Law and disorder: Firms in the firing line

Max Heinemeyer, Director of Threat Hunting | Thursday October 25, 2018

Since July 2018, Darktrace has identified an increasing number of cyber-attacks targeting law firms. Concerningly, the attacks are emerging not from opportunistic malware, like banking trojans, but threat actors who actively conduct cyber-intrusions, seeking to exfiltrate data from these organizations.

Perfect targets

Law firms are actively pursued because their systems contain the sensitive data of many other organizations. The essence of a lawyer’s work involves managing confidential client information. Firms are privy to a huge variety of valuable data, from tax affairs, to intellectual property. Consequently, law firms’ ability to protect highly-sensitive information is critical; a successful cyber-attack might cause reputational damage resulting in the diminishing of their most valuable asset – clients’ trust.

Further challenges

As an industry, law is structured around sharing revenues among a small number of highly qualified professionals. As such, firms can rarely employ large IT teams, and their IT security departments are smaller still. With the increased number of attacks seen in recent years, as well as the added risks of the cloud and the Internet of Things, security teams lack the capacity to defend their networks against the sophisticated, machine-speed attacks which characterize today’s threat landscape.

In addition, lawyers often have to research obscure or potentially illegal activities, while communicating and receiving files from third parties. This complicates any attempt to impose and regulate highly restrictive security policies, placing a significant burden on small, overstretched security teams.

Living off the land

Interestingly, the recent surge of targeted attacks against law firms is unified by the methods used. The attacks were all performed using publicly available tools, including: Mimikatz (for credential dumping), PowerShell Empire (for Command & Control communication), DameWare (additional C2/backdoor), and PsExec variants such as the Impacket Python implementation of PsExec (for lateral movement).

Perhaps surprisingly, using generic methods against such high-level targets is actually beneficial to the attacker. Adopting mainly publicly available tools, rather than individually crafted malware, makes attribution much harder.

Although some of these tools, such as Mimikatz, have to be downloaded into the environment, the stealthiest, like DameWare or PsExec, are able to use infrastructure already present in the environment. Known as ‘living off the land’, these tools are almost undetectable by traditional security approaches, as their malicious activity is designed to blend in with legitimate system administration work.

Case study

In July 2018, Darktrace discovered the illegitimate use of PowerShell Empire, a tool capable of ‘living off the land’. When monitored by human surveillance alone, this extremely stealthy tool would normally go undetected, camouflaged by normal system behavior.

Unlike traditional security approaches, Darktrace does not use rules and signatures. Instead, it learns the activity of the network itself. This meant Darktrace was able to observe the initial download of the malware, the subsequent reconnaissance and the ensuing C2 traffic.

Consequently, we were able to report that an incident had occurred involving a probable Trickbot banking trojan infection and new use of a Remote Access Tool.

This was accompanied by the following visuals:

Graph showing all breaching connections from the source device over time, with breaches shown as colored dots. This begins with the download of the masqueraded executable file, and goes up to the present time. The vast majority of these model breaches are likely related to the suspected malicious activity.

Darktrace’s AI capability meant that the Enterprise Immune System detected this sophisticated and subtle threat immediately – before it had time to do any damage.

An excerpt from the Event Log at the time of the first Dameware activity from this device, shortly after this incident began.

AI securing the law sector

As seen above, cyber-attackers are constantly discovering novel ways of evading rule-based security systems. Attackers ‘living off the land’ are generally too subtly anomalous for humans to identify. Darktrace’s machine learning has the unique ability to learn the ‘pattern of life’ of any network, which means it is able to distinguish this behavior, as it is still unusual compared to legitimate administrative functions.
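The ‘pattern of life’ idea above, and the observation earlier that PsExec and DameWare blend in with administrative work, can be illustrated with a small baseline-and-deviation check. This is an added example, not Darktrace’s code or model: it learns which (host, tool), (host, destination) and (user, tool) pairs are normal from a constructed log, then reports the same tools when they first appear from a host or account that has never used them.

```python
"""Pattern-of-life baseline for remote-administration tool usage (added example)."""
import re
from collections import defaultdict

# Constructed event format; real sources would be EDR, SMB/RPC or Windows event logs.
LINE_RE = re.compile(r"src=(\S+) user=(\S+) tool=(\S+) dst=(\S+)")

# Constructed baseline: an admin host that routinely uses PsExec and DameWare.
BASELINE_LOG = [
    "2018-07-01T09:00 src=ADMIN01 user=itadmin tool=psexec dst=FS01",
    "2018-07-01T09:05 src=ADMIN01 user=itadmin tool=dameware dst=WS22",
    "2018-07-02T10:00 src=ADMIN01 user=itadmin tool=psexec dst=FS02",
    "2018-07-03T11:00 src=ADMIN01 user=itadmin tool=dameware dst=WS22",
]

# Constructed later events: the same tools, but now also from a user workstation.
NEW_LOG = [
    "2018-07-10T14:00 src=ADMIN01 user=itadmin tool=psexec dst=FS01",
    "2018-07-10T14:02 src=WS07 user=alice tool=psexec dst=FS01",
    "2018-07-10T14:03 src=WS07 user=alice tool=dameware dst=DC01",
]


def parse(line):
    """Turn one log line into a dict; malformed lines are rejected, not guessed."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    src, user, tool, dst = m.groups()
    return {"src": src, "user": user, "tool": tool, "dst": dst}


def learn_baseline(lines):
    """Record every (src, tool), (src, dst) and (user, tool) pair seen in normal traffic."""
    seen = defaultdict(set)
    for ev in map(parse, lines):
        seen["src_tool"].add((ev["src"], ev["tool"]))
        seen["src_dst"].add((ev["src"], ev["dst"]))
        seen["user_tool"].add((ev["user"], ev["tool"]))
    return seen


def deviations(ev, seen):
    """Return one reason per pair that the baseline has never observed (empty = normal)."""
    checks = [("src_tool", ev["src"], ev["tool"], "never ran"),
              ("src_dst", ev["src"], ev["dst"], "never reached"),
              ("user_tool", ev["user"], ev["tool"], "never used")]
    return [f"{a} {verb} {b}" for key, a, b, verb in checks if (a, b) not in seen[key]]


def find_anomalies(lines, seen):
    """Events that depart from the learned pattern of life, with their reasons."""
    hits = [(parse(l), deviations(parse(l), seen)) for l in lines]
    return [{"event": ev, "reasons": r} for ev, r in hits if r]
```

The routine admin event scores zero reasons and is dropped; the two workstation events are surfaced with three reasons each, which is the kind of deviation a signature for PsExec itself would never distinguish from legitimate use.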

Darktrace AI secures law firms all over the world. For small security teams, AI is a game changer. Through the use of machine learning, Darktrace does the heavy lifting of separating interesting anomalies from ordinary noise. Many firms also use Darktrace Antigena as a ‘virtual analyst’ to supplement the work of their staff.

Antigena acts at machine speed, autonomously responding to threats as they emerge in real time, even after hours and on the weekends. Antigena slows down, or even stops, traffic to the affected parts of the network before any data can be compromised. This buys security teams crucial time to fix the issue – before it’s too late.

Max Heinemeyer

Max is a cyber security expert with over nine years’ experience in the field, specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge, UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. In this role he worked as a white hat hacker, leading penetration tests and red team engagements. He was also part of the German Chaos Computer Club when he was still living in Germany. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

Troubled waters: Cyber-attacks on San Diego and Barcelona’s ports

Andrew Tsonchev, Director of Technology, Darktrace Industrial | Thursday October 4, 2018

Last summer’s wave of ransomware attacks compromised port terminals and disrupted global shipping. Since then, cyber security has quickly risen to the top of the agenda for the maritime sector. Earlier this year, another port was hit with ransomware, and then, last week, the ports of Barcelona and San Diego revealed that they had been the victims of further ransomware attacks.

Whilst the 2017 attacks were globally devastating, there was no evidence that they deliberately targeted particular sectors; port terminals were merely caught in the indiscriminate wave of attacks. However, the widespread disruption these attacks caused across industry – from shipping to manufacturing – drew attention to the risk of IT cyber-attacks propagating into the industrial sector’s critical control systems. Operational Technology within industrial environments had previously been kept relatively separate from IT systems and, consequently, relatively immune from cyber-attack. These attacks showed that the recent trend of integrating and unifying IT and OT systems had now exposed these systems to such indiscriminate attacks.

The increasing convergence of IT and OT systems shows no signs of slowing, however. Hyper-connected ‘smart’ ports are bringing efficiency and precision while cutting costs. Yet the intertwining of the physical and digital across ports remains a significant challenge for the cyber security teams tasked with their defense. Without rushing to conclusions, it is perhaps no surprise that the Port of Barcelona is in the midst of a “Digital Port project,” launched last year to promote the digitization of the port environment.

Although specifics have not yet been revealed, the recent attacks in Barcelona and San Diego appear to be targeted. Perhaps the inadvertent success of last year’s ransomware campaign inspired attackers to pursue the maritime sector specifically. Disruptions to Operational Technology can be highly detrimental to the maritime sector – these systems oversee critical port and ship systems. Any compromise could inflict reputational harm, significant financial losses, and physical damage. That we would see ransomware attacks specifically targeting ports was foreseeable. Many in the industry have been expecting and preparing for such an eventuality over the last 12 months. Now that attackers are actively targeting them, the protection of OT systems has become critical.

Darktrace has deployed AI to a number of companies in the maritime sector specifically to mitigate threats to and defend Operational Technology. These systems are highly customized and bespoke, and therefore ill-suited to off-the-shelf IT solutions. Darktrace’s cyber AI is able to tailor itself automatically to OT environments and learn a unique sense of ‘self’, regardless of vendor or technology platform.

Our AI is actively defending ports across the world – such as Harwich Haven Authority and Belfast Harbour – and protecting them against both targeted and indiscriminate attacks on their OT and IT systems. Defending these environments requires the ability to protect all technology systems, from the oldest PLCs and SCADA systems, to the newest IoT devices. Whether in the cloud, on a vessel, or on the mainland, Darktrace is able to passively defend your systems and identify cyber-threats in real time, without any impact or disruption.

Andrew Tsonchev

Andrew is a technical expert on cyber security and advises Darktrace’s strategic customers on advanced threat defense, AI and autonomous response. He has a background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. His comments on cyber security and the threat to critical national infrastructure have been reported in international media, including CNBC and BBC World.