Cybersecurity is one of the most dynamic fields of law. Long gone are the days when organizations could rely entirely on defensive measures within their own environments for protection: effective threat intelligence and threat hunting programs can take the fight from behind the firewall directly to the adversaries themselves – with lawyers playing a crucial role on the front lines.
The use of threat intelligence (information gathered from external sources about active or emerging threats to an organization) and threat hunting (finding adversaries lurking within an organization) are quickly becoming cornerstones of effective cybersecurity programs, and this was a central theme discussed at the ACC Foundation’s recent Cybersecurity Summit. However, when actionable threat intelligence is combined with the skills and powers of technically sophisticated lawyers, that can be a force multiplier, pivoting an organization’s cybersecurity posture from being reactive and defensive to active and aggressive.
Threat intelligence and threat hunting rely on similar types of data, often referred to as indicators of attack or indicators of compromise. Those datasets include things such as the hashes (i.e., digital fingerprints) of malicious files, IP addresses, host names, and domain names, all of which are known to be part of an attacker’s arsenal.
On the purely defensive side, advanced warning of a forthcoming attack can be the difference between a successful defensive posture or a damaging and costly incident. With such intelligence in hand, organizations can craft rules on an email gateway or firewall to effectively prevent attackers’ phishing email from reaching employee inboxes or to block the ability of an employee to navigate to a malicious link.
Indeed, one of our attorney colleagues in New York used a bespoke threat intelligence system that he developed to identify and help to neutralize the domains that hosted a forthcoming cyberattack on the World Health Organization at the outset of the Coronavirus crisis in March 2020. That bespoke intelligence identified a domain and subdomain combination that allowed our colleague to (i) validate the data and establish that he had indeed identified an active threat to the WHO and (ii) communicate that data to trusted parties, including law enforcement, enabling defensive countermeasures to be put in place. This was a bright line example of how counsel can play a role in the critical day-to-day functions of security operations.
Going even further, lawyers can play an ever-increasingly important role in the context of threat intelligence – outside the usual mandate of negotiating contracts with threat intelligence vendors or establish agreement appendices that pertain to privacy rights or data breaches. They can, in parallel with cybersecurity practitioners, take affirmative steps to dismantle an advanced cyber adversary’s infrastructure before, or even during, a cyberattack.
For example: Examining the NS, MX, and Whois records of a suspicious domain name can yield data about the web host, mail server location, and registrar abuse contact information. Pivoting on that data can identify other indicators of attack, such as malicious subdomains or other domains hosted on the same IP subnet that could be used for impersonation or phishing. By way of carefully crafted takedown requests, lawyers can disable components of a cyber adversary’s attack chain, without which the attack will fail.
This type of aggressive approach to adversaries is peculiarly the province of lawyers in that most hosts, mail service providers, or registrars, will not react simply to a request for assistance in anticipation of a cyberattack. What those providers will ordinarily request is some form of evidence that an attack occurred, which essentially moots any preemptive moves an organization planned on taking.
In nearly all instances, however, in either the Terms of Use, Acceptable Use Policies, or other standard agreements, most service providers indicate that the infringement of a third party’s intellectual property rights can be grounds to terminate services. This crossover of intellectual property and cybersecurity is critical: being able to demonstrate that a domain or subdomain infringes on the trademark rights of an organization can be the difference between the service provider of a threat actor ignoring or complying with a takedown request.
If executed properly, these requests provide an adversary with notification that the organization they are attacking is onto them, is sophisticated, and therefore the adversary runs the risk of being detected. On that note, combining data preservation requests with takedown notices can be a powerful technique to protect evidence about an adversary from being destroyed.
We must point out, however, that even well-crafted takedown requests may fall on deaf ears if a service provider is located within a jurisdiction that often protects threat actors or holds itself out as a bulletproof host. Nonetheless, to avoid geography-based detection, advanced adversaries have more frequently been relying on infrastructure for their attacks located in the United Kingdom and United States. Those service providers on which cyber adversaries rely are all fertile sources of evidence and attribution that a savvy lawyer can obtain through the mechanisms of legal process.
As the fundamentals of cybersecurity evolve so does the role of the legal professional. The very concept of defense in depth of a cyber-mature organization should now involve the lawyers, both in-house and outside counsel, as key players and even intelligence collectors. Feeding back to an organization the intelligence that lawyers can extract may help with the perennial problem of attribution threat actors, could contribute to a better understanding of the motivation of an adversary, can decrease attack surface area or an organization; and this data can even form the basis of more fruitful partnerships with law enforcement or the basis of a criminal referral.