Law Firm Cybersecurity Breach

An accidental mistake caused a cybersecurity breach that our team was able to contain before rebuilding the firm's systems.

Helping a 50-Person Law Firm Recover from a Cybersecurity Breach

In times of geopolitical unrest, such as the conflict in Ukraine, cybersecurity risks often increase. Threat actors take advantage of newly developed tools and vulnerabilities, posing challenges for businesses and their defenders worldwide.

A 50-person law firm experienced this firsthand after their internal staff, while reconfiguring a firewall, accidentally left a port open. The port was later secured; normally this would have been a minor issue, caught and remedied in short order, but in this case the firewall had a vulnerability that even its manufacturer didn't know about yet, and something got in!
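The root cause above was a rule change that opened a port nobody intended to open. A simple change-review check would have flagged it before the change went live. The following is an added example, not tooling from the firm or the responders described on this page; the firewall product and its rule syntax are never named, so the rule format (one rule per line: action, direction, protocol, port) and the sample rulesets, including the port number, are constructed for illustration.

```python
"""Flag inbound ports newly allowed between two firewall rule snapshots.

Added example. The rule syntax below is a constructed, generic format:
    <action> <direction> <proto> <port>      # comment
It is not the syntax of any particular firewall vendor.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    direction: str   # "in" (from the internet) or "out"
    proto: str       # "tcp" or "udp"
    port: int


def parse_rules(text: str) -> set[Rule]:
    """Parse the constructed rule format, ignoring blank lines and comments."""
    rules: set[Rule] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, direction, proto, port = line.split()
        rules.add(Rule(action.lower(), direction.lower(), proto.lower(), int(port)))
    return rules


def newly_exposed(before: set[Rule], after: set[Rule]) -> set[Rule]:
    """Inbound allow rules that exist after the change but did not exist before."""
    return {r for r in after - before if r.action == "allow" and r.direction == "in"}


# Constructed "before" and "after" snapshots of a reconfiguration.
BEFORE = """
allow in  tcp 443    # public web portal
deny  in  tcp 3389   # remote desktop stays blocked
allow out tcp 443
"""
AFTER = """
allow in  tcp 443
allow in  tcp 3389   # constructed sample: flipped from deny to allow by mistake
allow out tcp 443
allow out udp 53
"""


def review(before_text: str = BEFORE, after_text: str = AFTER) -> list[str]:
    """Return a sorted list of 'proto/port' strings that need a human sign-off."""
    exposed = newly_exposed(parse_rules(before_text), parse_rules(after_text))
    return sorted(f"{r.proto}/{r.port}" for r in exposed)


if __name__ == "__main__":
    for item in review():
        print("NEW INBOUND EXPOSURE, requires approval:", item)
```

Wiring a check like this into the change-control step (export the ruleset before and after, block the change until the diff is acknowledged) turns an accidental exposure from something discovered after the fact into something caught at the moment it is introduced.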

Identifying the Issue

The firm’s AI-based endpoint security system, which we had implemented the year before as part of their cybersecurity strategy, detected unusual activity and appeared to have stopped the intrusion almost immediately.

At first blush this would seem like a quick win. The catch was that when we examined the captured payload, we realized it was something brand new. There was no way to tell whether this had been the first and only activity, or whether the attackers had already gained access to the network weeks or months before the detection and this was merely the first action to be "seen" by the security systems.

Erring on the side of caution, we had to treat the situation as if the entire system had been compromised, initiating a full investigation and containment effort.

Containment Efforts

The team acted swiftly to isolate the firm’s systems by disconnecting everything – even backup hosts. This step was crucial to prevent the potential spread of anything else that might be present and still active. Given that breaches can remain dormant for extended periods before activating, we approached the situation methodically to assess the full scope of the intrusion.

In parallel with the isolation effort, we confirmed with researchers that the threat had just been discovered elsewhere as well and that work was already in progress to understand its capabilities. In the meantime, though, the number one priority was mitigating production impact and restoring operations as quickly as possible.

Rebuilding Systems

To ensure the firm could continue its operations without delay, we had a new, temporary environment built from scratch within 24 hours. This included setting up clean servers, workstations, essential software, and even network hardware (embedded systems such as switches and network printers are also vulnerable to bad actors and can host an infection completely undetected by many security systems).

Restoring data required additional caution. Since the status of the backups was uncertain (it depended on the true time of infection), current data was carried out of isolation on portable storage, then scanned and validated in a separate quarantine environment before being moved to the new systems. This process was somewhat labor-intensive but ensured that the new environment was secure and uncompromised.
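The quarantine step above is where a triage script earns its keep: before any file from the isolated network is copied into the rebuilt environment, each one is checked against an allowlist of expected document types, its content is compared with its claimed type, and an approval manifest with hashes is produced so the migration is reproducible. The following is an added example and not the responders' actual tooling; the allowlist, the staging directory layout and the sample files are constructed, and the script complements, rather than replaces, a scan by the endpoint security engine.

```python
"""Triage files staged from an isolated network before they enter a rebuilt environment.

Added example with constructed inputs. The allowlist is deliberately small:
a law firm migration would extend it to whatever document types are expected.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# extension -> expected leading bytes (None = plain text, no magic number)
ALLOWED = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".txt": None}
# Macro-enabled Office files carry a vbaProject.bin entry inside the zip container;
# its name appears in the zip directory even when the entry itself is compressed.
MACRO_HINT = b"vbaProject.bin"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large scans do not load it all into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path) -> tuple[str, str]:
    """Return (verdict, reason) for one staged file."""
    ext = path.suffix.lower()
    if ext not in ALLOWED:
        return "reject", f"extension {ext or '(none)'} not in allowlist"
    data = path.read_bytes()
    magic = ALLOWED[ext]
    if magic is not None and not data.startswith(magic):
        return "reject", "content does not match extension"
    if MACRO_HINT in data:
        return "reject", "embedded macro project"
    return "approve", "ok"


def triage(staging: Path) -> dict:
    """Walk the staging tree; approved files get a hash, rejected ones a reason."""
    report: dict = {"approved": {}, "rejected": {}}
    for p in sorted(staging.rglob("*")):
        if not p.is_file():
            continue
        verdict, reason = classify(p)
        rel = p.relative_to(staging).as_posix()
        if verdict == "approve":
            report["approved"][rel] = sha256_of(p)
        else:
            report["rejected"][rel] = reason
    return report


def build_sample_staging() -> Path:
    """Constructed sample: a small staging tree with both clean and suspect files."""
    root = Path(tempfile.mkdtemp(prefix="quarantine_"))
    (root / "contracts").mkdir()
    (root / "contracts" / "lease.pdf").write_bytes(b"%PDF-1.4\n% constructed sample\n")
    (root / "notes.txt").write_text("constructed sample\n")
    (root / "invoice.pdf").write_bytes(b"MZ\x90\x00 not actually a PDF")     # mislabeled
    (root / "memo.docx").write_bytes(b"PK\x03\x04 ... vbaProject.bin ...")    # macro inside
    (root / "tool.exe").write_bytes(b"MZ")                                    # not a document
    return root


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_staging()), indent=2))
```

The approval manifest doubles as evidence for the final analysis: if a later finding changes the suspected time of infection, the hashes tell you exactly which files crossed into the new environment and whether any of them need a second look.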

Final Analysis and Lessons Learned

During the restoration process, the research labs gathered enough information about the malware to let us confirm that this actually was the first action taken, and that the AI-based security system had, in fact, successfully blocked the malware before it could cause any harm. This confirmation came as a relief to the firm, as it meant no client data was stolen, and they avoided the potential repercussions of a data breach. (Washington state requires notification of all victims in case of personal data loss, which would be a tremendous public relations mess for any firm!)

This incident highlighted the importance of a layered cybersecurity approach that combines robust technology with a proactive response plan. While no system can be completely immune to evolving threats, preparation and swift action can make a significant difference in minimizing the impact of an attack.