Breaking the Perimeter: How a Mid‑Size Law Firm Rebuilt Trust from the Ashes of Its Network
By Jonathan D. Steele | August 13, 2025
Quick Answer: A destructive breach rooted in stale service accounts and sparse telemetry forced a mid‑size law firm to rip down perimeter assumptions and rebuild trust from the ashes with an identity‑first, zero‑trust program—FIDO2 and adaptive MFA, firm‑wide EDR and device posture checks, microsegmentation and ZTNA, immutable backups, centralized logs, and rigorous forensics—showing that security is as much organizational commitment as technology. Do not wait: inventory every asset and service principal, enforce MFA and JIT/PAM, deploy EDR and a centralized SIEM, segment networks, harden immutable backups, rotate and retire stale credentials, run regular tabletop exercises and threat hunts, and engage IR counsel and retainers now or gamble with client confidentiality and your firm’s survival.
— Jonathan D. Steele, Esq. (Security+, ISC2 CC, CEH)
Chapter 1 — The Headline Nobody Wanted
It started as small anomalies: a late‑night spike in outbound connections, a printer that stopped printing, a paralegal's laptop that crawled. Within two days billing files appeared on unfamiliar cloud hosts. The chief information officer faced a grim realization: this was not an incident that money or a single product could fix. Over ten months the firm executed a deliberate reset — ripping out risky assumptions and rebuilding on a zero‑trust foundation that assumes every user, device and connection is untrusted until proven safe.
This is a forensic account of that rebuild — candid about failures, practical about trade‑offs, and focused on the technical and organizational measures that prevented client secrets from becoming public. It’s intended to alarm organizations that still rely on a hardened perimeter, and to provide a clear, actionable roadmap to recover and harden.
Chapter 2 — Discovery: The Forensics That Tipped the Scale
The first signal was behavioral rather than an alarm: EDR detected suspicious SMB activity; Windows Security and Sysmon event logs showed privilege elevations; NetFlow revealed persistent connections to a foreign cloud provider. The first 72 hours followed a disciplined investigative playbook with tactics you can use immediately:
- Live triage and containment: use EDR to isolate suspected endpoints and move them to a forensics VLAN or segmented quarantine. Make isolation reversible and logged so business impact is minimized while preserving evidence.
- Volatile evidence capture: collect memory images with signed tools (e.g., DumpIt/WinPmem) and log tool versions and hashes; prioritize memory before restarting or powering down.
- Disk imaging: create bit‑for‑bit images (E01/RAW) using write‑blocking hardware when possible; generate SHA‑256 hashes and document the collection metadata (operator, timestamp, host image ID).
- Network capture: collect PCAPs via span/mirror ports or network TAPs for affected subnets; capture NetFlow/sFlow for historical lateral movement and outbound patterns; ensure PCAPs are time‑synced (NTP) and stored with encryption and indexed metadata for search.
- Log aggregation: collect Windows Event, Sysmon, Azure AD/Okta auth logs, VPN and ZTNA logs, NAS and DMS audit trails into a central SIEM or log lake; preserve raw logs for legal review with immutable storage.
- Timeline reconstruction and enrichment: correlate host, identity and network timestamps, enrich with threat intel and internal IOCs, and produce a minute‑by‑minute chronology that supports containment and regulatory reporting.
- IOC and ATT&CK mapping: map observed behaviors to MITRE ATT&CK tactics and techniques to prioritize mitigations (e.g., disable exposed vectors for credential reuse, harden RDP/Jumphosts).
The root cause was blunt: stale service accounts, credential reuse, and insufficient telemetry. Attackers exploited long‑lived tokens and legacy service principals that had never been rotated.
"We found remote RDP sessions originating from a compromised partner PC using a cached service token that had never been rotated in four years." — internal forensic brief
Chapter 3 — The Uncomfortable Truths
Law firms hold privileged material, which makes them high‑value targets — not exceptions to the rules. The forensic review surfaced structural weaknesses that many organizations share:
- Credential dominance: over 80% of compromises began with credentials — phishing, reused passwords, or legacy service accounts. Active Directory contained service principals and scheduled tasks created before current governance standards.
- Telemetry gaps: logs were siloed. Printers, copiers, NAS devices and some appliances never forwarded logs, creating blind spots during detection and response.
- Backup fragility: backups existed but lacked immutability, air‑gapped copies, and verified restores. A full ransomware event would have required months of restoration, risking ethical breaches.
- Organizational friction: partners viewed security as friction on billing operations; delays in adoption and resistance to controls prolonged exposure and increased legal risk.
Fixing these required more than technology — it required executive sponsorship, budget reallocation, and a phased plan that balanced legal obligations, billable work, and security goals.
Chapter 4 — The Zero‑Trust Build: Technical Moves That Mattered
Zero trust became the organizing principle: never trust, always verify. The firm stitched together identity, device posture, microsegmentation, and continuous monitoring with concrete controls and measurable outcomes.
Identity first
- Canonical identity store: consolidated identity into a single authoritative IdP (Azure AD as primary, Okta in federation for select SaaS). Mapped every principal (human, machine, service) and enforced certificate‑bound device registration (MDM enrollment + device certificate).
- Conditional access: implemented policies that require compliant device posture, MFA, region and risk factors. Example rule: block access from unmanaged devices unless using a secure app and conditional access grant with MFA.
- Strong MFA: deployed FIDO2 hardware keys for executives and Privileged Access accounts; enforced adaptive MFA for all users. Retired SMS/voice OTPs and limited TOTP where hardware keys unavailable.
- Privileged Access Workstations (PAWs): provided hardened, locked‑down VMs for legal and privileged tasks. PAWs prohibit web & email to reduce exposure and are managed with immutable images and least‑privilege tooling.
Device posture and EDR
- EDR coverage firm‑wide: deployed a single EDR stack tuned for detection of living‑off‑the‑land techniques, credential dumping, and suspicious lateral movement. Configure automated isolation on high‑confidence detections and make isolation playbooks clear to IT and business owners.
- Health attestations: require disk encryption (BitLocker/FileVault), secure boot, current OS/patch level, and active AV signatures before granting network access or ZTNA sessions. Use MDM (e.g., Intune) to remediate noncompliant devices automatically.
- Runtime protections: enable application allow‑listing on critical hosts, require signed PowerShell scripts (block unsigned script execution), and enable AMSI (Antimalware Scan Interface) scanning of script content at execution time.
Network microsegmentation and ZTNA
- Microsegmentation design: map flows (who talks to what) and segment by practice area and data classification. Use host‑based firewalls, VLANs, and software‑defined segmentation (e.g., NSX, VLAN + NAC, or cloud security groups) to enforce east‑west controls.
- Replace legacy VPNs: phase out broad network VPNs in favor of ZTNA (per‑application access brokers) that evaluate user identity + device posture before granting a session. Configure per‑application least‑privilege and short session durations.
- Access jump hosts: centralize RDP/SSH access through hardened jump hosts with session recording and MFA; block direct RDP from the internet and disable RDP where not needed.
- Limit protocols: block SMB over WAN, restrict Kerberos/LDAP to required hosts and require LDAPS; disable NTLM where feasible and enable LDAP signing and channel binding.
Data protection and controls
- Data classification and DLP: implement a metadata‑based tagging scheme (sensitivity labels: Public/Internal/Confidential/Attorney‑Client) applied at source (DMS, Office clients, mail). DLP engines enforce policy by blocking, quarantining, or requiring justification on movement of classified files.
- Endpoint and Cloud DLP: use fingerprinting for identified documents, pattern detection for PII/financial data, and machine learning for anomalous exfiltration attempts. Enforce encryption and restrict copy/paste/upload actions based on label and device posture.
- Encryption and key management: full disk encryption and TLS 1.3 for transport; keys stored in an HSM-backed service (Azure Key Vault Managed HSM or equivalent) with role‑based access and regular key rotation scripts and logging.
- Just‑in‑time and least privilege: implement JIT/PAM (Azure PIM or similar) for admin elevation with time‑bounded approvals and recorded sessions. Remove standing admin rights and require approval workflows for sensitive actions.
Logging, hunting and IR
- Central SIEM and retention: centralize EDR telemetry, IdP logs, ZTNA logs, network flow and device posture into a scalable SIEM/log lake. Define retention: raw logs 1 year, enriched logs 3 years for investigations; immutable snapshot copies for legal hold.
- Threat hunting cadence: schedule weekly focused hunts (e.g., look for abnormal RDP/SMB auths, golden ticket indicators, atypical token lifetimes). Use queries that combine identity and endpoint context (e.g., anomalous token grants + process spawning patterns).
- Playbooks and exercises: codify IR playbooks (containment, communication, legal notification, forensic collection) and run quarterly tabletop exercises with partners, legal and PR. Maintain an IR retainer for surge forensic support and courtroom readiness.
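One of the weekly hunts described above, written out as an added example (not the firm's own queries): it joins identity context (RDP logons that did not come through a jump host) with endpoint context (a living‑off‑the‑land binary started by the same user on the same host shortly after). The events, the jump‑host addresses and the LOLBin list are constructed assumptions for the demo.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not the firm's data): Windows Security 4624 logons and 4688 process starts.
EVENTS = [
    {"ts": "2025-08-01T01:02:03Z", "host": "DMS01", "id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "10.10.5.23"},
    {"ts": "2025-08-01T01:03:40Z", "host": "DMS01", "id": 4688, "user": "svc_backup",
     "process": "C:\\Windows\\System32\\rundll32.exe", "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"ts": "2025-08-01T09:15:00Z", "host": "FS02", "id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.100.5"},
    {"ts": "2025-08-01T09:16:10Z", "host": "FS02", "id": 4688, "user": "jdoe",
     "process": "C:\\Windows\\explorer.exe", "parent": "C:\\Windows\\System32\\userinit.exe"},
    {"ts": "2025-08-01T14:00:00Z", "host": "WS17", "id": 4624, "logon_type": 10, "user": "mlee", "src_ip": "192.168.44.9"},
]
JUMP_HOSTS = {"10.0.100.5", "10.0.100.6"}  # assumed addresses of the hardened RDP jump hosts
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "wmic.exe", "powershell.exe"}
WINDOW = timedelta(minutes=5)  # how long after the logon a suspicious process start still counts as related


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def hunt_rdp_bypass(events, jump_hosts=JUMP_HOSTS, window=WINDOW):
    """Flag RDP logons (4624, logon type 10) whose source is not a jump host; raise severity to high
    when the same user starts a LOLBin on that host within `window` (identity joined with endpoint context)."""
    spawns = [e for e in events if e["id"] == 4688]
    findings = []
    for logon in events:
        if logon["id"] != 4624 or logon["logon_type"] != 10 or logon["src_ip"] in jump_hosts:
            continue
        t0 = parse_ts(logon["ts"])
        followups = [p for p in spawns
                     if p["host"] == logon["host"] and p["user"] == logon["user"]
                     and t0 <= parse_ts(p["ts"]) <= t0 + window
                     and p["process"].rsplit("\\", 1)[-1].lower() in LOLBINS]
        findings.append({"host": logon["host"], "user": logon["user"], "src_ip": logon["src_ip"],
                         "severity": "high" if followups else "medium",
                         "processes": [p["process"] for p in followups]})
    return findings


if __name__ == "__main__":
    for finding in hunt_rdp_bypass(EVENTS):
        print(finding)
```

In the sample, the jdoe session is ignored because it came through a jump host, the mlee session is a medium finding (policy bypass, no suspicious process), and the svc_backup session is high because rundll32 started under it within the window.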
Chapter 5 — Evidence Collection: Methods the Firm Now Swears By
For legal defensibility, evidence handling and reproducible collection are as critical as prevention. The firm implemented strict controls and checklists to protect admissibility and client privilege:
- Forensic imaging: use hardware write‑blockers where possible. Document collection details (tool, version, operator, host, start/stop times) and generate SHA‑256 hashes for original images. Keep originals in secure, access‑controlled storage.
- Memory capture: capture RAM early with versioned tools, log pre/post‑capture hashes, and preserve the capture environment (process lists, open network connections) in the evidence folder.
- Network evidence: archive PCAPs to encrypted cold storage with searchable indices (timestamp, src/dst IP, ports, correlation IDs). Keep metadata for chain‑of‑custody and to accelerate future hunts.
- Chain of custody: every handoff must be documented — who accessed what, when and why. Use digital signatures for logs and maintain a sealed evidence repository for original media.
- Legal coordination: engage counsel and records counsel before deep scans of client repositories; implement privilege filters and search warrant protocols when required. Maintain a preserved snapshot of affected legal matters and custodians to reduce exposure during investigation.
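The hashing and collection‑metadata steps from Chapter 2 and the imaging and chain‑of‑custody checklist above, carried through as an added example (not the firm's tooling): each artifact gets a SHA‑256 digest plus tool, version, operator, collecting host, image id and start/stop times in a JSON manifest, the manifest itself is hashed, and a later re‑verification detects any byte change. The artifact contents, tool version string and image id are constructed placeholders.

```python
import datetime, hashlib, json, os, socket, tempfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB disk or memory images never load into RAM
utc_now = lambda: datetime.datetime.now(datetime.timezone.utc).isoformat()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(path, tool, tool_version, operator, host_image_id):
    """Hash one artifact and return its manifest entry with the collection metadata the checklist requires."""
    start, digest, stop = utc_now(), sha256_file(path), utc_now()  # evaluated left to right
    return {"artifact": os.path.basename(path), "size_bytes": os.path.getsize(path),
            "sha256": digest, "tool": tool, "tool_version": tool_version, "operator": operator,
            "collection_host": socket.gethostname(), "host_image_id": host_image_id,
            "start_utc": start, "stop_utc": stop}


def write_manifest(entries, manifest_path):
    with open(manifest_path, "w") as f:
        json.dump({"entries": entries}, f, indent=2, sort_keys=True)
    return sha256_file(manifest_path)  # record this in the custody log kept outside the evidence folder


def verify(manifest_path):
    """Re-hash every listed artifact; returns {artifact: True if it still matches the recorded hash}."""
    with open(manifest_path) as f:
        entries = json.load(f)["entries"]
    base = os.path.dirname(manifest_path)
    return {e["artifact"]: sha256_file(os.path.join(base, e["artifact"])) == e["sha256"] for e in entries}


def demo():
    """Constructed run in a temp dir: collect, write manifest, verify, then detect a post-collection change."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "LAPTOP-042.mem")
        with open(img, "wb") as f:
            f.write(b"constructed memory image bytes, not a real capture\n" * 1000)
        manifest = os.path.join(d, "manifest.json")
        entry = collect(img, "winpmem", "x.y.z-placeholder", "analyst1", "IMG-2025-0001")
        manifest_hash = write_manifest([entry], manifest)
        before = verify(manifest)["LAPTOP-042.mem"]
        with open(img, "ab") as f:
            f.write(b"x")  # any later byte change, however small, must be caught
        after = verify(manifest)["LAPTOP-042.mem"]
        return before, after, len(manifest_hash)


if __name__ == "__main__":
    print(demo())
```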
Chapter 6 — The Roadmap: What You Can Do Right Now
Do not be complacent. If you run an organization that values secrets — a law firm, medical practice, or private company — begin with these prioritized, actionable steps you can implement in weeks to months:
1. Inventory everything. Discover all devices, user accounts, service principals, printers and NAS boxes using automated discovery tools (e.g., AD discovery scripts, network scanners, MDM/EDR asset lists). Tag each asset with owner and business purpose.
2. Enforce MFA on every account. No exceptions. Prefer hardware FIDO2 keys for privileged accounts and enable adaptive MFA via conditional access policies that consider device posture and geolocation.
3. Deploy EDR firm‑wide and configure automatic isolation for high‑confidence alerts. Tune detection rules for your environment, create suppression lists for known benign behaviors, and document the isolation playbook.
4. Centralize logs into a SIEM/log lake and retain at least 1 year of raw telemetry; ensure printers, copiers, and appliances forward logs or are included in discovery inventories. Implement immutable storage for legal holds.
5. Implement least privilege and JIT/JEA for all administrative functions. Use PAM tools (Azure PIM, CyberArk, BeyondTrust) and enforce approval workflows and session recording for elevated actions.
6. Segment your network by trust level and application. Map actual flows, design microsegments for critical servers (DMS, mail, e‑discovery), and eliminate flat networks; enforce host‑based firewall rules as a last line of defense.
7. Harden backups with immutability, offline copies and documented restore tests. Store at least one air‑gapped copy and run quarterly restore rehearsals to validate procedures.
8. Run monthly tabletop exercises, update playbooks, and maintain an IR retainer. Include legal, HR and partners to align notification, privilege and client communications.
9. Rotate credentials and remove stale service accounts immediately. Replace legacy service accounts with managed identities or certificates; script rotation and set expirations. Block legacy auth (NTLM) where possible and require modern protocols.
10. Start threat hunting now: create queries for abnormal RDP, SMB, Kerberos anomalies, and suspicious authentication patterns. If you lack in‑house expertise, engage external hunters for a 30‑60 day campaign to baseline normal and find active reconnaissance.
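The stale‑service‑account step above, and the root cause from Chapter 2 (a service token unrotated for four years), as an added example that is not the firm's script: it audits an account export and decides which principals to rotate and which to retire. The export rows, the 90‑day and 180‑day thresholds and the `svc_` naming convention are assumptions; in practice the rows would come from an AD query that returns PasswordLastSet, LastLogonDate, ServicePrincipalName and PasswordNeverExpires.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 8, 13, tzinfo=timezone.utc)  # fixed "today" so the demo is reproducible
MAX_PASSWORD_AGE = timedelta(days=90)   # assumed rotation policy for service principals
MAX_IDLE = timedelta(days=180)          # assumed: no logon for this long means retire, not rotate

# Constructed account export (not real directory data).
ACCOUNTS = [
    {"sam": "svc_legacy_backup", "spns": ["MSSQLSvc/old-sql.example.local"], "password_last_set": "2021-06-01",
     "last_logon": "2025-08-10", "never_expires": True, "enabled": True},
    {"sam": "svc_dms_index", "spns": ["HTTP/dms01.example.local"], "password_last_set": "2025-07-20",
     "last_logon": "2025-08-12", "never_expires": False, "enabled": True},
    {"sam": "svc_old_fax", "spns": [], "password_last_set": "2019-02-14",
     "last_logon": "2022-01-03", "never_expires": True, "enabled": True},
    {"sam": "jdoe", "spns": [], "password_last_set": "2025-06-30",
     "last_logon": "2025-08-12", "never_expires": False, "enabled": True},
]


def as_date(s):
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def classify(acct, now=NOW):
    """Return the reasons an account needs attention; an empty list means it passes the policy."""
    reasons = []
    if not acct["enabled"]:
        return reasons
    # An SPN marks a service principal; the svc_ prefix is an assumed local naming convention.
    is_service = bool(acct["spns"]) or acct["sam"].startswith("svc_")
    pw_age, idle = now - as_date(acct["password_last_set"]), now - as_date(acct["last_logon"])
    if is_service and pw_age > MAX_PASSWORD_AGE:
        reasons.append(f"password unrotated for {pw_age.days} days")
    if acct["never_expires"]:
        reasons.append("PasswordNeverExpires is set")
    if idle > MAX_IDLE:
        reasons.append(f"no logon for {idle.days} days")
    return reasons


def audit(accounts, now=NOW):
    """Map each failing account to an action: retire idle accounts, rotate the rest."""
    result = {}
    for acct in accounts:
        reasons = classify(acct, now)
        if reasons:
            action = "retire" if any(r.startswith("no logon") for r in reasons) else "rotate"
            result[acct["sam"]] = {"action": action, "reasons": reasons}
    return result


if __name__ == "__main__":
    for sam, finding in audit(ACCOUNTS).items():
        print(sam, finding)
```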
"Trust is a liability until you can prove it. Zero trust is not a toolset — it’s an operational commitment." — redacted incident lead
We rebuilt this firm’s defenses not because of shiny tools, but because leaders accepted hard tradeoffs: convenience for protection, rapid response for business continuity, and discomfort for long‑term resilience. The perimeter is gone — if you ignore this, you gamble with client confidentiality and livelihoods.
Start with inventory, enforce MFA, contain and isolate when needed, centralize logs, and test recovery. Prioritize identity and telemetry first; everything else follows. Take action now so your organization becomes the recovery example, not the cautionary tale.