The breach experienced by Mossack Fonseca did more than expose sensitive tax documents for global figures in politics and business. It's also a warning sign for any company that manages large amounts of financial and transaction data.
To make breaches like this less common, organizations need security programmes that let them predict, prevent, detect and respond to attacks.
What can companies do to prevent such a breach?
The first step is to understand which systems hold sensitive data and who has access to them. This needs to include systems that are not immediately obvious, such as backup systems. Where possible, the number of systems the data is stored on should be reduced to shrink the attack surface.
The remaining systems should then be hardened and user access reduced as far as possible, both to the systems themselves and to the data within them, whilst still allowing the business to operate efficiently. This can be a very tricky balance to reach. One option is to archive data that is no longer regularly accessed onto offline backup drives or air-gapped systems. In the case of Mossack Fonseca, archiving data in this manner could have limited the leak to recent years and active clients only.
Another thing to take into account is how attackers can exfiltrate data once they obtain access. Depending on the sophistication of Mossack Fonseca's preventative and detective capabilities, exfiltration could have been as simple as copying the data onto a USB hard drive, or as complicated as slowly moving data out of the network in small amounts for months or even years through stealthier channels such as DNS tunnelling, where the data is encoded into the query names of otherwise ordinary-looking DNS lookups.
There are a number of controls that can be implemented to try to prevent exfiltration. Examples include restricting users from using physical media such as USB drives and DVD/CD, and blocking online file storage services. However, these controls can have an unacceptable impact on business productivity and will likely not be 100% effective.
It is therefore important to look at how data exfiltration could be detected. Large spikes in data being transferred out of the network, or between systems internally, are an obvious thing to look for. DLP solutions can also be used to raise alerts when keywords, such as client names or protective markings, are identified in data leaving the organization; note that keyword matching cannot see into data the attacker has encrypted or compressed before sending it, so it complements rather than replaces volume-based monitoring. Honey files, which have no legitimate use but contain a known signature, can also be placed on systems alongside legitimate data. If these files are being transferred on the network, or turn up on employees' systems, it could be a sign of exfiltration.
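The three detection ideas above (egress volume spikes, DLP keyword and honey-file matching, and the DNS tunnelling channel mentioned earlier) can each be expressed as a simple heuristic over logs. The following is an added example written for this article, not code from the author or MWR InfoSecurity; every log record, hostname, keyword and the canary string `honeytoken-7c1a-do-not-use` is constructed for the example, and the thresholds (a 10x jump over the running mean, labels longer than 30 characters or with entropy above 3.5 bits) are illustrative assumptions rather than recommended tuning.

```python
"""Exfiltration heuristics over constructed sample logs (example code, not the article's)."""
import math
from collections import defaultdict

# --- Constructed sample data (not real captures) ---------------------------------

# Outbound flow records in time order: (host, bytes_out)
FLOW_LOG = [
    ("ws01", 12_000), ("ws01", 15_000), ("ws02", 9_000),
    ("ws01", 820_000_000),   # sudden bulk transfer from ws01
    ("ws02", 11_000),
]

# DNS query log: (client, queried name). The last entry carries an encoded
# chunk in its leftmost label, as a DNS tunnel would.
DNS_LOG = [
    ("ws02", "mail.example.com"),
    ("ws02", "www.example.com"),
    ("ws03", "cdn-assets-03.static.example.org"),
    ("ws03", "q7w3e9r1t5y8u2i4o6p0asdfghjklzxc.tun.example.net"),
]

# Fragments of outbound payloads as an egress/DLP sensor might see them: (host, text)
EGRESS_PAYLOADS = [
    ("ws01", "Quarterly newsletter draft"),
    ("ws01", "PROTECTIVE MARKING: CLIENT CONFIDENTIAL - ledger export"),
    ("ws04", "archive.zip contains honeytoken-7c1a-do-not-use"),
]

HONEY_SIGNATURE = "honeytoken-7c1a-do-not-use"        # hypothetical string planted only in honey files
DLP_KEYWORDS = ["CLIENT CONFIDENTIAL", "Acme Holdings"]  # protective marking + a constructed client name


def egress_spikes(flows, factor=10.0, min_history=2):
    """Flag a transfer that exceeds `factor` times the host's running mean.

    The mean is built only from earlier, unflagged records, so a spike neither
    inflates its own baseline nor hides a repeat of the same size later on.
    """
    history = defaultdict(list)
    spikes = []
    for host, nbytes in flows:
        seen = history[host]
        if len(seen) >= min_history and nbytes > factor * (sum(seen) / len(seen)):
            spikes.append((host, nbytes))
            continue
        seen.append(nbytes)
    return spikes


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_tunnel_suspects(queries, max_label_len=30, min_entropy=3.5):
    """Flag queries whose leftmost label looks like encoded data (very long or
    high-entropy). A tunnel carries its payload in exactly that label."""
    suspects = []
    for client, qname in queries:
        label = qname.split(".")[0]
        ent = shannon_entropy(label)
        if len(label) > max_label_len or ent > min_entropy:
            suspects.append((client, qname, round(ent, 2)))
    return suspects


def dlp_hits(payloads, keywords, honey_signature):
    """Alert on protective markings or client names (case-insensitive) and on the
    honey-file canary string (exact) in data leaving the network."""
    hits = []
    for host, text in payloads:
        lowered = text.lower()
        for kw in keywords:
            if kw.lower() in lowered:
                hits.append((host, "keyword", kw))
        if honey_signature in text:
            hits.append((host, "honeyfile", honey_signature))
    return hits


if __name__ == "__main__":
    for spike in egress_spikes(FLOW_LOG):
        print("volume spike:", spike)
    for suspect in dns_tunnel_suspects(DNS_LOG):
        print("possible DNS tunnel:", suspect)
    for hit in dlp_hits(EGRESS_PAYLOADS, DLP_KEYWORDS, HONEY_SIGNATURE):
        print("DLP/honeyfile hit:", hit)
```

Run stand-alone it reports one volume spike from `ws01`, one suspicious query from `ws03`, and two DLP hits (the protective marking from `ws01` and the honey-file canary from `ws04`). Each heuristic on its own is easy to evade (a patient attacker keeps transfers small, a tunnel can use shorter labels, encrypted payloads defeat keyword matching), which is why they are layered rather than relied on individually.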
However, it is important to understand that exfiltration is the last stage in a breach, and to focus on it alone would be to focus on a small part of the problem.
Zak Maples is a senior security consultant for MWR InfoSecurity