Mike OrtliebHardly any merger or acquisition (M&A) transaction takes place without proper due diligence; so much so that the importance and challenge of this practice in organizational risk management can be taken for granted. Conducting due diligence is a well-established and understood practice that occurs, not only as part of M&A, but also when engaging new critical vendors, service providers and establishing new partnerships. While conducting security due diligence reviews is a relatively consistent practice, the methodology leveraged for these reviews has often not been adapted to keep up with the changing threat and vulnerability landscape.
To better understand the security risk profile of the acquisition target or a potential partner, organizations generally follow a variety of approaches based on the perceived risk, cost of the review, contractual limitations and time available for security due diligence within the constraints of the decision-making timeline for the transaction. With these limitations in mind, some companies choose to rely on a review of internal and external audit reports for insights into the security posture. Others choose to conduct detailed evaluations of specific risk and control areas. Most end up somewhere in the middle with a combination of review of audit reports, security questionnaires and controls testing in specific areas where the perceived risk is highest.
Acquiring or acquired: addressing the risk
One often-overlooked practice in security due diligence reviews is performing threat hunting and compromise assessments for the target environment. This can be a costly mistake. In a worst-case scenario, the result can be a cybersecurity breach caused by integrating the network of an acquired organization or partner that already had an attacker with established persistence on the network. Other instances are less extreme and involve externally facing vulnerable systems or infected endpoints introduced into the environment that increase overall risk.
The acquiring and acquired organizations may have different perspectives, priorities and processes for addressing cybersecurity risk. Ultimately, the two organizations will have to align risk management approaches with the eventual goal of integrating systems, data and applications with the acquired entity. Security due diligence is not only the evaluation of the immediate risks inherent in the target entity but an opportunity for the acquirer to start planning the approach to integration and potential remediation steps, if required. Let’s examine some of the key security due diligence activities that will help identify risks more effectively, help inform an appropriate integration strategy and potentially save an organization from a cybersecurity breach.
Threat landscape analysis:
The acquired entity may differ from the acquiring entity in terms of business and risk profile due to different customer types, geographies in which it operates, technologies employed and other environmental factors. As such, the newly acquired entity may be subject to different threats than those considered in the past by the acquirer. A threat landscape analysis will help shine the light on these differences, which may require adjustment to the organization’s cybersecurity strategy. For example, expanding into a new geopolitical region may attract new threat actor groups with different tactics, techniques and procedures (TTPs). These may need to be accounted for in configurations of preventative and detective controls, incident response playbooks and respective processes.
Dark Web searches:
Threat actor groups often specialize in different aspects of their trade, creating a vibrant marketplace of tools, data and services on the Dark Web. Some focus on the creation of different malware or ransomware and others on monetizing stolen data sets. Other groups focus on obtaining access to organizations and gaining initial footholds that they subsequently sell to attackers looking to exploit them. These transactions take place on certain forums on the Dark Web, Telegram, Discord and other communications platforms. If a concerned organization is able to gain access to these platforms, they may be able to identify instances of access to an environment or set of company data under due diligence review that is being bought or sold, thereby indicating there may be compromised systems. Furthermore, these platforms are also used by threat actor groups to plan or execute campaigns, which if detected timely, can help defenders in circumventing attacks.
Inventory compromised credentials:
One of the most common components of breaches is the use of compromised credentials obtained through various methods (phishing, social engineering, password stuffing, password spraying attacks, etc.). Credentials from prior breaches are harvested and placed in collections for use by threat actors in attacks. Re-use of known compromised credentials provides threat actors a simple method of gaining access to the enterprise. By taking an inventory of compromised credentials available for a due diligence target, an organization can validate or request confirmation that an account for which a credential has been compromised has either rotated its respective password or has otherwise been deactivated. As an added security measure, all authentication methods should be enhanced with multifactor authentication (especially those which have been previously compromised).
Threat hunting:
The threat prevention and detection capabilities of the acquired entity may be different or less effective than those of the acquiring entity. The target entity may have suffered an undetected breach in the past or may be actively compromised by a threat actor at the time of acquisition. Conducting threat-hunting activities as part of due diligence may help identify the compromise and prevent it from impacting the environment of the acquiring organization. Threat hunting presumes that the environment is compromised and involves performing targeted searches for indicators of compromise (IoCs) and reviewing relevant logs and network communications in an attempt to detect malicious artifacts or activity. Not only can focused threat hunting identify current or prior compromises, it can also point out gaps or weaknesses in the detection strategies of the organization and improve an understanding of the overall security posture.
Any organization considering an acquisition should ask:
- Do we know if this environment has experienced a security breach in the past or is currently compromised by a threat actor?
- Is this organization being discussed or targeted by threat actor groups?
- How does this acquisition shift our organization’s threat landscape?
- What new elements are we integrating into our environment that we have not accounted for in our risk or threat assessments?
- Do any publicly available compromised credentials provide access to the environment? Has access to this environment been sold on the dark web?
Acquisitions are challenging and stressful in the best of circumstances, but these steps may be able to assist in mitigating the security risk of incorporating new business operations into the environment.
How Protiviti can help
Protiviti has assisted numerous organizations with security due diligence reviews in support of M&A transactions and third-party security and risk assessments, as well as the design and implementation of remediation strategies for identified security weaknesses. We provide a full range of assessment and remediation support services from recommending and designing an assessment approach to conducting detailed assessments of controls, targeted Dark Web searches, threat-hunting exercises, and penetration tests. Our experienced incident response team can assist in instances when compromises are suspected or identified. Our security team is global and can support an organization’s needs regardless of the scale or geographical spread of its enterprise.
To learn more about our cybersecurity consulting solutions, contact us.
Kim Bozzella
Juli Ochs
Varun Ravi
