Law Firm Cyberattack Exposes Tens of Thousands of Patient Records
… manage their client data. Although some law firms will justify the investment in internal cybersecurity protocols, for many firms the simpler path will be partnering with firms that have expertise and maturity in a highly secure environment.
CF: What can MSSPs and other cybersecurity providers do to help stop law firm cyberattacks?
AA: Ultimately, cybersecurity can only do so much in helping law firms minimize their risk of data breaches. No matter how secure the locks on your door are, eventually, bad actors are going to get in. Law firms, as well as enterprises, have to have a robust understanding of what types of sensitive information they collect, where they are and what this information is being used for. Traditionally, this has been a huge ask because the volume of data firms collect has exploded exponentially. Nowadays, enterprises and law firms are increasingly turning to [artificial intelligence] technology companies to illuminate the areas of risk and sensitivity in their unstructured and structured data.
SolarWinds Hack: Many Detections ‘Largely Ignored’
A new report by ExtraHop shows the Sunburst exploit behind the massive SolarWinds hack went largely ignored for several months.
ExtraHop also released an expanded list of 1,700 Sunburst indicators of compromise (IOCs) it observed across affected environments protected by its Reveal(x) platform.
The SolarWinds espionage campaign has heavily impacted the federal government and cybersecurity industry. Russian hackers reportedly carried out the attack. In a 60 Minutes interview, Microsoft president Brad Smith said more than 1,000 engineers likely worked on these attacks.
Sri Sundaralingam is vice president of security at ExtraHop.
“In looking back at the SolarWinds attack, the biggest surprise wasn’t who was behind it, or the method they used to gain entry,” he said. “It wasn’t even the amount of time they were able to fly under the radar. The biggest surprise for us was the fact that patterns of malicious activity stemming from Sunburst were, in fact, detected on the network. We saw a major spike in detections between March and October.”
Between late March and early October, detections increased 150%. That showed a “significant and suspicious change” in behavior on the network.
SolarWinds is trusted on the network, Sundaralingam said. Moreover, many traditional methods of detection weren’t picking up the activity.
Because of that, “these detections went largely ignored,” he said.
Sunburst was purpose-built to evade tools like endpoint detection and response (EDR) and antivirus, he said.
“Before resorting to unnecessary finger pointing, it’s important to remember that this was an incredibly sophisticated attack that would have been extremely difficult to prevent,” Sundaralingam said. “And secondly, it’s worth considering the challenging circumstances under which most security professionals are working. A busy SOC analyst often has to make a series of rapid decisions about what’s real, what isn’t, what deserves investigation and what doesn’t.”
Further complicating matters, SolarWinds is notoriously noisy on the network. Therefore, it frequently triggers alerts, including many that are false alarms.
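The blind spot described above, a trusted and chronically noisy source whose detections rise sharply and are still tuned out, can be illustrated with a small triage comparison. This is an added example, not code or data from ExtraHop or the report; the host names and monthly counts are constructed, and the 150% threshold is taken from the article rather than from any real tuning guidance.

```python
"""Contrast a noise-floor triage rule with a per-host relative spike check."""
from statistics import mean

# Constructed monthly detection counts per source host, Jan..Oct.
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct"]
SAMPLE_COUNTS = {
    # Hypothetical monitoring server: always noisy, then much noisier.
    "solarwinds-mon01": [400, 420, 410, 1050, 1100, 1080, 1120, 1090, 1060, 1150],
    # Hypothetical quiet file server with a single one-month blip.
    "fs-02": [5, 4, 6, 20, 5, 4, 5, 6, 4, 5],
    # Hypothetical workstation with a steady baseline.
    "ws-117": [12, 11, 13, 12, 12, 11, 13, 12, 12, 11],
}


def absolute_triage(counts, noise_floor=300):
    """Naive rule: keep only hosts whose average volume is below a noise floor.

    Hosts that are always chatty are dropped entirely, so a rise in their
    detections is never seen. This is the failure mode the article describes.
    """
    return {host for host, series in counts.items() if mean(series) <= noise_floor}


def relative_spike(counts, baseline_months=3, min_pct=150, min_sustained=3):
    """Judge each host against its own baseline instead of an absolute floor.

    A host is flagged when at least `min_sustained` later months exceed its
    baseline mean by `min_pct` percent. The one-month blip on fs-02 is not
    sustained and is not flagged; the noisy host's sustained rise is.
    Returns {host: [months that exceeded the threshold]}.
    """
    flagged = {}
    for host, series in counts.items():
        base = mean(series[:baseline_months])
        later = zip(MONTHS[baseline_months:], series[baseline_months:])
        hot = [month for month, count in later
               if base > 0 and (count - base) / base * 100 >= min_pct]
        if len(hot) >= min_sustained:
            flagged[host] = hot
    return flagged


if __name__ == "__main__":
    print("kept by noise-floor triage:", sorted(absolute_triage(SAMPLE_COUNTS)))
    print("sustained relative spikes:", relative_spike(SAMPLE_COUNTS))
```

Run as-is: the noise-floor rule keeps only fs-02 and ws-117, while the relative check flags solarwinds-mon01 for April through October and nothing else.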
The SolarWinds attack illustrates the vast attack surface of the ever-growing software supply chain, he said.
This event proves cybersecurity must be a top priority in national security, he said. These attacks have impacted the economy, government, citizens and critical infrastructure. Furthermore, there’s been relative impunity thus far for the attackers.
More attacks are coming if government and private organizations don’t improve their cybersecurity, Sundaralingam said.
There are a few takeaways from Sunburst for MSSPs and other cybersecurity providers, he said. First, advanced threats evade tried-and-true security tools.
“You can’t just rely on preventive-based security controls approach anymore,” Sundaralingam said. “Organizations around the world need best-of-breed detection and response solutions that don’t rely on any single vendor.”
Second, nation-state cybercriminals know how to disable agents, Sundaralingam said. Moreover, they know how to erase logs. When they can’t, they find other ways in.
But they can’t evade network-based detection. That’s because …