loss of control caused by an investigation, while there is little likelihood of recovering stolen assets; and they sometimes believe reputational damage can be minimised by restricting reporting to outside entities. A recent report from Citigroup suggests law firms are among the worst offenders for this – to the frustration of authorities and corporate clients alike.
The alternative is to risk much greater embarrassment when clients find out that a firm has been attempting to cover up a breach. The vast majority of victims of network intrusions are informed about their breach by an external entity, which means that attempting to conceal a breach long term is actually a risky strategy. Those trying to sweep incidents under the carpet may also fall foul of the authorities as a result. UK law firms were investigated 187 times by the Information Commissioner for possible breaches of the Data Protection Act last year, and almost a third (29%) were related to security breaches.
It is not just the issues around reputational damage that keep cyber attacks off the collective agenda. The visibility of cybercrime is also extremely poor. The recent Hatton Garden heist, which saw thieves tunnelling into the vault of Hatton Garden Safe Deposit in London’s jewellery quarter, netted the robbers an estimated £200 million in valuables. The incident garnered massive media attention, capturing the public imagination. Arrests were made six weeks after the theft. Compare that to Carbanak – a campaign by cyber criminals that reportedly earned the thieves an estimated $1 billion from around 100 banks worldwide. Also a highly sophisticated campaign, requiring a network of criminals with specialist skills, coverage of this attack has been extremely limited – and no arrests have yet been made.
Law firms may feel that they are not as vulnerable as banks, as it would rarely be possible for hackers to gain access to such large amounts of money. However, cybercriminals are targeting any sources of data that can be monetised, and their approach is growing ever more sophisticated. Details of intellectual property or corporate transactions can be highly lucrative, while medical records may fetch a higher price on the black market than credit card details. In large legal cases involving states or potentially unscrupulous corporations, hacking may be used to gain information on an opponent’s strategy or even to disrupt negotiations.
On the other side of the battlefield, cyber criminals are constantly evolving and, increasingly, cooperating. Nation states are co-opting hacktivist groups or utilising services and assets provided by organised criminals. Malware and infrastructure are shared, recycled and re-used at an alarming rate. Reviewing even the most sophisticated attacks, attributed to highly cyber-capable nation states, there is a pattern of the same malware (or ‘implants’ in government parlance) and command and control (C2) infrastructure being used against multiple victims, across various sectors, including finance, energy, telecoms and governmental institutions.
Some of this should make it easier to defend against attacks, except that defenders are not cooperating in the same way. Even the best efforts, such as the ISAC knowledge sharing system in the US, are stove-piped so that firms share within their industry but not with their own supply chains, a strategy that seems inexplicable from a risk management perspective.
Thanks to those that have reported their breaches, law enforcement agencies are gaining experience investigating cybercrime. This usually involves collaboration with commercial incident response companies, who are able to minimise disruption within the corporate estate. This model has much to recommend it and may help achieve the paradigm shift needed when it comes to sharing intelligence on cyber threats.
Cyber intelligence has a unique attribute, where its value increases the more widely it is shared. Of course attackers can change their C2 infrastructure or obfuscate their code, but no-one has limitless resources. Recent reporting on groups behind some of the more advanced persistent threats has shown that their operations can be severely damaged by sharing information on their tools and infrastructure.
No previous arms race has had the ability to neutralise the enemy by simply publicising its methods of attack, but real collaboration between the public and private sectors is required to make this work. While governments should lead the way, they are no longer the main owners of intelligence in this space. The private sector will commonly have defensive tools or capabilities that rival or exceed those in the public sector, while many organisations also have the capacity to share information and initiate investigations across international borders far more quickly than government agencies.
In this highly interconnected era, we all “need to know”, and the legal sector can lead the way in tackling and minimising this threat, both within the industry, and with the advice provided to clients who are the victims of a breach. Ironically, we need to take a lead from the hackers and work together, learning about their techniques and making their methods public, and raising the awareness outside of IT departments of the magnitude of the threat.
* Alister Shepherd is a security and investigations expert at Stroz Friedberg, an investigations, intelligence and risk management company.