Case Study

Butler Snow Protects Its Brand and Clients With Intelligence from Recorded Future

Butler-Snow-Logo.png

National leader in law services relies on Recorded Future intelligence to mitigate risk, make informed security decisions, and streamline the security workflow.

The legal industry has long been a target for cyber attackers, with its troves of confidential client information — intellectual property, trade secrets, personally identifiable information (PII), corporate financials, and more. As a full-service law firm with nearly 400 attorneys supporting more than 50 practice areas and clients in all 50 states, the District of Columbia, and 20 countries, Butler Snow LLP is acutely aware of the heightened risk of cyber-attacks.

“Part of our nationally recognized excellence in client service and satisfaction is our commitment to protect confidential client information from cybercriminals,” says Trey Thompson, data security analyst at Butler Snow. “The goal that guides all of our efforts is to prevent a successful attack by staying one step ahead of the adversary.”

That’s why Butler Snow turned to Recorded Future to fill a critical gap in the firm’s security strategy. “Before leveraging Recorded Future’s intelligence, we relied on publicly available information about vulnerabilities and threats,” says Thompson. “When we saw Recorded Future in action, we knew it would provide the single source of extensive, accurate intelligence we need to mitigate risk, make informed decisions, and streamline our security workflows. Recorded Future provided intelligence far beyond what we were able to dig up on our own, especially as a team managing many priorities.”

When we saw Recorded Future in action, we knew it would provide the single source of extensive, accurate intelligence we need to mitigate risk, make informed decisions, and streamline our security workflows. Recorded Future provided intelligence far beyond what we were able to dig up on our own, especially as a team managing many priorities."

Proving Immediate Value For the security team at Butler Snow, their strategy is to add as many layers of security as possible without impeding the productivity of the firm’s approximately 800 employees, spread across a growing contingent of 25 offices around the globe. However, with a small IT organization and an even smaller security team, fulfilling these goals requires tools that can supercharge efficiency to help the team accomplish more.

Any intelligence solution would need to not only improve the firm’s visibility into the most pressing threats, but also surface intelligence in such a way that facilitates maximum efficiency and speedy responses by the Butler Snow team. Recorded Future seemed to fulfill all Butler Snow’s needs so the security team decided to put it to a test.

“We conducted a proof of concept with Recorded Future and within hours, it was already demonstrating value for our firm by identifying at least one typosquat domain,” says Thompson. “Based on the excellent results, we were able to secure budget and move forward with Recorded Future.” The firm now relies on the Recorded Future Intelligence Platform, including Brand Intelligence, SecOps Intelligence, Vulnerability Intelligence, Threat Intelligence, and Third-Party Intelligence modules.

Protecting the Brand and Clients Against Opportunistic Adversaries

The security team at Butler Snow uses Recorded Future to help it protect brand value and perception, as well as protect clients and employees from hacker methods such as typosquatting, false login pages, stolen credentials, and more.

Recently, a client of Butler Snow received an email that appeared to be from a Butler Snow employee, which contained a change to wiring instructions for the client to send payment to Butler Snow. When the email was brought to the attention of the employee who was being impersonated, she had no prior knowledge of it, and contacted the Butler Snow security team about her email password potentially being compromised.

With Brand Intelligence from Recorded Future, Butler Snow quickly identified the source of the email as being from a typosquatted domain. The team also used Recorded Future to find leaked credentials from several of the client’s accounts, including the person who received the email purportedly from Butler Snow. Further forensic work by the client uncovered evidence of Microsoft Office 365 logins from other countries into the client’s user account.

Hackers had been viewing the client’s emails and when they saw an invoice from Butler Snow, they created a typosquatted domain and sent an email with the fake wiring instructions. The hackers even manipulated the amount being requested, which was already substantial, to be double the actual invoice. “Recorded Future helped us save our client from losing a large amount of money to a hacker scheme,” says Thompson. Thompson and his team not only saved Butler Snow’s client from falling victim to this attack, he also protected his brand perception with Brand Intelligence.

Prioritizing Vulnerabilities and Patching Efforts

Vulnerability management can be time consuming for any size IT organization. For lean teams, being able to prioritize which vulnerabilities are most important to focus on first is essential to accurately allocating limited resources to protect against serious threats.

The Butler Snow security team uses Recorded Future Vulnerability Intelligence to gather context on vulnerabilities, giving the IT organization confidence that they are prioritizing the highest risks and dedicating resources where most needed.

“The intelligence we get from Recorded Future is particularly valuable when a patch is released for a high impact system such as Microsoft Exchange,” says Thompson. “We use Vulnerability Intelligence from Recorded Future to evaluate whether a vulnerability is being exploited in the wild. Actionable information helps us drive and validate our group’s decision on how to prioritize patching critical systems.”

Thompson shares a recent example where VMware issued patches that could potentially impact performance of the software. To understand whether it was imperative to apply the patches, Butler Snow used Recorded Future to identify that the risk of the vulnerability being exploited was indeed such that the firm needed to patch the software rather than waiting for a later version with less impact on performance.

Manually pulling firewall logs and reviewing and researching suspicious IPs was very time consuming before. Now, with Recorded Future, it’s an automated part of my regular workflow."

Saving Hours Per Week With a Proactive Intelligence Workflow

Before implementing Recorded Future, researching IPs being blocked by the firm’s firewall and deploying defensive mitigations took up large amounts of time and effort. “Manually pulling firewall logs and reviewing and researching suspicious IPs was very time consuming before,” Thompson says. “Now, with Recorded Future, it’s an automated part of my regular workflow.” Thompson uses Recorded Future’s browser extension to research the top ten IPs that tried to hit the firewall but were blocked. He builds context using intelligence from Recorded Future to determine if it’s something the firm should be worried about and take action to protect against. “Before, I relied on public information sources to find similar information, which was a manual process that took hours every week,” says Thompson. “Now, with Recorded Future, I get the information I need within one pane of glass.”

Before, I relied on public information sources to find similar information, which was a manual process that took hours every week. Now, with Recorded Future, I get the information I need within one pane of glass."

Extending the Reach of a Lean Security Team

For Butler Snow’s small security team, Recorded Future is like having another employee in terms of enabling the team to accomplish more. “The amount of intelligence and context that we can quickly pull from Recorded Future is probably the equivalent of having a full-time person doing the work of locating the information,” says Thompson.

Asked what advice he’d give other law firms, Thompson says, “Knowing is half the battle because you can’t defend against what you don’t know. It's important to not only understand what's out there, but what specific threats to the firm exist. Recorded Future is a great solution to protect our brand, employees, and clients with actionable intelligence.”

To see the full PDF, download here.

Related