Please enjoy this blog post co-authored by Raenesia Jones, Cybersecurity Analyst II, Davis Wright Tremaine LLP and Kevin J. Foster, Sr., Director Cybersecurity Operations, White and Williams LLP. Reviewed by Crystal Little, Editor of Content and Publications, ILTA.
Threat hunting is no longer a luxury cybersecurity service reserved for large law firms; it is a strategic necessity for law firms of any size dedicated to protecting sensitive client data and maintaining client trust. Threat hunting is the practice of proactively searching for attacker activity before it becomes an incident, with the aim of stopping it in its tracks; in other words, it is a set of strategic, proactive measures focused on moving left of boom. While there are many reputable tools that help prevent cyberattacks, threat hunting can detect activity those tools often miss.
This guide offers scalable action steps to help build or strengthen your threat hunting capabilities, without breaking your budget.
For Small Firms
It’s easy to assume threat hunting is too resource-intensive for smaller firms. But even with limited staff and tools, you can build an effective program by making smart, intentional moves.
• Assign a Point Person: Designate a single person, full-time or part-time, to lead your threat hunting efforts. Even a few focused hours a week can make a measurable difference.
• Leverage External Partnerships: Join groups like LS-ISAO or ILTA. These organizations offer access to early threat intelligence, indicators of compromise (IOCs), and peer-shared insights that can guide your internal efforts.
• Start with IOC-Based Hunts: Use IOCs from trusted sources to hunt for potential compromises across your environment: endpoint logs, firewall logs, email, and so on.
• Authentication Logs: Look for unusual logins, failed login attempts, and access from unfamiliar locations.
• Email and Network Activity: Investigate abnormal traffic spikes, large data transfers, or new/unknown email forwarding rules.
• Turn Real Incidents into Lessons: Take incidents (internal or industry-wide) and fold them into your response playbooks. What was missed? What would’ve caught it sooner?
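The IOC-based hunt and the log checks listed above, as an added example that is not part of the original post or the authors' tooling. It runs over constructed sample logs in a simple key=value format: it matches firewall and endpoint records against an IOC list, flags failed-login bursts, reports successful logins from a country the user has never signed in from, and lists mailbox auto-forward rules that send mail outside the firm. Every indicator, address, host, user and log line is made up for illustration, and the field names (`src`, `dst`, `sha256`, `result`, `country`, `rule`, `target`) are assumptions about how a firm's logs might be normalized.

```python
"""Added example (not from the ILTA post or its authors): a small IOC-based
hunt over constructed log lines. Every indicator, host, user, address and
log line below is made up for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicators of compromise; a real hunt would load these from a
# trusted feed such as an ISAO share.
IOCS = {
    "ip": {"203.0.113.45"},          # address from a documentation range
    "sha256": {"aa" * 32},           # placeholder hash, not a real sample
}
FIREWALL_LOG = [
    "ts=2024-05-01T09:12:01Z src=10.0.5.21 dst=203.0.113.45 dport=443 action=allow",
    "ts=2024-05-01T09:12:05Z src=10.0.5.22 dst=198.51.100.7 dport=443 action=allow",
    "ts=2024-05-01T09:13:40Z src=10.0.5.21 dst=203.0.113.45 dport=8443 action=deny",
]
EDR_LOG = [
    "ts=2024-05-01T09:14:00Z host=WS-PARALEGAL-07 event=process_start sha256=" + "aa" * 32,
    "ts=2024-05-01T09:14:02Z host=WS-PARALEGAL-07 event=process_start sha256=" + "bb" * 32,
]
AUTH_LOG = [
    "ts=2024-05-01T08:00:00Z user=jdoe result=success country=US",
    "ts=2024-05-01T08:01:00Z user=jdoe result=failure country=US",
] + [
    f"ts=2024-05-01T08:{m:02d}:00Z user=svc_backup result=failure country=US"
    for m in range(10, 16)           # six failures in six minutes
] + [
    "ts=2024-05-01T08:20:00Z user=jdoe result=success country=BR",
]
MAILBOX_RULES = [
    "ts=2024-05-01T10:00:00Z user=jdoe rule=autoforward target=jdoe.archive@examplefirm.test",
    "ts=2024-05-01T10:05:00Z user=asmith rule=autoforward target=collector@mail.example",
]
# Where each user normally signs in from (constructed baseline).
KNOWN_LOCATIONS = {"jdoe": {"US"}, "svc_backup": {"US"}, "asmith": {"US"}}


def parse_kv(line):
    """Turn 'k=v k=v ...' into a dict; values in these logs contain no spaces."""
    return dict(token.split("=", 1) for token in line.split())


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def hunt_iocs(lines, iocs=IOCS):
    """Return records whose src/dst address or file hash matches an IOC."""
    hits = []
    for rec in map(parse_kv, lines):
        for field in ("src", "dst"):
            if rec.get(field) in iocs["ip"]:
                hits.append({"ts": rec["ts"], "field": field, "value": rec[field]})
        if rec.get("sha256") in iocs["sha256"]:
            hits.append({"ts": rec["ts"], "field": "sha256", "value": rec["sha256"]})
    return hits


def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logins inside any sliding window."""
    failures = defaultdict(list)
    for rec in map(parse_kv, lines):
        if rec.get("result") == "failure":
            failures[rec["user"]].append(parse_ts(rec["ts"]))
    bursts = {}
    for user, times in failures.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[user] = best
    return bursts


def unfamiliar_logins(lines, baseline=KNOWN_LOCATIONS):
    """Successful logins from a country the user has not been seen in before."""
    return [
        (rec["ts"], rec["user"], rec["country"])
        for rec in map(parse_kv, lines)
        if rec.get("result") == "success"
        and rec["country"] not in baseline.get(rec["user"], set())
    ]


def external_forwarding(lines, internal_domain="examplefirm.test"):
    """Auto-forward rules whose target is outside the firm's mail domain."""
    return [
        (rec["user"], rec["target"])
        for rec in map(parse_kv, lines)
        if rec.get("rule") == "autoforward"
        and not rec["target"].lower().endswith("@" + internal_domain)
    ]


if __name__ == "__main__":
    print("IOC hits:", hunt_iocs(FIREWALL_LOG + EDR_LOG))
    print("Failed-login bursts:", failed_login_bursts(AUTH_LOG))
    print("Unfamiliar logins:", unfamiliar_logins(AUTH_LOG))
    print("External forwarding:", external_forwarding(MAILBOX_RULES))
```

Each check is one hunt hypothesis: known-bad indicators, password spraying or brute force, a stolen credential used from a new location, and a mailbox rule exfiltrating email. Thresholds and the location baseline are the parts a firm tunes to its own environment; a failed-login threshold of five in ten minutes is only the sample value used here.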
For Mid-Sized Firms
As your firm grows, so does your attack surface. Scaling threat hunting operations requires more than adding tools or expanding your team—it’s about maturing your processes and adapting them to your specific environment. At this stage, efficiency becomes crucial, and a tailored approach ensures that you’re focusing your efforts where they matter most.
• Scale with Strategy: Focus on the most significant risks to your firm. These are typically your most targeted assets, users, or business functions.
• Adopt a SIEM: A Security Information and Event Management (SIEM) platform helps consolidate logs, detect anomalies, and automate parts of the hunt. Even a basic implementation is a huge leap forward.
• Automate What You Can: Use built-in scripting or low-code tools to automate repetitive tasks.
• Explore MSSPs: Can’t hire a full-time threat hunter just yet? A Managed Security Service Provider (MSSP) can offer threat hunting at a fraction of the cost of building it all in-house.
For Large Firms
Large law firms with developed security programs should use key metrics and assessments to measure the effectiveness of three key areas:
• Security Awareness Training
• Insider Risk Program
• Threat Hunting Program
Measuring Security Awareness Training Effectiveness
Law firms must ensure employees understand cyber threats, compliance requirements, and secure handling of client data. Here is how large firms measure the effectiveness of that training:
• Phishing Simulation Success Rates: Measure the percentage of employees who click on simulated phishing emails.
• Training Completion Rates: Track how many employees complete mandatory cybersecurity training.
• Security Quiz Scores: Use periodic knowledge assessments to gauge improvement.
• Real-World Incident Reporting Rates: Monitor if employees report suspicious emails, unauthorized access attempts, or insider risks.
• Time to Report Suspicious Activity: Evaluate how quickly staff recognize and report security threats.
Best Practice: Large firms run quarterly phishing tests, mandatory training, and reward security-conscious behavior.
Measuring Insider Risk Program Effectiveness
The goal is to detect malicious insiders, accidental data leaks, and policy violations before they cause damage.
• User Behavior Anomaly Detection: Track unauthorized access attempts, large data downloads, or file transfers.
• Privileged Access Monitoring: Measure how many privileged users have access to sensitive legal files and how often they access them.
• Insider Threat Investigations: Track the number of insider threat alerts that were false positives vs. actual threats.
• Employee Sentiment and Surveys: Conduct anonymous surveys to gauge employee trust, stress levels, and risk awareness.
• Data Loss Prevention (DLP) Policy Violations: Monitor how often employees attempt to send sensitive files externally.
Best Practice: Large firms combine behavioral analytics with AI-driven anomaly detection for proactive insider threat
Measuring Threat Hunting Program Effectiveness
Threat hunting is about actively searching for hidden threats in a law firm’s network before they become full-scale incidents.
• Dwell Time Reduction: Measure how long a threat is present before the firm detects and removes it; the aim is to shrink the window that would otherwise let attackers remain undetected for months.
• Threat Hunt Success Rate: Track how many threat-hunting investigations lead to confirmed security threats.
• False Positive vs. True Positive Ratio: Ensure hunters aren’t wasting time chasing false alarms.
• Time to Contain Threats: Evaluate how quickly security teams can contain and neutralize discovered threats.
• Incident Response Readiness: Run red-team exercises and measure how well the security team responds to simulated cyberattacks.
• Dark Web and External Threat Intelligence Findings: Monitor if law firm credentials, case documents, or sensitive client data appear on dark web forums.
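The first four metrics above (dwell time, hunt success rate, the false positive vs. true positive ratio, and time to contain) computed from a list of hunt records, as an added example that is not part of the original post. The records, their field names and the timestamps are constructed sample data; the definitions used here (dwell time runs from the attacker's first observed activity to detection, time to contain from detection to containment) are assumptions a firm would fix in its own metrics program.

```python
"""Added example (not from the ILTA post or its authors): computing threat
hunting program metrics from constructed hunt records."""
from datetime import datetime
from statistics import median

# Constructed hunt outcomes. For a true positive, first_activity is the
# earliest attacker activity established during the investigation.
HUNTS = [
    {"id": "H-1", "outcome": "true_positive", "first_activity": "2024-01-03T10:00:00Z",
     "detected": "2024-01-10T10:00:00Z", "contained": "2024-01-10T16:00:00Z"},
    {"id": "H-2", "outcome": "false_positive", "first_activity": None,
     "detected": "2024-01-12T09:00:00Z", "contained": None},
    {"id": "H-3", "outcome": "true_positive", "first_activity": "2024-02-01T08:00:00Z",
     "detected": "2024-02-04T08:00:00Z", "contained": "2024-02-04T20:00:00Z"},
    {"id": "H-4", "outcome": "false_positive", "first_activity": None,
     "detected": "2024-02-20T11:00:00Z", "contained": None},
    {"id": "H-5", "outcome": "true_positive", "first_activity": "2024-03-01T00:00:00Z",
     "detected": "2024-03-31T00:00:00Z", "contained": "2024-04-01T00:00:00Z"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def hunt_metrics(hunts):
    """Summarize a period's hunts into the program metrics a firm would report."""
    true_pos = [h for h in hunts if h["outcome"] == "true_positive"]
    false_pos = [h for h in hunts if h["outcome"] == "false_positive"]
    # Dwell time: first attacker activity -> detection, in days (true positives only).
    dwell_days = [
        (_ts(h["detected"]) - _ts(h["first_activity"])).total_seconds() / 86400
        for h in true_pos
    ]
    # Time to contain: detection -> containment, in hours.
    contain_hours = [
        (_ts(h["contained"]) - _ts(h["detected"])).total_seconds() / 3600
        for h in true_pos
    ]
    return {
        "hunts": len(hunts),
        "hunt_success_rate": len(true_pos) / len(hunts) if hunts else 0.0,
        "false_positives_per_true_positive": (
            len(false_pos) / len(true_pos) if true_pos else float("inf")
        ),
        "median_dwell_days": median(dwell_days) if dwell_days else None,
        "max_dwell_days": max(dwell_days) if dwell_days else None,
        "median_hours_to_contain": median(contain_hours) if contain_hours else None,
    }


if __name__ == "__main__":
    for name, value in hunt_metrics(HUNTS).items():
        print(f"{name}: {value}")
```

The block reports the median rather than the mean for dwell time and time to contain, alongside the maximum: a single long-running intrusion (H-5 here, at 30 days) would otherwise dominate the average and hide whether typical detections are getting faster, while the maximum keeps that worst case visible.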
Best Practice for Large Firms: Mature law firms should strive to integrate AI-driven threat detection, conduct red team exercises, and monitor emerging attack vectors.
A well-established threat hunting plan involves proactively going the extra mile: stepping outside the tools to analyze activity and find the gaps that tools alone often leave undetected. It is one of the most efficient ways a firm of any size can demonstrate to clients a commitment to safeguarding their data. Whether you are a small, mid-sized, or large firm, threat hunting is within reach; all it takes is a mindset shift to start.
#Security
#RiskManagement
#Firm
#100Level
#200Level
#Cybersecurity