chevron-down Created with Sketch Beta.
January 01, 2019

The Anatomy of a Data Breach

An overview of the actors, roles and impacts of a cybersecurity breach.

Sharon D. Nelson and John W. Simek
I could have evaded the FBI a lot longer if I had been able to control my passion for hacking. —Kevin Mitnick, the first hacker to make the FBI’s 10 Most Wanted Fugitives List

Hacking can indeed be a passion, proving that you can outfox governments and big league corporations. The thrill of the chase can be addictive—and the monies to be made fuel the addiction.

Breaches come in many variants, far too many to cover in a single article. But there is a general flow to a breach. Since we make a living investigating breaches and remediating the vulnerabilities that caused them, let us take you on an anatomical tour of the common elements of a typical breach.

To make the reading more fun, we have offered up “quotes” from the players typically involved in a breach. Many are taken from real life incidents.

Hackers: ‘Let’s Plan Our Attack.’

Whether there are massive attacks of automated bots looking for vulnerabilities and exploiting them or spear-phishing attacks (i.e., tailoring a phishing email to a specific target), there is planning. When state-sponsored hackers from China attack governmental facilities in the U.S., the planning is intense—and highly coordinated. These hackers are often working in government buildings. Other hackers, primarily cybercriminals, belong to loosely affiliated groups—they are often working together in the ether, not in a physical location.

Many cybercriminals are looking for a known vulnerability to exploit. If hackers want to, they can go on the dark web and buy a vulnerability. Some hackers will pay big money for a “zero-day” piece of malware, that is, one that has never been used and therefore no specific defenses exist against it. Some will pony up a lot of cash for a previously undisclosed vulnerability, again with a high probability of success.

Do they want to attack through the weak security of “internet-of-things” devices? Do they want to exploit all the entities, including law firms, that have moved to Office 365 without properly securing it? There are many decisions to make. If they are crafting phishing emails, the more sophisticated hackers will hire native English speakers to help them, which means that poor grammar and wrong word forms will not give them away.

Like the old-time grifters used to say, there’s no con without a plan. And part of the plan is not getting caught, right? So hackers use sleight of hand. If they’re Russian and they want to hide the source of the attack, they do some technical magic and now it looks like the attack came from China. Hackers are all about smoke and mirrors.

Hackers: ‘3-2-1, Fire!’

When it is time to push the button, the hackers involved are watching their attack proliferate across the globe; if they are spear phishing, they are watching for a response to their bogus or spoofed email, or waiting for an unthinking employee to click on an attachment or link to a website containing malware.

Some results are fast, some less so. But the watchers are riveted, monitoring the results of their handiwork. The truly sophisticated don’t even watch. They have automated systems that notify them when a target has been breached.

Hackers: ‘We’re Inside. Let’s Pwn Everything We Can!’

If the point of the breach is to purloin data, hackers will use their malware to move laterally across your network and “pwn”—hackerspeak for “own”—everything they can. Imagine the value of data in a mergers and acquisition law firm. The hackers could sell the data to others or use it themselves to get rich in the stock market. State-sponsored hackers can give their countries a competitive advantage against the U.S.

The longer a hacker is inside the network, the more the hacker learns about the network and its users. That knowledge can be a springboard for figuring ways to compromise more user accounts and gain access to more data. One primary objective is to keep the attack hidden.

Discovering data breaches is slow. According to IBM/Ponemon’s 2018 Cost of a Data Breach Study, it takes an average of more than six months to discover a data breach—and the mean time to contain the breach is 69 days. This gives hackers a lot of time to gather your data.

Law Firm Managing Partner: ‘Oh, Crap, We’ve Been Breached.’

“Crap” may or may not be the exact word choice, and such utterances are generally made in a nervous, sometimes hysterical, voice. The stress of addressing a data breach is immediate and runs throughout the investigation and remediation. It’s worse if the breach becomes public.

If the law firm has an Incident Response Plan, it’s the first resource for those in charge of handling the breach. They begin by picking up the phone to call the regional office of the FBI; then their insurance company, data breach lawyer, digital forensics company and bank; and the list goes on. All 50 states have data breach notification laws, so carefully determine if a report (or reports) must be filed, and by when.

Rarely, if ever, does a law firm notify clients at this early juncture. In most breaches, it isn’t immediately known what data was compromised, and there is natural reluctance to tell clients anything until the investigation is well underway. When the breach goes public, however, there’s little choice but to talk to clients.

Law Firm Receptionist: ‘The FBI Agents Are Here.’

There is something about the arrival of FBI agents that unnerves those meeting with them. We find the agents are polite but somewhat humorless; it is a Joe Friday “just-the-facts-ma’am” kind of meeting.

If it makes you feel better, the agents do not arrive in marked vehicles and do not wear emblazoned FBI jackets. They are also not loose-lipped—you will not find an account of their meeting with you leaked to the press. They are in the secrets business.

But it isn’t their place to do the actual investigation and remediation of the breach—that job belongs to private digital forensics investigators. This may disappoint some law firm leaders who hope the FBI can “fix the problem.” FBI agents are there to gather data that may help everyone, for instance, by sharing information about hacking methods, tools, groups, etc., through such vehicles as the FBI’s InfraGard program.

If there are national security implications to the breach, the FBI may bring in colleagues from other agencies, notably the Department of Homeland Security. At that point they may go beyond information gathering and take actions—but that is the exception, not the rule.

Digital Forensics Investigator: ‘Yeah, We Know How They Got in. You Pretty Much Sent Them an Engraved “Hack Me” Invitation.’

Okay, the investigators will probably be more diplomatic than that. But this is often the conclusion they reach—that the client’s security was sloppy. It is rare for qualified, highly certified digital forensics investigators not to find the cause of the breach. As noted above, the average time to contain breaches is 69 days—days of long, hard, excruciatingly detailed work, with every step carefully recorded.

Progress reports will be given regularly to law firm management. Once investigators know how the hackers got in, management will be informed. Remediation steps and costs will be presented for approval. Given the breach, there’s usually little deliberation about spending the monies.

Typically, breaches are traced to a long list of possible causes (the engraved “hack me” invitation), including users clicking on a link in or attachment to an email, sharing log-in credentials, reusing passwords, weak passwords, failure to update/patch software, lost or stolen devices, privilege misuse, insecure websites, malicious insiders, social engineering, etc. But, ultimately, there is generally some kind of malware that must be rooted out of the network, and this process can be time-consuming and complicated.

Long-term recommendations usually include employee training, phishing tests (with consequences for multiple failures, up to and including termination), regular security assessments and penetration testing, in which the security company acts as an attacker.

Law Firm Insurance Company: ‘We Don’t Cover “Stupid.”’

The cyber insurance world remains the Wild, Wild West. With an absence of historical data to guide the industry, even Warren Buffett, CEO of insurer Berkshire Hathaway, is skeptical. He said in May 2018, “Cyber is uncharted territory. It’s going to get worse, not better. There’s a very material risk which didn't exist 10 or 15 years ago and will be much more intense as the years go along.” He continues, “We don’t want to be a pioneer on this. ... I think anybody that tells you now they think they know in some actuarial way either what [the] general experience is like in the future, or what the worst case can be, is kidding themselves.” We agree.

Buffett’s views are reflected in more and more cyber insurance policies, which often include requirements for security audits and include language about conforming to industry cybersecurity standards. The quintessential “we don’t cover stupid” case is Columbia Casualty Co. v. Cottage Health System. There are now more cases where insurers are saying that the insured did not take the reasonable security steps required by the policy.

Law Firm Client (Whose Data Was Compromised): ‘We Need to Re-evaluate Our Association With Your Firm.’

The sound of clients beating a path to the exit door is a scary thought but, in light of the law firm data breaches that have become public, we know that where cybersecurity is lacking more clients are not taking even long-term relationships with law firms as a continued certainty.

Ten years ago, only a handful of clients seemed deadly serious about demanding that their law firms demonstrate that they were serious about cybersecurity. That has changed. Clients are demanding that law firms fill out security questionnaires and sometimes demanding a third-party audit certifying that any critical vulnerabilities are remediated.

In 2017 the Association of Corporate Counsel upped the ante releasing Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information. The gauntlet was thrown down, identifying the standards outside counsel are expected to meet, with a hint of “or else.”

Law Firm Management Meeting: ‘Anyone Think We Need to Spend More Money on Cybersecurity Now?’

From our foxhole, there is a bit of “we told you so” when law firms reject a well-thought-out proposal and then suffer a breach because of the very vulnerabilities addressed by the proposal. From our colleagues in the cybersecurity industry, we understand that this happens regularly. It is frustrating. It often has to do with spending money or a wrong-headed belief that “it can’t happen here.”

Final Thoughts

At the end of the day, hackers want your data, your money or both. Their motivations are not complex. You may remember the movie Bonnie and Clyde and the scene where Clyde proudly announces to strangers, “We rob banks!” Hackers, who are also criminals, are generally equally enthused about their work.

When you are up against an expert hacker with a wide array of hacking tools and sufficient funding, you don’t have much of a chance. Your best defense is being prepared and making cybersecurity a priority. The hacking community is gunning for you—of that, you can be quite sure.

Sharon D. Nelson

Sharon D. Nelson is a practicing attorney and the president of Sensei Enterprises Inc. She is a past president of the Virginia State Bar and the co-author of 16 books published by the ABA. Email her.

John W. Simek

John W. Simek is vice president of Sensei Enterprises Inc. He is a Certified Information Systems Security Professional and a nationally known expert in the area of digital forensics. He and Sharon provide legal technology, cybersecurity and digital forensics from their Fairfax, Virginia, firm. Email him.

The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.