On the ground with 18,000 people humming about at Consensus 2022, I met with Awa Sun Yin, the dynamic leader of Anoma in the crypto space. She has been at several very high-profile organizations, such as Chainalysis and Cosmos. Currently she is solving developers' issues around privacy and security by leveraging blockchain. She is based in Switzerland.
Tag Archives: Security
Kill Chain: The 7 Stages of a Cyberattack
Originally published in the Thomson Reuters Tax & Accounting Blog
By Joseph Raczynski
In our new world reality where cyberattacks are a daily occurrence and every organization must focus on critical infrastructure surrounding cybersecurity, businesses have begun to think like the military. How can we defend our enterprise? To that end, it’s not surprising that companies have adopted soldierly, combative mindsets and terminology.
The term “kill chain” originates from the armed forces and refers to the structure—or seven stages—of a cyberattack:
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Action on Objectives
Now, many proactive institutions are attempting to “break” an opponent’s kill chain as a defense method or preemptive action. One of the leaders in this space adapting the concept for Information Security is Lockheed Martin.
Thinking Like a Hacker
A hacker typically has a creative, analytical mindset. These individuals search for paths toward a solution—often devising serpentine and circuitous routes to attain their goal. It’s this approach that we need to build awareness around if we are to thwart an onslaught of attacks.
As an example, let’s pretend that a hacker wants to get into your Tax Consultancy LLP organization to pilfer the Social Security numbers of your clients. This is how they may think at every stage of the kill chain. Your goal is to understand the steps and proactively counter each one to protect your network.
Stage 1: Reconnaissance
Hackers begin by researching your company online—gathering names, titles, and email addresses of people who work for the organization. They identify one person to target and then plan their avenue of attack. They may use e-mail attachments with viruses, port surf the company network, drop a memory card containing malicious code in the parking lot, or decrypt WiFi traffic. In this scenario, let’s say they choose e-mail as their method. An e-mail containing a link is sent to the selected individual, who, once they click on the link, inadvertently downloads the malware.
Stage 2: Weaponization
Hackers have libraries of code at their disposal that they use and tweak for their attacks. They consider the networks, operating systems, and software that Tax Consultancy LLP—and every company they target—may run. By identifying these components through research, the hackers can customize their code to work in those environments. One of the most common ways to compromise a computer or network is to attack unpatched software from companies such as Microsoft or Cisco: applications that have known vulnerabilities, but ones that Tax Consultancy LLP may not have updated.
Stage 3: Delivery
In this instance, the hacker has decided to target the CFO of Tax Consultancy LLP. Through research, the hacker knows the name of the CFO, where she lives, works and even personal information gathered from the Web. He knows she coaches an eighth-grade softball team, enjoys camping, and shops at a local Safeway Food store she once complained about on Google reviews. Armed with this information, the hacker decides to lure the CFO with a spear phishing tactic.
Stage 4: Exploitation
The hacker crafts a perfectly feasible email to the CFO.
“Dear Jenny, it has been too long since we last spoke! I hope all is well. The last time we chatted we were at Safeway, complaining about their so called “fresh fish” section. One of these days they will have fresh shrimp, not just the frozen variety. The reason I am writing is that our daughters are in the same softball league. They have grown up so fast! I know you are busy, so you may not be aware, but they are hoping to go to Florida for a tournament in a few months. We are trying to raise some money for the kids who currently don’t have the means to get there, can you please help by donating say $20 to the cause? You can click here to donate.”
Stage 5: Installation
There is a 96 percent likelihood that the CFO will click on the link in the spear phishing e-mail. When she does, the malicious software takes root.
Stage 6: Command & Control
Once the malicious code has been installed, it phones home to the hacker. The hacker then has the ability to control it, let it sit for an extended period of time, automatically listen to packets across the network, or crawl through the network. All of this depends on what was deployed and what the hacker wants from the system. In our imaginary scenario, the hacker is after Social Security numbers, so he may attack the central database of Tax Consultancy LLP that houses all of their clients’ information, most likely found in an unencrypted DBA system, or perhaps Excel spreadsheets or other email accounts. The hacker is then able to harvest the information and send it out through the firm’s firewall to a remote server as a repository.
Stage 7: Action on Objectives
Finally, the hacker is able to extract whatever information they’ve been targeting. They can now easily gather Social Security numbers contained in the firm’s data. Of course, the options for exploiting this sort of information are many. The hacker may sell the numbers on the dark web, file fake tax returns, or use them to apply for credit or new identities.
All of this happened because the hacker was able to effectively use each stage of the kill chain to astutely identify the company’s possible vulnerabilities and leverage them. Today, all businesses should spend time walking through these stages, identifying vulnerabilities, and shoring up their defenses to eliminate them. It’s not an easy task, but the more critically each of us looks at these seven stages of the kill chain, the better we can prevent the next hack.
Podcast: The Legal Implications of Driverless Car Technology with Akerman’s Gail Gottehrer (Part 2)
Originally published in the Legal Executive Institute.
By Joseph Raczynski, Gregg Wirth, and Gail Gottehrer
In a new two-part Thomson Reuters’ Legal Executive Institute podcast, Joe Raczynski, Legal Technologist and Futurist with Thomson Reuters Legal, discusses the hot topic of driverless car technology and its impact on the legal industry with attorney Gail Gottehrer, partner at Akerman LLP.
In part 2 (available below), Joe and Gail discuss the opportunities for law firms in this evolving area. For example, law firms focusing on driverless cars can advise clients about various issues including: (i) changes in insurance coverage models; (ii) regulatory changes in affected industries; (iii) workforce/employment issues; (iv) data privacy and security issues; and (v) anticipating potential use of data in litigation.
Cybersecurity Trends and The Dark Web in Legal (VBlog)
By Joseph Raczynski
The latest video on Cybersecurity as it relates to the Legal industry. This was recorded for Thomson Reuters across all business units.
How prepared are law firms to face cyber security threats?
By Joseph Raczynski
The hacking of Panamanian law firm Mossack Fonseca last April resulted in 11.5 million leaked attorney-client privileged documents, exposing the widespread use of off-shore businesses by wealthy individuals and corporations around the world and highlighting the imperative need for proactive measures against corruption and other illicit financial activity.
But what it also revealed was just how vulnerable law firms can be to hackers and other cyber criminals.
Daniel Garrie is an arbitrator, forensic neutral and technical special master at JAMS, available in Los Angeles, New York and Seattle. He is executive managing partner of Law & Forensics LLC and head of the computer forensics and cybersecurity practice groups, with locations in the United States, India and Brazil. He is also a Partner at Zeichner Ellman & Krause LLP, where he heads their global cyber security practice, and an adjunct professor at Cardozo School of Law.
I recently spoke to Daniel Garrie, Global Head of eDiscovery, Forensics, and Cybersecurity Practices for Law & Forensics LLC, to get his insight into some of the cyber security issues facing law firms today:
Q. Daniel, why do hackers and other cyber criminals target law firms?
First, for information. All kinds of potentially valuable information: M&A information, IP information, real estate information, divorce information; information that can make people money or give them leverage. If you think about the law firms that just do mortgages, for example; getting a fully detailed mortgage package with social security numbers, bank account numbers, wiring information — that’s a pretty interesting piece of information.
Second, because in many cases, the law firm is the weakest link. Take the case of an M&A deal, for example. Why invest money and resources to hack the companies — which are more likely to have robust cyber security frameworks — when you can just hack the law firm, where cyber security resources are fewer and far more fragile?
Q. So law firms are not prepared to deal with these threats?
No, but not because they don’t want to be, but because of how law firms work as a partner profit-sharing entity. There has to be a reason to invest in measures to prevent them.
Q. And what are those reasons?
The consequences of unprotected and disclosed client data are two-fold. Not only do a law firm’s clients face potential reputational, financial, and legal risks when their private information is accessed and potentially distributed, the firm itself faces those same risks.
All law firms are competing for business and firms that don’t protect against cyber security threats run the risk of losing a substantial amount of business. Law firms are becoming acutely more aware of the fact that if they’re hacked, chances are, they’re no longer going to be a law firm.
Q. So what steps can law firms take to get prepared to deal with these threats?
First, focus on cyber hygiene. Do whatever it takes to put the right preventative measures in place: encryption, “least access necessary” policies, training and education for staff, etc. Second, find trusted partners. Do business only with those whom you can trust because if they are labeled as “hacked,” it could devastate your business, too.
Original post in AnswersOn
Law Firm and Corporate Cybersecurity Presentation – UMB
By Joseph Raczynski
Recorded at the University of Maryland, Baltimore during the “Cybersecurity and You” morning session. The presentation covers the current landscape of cybersecurity at law firms and corporations, the primary issues these organizations are finding, and general awareness of what is happening.
LegalSEC: Email Security is Priority One for Law Firms
By Joseph Raczynski
BALTIMORE, Md. — “Three strikes and you are out of the firm.” This is the mantra of one law firm when dealing with employees who click on spear-phishing emails, according to Mounil Patel, Strategic Technology Consultant at Mimecast, an email and cloud security firm.
Patel’s comments came at the recent gathering of legal tech and cybersecurity officials, the LegalSEC Summit, presented last week by the International Legal Technology Association (ILTA) in Baltimore.
Simply stated, email is currently the largest hole in law firm and corporate security. Most other aspects of the firm have been shored up over the last several years, including firewall and antivirus protection, malware defenses, and monitoring of networks. However, as Patel pointed out, a law firm can have every monitoring and protection application in place, but email’s reliance on the human decision factor creates major headaches for the firm’s IT staff.
To illustrate, Patel described one incident where he received an email from someone with whom he had worked years ago at a previous company. The email was directed to him and clearly appeared to be from his old colleague’s email address. The cordial note brought up some of their old connections at the previous company and then asked if he would kindly review the attached resume to see if there might be a fit for him at his new company. Patel naturally opened the PDF and the virus payload was released. The point is, with today’s more sophisticated email attacks, there is almost no way for people to know what are genuine correspondences from friends or colleagues and what is a “virus bomb”.
- Be suspicious of everything that comes into your inbox especially from the outside;
- .EXE and .ZIP files should always be blocked or deleted;
- PDFs can be difficult — be sure to run the latest patches from Adobe (creator of PDFs);
- Be aware of where links and URLs are taking you;
- Law firm or company IT departments should send weekly notes to remind people to be cautious; and
- For finance, use internal non-email based systems for wire transfers and notifications.
It is interesting to note that many law firms and corporations are internally testing their own employees with targeted spear-phishing attacks similar to the one Patel received. A client of Patel’s ran one such email security campaign, and when an attorney was caught opening the attached files or following the links, that person immediately received a pre-recorded message via voicemail from the entire executive partnership that such behavior was unacceptable.
The message went on to state if they were caught twice more they would be terminated — three strikes and they were out.
One best practice noted by one chief information officer at the Summit was that before you start your phishing campaign, let the firm know you are conducting this. She found that attorneys began sending IT suspicious emails proactively. In addition, reaffirm those who do not click the phishing emails by noting that they are doing good work.
Email will continue to dog corporations and law firms for the foreseeable future. Ultimately it comes down to humans making decisions on what to open and click on. At this point in time, a well-crafted targeted email attack appeals to most people, unfortunately. (In fact, the likelihood of an executive clicking on one of these attacks is at a stunning 96%, according to McAfee.)
So, heeding some of Patel’s advice could save your organization the pains of another attack launched via email.
LegalSEC: Shedding Light on the Dark Net
By Joseph Raczynski
The importance of law firms understanding the dark web
Your very sensitive private client data could be available for all to see on the Internet right now. Technically this data would be on the Dark Net or Dark Web. It is the portion of the World Wide Web that is hidden or inaccessible from normal browsers. As corporations and law firms grapple with larger and more profound attacks, I think it is important to be aware of how individuals access it and what occurs there to better safeguard your firm from what is happening now. At the cybersecurity LegalSEC Summit last week in Baltimore, Kevin Lancaster, CEO of Winvale; Todd Nielson, President at Secuvant Cyber Security; and Will Nuland, Sr. Security Researcher at Dell SecureWorks, spoke about the nuances around the Dark Net.
The Dark Web, born from a United States government program, had positive intent from the onset. It created a cyberspace where people in disaffected regions could anonymously visit and share ideas freely. North Koreans and Iranians use this to congregate and postulate new ways to live. They could then visit this space in the ether and share ideas freely without the fear that they would be persecuted for espousing ideas incongruous with their government's point of view.
How to get there:
The following is not advised, but is here as an awareness of how people access the Dark Web.
Mozilla Firefox has a plugin (Tor Project), a simple free application run by a nonprofit organization which turns your normal browser into a Tor Onion enabled browser. What that means is that the plugin creates a tunneled Internet to a minimum of 100 other locations around the world. You are essentially establishing a proxy connection to other computers that are running the same Tor software. This establishes a very strong sense of anonymity and security that no one knows who you are or where you live (IP address). If I live in Washington, DC, after running the plugin I may show up as living in Prague, but first being routed through 99 other cities.
Once the application is launched you would need to find an index page, like the Hidden Wiki, which gives users a general launching off point for perusing the Dark Web websites. It is not a pure search and find environment like Google, though some sites are indexed. Sites are not set up with URL structure like we have on the Open Web, http://www.thomsonreuters.com. In fact they appear to be hashed with letters and numbers in a random pattern. They also end in an .onion compared to the normal .com that we tend to see. So an example address might be: ijfije856ya5lo.onion.
Unfortunately, once a user passes into this realm, there is a minefield awaiting. The Wiki page starts with the benign and dives headlong into the frightening and disturbing. You can buy $10,000 of fake US dollars for the equivalent of $5,000 in Bitcoin, the currency of choice. The cryptocurrency Bitcoin is also generally considered anonymous. Other possibilities include hiring a hacker, buying prescription drugs, buying illegal drugs, acquiring arms, or, if you so desired, getting involved in unregulated medical trials. On the darker side, you can even hire a hit man.
Law Firm Perspective on Dark Web:
The key piece of this post is that law firms are now being brought into the dark side. Criminals are stealing IP information and M&A information and dropping it onto the Dark Web. Other groups are grabbing proprietary information or sensitive client information from law firm networks and saving it onto the Dark Net to either expose the firm or to hold at ransom. Hackers for hire have been used to target corporations and law firms.
One question asked of the panel was how firms should handle the Dark Web. In my time consulting around this subject, I was curious about the response. The group was split. Some thought that companies should not use their own networks to access the environment; others stated that in a controlled access situation, they could monitor what is going on on the Dark Web to protect their brand. In fact, it was stated that nearly two million people a day visit, but most are monitoring what is happening. Law firms and corporations should be looking for client names, logins and passwords, and email addresses of their respective company.
With the increase in cyber-attacks, all entities have to be aware of how the hackers operate. Understanding the Dark Web in the context of this is part of the due diligence for any corporation or law firm today. Fortunately a new wave of companies are surfacing which can monitor the Dark Net on behalf of your organization.
LegalSEC: Cybersecurity, Rooted in 500 Years of History
By Joseph Raczynski
Learning from colonial piracy about the war on cybersecurity
“It is a small world. It’s a fragile world. No one is safe until everyone is safe.” These are the cautionary words of Rod Beckstrom of The Rod Beckstrom Group, the keynote speaker at the cybersecurity LegalSEC Summit last week in Baltimore. With over 350 legal technology professionals leaning into his every word, he set the stage for where cybersecurity is headed with an advisory tale from history now repeating itself on the Internet. His intent: to arm the guardians overseeing 80-90% of the country’s IP information, all sitting in the same room at that moment in time.
History of Pirates
In 1491, the “Erdapfel” of Martin Beheim was created. It is the oldest surviving terrestrial globe – excluding the Americas. This sphere was cutting edge technology of the day. Like any technology its uses can be for the betterment of humanity or its decline. Not surprisingly, around the release of the globe, piracy began to flourish. Seafaring scoundrels viewed the world anew with this technology and seized upon its bounty.
These salty scofflaws took four unique forms in their day. One group of pirates was sponsored by the Dutch, Spanish, and British empires respectively. Another group realized they could band together using their private ships to attack on the high seas for gems and precious metals. The third formed a coalition around pirating for a cause. The last group was made up of one-off ships that would attack others for jewels or money. These four pirating entities have a present-day adaptation. They translate to State Actors (e.g. China, Iran, North Korea), Organized Crime (e.g. in Russia or Estonia), Hacktivists (e.g. Anonymous) and Lone Hackers (e.g. anyone and everyone). One new addition: in the Cyber Age there is also the internal threat to organizations known as “Insider Joe” attacks, which are very prevalent.
Present and Future
As Beckstrom described in this presentation, the wars over the years require time for forces to align. During the Nuclear era, once the major powers acquired these arms, everyone realized it was in the best interest of each country not to use them, i.e. mutually assured destruction. This is ongoing right now with Cyberwar. He said that China or Russia could hobble the infrastructure of the United States tomorrow, but they realize that if they did that, the US would do the same to them, therefore no one conducts this sort of cyber-attack.
Law firms are not a sovereign territory, so all aforementioned groups are threats and in turn are seeking them out. These groups have tools which are sold on the Dark Web as out-of-the-box solutions and can wreak havoc for firms in very little time. In the graphic below Beckstrom outlines an ecosystem where various parties work together but in isolation to earn money or take down a company. The scripts are created by people and sold to criminals, while another set of criminals has harvested millions of credentials. In conjunction, the Criminal Operator uses both to target a law firm or corporation. Those proceeds or goods are then routed through Mules. These are everyday people who simply accept packages and send them along to someone else, which keeps the money flowing. In most of the law firm attacks, mules are not used; instead, data is either released or held at ransom by the Criminal Operator.
The only way to combat this, said Beckstrom, will be a new world of robots fighting robots (computer bots), which is now occurring. This next-era defense is sifting through huge amounts of data and applying cognitive computing and artificial intelligence with a layer of deep learning on top. In this light he underscored the importance of preparedness. One of the world’s largest banks, JPMorgan, has decided to pledge a half billion dollars toward the fight on cybersecurity.
Beckstrom closed with the warning to each firm CIO that the time is now to invest heavily in cybersecurity. Every one of the attacker profiles mentioned is attempting to break in and get access to law firm and corporate information. Prepare now because time is short – we are not safe until everyone is safe – by taking the responsibility to invest.
CyberSecurity at Law Firms – Infographic
By Joseph Raczynski