The Hafnium Cyber Attack: A Wake-Up Call for Law Firms

Jim Britt | March 25, 2021

Did the recent Hafnium cyber attack scare you? It should have. It is the latest and broadest attack to hit law firms.

The nation-state sponsored attack targeted on-premise Microsoft Exchange Server software and affected more than 30,000 organizations across the U.S. Microsoft has specifically warned that law firms are among those targeted. The coordinated event is particularly frightening because the attackers have placed an unknown number of latent back doors that, even after patching, will lie dormant until a future date when the payoff will be even greater.

The Hafnium attack illustrates the transition we are experiencing from one-and-done active threats to passive latent threats that can be much more dangerous because of the indeterminate amount of related risk. These unknown attack vectors make it absolutely necessary for firms to double down on their overall approach to data security and risk management. More than security preparedness, this is operational preparedness. Reacting and patching are not enough.


Prepare for the Inevitable

To be clear, we need to take the viewpoint that our industry is no longer in a position of “if,” but rather “when.” What will set firms apart is not the luck of not being targeted, but how they effectively remediate and manage risk when they are targeted.

At a minimum, firms should conduct a thorough analysis of their existing security posture including policy, technology, organization, and physical security capabilities. These are table stakes. Additional operational areas also need to be included to limit risk and detect behavior that could represent latent threats.

  1. Table Stakes
    1. Security policy. At a fundamental level, firms need a clear security policy that identifies the rules and procedures for all individuals accessing and using the firm’s IT assets and resources.
    2. Security technology. Firms also need a layered cybersecurity tech stack configuration based on the firm’s IT infrastructure and its needs for risk and compliance management.
    3. Security review cadence. Firms should hold ongoing security and operational reviews at a regular and frequent cadence. Security reviews need to cover controls as well as vulnerability management and remediation efforts.
    4. Incident response. An incident is inevitable, and firms need to be ready to react when one is discovered. The executive team, legal, and other operation areas, along with the security and technology teams, all have vital roles to play. Organized responses with experts on retainer to assist with remediation efforts are essential to timely reduction of the incident’s effect.
  2. Additional Technology Considerations
    1. Network segmentation. A segmented network reduces sprawl and provides barriers to the propagation of malicious activity, reducing overall risk.
    2. DNS encryption. This is important because DNS-masked threats can embed their activities with DNS traffic.
    3. Monitoring. Latent threats can look like a user or network resource, but unusual traffic or user behavior can potentially flag them, provided there is a baseline of user behavior.

  3. Additional Operational Considerations
    1. Business continuity and disaster response. Firms need a clear action plan to address business continuity and disaster response in the event of an attack. Accessible BCDR solutions and data are often the first to be attacked, especially by ransomware. Additional considerations and structure are often needed to allow firms some form of offline access.
    2. Change management. Firms should provide ongoing user awareness training regarding user behavior and policy, as well as how to notice adverse events.
    3. Change control. Firms need a formal process and auditing for changes to ensure versioning and to determine exposure when notifications are issued. Implement automated change control and network management, where possible.
    4. Active patching. Patches are regularly announced and available as vulnerabilities are found. It is important to have processes in place for triaging critical patches and applying them as soon as possible.


What to Do Now

Many firms have some of the above elements in place. But the present situation reminds us that we cannot remain stagnant but must constantly be vigilant in our security efforts and should routinely reevaluate or security programs. Here are a few steps to consider now:

  • Remediate active concerns. If you have them, fix them.
  • Enhance monitoring. Improve monitoring to catch unusual behavior.
  • Ensure active patching. This is a program, not a reaction. Active patching interfaces with change control and, ideally, is automated where possible.
  • Review and update operational processes. Change management, change control, and BCDR all need ongoing review through a latent security lens.
  • Implement a “tabletop exercise” program. Practice, figure out what is missing, then do it again. Regularly.

This is not a full list of activities, and every firm’s technology infrastructure is different. Risks are also different, but they are very real. The threats, too, are quite real, and they are increasing. At HBR, we have ongoing conversations with many firms about their security risks, mitigations, and related issues. If you’d like to talk with us, please talk with me, Jim Britt, or one of our colleagues in our IT strategy advisory group.