Attacking Trusted Lines of Communication

November 20, 2009

The age-old adage may be "don't kill the messenger," but sophisticated cyber-attackers have clearly worked out that they can get their hands on some of the most closely guarded electronic content they seek by targeting the trusted communications partners of the world's most high-profile enterprise organizations and government agencies.

In a timely and enterprising piece of research analysis issued this week, the Associated Press published a story reporting a dramatic increase in the number of targeted cyber-attacks experienced by the legal and public relations firms who work for the organizations with the most sought-after electronic data, in the United States and the rest of the world.

The story, which directly quoted Bradford Bleier, unit chief with the FBI's cyber division, and my esteemed colleague Alan Paller, director of research at SANS Institute, detailed the reality that attackers have found they can respond to organizations' increased efforts to protect their data by going after these closely held business partners, who often have the same information, or direct access to it, resident on their own IT systems.

This type of approach isn't necessarily new; for years we've seen attackers attempt to infiltrate organizations' sensitive environments by traversing the IT systems of their many interconnected line-of-business partners (for example, by targeting federal information repositories after hacking their way into the networks of large government and defense contractors).

However, we're now seeing a direct shift toward law and PR firms being targeted via highly targeted spear phishing and Web-based attacks. They are among the most trusted advisors to Fortune 1000 firms and government agencies, their communications are implicitly trusted by their clients, and a compromised firm can therefore serve as a strategic virtual beachhead from which to transit into its clients' systems.

In addition, law firms and PR firms are being attacked because, by the nature of the services they provide, they hold vast amounts of their clients' most confidential information, and because many of these companies have porous cyber-security operations, making them the perfect hunting ground for data thieves. This condition is accentuated by the fact that no one has ever really treated these types of companies as high-profile cyber-targets before, and consequently few industry regulations push them to do a better job of securing their customers' data.

To illustrate that point, Paller notes in the AP story that a major law firm in New York was hacked in early 2008 in an attack that originated in China. And while attribution of cyber-attacks is a tricky and often misleading process, given the ability of assailants to distance themselves from their work behind many layers of obfuscation, even the inference of such threats by respected experts is something that should open the eyes of IT leaders across the legal and PR industries.

As cyber-attacks have proliferated in the grid infrastructure environment, industry watchers including myself have repeatedly called for utilities and other providers to require that their own business partners commit to more aggressive security standards by writing those requirements directly into their service level agreements (SLAs).

It would seem that the time has come for large enterprises and government agencies to begin doing the same in their business agreements and contracts with legal and PR firms, and potentially with many other types of service providers who could leave their electronic data and critical IT assets exposed to attack.

I realize that taking this position may not exactly make me popular with those types of businesses.

But hey, don’t kill the messenger.

-Tom Kellermann, Vice President of Security Awareness
