Few organizations venturing into a merger or acquisition intend on the transaction being, in reality, the acquisition of a catastrophic breach.
But that’s a reality that even some of the largest companies in the world have confronted. Buyers not only grow their business and expand into new markets and regions via M&A, but also acquire technology assets, and along with them, security weaknesses.
Resilient companies have learned from these harsh lessons. They rely on stringent cyber due diligence to avoid absorbing legacy security issues. They appreciate the perils of failing to understand an acquisition target’s breach history, response capabilities, and looming remediation costs.
Cyber Due Diligence at the Fore
Merging with or acquiring another firm is an expensive, exhausting process. It requires the acquiring company to identify and account for every last detail of its target's operations. Today, cyber security must be at the forefront of the acquirer’s due diligence, right alongside a thorough understanding of the company’s corporate structure, intellectual property, assets, contracts, and much more.
Any technology risks must be bubbled to the surface at the outset because they could materially affect valuation. Failure to conduct a thorough risk assessment could obscure security issues that could have long-standing financial and compliance implications.
In order to preserve its ability to maintain business continuity and withstand adverse cyber events, a company must quantify technology risks and understand the target’s commitment to, and funding of, its cyber program. It needs to know whether senior executives may have given the board an overly optimistic view of cyber and risk.
Technical debt—the accumulated burden of hasty or sub-optimal technology design decisions—can also be costly to a software development operation. As a result, vulnerabilities lurking in legacy applications can quickly pile up and increase a company’s exposure to external attackers.
Subsidiary Hits and Misses
There is plenty of evidence to support the link between due diligence failures during M&A activity and cyber incidents. Marriott International and FedEx are global giants in their respective industries, yet the after-effects of two massive acquisitions tested their resiliency in ways that even the best-resourced of their peers could not ignore.
Both acquired subsidiaries with security baggage that not only put their M&A due diligence under a microscope, but also illustrated how much threat actors covet dwell time and target core identity infrastructure such as Active Directory.
Marriott, for starters, brought Starwood Hotels under its umbrella in 2015, paying $13 billion for its subsidiaries including Westin, Sheraton, and more than a dozen others. Some malicious entity, however, had already been on the Starwood network for at least a year and by the time Marriott’s security systems detected the breach in 2018, more than 500 million customer records had been siphoned off the network.
The breach was rivaled only by Yahoo’s loss of three billion accounts in breaches starting in 2013. CEO Arne Sorenson last year testified before Congress that administrative credentials had been stolen and used to make database queries. A forensics team also uncovered that Mimikatz had been used during the attack to steal credentials.
Active Directory attacks have gone mainstream because of post-exploitation tools such as Mimikatz that can be used to obtain AD credentials and launch Golden Ticket and Silver Ticket attacks that enable lateral movement on enterprise networks. From there, attackers can execute ransomware attacks or drop malware such as remote access Trojans (RATs)—as in the case of Marriott—to steal customer data, intellectual property, and other sensitive information.
The NotPetya global wiper malware attack in 2017 also bundled Mimikatz to extract Active Directory credentials, enable lateral movement inside networks and continue its spread to vulnerable business and government networks worldwide. FedEx’s $4.8 billion Dutch subsidiary TNT Express was one of NotPetya’s high-profile victims, and thrust the company’s M&A cyber due diligence into the headlines.
Like all of NotPetya’s victims, TNT Express failed to deploy a patch for a critical Windows SMB v1 vulnerability that had been available from Microsoft for months. FedEx had assumed its subsidiary’s technical debt—in this case the outdated SMB v1 deployment—and missed a critical software vulnerability that shuttered the company’s domestic and international freight operations for weeks. Cleanup costs climbed above $300 million, alongside untold damage to FedEx’s reputation as the parent company.
Resilience Rests on Risk Assessments
M&A cyber due diligence forces acquirers to evaluate threats to a target, shedding light on business risks and exposures that acquirers can insist be addressed before they affect the value of a deal.
A 2018 PwC publication points out that cyber due diligence should expose critical issues requiring remediation, along with their cost and a resolution timeline. Security controls for protection and detection, such as Active Directory and identity infrastructure, are one of six areas PwC says must be assessed. The others are: the overall cybersecurity program, third-party security risk management, data privacy, controls around regulated and sensitive data, and security and privacy controls applied to products and services.
Boards of directors, meanwhile, no longer just pay lip service to cybersecurity. Most are well aware of the risks posed by ransomware, as one example, and how many of these attacks involve complete ownership of the Active Directory infrastructure as a necessary step for the attackers to persist on a network and continue to access resources.
These attacks can be devastating and stealthy; if surfaced, they can affect the M&A process to the point where deal values are renegotiated or, in extreme cases, the acquiring party walks away altogether.
How QOMPLX Can Help
QOMPLX’s technology, such as its Identity Assurance (IA) platform, can help harden Active Directory against attack by maintaining a stateful ledger of valid Kerberos tickets and interactions across domain controllers, Kerberos-enabled services, and clients. IA helps businesses cope with the increasing focus on Active Directory as a primary infrastructure target by validating the Kerberos protocol and assuring that traffic is legitimate.
In addition, QOMPLX’s Privilege Assurance tool helps identify weaknesses in your Active Directory environment, spotlight accounts that pose a risk to your organization, and identify concentrated pockets of privileges that malicious actors will seek to exploit.
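The stateful-ledger idea described above, as an added illustration that is not QOMPLX's code: correlate TGT issuance (Windows event 4768) and service-ticket issuance (4769) recorded on the domain controllers with Kerberos network logons (4624) on member servers, and flag any ticket use that no domain controller ever backed. The event IDs are real Windows Security event IDs; the log records, hostnames, client addresses and the 10-hour TGT lifetime are constructed assumptions for this example.

```python
from datetime import datetime, timedelta

# Assumed default AD TGT lifetime; a real ledger would read the domain policy.
TGT_LIFETIME = timedelta(hours=10)

# Constructed sample events (not real logs), already normalised from the
# Security log: 4768 = TGT issued (DC), 4769 = service ticket issued (DC),
# 4624 = Kerberos network logon on the member server "files01".
EVENTS = [
    {"time": "2020-01-06T08:00:00", "id": 4768, "host": "DC1", "user": "alice", "client": "10.0.1.20"},
    {"time": "2020-01-06T08:00:05", "id": 4769, "host": "DC1", "user": "alice", "client": "10.0.1.20", "service": "cifs/files01"},
    {"time": "2020-01-06T08:00:06", "id": 4624, "host": "files01", "user": "alice", "client": "10.0.1.20"},
    # Service ticket requested for an account that no DC issued a TGT to from this client
    # (what a forged "Golden Ticket" looks like from the ledger's point of view).
    {"time": "2020-01-06T09:15:00", "id": 4769, "host": "DC2", "user": "Administrator", "client": "10.0.9.77", "service": "ldap/DC2"},
    # Logon on a member server with no matching service-ticket issuance on any DC
    # (what a forged "Silver Ticket" looks like).
    {"time": "2020-01-06T09:20:00", "id": 4624, "host": "files01", "user": "svc_backup", "client": "10.0.9.77"},
]


def find_unbacked_tickets(events, lifetime=TGT_LIFETIME):
    """Return alerts for ticket activity that the DC-side ledger never issued."""
    tgts = {}    # (user, client) -> time the last TGT was issued by any DC
    tgs = set()  # (user, client, service host) for every service ticket issued
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        key = (ev["user"], ev["client"])
        if ev["id"] == 4768:
            tgts[key] = t
        elif ev["id"] == 4769:
            issued = tgts.get(key)
            # A service ticket needs a live TGT behind it; none, or an expired one, is suspect.
            if issued is None or t - issued > lifetime:
                alerts.append(("tgs_without_tgt", ev["user"], ev["client"], ev["host"]))
            # SPN "class/host": record the host the ticket was issued for.
            tgs.add((ev["user"], ev["client"], ev["service"].split("/", 1)[1]))
        elif ev["id"] == 4624:
            # A Kerberos logon on a server needs a service ticket the DCs actually issued.
            if (ev["user"], ev["client"], ev["host"]) not in tgs:
                alerts.append(("logon_without_tgs", ev["user"], ev["client"], ev["host"]))
    return alerts


if __name__ == "__main__":
    for alert in find_unbacked_tickets(EVENTS):
        print(alert)
```

In production the SPN host would be a FQDN and the correlation would tolerate clock skew between hosts; the logic above only shows why a ledger of issued tickets lets a defender recognise tickets that were minted outside the KDC.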