How Law Firms Can Prepare for Rising Nation-State Cyber Attacks
Ken Kulawiak & Jim Britt
In March 2021, Microsoft shared detailed information regarding a “state-sponsored threat actor” based in China that targeted a wide range of entities in the U.S. — including law firms. The highly sophisticated cyber attack used previously unknown exploits to infiltrate on-premise Microsoft Exchange Server software at tens of thousands of organizations across the U.S.
Microsoft quickly released a number of security updates to protect customers running the on-premise version of Exchange Server from the overseas actor, which became known as Hafnium, but warned customers that “many nation-state actors and criminal groups” are moving quickly to launch new cyber attacks anytime they perceive an opportunity. What makes these types of attacks especially worrisome is that there could be other unknown and unpatched vulnerabilities left behind that malicious actors are waiting for the right opportunity to exploit. Microsoft specifically noted that law firms are one of the types of businesses that are in the crosshairs of these sophisticated nation-state attacks.
This rise in cyber attacks by state-sponsored actors is ringing alarm bells throughout the public and private sectors and prompting all sorts of bold responses. The most recent example of this is at the federal law enforcement level, where the FBI obtained authorization from a Houston court to conduct an operation in which it intervened to remove “backdoors” from hundreds of privately owned Microsoft Exchange email servers that had been infected by the Hafnium attack.
The brazenness of this latest state-sponsored cyber attack and the aggressive FBI response mark a potential inflection point: data breaches by nation-states are being treated as national security incidents, even if they are targeted at the private sector. Consequently, it is time for law firms to assess the adequacy of their overall approach to data security and risk management.
The most important first step that legal IT professionals can take is to shift their mindset with respect to the likelihood that their firm will fall victim to an attack. It is no longer a matter of “if”; it is now a matter of “when” (and when you actually identify the attack).
What will set law firms apart is not the luck of not being targeted, but how they effectively remediate and manage risk when they are targeted. With that sobering context in mind, here are 10 key things that law firms should do right now to prepare for a nation-state attack:
- Set clear security policy - It is crucial for IT professionals to communicate routinely to law firm leadership about the heightened severity of the threat posed by state-sponsored actors and to secure their full support for all the necessary steps. At a fundamental level, law firms need a clear security policy that identifies the rules and procedures for all individuals accessing and using the firm’s IT assets and resources.
- Review cybersecurity technology - Firms also need a layered cybersecurity tech stack configuration based on the firm’s IT infrastructure and its needs for risk and compliance management. This includes any necessary enhancements to monitoring systems already put in place to catch unusual behavior. Consider performing vulnerability scans on a monthly, or more frequent, basis.
- Establish security review cadence - Law firms should hold ongoing security and operational reviews at a regular and frequent cadence. Security reviews need to cover controls as well as vulnerability management and remediation efforts.
- Practice incident response - An incident is inevitable, and firms need to be ready to react when one is discovered. The executive team, legal, and other operations areas, along with the security and technology teams, all have vital roles to play. Organized responses with experts on retainer to assist with remediation efforts are essential to reducing the impact of the attack. Implement a “tabletop exercise” program to review, step by step, how the firm reacts to different attack scenarios.
- Plan for business continuity - Firms need a clear action plan to address business continuity and disaster recovery (BCDR) in the event of an attack. System backups and DNS servers are often the first to be attacked, especially by ransomware. Ensure that you have clean copies of these systems offline for use if necessary. Network segmentation is also important; the more segmentation, the less sprawl across the entire organization, limiting the effects of an attack.
- Conduct user awareness training - Law firms should provide ongoing user awareness training regarding user behavior and policy, as well as how to recognize adverse events and the appropriate notifications.
- Audit and automate where possible - Firms need a formal process and auditing for changes to ensure versioning and to determine exposure when notifications are issued. Implement automated change control and network management, where possible.
- Implement active patching - Patches are regularly announced and available as vulnerabilities are found. It is important to have processes in place for triaging critical patches and applying them as soon as possible. This is a program, not a reaction. Active patching interfaces with change control and, ideally, is also automated where possible.
- Remediate quickly - Remediate any active concerns. If you have them, fix them.
- Secure the cloud - The Hafnium attack targeted the on-premise version of Microsoft Exchange email servers, but regardless of whether a law firm is operating with on-premise or cloud-based software solutions, the risk of a breach is real and it is increasing. Revisit your data security protocols with your cloud vendor or managed services provider in the context of an inevitable sophisticated nation-state attack.
Of course, many U.S. law firms have already focused significant IT resources on these elements. But the current rise in cyber attacks should give pause to every legal IT professional and send all of us back to the basics. We must remain constantly vigilant in our data security efforts in order to fend off the inevitable attacks and prepare for a swift recovery from any successful infiltrations.
Ken Kulawiak is HBR Consulting’s vice president of information technology & security. Ken leads strategic enterprise-wide security planning to achieve business goals by prioritizing defense initiatives, coordinating technical initiatives, and managing current and future security technologies. His areas of expertise include enterprise-wide data security, data governance, third-party risk management, incident response, and business continuity. Additionally, he is knowledgeable in compliance regulations such as GDPR, NYDFS, and GLBA.
Jim Britt serves as a senior director in the IT Strategy practice at HBR and has over 25 years’ experience in technology strategy creation and planning, organizational modeling, team building, software development, IT security, and change management. Jim has held senior IT and administrative roles at several Am Law 100 and 200 law firms and has served as interim CIO at several law firms, assisting them in times of transition.