Threat Hunting For Cybersecurity M&A Due Diligence

Jake Williams (@MalwareJake)

Rendition Infosec

www.rsec.us

@RenditionSec

2020/03/06

$whoami

• Founder and President of Rendition Infosec

• IANS Faculty

• Former SANS Instructor

• Endorsed by the Shadow Brokers

• Former NSA hacker, Master CNE operator, recipient of the DoD Exceptional Civilian Service Medal

• Dislikes: those who call themselves “thought leaders,” “crypto bros,” and anyone who needlessly adds blockchain to a software solution

Agenda

• Why cybersecurity due diligence matters

• Techniques for cybersecurity M&A

• Cybersecurity M&A challenges

• Wrapping it up

(C) 2020 Rendition Infosec - Jake Williams


Why cybersecurity due diligence matters

How much liability are you taking on with those assets?

Cybersecurity Due Diligence – It Matters

• When an organization is acquired, all the assets are transferred

– So are the liabilities

• No M&A would be complete without investigating the state of the org’s physical assets

– e.g. are the factories in good shape or do they need massive upgrades

• Yet for some reason, the state of the org’s cybersecurity posture is not given the same level of attention…

Heterogeneous Networks

• Almost every M&A in the last two decades has involved heterogeneous technologies

– Which AD version are you on?

– Which Linux builds?

– Windows workstation versions?

– Legacy Unix versions?

– VPN and remote access technologies?

• What often isn’t considered (pre-acquisition) is how the newly acquired network will be secured and monitored


Techniques for cybersecurity M&A

Obviously this is a problem – how do we correct it?

Traditional Threat Hunting

• Traditional threat hunting uses IOCs and baseline deviations

• Use of IOCs to hunt on endpoints requires the deployment of software, usually employing endpoint agents

– And a central server with firewall rules to allow communications

• Baselining takes time and isn’t easy

– Ever tried to deploy UEBA software with minimal false positives?

– Baselines are hard to generate under the best of circumstances…

– If baselines were trivial, this would be a different conversation…

Threat Hunting M&A

• Unfortunately most networks for M&A we threat hunt in lack:

– Baselines of standard network and endpoint activity

– Systems for hunting IOCs on endpoints

• IOC scanning systems are usually not trivial to deploy

• While we could build baselines, this is cost prohibitive

– Most M&A jobs we do are pre-purchase investigations

– There’s little interest in undertaking huge cybersecurity projects just to determine valuation

A Quick Word On IOCs

• The best IOCs are industry/vertical specific

• In some cases, an M&A threat hunt can use the same IOCs that are used in the (future) parent organization

– This gets more complicated when it comes to holding companies

– The new organization may not be part of an ISAC, limiting access to vertical specific IOCs

• Have a plan in place for finding vertical specific CTI information

Tooling for Threat Hunting M&A

• You can’t count on organizations having their own tooling

– Network taps, EDR, netflow, SIEM

• Most products are not designed or licensed for quick one-off deployments and this can make costs prohibitive

– Getting buy-in for installing agent-based products is problematic

• Dedicated tooling or extremely flexible licensing plans are a requirement for M&A threat hunting

– How you operationalize IOCs depends entirely on your tooling

M&A Threat Hunting Techniques

• While there are practically endless considerations for M&A due diligence, we will focus on the following for maximum ROI:

– Review security practices

– Network traffic capture and IDS

– Vulnerability scanning

– Triple Threat Hunting™

– Evaluation of residual risk from previous breaches

• Let’s investigate each of these in some more detail

Review Security Practices

• Start by reviewing:

– Network architecture and segmentation

– Group memberships in Active Directory

– Antivirus and security tools

– Is there a SIEM? If not, how are logs monitored?

• What logs are being fed into the SIEM?

– Ask administrators about technical debt

– Inventory legacy systems (and document why they still exist)

• Many security agents don’t run on legacy systems and attackers know this; spend time hunting there

– Oddball Unix distros (AIX, SCO, HP-UX, etc.)

Network traffic capture and IDS

• Install network taps at egress points, collect network traffic, and run an IDS

– Ideally, the IDS sensors will cover both east/west traffic into and out of the datacenter, but north/south is better than nothing

• Pro tip: Check your taps to make sure you’re really getting full duplex traffic

– Without full duplex, many IDS sensors fail spectacularly

Network traffic capture and IDS (2)

• Network traffic capture is used to identify unmanaged endpoints in the environment

– We regularly find servers not in asset management (shadow IT) and services not previously declared by IT

• B2B VPNs are a huge source of risk for organizations and most lack the same monitoring present on the normal egress points

– With good network monitoring of egress points, it becomes easy to identify VPNs

– Most customers we work with initially lack knowledge of 25%+ of their B2B VPNs
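The two network-capture slides above describe three checks that come straight out of an egress tap: confirming the tap really delivers both directions of each conversation (the full duplex problem), finding hosts that talk on the wire but are missing from the asset inventory, and enumerating B2B VPN peers by their IKE/ESP traffic. The script below is an added example of all three, not code from the deck or from Rendition Infosec; it assumes a flow summary has already been exported from the capture (one record per unidirectional flow), and the flow records, internal ranges and inventory are constructed sample data.

```python
"""Egress traffic triage for an M&A network capture (added example).

Assumes a flow summary has already been exported from the tap capture, one
record per unidirectional flow (the shape Zeek conn logs or NetFlow exports
give you). The flow records, internal ranges and asset inventory below are
constructed sample data, not from any real engagement.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows: (src_ip, dst_ip, proto, dst_port, packets)
FLOWS = [
    ("10.1.1.20", "203.0.113.10", "tcp", 443, 120),
    ("203.0.113.10", "10.1.1.20", "tcp", 55100, 98),    # reverse direction present
    ("10.1.1.21", "203.0.113.11", "tcp", 443, 80),      # reverse direction never seen
    ("10.1.7.200", "198.51.100.5", "udp", 500, 12),     # IKE to an external peer
    ("198.51.100.5", "10.1.7.200", "udp", 500, 11),
    ("10.1.7.200", "198.51.100.5", "esp", 0, 4000),     # ESP tunnel payload
    ("198.51.100.5", "10.1.7.200", "esp", 0, 3900),
    ("10.1.9.44", "203.0.113.12", "tcp", 80, 30),       # talker missing from inventory
    ("203.0.113.12", "10.1.9.44", "tcp", 40022, 28),
]
INTERNAL_RANGES = [ip_network("10.0.0.0/8")]                # assumed internal space
ASSET_INVENTORY = {"10.1.1.20", "10.1.1.21", "10.1.7.200"}  # what IT declared
VPN_SIGNATURES = {("udp", 500), ("udp", 4500), ("esp", 0)}  # IKE, IKE NAT-T, ESP


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def one_sided_conversations(flows):
    """(src, dst, proto) triples whose reverse direction never appears.

    A few are normal (scans, unanswered SYNs). A large share of all
    conversations being one-sided is the full duplex tap problem from the
    slide: the sensor sees only one side of the link and the IDS cannot
    reassemble streams.
    """
    seen = {(s, d, p) for s, d, p, _, _ in flows}
    return sorted(t for t in seen if (t[1], t[0], t[2]) not in seen)


def one_sided_ratio(flows):
    """Share of distinct directed conversations lacking a reverse flow."""
    seen = {(s, d, p) for s, d, p, _, _ in flows}
    return len(one_sided_conversations(flows)) / len(seen) if seen else 0.0


def unmanaged_hosts(flows, inventory):
    """Internal addresses seen on the wire but absent from the asset inventory."""
    talkers = {ip for s, d, _, _, _ in flows for ip in (s, d) if is_internal(ip)}
    return sorted(talkers - inventory)


def vpn_peers(flows):
    """(internal host, external peer) -> packets of IKE/ESP traffic exchanged.

    Each pair is a candidate B2B VPN to reconcile against what IT declared.
    """
    pairs = defaultdict(int)
    for s, d, proto, port, pkts in flows:
        if (proto, port) in VPN_SIGNATURES and is_internal(s) != is_internal(d):
            inside, outside = (s, d) if is_internal(s) else (d, s)
            pairs[(inside, outside)] += pkts
    return dict(pairs)


if __name__ == "__main__":
    print("one-sided:", one_sided_conversations(FLOWS), f"({one_sided_ratio(FLOWS):.0%})")
    print("not in inventory:", unmanaged_hosts(FLOWS, ASSET_INVENTORY))
    print("VPN candidates:", vpn_peers(FLOWS))
```

On a healthy tap the one-sided ratio stays in the low single digits; a ratio approaching 100% means the sensor is only seeing one side of the link and the IDS results are not trustworthy. The VPN list is the starting point for the reconciliation the slide describes: every pair that IT did not declare gets its own monitoring.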

Vulnerability Scanning

• Vulnerability scanning should obviously be going on prior to any M&A consideration

• Look for whether patches have only recently been applied or whether patching has been an ongoing operation

– Digital forensic techniques including registry and filesystem timestamps are a huge enabler here

• Results here are a mixed bag - some try to put on a new coat of paint, others lack the foresight/resources to even try
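The slide's distinction between ongoing patching and a fresh coat of paint comes down to the shape of the install timeline per host. The script below is an added example of that classification, not the deck's or Rendition's own method; it assumes per-host update install dates have already been collected (update history exports and package manager logs, cross-checked against the registry and filesystem timestamps the slide mentions), and the hosts, update ids, dates and thresholds are constructed assumptions.

```python
"""Distinguishing ongoing patching from a fresh coat of paint (added example).

Assumes per-host update install dates have already been collected (update
history exports, package manager logs, with filesystem and registry
timestamps as the cross-check). Hosts, update ids and dates below are
constructed sample data; the window and burst thresholds are assumptions.
"""
from datetime import date, timedelta

# Constructed sample: host -> [(update_id, installed_on), ...]
UPDATE_HISTORY = {
    "srv-erp-01": [("UPD-1", date(2019, 9, 10)), ("UPD-2", date(2019, 10, 15)),
                   ("UPD-3", date(2019, 11, 12)), ("UPD-4", date(2019, 12, 10)),
                   ("UPD-5", date(2020, 1, 14)), ("UPD-6", date(2020, 2, 11))],
    "srv-file-02": [("UPD-1", date(2020, 2, 25)), ("UPD-2", date(2020, 2, 25)),
                    ("UPD-3", date(2020, 2, 25)), ("UPD-4", date(2020, 2, 25)),
                    ("UPD-5", date(2020, 2, 26)), ("UPD-6", date(2020, 2, 26))],
    "srv-legacy-03": [("UPD-1", date(2017, 3, 14))],
    "srv-new-04": [],
}
ASSESSMENT_DATE = date(2020, 3, 6)   # constructed


def patch_cadence(installs, assessment_date, window_days=30, burst_share=0.8):
    """Classify one host's patch history.

    ongoing - installs spread across months, the normal cadence
    burst   - at least burst_share of installs fall inside window_days before
              the assessment: patching was likely done for the assessment
    stale   - nothing installed in the past year
    unknown - no history collected
    """
    if not installs:
        return "unknown"
    dates = sorted(d for _, d in installs)
    if assessment_date - dates[-1] > timedelta(days=365):
        return "stale"
    recent = [d for d in dates if assessment_date - d <= timedelta(days=window_days)]
    if len(recent) / len(dates) >= burst_share:
        return "burst"
    return "ongoing"


def active_months(installs):
    """Distinct year-months with at least one install; ongoing patching shows many."""
    return len({(d.year, d.month) for _, d in installs})


def assess_hosts(history, assessment_date):
    """Per-host summary used to decide where the timeline deserves a closer forensic look."""
    return {host: {"cadence": patch_cadence(inst, assessment_date),
                   "active_months": active_months(inst),
                   "updates": len(inst)}
            for host, inst in history.items()}


if __name__ == "__main__":
    for host, summary in assess_hosts(UPDATE_HISTORY, ASSESSMENT_DATE).items():
        print(f"{host:14s} {summary}")
```

A "burst" host is not itself a finding; it is the host whose filesystem and registry timestamps deserve the forensic look the slide recommends, because the install dates alone cannot say whether the patching was routine maintenance or preparation for the assessment.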

Triple Threat Hunting™

• Threat hunting is easiest to start on the network

• Some number of endpoints should also be examined using a host-based EDR tool

• Memory resident threats may escape detection without the application of targeted memory forensics

[Diagram: Network Threat Hunting → Endpoint Data Collection and Analysis → Memory Forensics]

Triple Threat Hunting™ (2)

• Threat hunting begins on the network and continues up the stack

• While network threat hunting will occur everywhere, only a small number of endpoints receive deep dive analysis

– Of those, a small number will be selected for full memory analysis

– Selection is usually based on asset risk and index of suspicion

[Diagram: Network Threat Hunting → Endpoint Data Collection and Analysis → Memory Forensics]
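The two Triple Threat Hunting slides describe a funnel: every host gets network hunting, a budgeted subset gets EDR collection, and a smaller subset of those gets memory analysis, with selection driven by asset risk and an index of suspicion. The script below is an added example of that selection, not the deck's or Rendition's own scoring; the hosts, finding types, weights, the legacy-host bump and the tier budgets are all constructed assumptions.

```python
"""Choosing which endpoints move up the Triple Threat Hunting stack (added example).

Network hunting covers every host; a smaller set gets EDR collection and a
smaller set still gets memory analysis. Hosts are ranked on asset risk and an
index of suspicion fed by network-hunt findings. The hosts, finding types,
weights and budgets are constructed/assumed, not the deck's own method.
"""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    asset_risk: int                                  # 1 (low) .. 5 (crown jewels)
    legacy: bool = False                             # cannot run security agents
    findings: list = field(default_factory=list)     # network-hunt observations


# Assumed weights for the constructed finding types
SUSPICION_WEIGHTS = {"beaconing": 4, "ids_alert": 3, "undeclared_vpn_peer": 2, "unmanaged": 2}
LEGACY_BONUS = 3   # assumption: agents cannot run there and attackers know it


def index_of_suspicion(host):
    """Sum of weighted network-hunt findings; unknown finding types count 1."""
    return sum(SUSPICION_WEIGHTS.get(f, 1) for f in host.findings)


def priority(host):
    """Risk scaled by suspicion, so a suspicious crown jewel outranks a
    suspicious kiosk, plus a bump for legacy hosts that no agent covers."""
    return host.asset_risk * (1 + index_of_suspicion(host)) + (LEGACY_BONUS if host.legacy else 0)


def plan_tiers(hosts, edr_budget, memory_budget):
    """Return host names per tier: every host on the network tier, the top
    edr_budget by priority on the endpoint tier, and the top memory_budget of
    those on the memory tier."""
    ranked = sorted(hosts, key=priority, reverse=True)
    endpoint = [h.name for h in ranked[:edr_budget]]
    memory = endpoint[:memory_budget]
    return {"network": [h.name for h in hosts], "endpoint": endpoint, "memory": memory}


# Constructed sample inventory with findings from a (constructed) network hunt
SAMPLE_HOSTS = [
    Host("erp-db-01", 5, findings=["ids_alert"]),
    Host("vpn-gw-02", 4, findings=["undeclared_vpn_peer", "beaconing"]),
    Host("ws-0451", 1, findings=["beaconing"]),
    Host("hpux-batch", 3, legacy=True),
    Host("ws-0102", 1),
    Host("file-srv-03", 3, findings=["unmanaged"]),
]

if __name__ == "__main__":
    for tier, names in plan_tiers(SAMPLE_HOSTS, edr_budget=4, memory_budget=2).items():
        print(f"{tier:9s} {names}")
```

The multiplication is the design choice worth noting: a beaconing workstation with no business value ranks below an ERP database with a single IDS alert, which matches the slide's point that selection weighs asset risk alongside suspicion rather than suspicion alone.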

Residual risk from breaches

• A large percentage of breaches are not completely remediated

• Threat hunting can help identify residual malware, but a breach is about more than just malware

– Attackers may leave behind backdoor accesses/accounts/etc.

– Don’t forget regulatory liability of improperly reported breaches

• Frequently, we find that IT operates outside of change management procedures while remediating a breach

– This opens the possibility of an insecure misconfiguration


Cybersecurity M&A challenges

Nothing worth doing is ever easy…

Challenges in M&A cybersecurity assessment

• The organization under evaluation has an incentive to be less than completely forthcoming with their cyber hygiene

– This isn’t necessarily being done with malicious intent

• In many (most??) orgs, leadership does not have the same view of cybersecurity posture as IT practitioners

– We believe that most apparent “deceit” is just an extension of existing communication problems between line workers and management

Reducing Costs Prior to M&A

• Many organizations considering a buyout will try to make themselves more attractive for an M&A by cutting costs

• Infosec and IT are cost centers, not profit centers

– It is not unusual to see IT and infosec staff trimmed to achieve a better P&L sheet and attract a buyer

– The results are predictable…

Reducing Costs Prior to M&A (2)

• We always ask teams their relative strength vs. 24 months ago

• During interviews, ask staff what they aren’t doing now that they have fewer resources

– In most cases, something got dropped

– You want to know where the bodies are buried

• Note: not all staff reductions are problematic for M&A risk

Poor asset inventory

• Almost all organizations have issues with asset inventory

• A critical step in assessing M&A risk is to determine what isn’t being tracked in the asset inventory

• Under no circumstances should you simply scan the endpoints and subnets identified by IT

– The juiciest stuff we find was never on the asset inventory in the first place…

Poor Visibility

• Many organizations lack good network visibility

– This problem is exacerbated in many orgs undergoing M&A due to pre-M&A cost cutting

– Generally the organization being acquired is less mature in their IT and infosec posture

• Many of these orgs lack:

– SIEM

– EDR

– Netflow

– Centralized AV management


War Stories

Because infosec needs more Michael Bay moments!

Case study #1: we forgot about the VMS

• It’s okay – everyone forgets about a few virtual machines…

– Oh, you meant VMS (the legacy OS you’re still using in production)

• Because our scanning scope was limited due to ICS devices, we only found this due to onsite interviews and datacenter visits

• The organization had tried repeatedly to move off the legacy VMS servers, but failed each time

– To the tune of $7 million over three failed attempts…

Case study #2: What B2B VPNs?

• During the initial intake, we were told there were no B2B VPNs

• Network monitoring quickly uncovered five always-on VPNs

– Eventually, at least a dozen more on-demand VPNs were discovered

• Once we put monitoring on the VPN connections, it was clear that confidential data was being systematically siphoned from the org’s ERP system from a remote site

– Threat hunting alone would likely not have discovered this

Case study #3: Sure, we remediated…

• During intake, the org said they had experienced one major incident (ransomware) in the previous 36 months

• On-site interviews with staff revealed two more incidents, one of which appeared to be an APT intrusion

• We deployed our on-demand EDR, scanned the network, and found dozens of servers where the attacker just swapped out their malware

– Remediation failed…

Case study #4: Sure we had an incident response!

• Reviewing incident reports, it was clear that the client suffered a breach event that they had not properly reported to regulators

• The SmallCo was advised by another third-party firm that they did not need to disclose and took that advice at face value

• The BigCo devalued SmallCo, but more importantly they could file disclosures under the SmallCo name instead of their own after the acquisition

Case study #5: Don’t worry, we have AV!

• The acquiring organization was told there was an absolute clean bill of health

– The acquired organization was directly involved in contracts selling technology to the Chinese government

– The justification for “clean bill of health” was “we haven’t had any alarms that antivirus didn’t clean”

• Within two hours of installing network taps, we discovered two different groups operating in the network

– There was no reason for them to be stealthy

– We didn’t broadcast that we were threat hunting (CI)


Closing Thoughts

Let’s wrap this up

Conclusion

Every M&A has cybersecurity risks that extend to ALL parties involved

Identifying cybersecurity risks can help adjust the valuation of the acquisition

Orgs that grow through M&A without systematically evaluating cybersecurity risks are giving a toddler a hand grenade…

@MalwareJake

@RenditionSec

www.rsec.us