Guess what? The bad guys read the papers too. If your org has been the target of reconnaissance by a threat actor, the news of a new acquisition is music to their ears. Acquisition information adds a whole new vector to the social engineering side of things, and the acquired org can quickly become the new target of compromise as a means to an end. More businesses need to take this into consideration before any public announcement.
First, let's talk about the social engineering aspect. It's not hard to determine the top officers of any company: LinkedIn, the company's own site. Easy recon that a 4th grader could do. The acquisition generates activity and communication outside the normal flow, or baseline, of both organizations, which is exactly why it is a perfect time for social engineering attacks. In theory, you could pretend to be [pick your C-level exec] at the larger org, then call the CFO (or the administrative assistants!) of the smaller org and ask them to email you [financials | trade secrets | contact lists of more people | information about IT infrastructure | the list goes on]. Because of the divergence from normal activity, you could probably pull that off without hijacking a legitimate mailbox at all; just use whatever address ("I am away from my desk, send it to me here, I need it fast!"). Nobody on the receiving end has a baseline yet for what a request from the other company is supposed to look like. Social engineering training needs to be part of the pre-announcement process, before the two companies agree to publicly communicate their intention to merge.
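Here is one concrete check for the pretext described above, added to this post as an example rather than something the original text included: flag inbound mail whose display name matches a known officer while the sending address, or the Reply-To, points somewhere the two orgs do not control. The officer list, the domains and the sample headers are constructed for illustration.

```python
"""Flag inbound mail that impersonates a known officer by display name or address.

Added example for this post; the officer list, domains and headers are constructed.
"""
from __future__ import annotations

import re
import unicodedata
from email.utils import parseaddr

# Constructed: top officers of both orgs (the same list an attacker pulls off
# LinkedIn) mapped to the mailbox they really send from.
KNOWN_EXECS = {
    "Jane Doe": "jane.doe@bigcorp.example",    # CEO, acquiring org
    "Raj Patel": "raj.patel@bigcorp.example",  # CFO, acquiring org
    "Maria Lopez": "mlopez@smallco.example",   # CFO, acquired org
}
# Constructed: domains either side of the deal legitimately sends from.
ORG_DOMAINS = {"bigcorp.example", "smallco.example"}


def _norm(name: str) -> str:
    """Fold case, accents and punctuation so 'Jane DOE' and 'jane.doe' compare equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower())


_EXEC_BY_NORM = {_norm(name): name for name in KNOWN_EXECS}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(from_header: str, reply_to: str = "") -> list[str]:
    """Return human-readable findings for a From/Reply-To pair; [] means nothing odd."""
    findings: list[str] = []
    display, addr = parseaddr(from_header)
    from_dom = _domain(addr)
    local = addr.split("@", 1)[0] if "@" in addr else ""

    # 1. Display name is a known officer, but the mailbox is not theirs.
    exec_name = _EXEC_BY_NORM.get(_norm(display))
    if exec_name and addr.lower() != KNOWN_EXECS[exec_name].lower():
        where = "an external domain" if from_dom not in ORG_DOMAINS else "a different mailbox"
        findings.append(f"display name {display!r} matches {exec_name} but mail comes from {where} ({addr})")

    # 2. Officer's name reused as the local part on an outside domain (jane.doe@freemail).
    elif from_dom not in ORG_DOMAINS and _norm(local) in _EXEC_BY_NORM:
        findings.append(f"address {addr} reuses {_EXEC_BY_NORM[_norm(local)]}'s name on external domain {from_dom!r}")

    # 3. "Send it to me here": Reply-To steers replies to a different domain than From.
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        reply_dom = _domain(reply_addr)
        if reply_dom and reply_dom != from_dom:
            findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    return findings


if __name__ == "__main__":
    for hdr in ("Jane Doe <jane.doe@bigcorp.example>", "Jane DOE <jane.doe@gmail.example>"):
        print(hdr, "->", check_headers(hdr) or "clean")
```

The point of the check is the mismatch, not the name: a legitimate officer writing from the right mailbox produces no finding, while the "I am away from my desk" pretext trips either the external-domain rule or the Reply-To rule. Feed it the raw From and Reply-To header values from the mail gateway or from a SIEM's mail log.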
Second, let's talk about the patient threat actor. We have a threat actor who has been having a tough time gaining a foothold in your org because of your well-trained people and tight security posture, built from a well-funded budget. The org your company is buying may not have the same security posture as you do; in fact, the bad guys are counting on that. On day one of the announcement the tactics switch and the acquired org is the new target. Once a foothold is gained, the attacker just needs to back away from the keyboard and wait for the IT teams to connect the two companies. With regard to new orgs coming into the fold, one of the largest blind spots I've seen in my own journey is that the egress points of the new org are either unknown or undocumented. If the networks are connected before the InfoSec teams are 100% certain all egress points are accounted for (and sit behind the appropriate security hardware stack), then the bad guys have a great way to quietly exfiltrate your data: a path out that nobody is watching. Two things here. First, both a billing and an in-person inventory of all telecommunications lines at all sites needs to happen before 'trust' is established; a circuit that shows up on an invoice but not on a network diagram (or the other way around) is exactly the kind of path to go looking for. Second, the acquired company's systems need to go through a rigorous vetting process to determine the presence of an attacker before the networks are connected. That means not just looking at end systems and data center systems, but monitoring network traffic, with emphasis on egress traffic and DNS (query logs as well as the org's own records).
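Two of the checks described above, run over constructed sample data as an added example (not from the original post): compare outbound flows against the documented egress inventory to surface traffic leaving through a circuit nobody accounted for, and scan DNS query logs for the long, high-entropy subdomain labels and subdomain churn that DNS tunnelling leaves behind. The inventory, flow records and log lines are all made up for the example; the thresholds are illustrative starting points, not tuned values.

```python
"""Egress inventory and DNS-exfiltration checks over constructed sample data.

Added example for this post; inventory, flows and log lines are made up.
"""
from __future__ import annotations

import math
from collections import defaultdict

# Constructed: egress addresses InfoSec confirmed via the billing + site-walk inventory.
DOCUMENTED_EGRESS = {"203.0.113.10", "203.0.113.11"}

# Constructed flow export as (egress_ip, dst_ip, dst_port, bytes_out).
FLOWS = [
    ("203.0.113.10", "198.51.100.5", 443, 120_000),
    ("203.0.113.11", "198.51.100.9", 443, 8_000),
    ("192.0.2.77", "198.51.100.23", 443, 950_000_000),  # a forgotten DSL line at a branch site
]

# Constructed DNS query log as (client_ip, qtype, qname).
DNS_LOG = [
    ("10.1.2.3", "A", "www.bigcorp.example"),
    ("10.1.2.3", "A", "mail.smallco.example"),
    ("10.1.2.44", "TXT", "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t.cdn-updates.example"),
    ("10.1.2.44", "TXT", "nbswy3dpeb2w64tmmqqhgzlfmnzsaylomq3xi5lvmy.t.cdn-updates.example"),
    ("10.1.2.44", "TXT", "ge2dqojwhe2dkmjygi3dqobtgezdgnzvgy4dcmzsgq.t.cdn-updates.example"),
]


def undocumented_egress(flows, documented):
    """Sum outbound bytes per egress address and return those not in the inventory."""
    by_egress: dict[str, int] = defaultdict(int)
    for egress, _dst, _port, nbytes in flows:
        by_egress[egress] += nbytes
    return {ip: total for ip, total in by_egress.items() if ip not in documented}


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels sit near their alphabet's maximum."""
    if not s:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable(qname: str) -> str:
    """Naive eTLD+1 (last two labels); fine for the sample, wrong for co.uk-style suffixes."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_dns(log, max_label: int = 30, min_entropy: float = 3.5, max_unique: int = 50):
    """Return {registrable_domain: set(reasons)} for domains whose queries look like tunnelled data."""
    unique_subs: dict[str, set[str]] = defaultdict(set)
    reasons: dict[str, set[str]] = defaultdict(set)
    for _client, _qtype, qname in log:
        qname = qname.rstrip(".")
        base = registrable(qname)
        if len(qname) <= len(base):
            continue                      # bare apex query, no subdomain to inspect
        sub = qname[: -len(base) - 1]
        unique_subs[base].add(sub)
        first_label = sub.split(".")[0]   # the leftmost label is where encoders put the data
        if len(first_label) >= max_label:
            reasons[base].add("long-label")
        if shannon_entropy(first_label) >= min_entropy:
            reasons[base].add("high-entropy-label")
    for base, subs in unique_subs.items():
        if len(subs) > max_unique:
            reasons[base].add("many-unique-subdomains")
    return dict(reasons)


if __name__ == "__main__":
    print("undocumented egress:", undocumented_egress(FLOWS, DOCUMENTED_EGRESS))
    print("suspicious DNS:", suspicious_dns(DNS_LOG))
```

The egress check is only as good as the inventory you feed it, which is the whole point of doing the billing and in-person walk first. For the DNS check, run it against the resolver logs of the acquired org before the networks are joined; a domain that collects hundreds of unique, high-entropy subdomains from one client is worth a look even when each individual query is a perfectly valid TXT lookup.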
All of the same logic above applies to third-party business partners (BPs), and it may vary according to how far you let them into your network. Some BPs only access certain DMZs of yours; some have more access. Each BP connection is unique and may require custom security policy / firewall rules and vetting of systems. Really, the name of the game with BPs is least access / least privilege: give them only what they need and nothing more. Period. All BP traffic should always pass through an L7 firewall and IDS/IPS. Remember, Target's POS systems were compromised through their HVAC vendor. Think like an attacker!
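An added example of turning "least access" into a check that can run in a change pipeline (a constructed rule set, not something from the original post): every rule granted to a partner must target a specific DMZ host or subnet, carry an explicit port list, expose no interactive or admin ports, and attach an L7 inspection profile. The rule fields, DMZ ranges and partner rules are assumptions for illustration.

```python
"""Least-privilege audit of firewall rules granted to a business partner.

Added example for this post; DMZ ranges and the partner rule set are constructed.
"""
from __future__ import annotations

import ipaddress

# Constructed: the only ranges a partner is ever allowed to reach.
DMZ_NETS = [ipaddress.ip_network("10.10.0.0/24")]
# Constructed: interactive / admin ports that have no business on a partner link.
ADMIN_PORTS = {22, 23, 135, 139, 445, 3389, 5985, 5986}

# Constructed partner rule set, one dict per rule.
BP_RULES = [
    {"name": "hvac-telemetry", "src": "198.51.100.0/29", "dst": "10.10.0.15/32",
     "ports": [8443], "l7_profile": "https-inspect"},
    {"name": "hvac-legacy", "src": "198.51.100.0/29", "dst": "0.0.0.0/0",
     "ports": [], "l7_profile": None},
    {"name": "vendor-remote-support", "src": "203.0.113.5/32", "dst": "10.20.0.0/16",
     "ports": [445, 3389], "l7_profile": "smb-inspect"},
]


def audit_partner_rules(rules, dmz_nets):
    """Return {rule_name: [problems]} for every rule that grants more than a BP should get."""
    findings: dict[str, list[str]] = {}
    for rule in rules:
        problems: list[str] = []
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if src.prefixlen == 0:
            problems.append("source is any: partner rules must name the partner's addresses")
        if dst.prefixlen == 0:
            problems.append("destination is any")
        elif not any(dst.subnet_of(net) for net in dmz_nets if net.version == dst.version):
            problems.append(f"destination {dst} is outside the DMZ")
        if not rule["ports"]:
            problems.append("no port restriction")
        exposed = sorted(set(rule["ports"]) & ADMIN_PORTS)
        if exposed:
            problems.append(f"exposes admin/interactive port(s) {exposed}")
        if not rule.get("l7_profile"):
            problems.append("no L7 inspection profile: traffic bypasses IDS/IPS")
        if problems:
            findings[rule["name"]] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_partner_rules(BP_RULES, DMZ_NETS).items():
        print(name)
        for p in problems:
            print("  -", p)
```

The "hvac-telemetry" rule passes because it names one host, one port and an inspection profile; the other two are the shape of access that gets a partner link used as a pivot. Wire the audit into whatever produces the rule export so that a rule which widens a partner's reach fails the change before it is pushed.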