By now you've likely read the headlines about the recent attacks on various Asian banks, resulting in cyber losses reported in the tens of billions. And if you're really paying attention, you probably know these attacks have been linked to the Lazarus cybercrime organization, which has suspected ties to the North Korean government. Earlier this year, the Lazarus Group was also identified as the likely culprit behind the brazen attacks on Sony back in 2014. In all likelihood, you read the headlines, and then you moved on to read the latest sports scores. Why? Because it doesn't relate to you. Or does it?
I often use this analogy when speaking with law firms about cyber risks: If I told you that thieves broke into a major bank in your town and stole cash, you wouldn't care. If I told you that the same thieves broke into your neighbor's house, you'd rush out and sign up for an alarm service and buy an intimidating watch dog. The point is, we only pay attention to that which we think relates to us.
And that's the general problem with a security industry obsessed with big retail and entertainment brands splashed across headlines, and a paparazzi-like zeal for mega data breaches and the resulting class action suits. Much like in my analogy, most mid-market firms ignore the lessons learned from the big game bagged by cybercriminals. Smaller firms write off the cyber risk as hyperbole or misguided panic. Smaller firms don't think they have anything worth stealing.
The criminal actors use this blind spot as a way to freely move throughout the networks of modest investment funds and law firms. They use low tech to infiltrate their victims to steal information they can resell or use to front-run trades on the open stock markets. It's a simple business model and it works: less hardened targets take less time and effort to attack, and often yield the same revenue as can be gained from larger victims.
So, let's return to my analogy. What if the same criminal organization that robbed that major factory in your town also broke into your neighbor's house? They did. Lazarus, that bank-swindling, Sony-humiliating firm, has attacked a mid-market U.S. financial company. Paying attention now?
The Enemy Is Inside the Wire
In August 2015, our Security Operations Center (SOC) detected suspicious activity originating from within a client's network. We blocked the network transactions and alerted our client to the action, and then applied a rule across our entire security base to protect all clients from further attacks. We then submitted our rule through public forums to the broader security community.
Months later, the spate of Asian bank hacks provided evidence implicating Lazarus as the perpetrator. Television programs leave us with an inflated sense of certainty when it comes to forensic evidence left by the perpetrator at the scene of a crime. Yet, like its physical corollary, electronic crime leaves a form of DNA. This forensic fingerprint can be used to piece together common factors associated with specific criminal organizations. Think modus operandi. In this case, the August attack carried distinctive markers linking the attack to the Lazarus Group. Yes, the same Lazarus Group that has taken on the South Korean government, Sony Pictures and a significant collection of Asian banks.
We published the timeline on our blog site and have subsequently briefed the FBI, U.S. District Attorney and the SEC to assist with ongoing investigations. Agencies of the U.S. government are concerned, so you should be, too.
Asset Management Funds and Law Firms: Small Companies with Big Company Problems
The client at the center of our Lazarus-based investigation is a New York-based asset management firm. The attackers didn't target a mega-corporation, national retailer or restaurant chain. They didn't target a prime broker or big investment bank. Instead, they focused on a mid-market company, which coincidentally offers the same profile as a law firm. And by profile, I mean that the firm holds high-value assets, has a low tolerance for reputational risk and doesn't operate an IT department the size of a national corporation or bank. Another way to summarize is to say that the targeted asset management firm, like many law firms, is a small company with big company problems.
So how does a small firm tackle the security challenges like a large firm? The first thing I tell clients is to recognize themselves as a target. You are a lucrative and soft target to smash-and-grab criminals looking for a quick profit through compromised wire transfer accounts or fraudulent invoices, or the more sophisticated criminal organizations like Lazarus.
The second thing I advise is to join the Legal Services Information Sharing & Analysis Organization (LS-ISAO). Sharing threat intelligence is one of the best defenses against cyber threats and attacks. LS-ISAO offers real-time alerts and advisories on new vulnerabilities, exploits and active attacks. With the LS-ISAO, when threats like those executed by the Lazarus Group happen, you'll know about it. This actionable information is a critical element in your cyber defense posture, and should feed into your ongoing security awareness training.
And last, I tell clients to be vigilant. Start with a zero-trust model. Assume the bad guys are inside your network, and monitor traffic looking for indicators of compromise. When we think about the rash of mid-market bank hacks, third-party risk cannot be overlooked. It's easy to assume that vendors would value cybersecurity just as you do; however, that's not always the case. In fact, recognizing this, policy makers have placed heightened focus on third-party risk and cascading compliance requirements. Multiple banks affiliated with the string of Lazarus hacks suffered losses as a result of endpoint compromise related to their financial transaction vendor (namely SWIFT, which is a transaction vendor commonly used by financial institutions).
Conclusion
In an interconnected, cyber world, we need to abandon the false security based on the notion that we live in a safe neighborhood. Major organized hacks occur on native soil as frequently as they occur on the other side of the world. So, you can live in an affluent, gated community. Have no fear, the bad guys can trick you into a dark alley of their choosing. We all know that cyber threats aren't going to go away. Cybercriminals will continue to seek out gateways into your firm's network. With ever-increasing risk, industry borders are irrelevant. Law firms must pay attention to threats impacting all industries because while the cyberattackers may target the bank down the street this week, they could and likely will target your firm tomorrow.
Mark Sangster is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that law firms integrate cybersecurity into their day-to-day operations. In addition to Mark's role as VP and industry security strategist with managed cybersecurity services provider eSentire, he also serves as a member of the LegalSec Council with the International Legal Technology Association (ILTA). He is also a member of this newsletter's Board of Editors and may be reached at [email protected].