A walk-through of preventing a real breach

A common example of an attack

Court documents related to several breaches have recently become available, and one of the victims detailed is a law firm. You can view the documents here; the specific attack we’re focusing on starts on page 21, with a Washington DC-based law firm (victim 13 was also a law firm and suffered a similar attack). We are going to walk through each step the attackers took and what could have been done to stop the breach at that step. This should help illustrate real-world improvements you can make to your firm’s security, including some affordable or free steps you can take.

A malicious email is sent to an employee

An email was sent pretending to be a Quicken bill pay request, with a malicious link included. At CGP we use two different technologies to block emails like this. The first is a full suite of spam protection. Services like Google and Office 365 include a built-in spam filter, but this is not always sufficient. A third-party spam filter works alongside the built-in one and stops the vast majority of spam. However, many spear-phishing emails (attacks crafted for one specific individual) will still get through these filters.

That is where our AI-powered anti-phishing software comes in. It looks for suspicious patterns, such as a message that carries one of our employees’ names but arrives from greg-story@gmail.com instead of his normal CGP address, and it is able to pull emails out of your mailbox after identifying them. The system also grows “smarter” over time as we give it feedback about what to look out for.
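The check described above, written as a small added example for this article (it is not Clear Guidance’s product or any vendor’s code): it flags a message whose sender name matches a known employee but whose address is outside the firm’s domain, a sender domain that is a near lookalike of the firm’s own, and a Reply-To that points somewhere other than the From address. The firm domain, the employee directory and the three sample messages are all constructed for the demo.

```python
"""Heuristic phishing triage for a single raw message.

Added example, not the page author's tooling. FIRM_DOMAIN, EMPLOYEES and the
sample messages below are constructed assumptions for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "clearguidance.example"   # assumption: the firm's real mail domain
EMPLOYEES = {                           # assumption: directory of staff display names
    "Greg Story": "greg.story@clearguidance.example",
    "Dustin Bolander": "dustin.bolander@clearguidance.example",
}


def _norm(name: str) -> str:
    """Lower-case and drop punctuation/whitespace so 'greg-story' == 'Greg Story'."""
    return re.sub(r"[^a-z]", "", name.lower())


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw_message: str) -> dict:
    """Return the parsed sender plus a list of human-readable reasons for suspicion."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    reasons = []

    # 1. Display name (or mailbox local part) impersonates a known employee,
    #    but the message did not come from the firm's domain.
    candidates = {_norm(display), _norm(local)} - {""}
    matched = next((n for n in EMPLOYEES if _norm(n) in candidates), None)
    if matched and domain != FIRM_DOMAIN:
        reasons.append(f"name matches employee {matched!r} but sender domain is {domain!r}")

    # 2. Sender domain is a near lookalike of the firm's domain.
    if domain != FIRM_DOMAIN and _levenshtein(domain, FIRM_DOMAIN) <= 2:
        reasons.append(f"sender domain {domain!r} is a lookalike of {FIRM_DOMAIN!r}")

    # 3. Replies would go to a different domain than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to.rpartition("@")[2] != domain:
        reasons.append(f"Reply-To {reply_to!r} does not match sender domain {domain!r}")

    return {"from": address, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample messages (not from the court documents).
PHISH = """From: Greg Story <greg-story@gmail.com>
To: staff@clearguidance.example
Subject: Quicken bill pay request

Please review the payment request at the link below.
"""

LEGIT = """From: Greg Story <greg.story@clearguidance.example>
To: staff@clearguidance.example
Subject: Quarterly invoice

Invoice attached as usual.
"""

LOOKALIKE = """From: Accounts <billing@clearguidanse.example>
Reply-To: accounts-desk@mail-relay.example
To: staff@clearguidance.example
Subject: Updated wire instructions

Our bank details have changed, see below.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT), ("lookalike", LOOKALIKE)):
        print(label, analyse(sample))
```

In a real deployment the directory would come from the identity provider and the result would drive a quarantine or retraction action rather than a print, but the three signals are the ones a human reviewer looks for first.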

The user clicked the malicious link, which downloaded malware to their computer

User training is an incredibly important part of IT today, especially when it comes to suspicious links. CGP regularly sends out test phishing emails to ensure users are being thoughtful about what they click on (sign up for a free test run of one of the most popular phishing test products here). Our help desk is available to immediately look over any email and confirm whether it is legitimate, so we encourage all of our clients to ask if they are even remotely suspicious.

Solid security controls such as removing local admin rights from users limit how far a malicious download can get: malware running as a standard user cannot install system-level software or persistence, disable security tools, or take over the whole computer, although it can still reach whatever files that user can. Simple standardized settings like these are what many IT teams struggle with the most, but their impact cannot be overstated.

Finally, having DNS filtering and antivirus installed on every workstation helps block the download if the link does get clicked. DNS filtering checks the domain name the computer is trying to reach against lists of known malicious servers and refuses to resolve it, so the download never starts. Antivirus works the way it always has: it tries to catch known malware. Unfortunately, with how quickly attackers change their tools, antivirus is one of the smallest parts of your security, but it is still important enough to be required.

The malware is now installed on the user’s computer

This is where advanced security measures come into play. One big deficit in modern IT is that it focuses on preventing the breach, with minimal or no tools for detecting and remediating a breach once it happens. Clear Guidance deploys a tool called Huntress that constantly scans for hacker footholds (the persistence mechanisms malware leaves behind) in your network. Any suspicious activity is reviewed by their security team, and CGP’s team is able to lean on their expertise in tracing the attack and the access it gained. It’s like having our own team of white hat hackers!

There are a great number of other tools you can leverage to minimize damage to your network. In this case the hackers were able to directly access a bank account, but in many cases they will impersonate your firm and attempt to redirect client payments. Those situations are why your firm needs a Wire Transfer Policy (WTP). It specifies that every payment request, or change to payment details, must be verified through two independent channels (for example, a phone call to a number already on file in addition to the email), so that a single email cannot be used to divert money.

Is your firm protected from this type of attack?

The majority of the tools we’ve described here can be purchased for only a few dollars per month per computer. There is some complexity involved in their deployment, but implementing all of them provides a very solid security foundation. Ideally, though, your security measures shouldn’t stop there; these attacks occurred in 2015 and were relatively basic even then. Since then there have been many improvements to security products and policies, which Clear Guidance Partners is well versed in and ready to implement where needed.

Not everyone is equipped to defend their firm against these attacks and all the others - let us help.

Dustin Bolander