Malicious actors are consistently and persistently looking for new avenues to compromise sensitive data, and they’ve found one such avenue in legal firms.

Legal firms play a unique role within the economy by sitting at the center of personal and business-related transactions. They work with large enterprises, governments, small businesses and individual clients. The data legal firms maintain is both sensitive and valuable, and attackers have taken notice: legal firms are under a barrage of attacks because of the data and relationships they hold. Many of these firms are focusing on user endpoints when it comes to reducing their risk.

Law Firms Are the Easier Target

Law firms are the linchpin of many of the largest deals in the world (e.g., mergers and acquisitions). Yet, since law firms are currently an unregulated industry, some lack the cybersecurity resources needed to give the threats they face the attention they require. These factors give attackers an opportunity to compromise sensitive data by going after law firms, knowing they will likely encounter weaker security controls than at the other parties to the targeted transaction. If attackers know both are working with the same data, they will gladly attack a law firm rather than a financial institution (historically regulated for security), because it is the lower barrier to entry.

The desire and opportunity to compromise law firms opens the floodgates for attackers to start creating dedicated malware to compromise and steal data for financial gain. It also makes law firms a very attractive target for ransomware campaigns. This data is the lifeblood and reputation of a law firm, and if it’s compromised in any way it leaves the door open for lawsuits against the firm from its clients over lax data security practices. As ironic as this sounds, law firms don’t want to be involved in lawsuits when the complaint is filed against them. We’ve seen such complaints filed against law firms by their clients because the client felt the law firm put their case at risk through a security breach.

Law professionals live in email, documents and high-pressure situations, so it’s no surprise attackers are using these three areas to their advantage. The number one attack on firms today is phishing with some type of weaponized document. Humans are social creatures, and when phishing messages are crafted with familiarity at the right time, we will continue to fall for their games. This is especially true in the legal industry, where associate lawyers act with speed and conformity when handling a request they believe originated from a managing partner. Attackers prey on this behavioral aspect of the law office hierarchy to get their malware introduced into law firms and gain a foothold in the environment.

The Trend to Strengthen Law Firms’ Cybersecurity Posture

The American Bar Association (ABA) has model rules covering how to use technology ethically, confidentially and securely. The ABA Cybersecurity Legal Task Force has released guidance for lawyers and firms on how to act both individually and when contracting vendors. This is a good start, but without a dedicated regulation these are just that: guidelines.

There are law firms that take security very seriously, and this is based on a top-down approach where upper management truly embraces security to protect their clients and revenue streams. What we’re seeing now is that large clients of law firms (e.g., banks, hospitals) are requesting that their third parties, the law firms, follow the same level of security that the clients themselves are mandated to adhere to. This is forcing law firms to raise their security posture because of the increased pressure and the risk of losing large clients whose own regulations flow down to their third parties.

This is a good first step, but it doesn’t fully embrace the security mindset and often leads to a compliance checkbox culture. Law firms must take stronger steps to safeguard their own and their clients’ data from attackers who have both the desire and the opportunity to compromise it.

Attackers are heavily using evasive malware against law firms that bypasses many of today’s traditional and next-generation anti-malware solutions. They’ve seen what the industry has done right, especially with machine learning, and pivoted their attacks towards areas the industry still needs to catch up on. Examples include moving more malware to run “fileless,” and using scripts or built-in trusted tools to bypass many of the controls in place.
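The two patterns above, a weaponized document arriving by phishing and a "fileless" chain that runs through scripts or built-in Windows tools, leave a visible trace at the endpoint: a document reader spawning a script host. The following triage pass is an added illustration of that detection idea, not code from the original article or from any product it mentions. It assumes a generic process-creation export with `parent`, `image` and `cmdline` fields (the shape is hypothetical); the process names and PowerShell switches it looks for are standard Windows ones, and every event in `SAMPLE_EVENTS` is constructed for the example.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Parent processes that open the kinds of documents phishing campaigns deliver.
DOCUMENT_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}

# Built-in interpreters and trusted Windows tools that "fileless" chains lean on.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Command-line fragments that usually mean the script host is being hidden or obfuscated.
CMDLINE_INDICATORS = {
    "encoded command": re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b"),
    "hidden window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "no profile": re.compile(r"(?i)-no(?:p|profile)\b"),
    "policy bypass": re.compile(r"(?i)-ex(?:ecutionpolicy)?\s+bypass"),
    "remote download": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b"),
}

# Constructed sample events (not real telemetry), in the hypothetical export shape.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2019-03-04T09:12:01Z", "host": "ASSOC-LT-14",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\Engagement_Letter.docm"'},
    {"ts": "2019-03-04T09:12:09Z", "host": "ASSOC-LT-14",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBCAEMA"},
    {"ts": "2019-03-04T10:41:33Z", "host": "PARA-LT-02",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "C:\Users\asmith\AppData\Local\Temp\invoice.js"'},
    {"ts": "2019-03-04T10:42:00Z", "host": "PARA-LT-02",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"ts": "2019-03-04T18:00:02Z", "host": "IT-ADMIN-01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"ts": "2019-03-04T18:05:45Z", "host": "ASSOC-LT-14",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},
]


def score_event(event: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, reasons). The parent/child pairing is weighted most heavily;
    command-line indicators only add weight when the child is a script host."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    cmdline = event.get("cmdline", "")
    score, reasons = 0, []
    if parent in DOCUMENT_READERS and image in SCRIPT_HOSTS:
        score += 3
        reasons.append(f"document reader {parent} spawned script host {image}")
    if image in SCRIPT_HOSTS:
        for label, pattern in CMDLINE_INDICATORS.items():
            if pattern.search(cmdline):
                score += 1
                reasons.append(f"command line shows {label}")
    return score, reasons


def triage(events: List[Dict[str, str]], threshold: int = 3) -> List[Dict[str, object]]:
    """Keep only events whose score reaches the threshold, preserving input order."""
    findings = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            findings.append({"ts": event["ts"], "host": event["host"],
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding['ts']} {finding['host']} score={finding['score']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

The threshold is deliberately set so that a lone indicator (the admin’s scheduled `-NoProfile` backup script on `IT-ADMIN-01`) is not flagged, while a document reader launching any script host is flagged even with a clean command line; the encoded, hidden PowerShell launched from Word scores highest. In a real deployment the same rule would be expressed in the EDR or SIEM query language rather than run as a script, but the logic is the same.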

Attackers are looking to monetize a law firm’s data, either on the endpoint with ransomware, or by gaining insider information for competitive advantage. Because of this threat to their clients’ sensitive information, law firms should pay close attention to their endpoints and document management systems (DMS). This is where attackers are focusing their efforts, because it’s where the critical data lives on the firm’s network.

By using a supplementary endpoint security tool, such as Minerva Labs’ solution, law firms can defend against many of the evasive malware attempts attackers are using today: the tool applies deceptive techniques to block malware that tries to bypass the firm’s existing controls.

Matt Pascucci is cyber security practice manager at CCSINET, an IT managed service provider offering discovery, planning, design, implementation and operational support services.