Cyberthreats Are Growing and So Must Our Cooperation

With wave after wave of prominent cyberattacks, navigating the world of cybersecurity is now expected of businesses.

The advent of an information-based economy and the expansion of, and reliance upon, internet-connected devices have made cyber-crime one of the most lucrative sources of income for bad actors. Its cost to countries ranks it only behind government corruption and narcotics trafficking at an estimated $600 billion per year, based on a model used by CSIS and McAfee, or the rough equivalent of a nation somewhere between Saudi Arabia and Sweden in Gross Domestic Product.

According to the Identity Theft Resource Center (ITRC), within the five sectors it tracks there were 1,579 reported breaches in 2017, up 44.7% from the previous year, encompassing more than 178 million exposed records in the U.S. Of the total breaches only 59% were related to what the ITRC classifies as “hacking,” but the category accounted for the exposure of 167 million of the 178 million total records.

Specifically, within the legal industry, more than 23% of law firms with over 500 lawyers acknowledged experiencing some type of breach, as noted in the American Bar Association’s 2017 Legal Technology Survey Report, a number growing from 13% in 2013. Pacing this risk, 23% of those firms said clients or prospective clients requested third-party security assessments of their defenses. Interestingly, and of concern, from 2016 to 2017 there was also an increase from 25% to 35% in reported breaches for firms of 10-49 attorneys. As attacks become more successful, and clients increasingly take cybersecurity into account when determining who to work with, it becomes even more important for firms to be proactive.

Acknowledging the environment, many law firms are growing security staff, purchasing new vendor tools, and seeking new ways to protect their clients, themselves, and the vital data they possess. One method used by firms in the United States, United Kingdom, Canada, and Australia is to share cyber-intelligence and best practices within a community built around the trust that comes with common purpose, NDAs, and clear operating rules. Member-created and member-driven, the Legal Services Information Sharing and Analysis Organization (LS-ISAO) is a non-profit with a global footprint.

LS-ISAO works to facilitate mutual defense for the legal industry through the sharing of non-attributable but actionable intelligence on attacks, including filenames and sizes, URLs, domains, hashes, systems vulnerabilities, indicators of compromise, and technical details of malware. ISAO analysts process submissions and provide additional analysis to enrich the information before disseminating it to the rest of the community, but the greatest source of intelligence comes from firms’ own security teams.

In May 2017, the WannaCry ransomware campaign used an exploit to spread at a concerning rate. Member firms themselves band together during such crises to swap knowledge on attack vectors, actors, mitigation techniques and defensive measures, and exchange strategic information surrounding best practices.

Like many intel sharing bodies, the community now uses a threat intelligence platform (TIP) as one of its primary tools for exchanging threat information. The LS-ISAO TIP from Anomali offers the community analysts access to significant sources of data for enrichment of member submissions and other incoming information. It also directly allows members to:

  • Leverage STIX/TAXII infrastructure to consume threat intelligence via automated feeds from multiple sources
  • Submit and track data and intelligence
  • View chained incidents and associated threat indicators
  • View intelligence enriched with actor/campaign/tactics, techniques, and procedures (TTP)
  • Leverage confidence ratings on the accuracy and severity of threat information
  • Remove false positives
  • Integrate with SIEMs and perimeter security platforms for context and priority

In addition to inter-community sharing, tools like the TIP allow LS-ISAO to efficiently share across industries and government. The LS-ISAO has close sharing ties to the financial services, utilities, and oil and gas sectors, and relationships with other industries from healthcare to retail. Just as intelligence sharing creates a defensive bubble for legal services, multi-industry sharing is particularly helpful against persistent, pervasive or severe attacks that are indiscriminate, or leverage sector relationships to backdoor into a different intended target.

Despite an acknowledged growth in ransomware families from 2016 to 2017, cybercriminals are increasingly turning to new tools like crypto mining malware. Bitdefender estimates crypto mining increased 130% from September 2017 to January 2018. This approach lets criminals continuously make money from victims by infecting them and then leveraging their computing power to mine bitcoin or other cryptocurrency, instead of asking for a one-time fee.

Recently, a well-crafted campaign was brought to the attention of analysts at LS-ISAO by a member firm. The campaign targeted legal teams with a link that redirected to a website containing malware.

Working together, LS-ISAO analysts and members analyzed the attempt, provided sandbox results on the malware, and notified the LS-ISAO community and its wider multi-industry sharing network. Members and other sectors were able to block this traffic or mitigate its impact because of LS-ISAO’s voluntary and trusted sharing architecture.

Having a central hub of information exchange empowers firms to collaborate in a way that advances their resilience. By engaging with peers in an anonymous and secure environment, reservations relating to reputation, competition, or sophistication give way to a group of security professionals defending their industry for their joint welfare.

As threats grow in number and complexity, so too must the industry’s security tools and cooperation.
