BlueVoyant | Sector 17 1

TABLE OF CONTENTS
Executive Summary 3
Key Findings 4
Part 1: Industry Overview 5
Part 2: Threat Landscape 7
Section 1: Criminal Pursuit of Sensitive Financial Information 7
Section 2: Extortion (Non-Ransomware) 9
Section 3: Ransomware 10
Section 4: Criminal Pursuit of PII 11
Section 5: Third-Party Risks 12
Section 6: Password Breaches and Leaks 14
Section 7: Hacktivism 16
Part 3: Dark Web Overview 18
Part 4: Industry Cybersecurity Review 24
Section 1: Legal Sector Overview – Global 24
Section 2: Legal Sector Overview – In Depth 25
Conclusion - Sector 17 28
Citations and Endnotes 29
Recommendations 30

EXECUTIVE SUMMARY

In 2013, the Department of Homeland Security defined 16 sectors critical to securing national infrastructure, resources, and resiliency [1]. BlueVoyant, a company made up of seasoned cybersecurity experts, including former leaders in our intelligence and law enforcement communities, has identified one more: the legal sector.

The integrity of U.S. and international law firms is indispensable to the functioning of our economies and key public and private institutions. The legal sector ensures justice and order, as well as providing mechanisms that encourage and safeguard innovation and economic growth. The lawyers who help interpret, apply, and enforce the law necessarily become trusted advisors to individuals and corporations. Like healthcare institutions, law firms hold troves of personally identifiable information (PII); they also hold critical intellectual property (IP) and sensitive data for clients. Like banks and credit unions, law firms are critical to the proper functioning of our economy. And like no other sector, except perhaps government, law firms act as a major arbiter and safekeeper of public trust. Like many of these critical industries, the legal industry is under constant threat.
Attacks on law firms have had some of the most devastating and wide-ranging effects of any cyber event in history. The 2016 ‘Panama Papers’ attack on Mossack Fonseca still affects international policy around tax havens and corporate responsibility; the 2017 ransomware attack on DLA Piper exposed the record-breaking financial and reputational costs associated with a successful cyber attack.

This report outlines the state of cybersecurity in the legal sector as of the first quarter of 2020. BlueVoyant’s global analysis found an industry that is advanced: only slightly behind finance, which is historically top among private sector industries for cybersecurity. At the same time, BlueVoyant saw multifaceted, persistent, and aggressive threats, equal to or beyond the sector’s advanced cyber defense. And despite the evident best efforts of law firms both big and small, BlueVoyant observed evidence of compromise in law firms around the world – as described herein, more than half showed some sign of compromise.

Our findings are designed to support and empower law firms globally. By recognizing the legal sector as critical to national and international defense and infrastructure, BlueVoyant aims to put a spotlight on measuring and improving cybersecurity across the legal sector. All evidence shows that law firms are rising to meet the threats in front of them. BlueVoyant is committed to supporting law firms globally. We believe they are members of a critical sector and, as our report will reveal, we will support them by plainly identifying risks, and by monitoring and stopping threat actors as they emerge.

KEY FINDINGS

Law firms are a critical industry that possess high-value information. Law firms today make up an $800B industry, and a surge in investment into legal platforms and technology ensures it will only get bigger.
Not only are law firms a massive and important line of business, but they also provide services essential for any nation to function: maintaining justice and economic order. At the same time, given their systems house stockpiles of PII, as well as sensitive corporate and political data, law firms are very attractive targets for nation-state actors and advanced cybercriminal networks motivated by geopolitical and financial ends.

Collectively, law firms make up one of the most advanced and proactive sectors when it comes to the strength of cybersecurity. As compared to the first 16 sectors, the legal sector earned a risk rating close to sectors like finance and energy: sectors typically considered the most advanced and sophisticated in terms of cyber defense. Benchmarks consistently revealed above-average defensive postures, as well as excellent cybersecurity practices and configurations.

In spite of these positive findings, threat targeting against law firms globally is aggressive, constant, and multifaceted. While legal cyberdefenses are generally robust, so too are the motivations of their adversaries and the attacks waged against them. Using both unique visibility into global internet traffic and deep and dark web surveillance, BlueVoyant observed millions of threats targeting the legal sector. These threats were not only high-volume and constant, amounting to hundreds of thousands of attempted attacks against law firms daily; they were also highly targeted, as evidenced by numerous engagements with threat actors on the deep and dark web. Threat actors steal and abuse credentials; probe for network vulnerabilities; use anonymizing tools and proxies; and make use of persistent, advanced tactics in order to ‘crack’ law firms around the world.

Despite the best efforts of law firms globally, BlueVoyant analysis discovered non-trivial evidence of compromise – from the largest, most sophisticated global firms to mid-tier and boutique practices.
Our global survey of internet traffic showed evidence of possible compromise originating from law firms around the world. More concerning, an in-depth analysis of 20 representative law firms showed that 3 out of 20 showed strong evidence of compromise - a total of 15% - while a further 9 firms had evidence of suspicious traffic.

Part 1: Industry Overview

Law is big business, and getting bigger. Law firms made up a US $800 billion industry in 2018 [2]. And Forbes pointed out that that was just the start: over the course of 2018 alone, the legal industry saw an astonishing 718% increase in investment [3]. This makes law firms ripe targets for financially-motivated attacks, such as ransomware, blackmail, and fraud schemes.

The Shape of Risk

Across the board, however, whether a top 50 global firm or a regional market player, cybersecurity threats to law firms have grown rapidly. In a 2017 survey, one in five law firms reported breaches [4]. By 2019, that number grew to 26% [5]. According to the 2019 PwC Law Firms’ survey, 100% of Top 100 law firms experienced some cyber event [6]. Law firms are specifically targeted because they hold sensitive corporate or geopolitical data on their clients. Desire to obtain this information has driven many of the major law firm attacks over the last decade – attacks that have embarrassed the industry and put tremendous pressure on firms to avoid being the next Mossack Fonseca or DLA Piper.
Examples of highly publicized breaches since 2012:
• 2012: Wiley Rein is hacked by a Chinese nation-state APT for IP related to a client developing solar panels
• 2014: Thirty-Nine Essex Street (UK) is hacked by a Russian APT linked to economic espionage
• 2016: The Mossack Fonseca ‘Panama Papers’ breach exposes 11.5 million documents linked to tax avoidance and tax evasion, leading to one of the most significant data leaks ever
• 2017: DLA Piper is hit with the NotPetya ransomware, which rapidly spreads throughout firm servers and nearly shuts down the business - causing enormous damages in direct and indirect costs
• 2019: The ‘9/11 Papers’ attack executed by a hacking group known as The Dark Overlord successfully steals data from several law firms and threatens to release it, citing embarrassing information about planning projects after 9/11
• 2020: The ‘Luanda Leaks’, a data trove incriminating the former President of Angola - the result of an attack by a Portuguese hacker on several banks and law firms

These attacks, motivated variously by financial gain (as in the case of DLA Piper), or espionage (as in the case of Wiley Rein), or hacktivism (as in the 9/11 Papers), all hold two things in common: they all achieved national or international notoriety; and they all caused extreme damage or closure to the law firms affected.

Improvements in Cybersecurity Practice

Thankfully, the increase in cyber events has led to a corresponding improvement in practice: in 2017 many law firms didn’t employ a dedicated Chief Information Security Officer (CISO) [7], whereas today the practice is nearly universal. These changes in cybersecurity management are driven by cost, and by the public nature of many major breaches [8], but they are also driven by pressure from clients.
One CISO from a top-20 law firm told us, “One of the reasons that we have good policies and procedures in place is because they are driven by financial institutions. They audit us to make sure that we meet their own internal standards, or better.”

The advanced cyber hygiene displayed by most global law firms is also a by-product of a rapidly-changing regulatory and litigation landscape. Historically, lawyers were only bound by broad ethical edicts, such as the ABA’s Model Rules of Professional Conduct – in particular 1.1 (and 1.6c): “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” More recently, such rules have expanded – for example the ABA Standing Committee on Ethics and Professional Responsibility [9] has issued guidance and formal opinions, especially Formal Opinion 483, which addresses the obligations after a cyber attack [10]. Increasingly, however, codes of conduct are giving way to legislation defining proper data privacy and stringent breach disclosure requirements.