Client financial information. A treasure trove of potentially embarrassing info perfect for blackmail and extortion. Victims with deep pockets and a business model built on client trust and reputation. These are all reasons why law firms are very tempting targets for hackers.

Unfortunately, like many other organizations, law firms are often low-hanging fruit for attackers. This is particularly true for very large firms with many integrated, business-critical systems: once one of those systems is compromised, the rest are reachable from it, and the firm can find itself caught in the crossfire of a cyberwar it had no part in.

From Russia with love

A salient example of this was last year’s attack on DLA Piper. A disk wiper disguised as the Petya ransomware (since dubbed NotPetya) was unleashed on Ukrainian companies via the built-in update feature of an accounting software program required by the Ukrainian government for firms doing business with it. Once inside a network, this supply-chain attack spread using the “EternalBlue” SMB exploit, thought to have been created by the US National Security Agency and leaked by the “Shadow Brokers” hacker group, and also by harvesting credentials from each infected machine and reusing them to reach neighbouring hosts, so even fully patched systems were not safe from it.

DLA Piper wasn’t even the main target. The firm was collateral damage in a national-scale cyberattack half a world away, one which leveraged (and further weaponized) exploit code from the NSA. The law firm simply happened to have an office in Ukraine in which someone was using the accounting software.

Even so, once the data-destroying malware entered DLA Piper’s network through that overseas office, it moved at a blistering pace across the firm’s network. It took days to restore fundamental systems such as voice over IP (VoIP) telephone service, billing, payment, and email. Even a large firm like DLA Piper, which had a cyber incident plan in place, was caught off guard by the speed and extent of the damage. As Don Jaycox, the CIO of the Americas for DLA Piper, put it, “What we hadn’t planned for – and in retrospect it sounds foolish – was the complete loss of everything”.

As we’ll see shortly, securing everything via micro-segmentation is a viable alternative to losing everything.

Survey says…law firms aren’t prepared

The DLA Piper attack illustrates just how destructive rapid, malicious lateral movement through a network can be. Even more worrisome is the fact that most law firms are not even as prepared as DLA Piper was.

A recent survey showed that 40% of US law firms weren’t even aware they had been breached. It gets worse: even though 63% of breaches involved third parties (e.g. the Ukrainian accounting software vendor), 80% of those firms don’t audit or screen them. To top it off, 95% of the surveyed law firms didn’t comply with their own data governance policies.

Without fast incident discovery, limiting the damage and costs from a breach becomes almost impossible. If the full attack surface of an organization – whether it be a law firm or a lumber company – isn’t guarded and monitored, then supply chain attacks like the one that hit DLA Piper can walk in through a trusted vendor’s update channel. When stringent data controls aren’t used, a single foothold can turn into a mega-breach.

The cloud doesn’t provide enough cover

Although modern cloud-based legal document management systems (DMSs) do offer some protections for the data contained on them, DMSs like PracticePanther and more comprehensive solutions like Clio alone can’t solve law firms’ attack surface problem for several reasons:

  • The main security feature of these systems, automated backups (even of every version of a document), does nothing to prevent damaging data exfiltration. A backup restores what was destroyed; it does not recover what was copied out, as Mossack Fonseca learned.
  • The data hosted on cloud-based platforms is only as secure as the endpoints used to access it. Endpoint protection for the mobile devices, PCs, and Macs that log in to the DMS is still required and still the responsibility of the law firm, as are strong perimeter defenses like firewalls.
  • Beyond the individual devices, law firm networks need to be secured as well, especially large ones whose infrastructure is sprawled across a fast-evolving hybrid cloud environment.
  • The other main selling point of these systems is their ability to integrate seamlessly with other productivity applications like Microsoft SharePoint, Adobe Acrobat, and the Microsoft Office suite, which are often hosted not in the cloud but on the firm’s own network infrastructure, either on bare metal servers or VMs. These integrations increase the usefulness of a DMS, but every integration is another trusted path between systems, and each one widens the exposed attack surface.

How micro-segmentation delivers macro-protection

Advanced micro-segmentation solutions can block malicious lateral network traffic by first identifying and visualizing all internal data flows, down to the process level. From there, a suggestion-based workflow can automate the crafting, implementation, and enforcement of traffic policy rules: the flows that a workflow legitimately needs become an allow-list, and everything else is denied by default, locking down each part of even complex workflows like a sequestered jury. That way, when malicious internal traffic is attempted, say from a quickly advancing cyber weapon from Eastern Europe, it falls outside the policy and is identified, flagged, and blocked instead of silently forwarded.
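To make the workflow above concrete, here is an added example (written for this page, not code from any micro-segmentation product) of the policy logic: learn process-level allow rules from a baseline of observed east-west flows, then evaluate new flows under default deny. The Flow record, the host role names, the process names and all flow data are constructed assumptions for the example; a real product would collect the baseline from host agents and enforce the resulting rules in each host’s firewall.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed east-west connection, as a process-level flow record.

    Hosts are identified by role (e.g. "workstation", "dms-server") rather than
    by IP so that one rule covers every machine in that role. The field names
    and the roles are assumptions made for this example.
    """
    src: str       # role of the host that opened the connection
    dst: str       # role of the host that accepted it
    port: int      # destination TCP port
    process: str   # executable on the source host that opened the socket


# Constructed sample of flows seen during a clean "learning" period (not real data).
BASELINE = [
    Flow("workstation", "dms-server", 443, "chrome.exe"),
    Flow("workstation", "dms-server", 443, "outlook.exe"),
    Flow("workstation", "sharepoint", 443, "winword.exe"),
    Flow("workstation", "dc", 88, "lsass.exe"),     # Kerberos
    Flow("workstation", "dc", 389, "lsass.exe"),    # LDAP
    Flow("sharepoint", "sql", 1433, "w3wp.exe"),
    Flow("billing", "sql", 1433, "billing.exe"),
]


def suggest_rules(flows):
    """Collapse observed flows into suggested allow rules.

    Each rule is keyed by (src role, dst role, port) and records the set of
    processes seen using that path. Any path missing from the map is denied.
    """
    rules = defaultdict(set)
    for f in flows:
        rules[(f.src, f.dst, f.port)].add(f.process)
    return {path: frozenset(procs) for path, procs in rules.items()}


def evaluate(rules, flow):
    """Return (verdict, reason) for a single flow under a default-deny policy."""
    allowed_procs = rules.get((flow.src, flow.dst, flow.port))
    if allowed_procs is None:
        return "BLOCK", "no rule permits this path"
    if flow.process not in allowed_procs:
        return "BLOCK", "process %r is not allowed on this path" % flow.process
    return "ALLOW", "matches policy"


def audit(rules, flows):
    """Evaluate a batch of flows; return a list of (flow, verdict, reason)."""
    return [(f, *evaluate(rules, f)) for f in flows]


def blocked_count(results):
    """Number of flows the policy would have stopped."""
    return sum(1 for _, verdict, _ in results if verdict == "BLOCK")


# Constructed traffic to check against the suggested policy. The last three mimic
# a worm probing peers and servers over SMB (445) from an unexpected process,
# and one case where the path is allowed but the originating process is not.
CANDIDATES = [
    Flow("workstation", "dms-server", 443, "chrome.exe"),     # normal DMS use
    Flow("sharepoint", "sql", 1433, "w3wp.exe"),              # normal integration
    Flow("workstation", "workstation", 445, "rundll32.exe"),  # workstation to workstation SMB
    Flow("workstation", "billing", 445, "rundll32.exe"),      # workstation to billing server
    Flow("workstation", "dms-server", 443, "rundll32.exe"),   # allowed path, wrong process
]


if __name__ == "__main__":
    policy = suggest_rules(BASELINE)
    for (src, dst, port), procs in sorted(policy.items()):
        print("ALLOW %s -> %s:%d via %s" % (src, dst, port, ", ".join(sorted(procs))))
    for f, verdict, reason in audit(policy, CANDIDATES):
        print("%-5s %s -> %s:%d (%s): %s" % (verdict, f.src, f.dst, f.port, f.process, reason))
```

Two things the example makes visible that the paragraph does not. First, the baseline must be captured from a period you trust to be clean; if the worm is already moving when you learn the rules, its traffic becomes policy. Second, process-level rules catch the case a port-only firewall misses: the DMS path on 443 is legitimate, but not when an unexpected executable opens it.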

Segmenting and monitoring lateral “East-West” network traffic has always been a challenge, even more so in heterogeneous environments. With robust micro-segmentation solutions, however, law firms can protect themselves and their clients’ data: even when an attacker does get in through a vendor update or a compromised endpoint, the damage stays confined to the segment where it started, keeping the rest of the firm out of the crossfire.