Parents have an inherent predisposition to believe their children are absolutely beautiful. Even when their children aren’t much more than tiny blobs that eat, sleep and cry (read: newborns), parents will swear that their children are the most good-looking babies they’ve ever seen. That’s just what you do.

Some firms grow through merger and acquisition (M&A) activity. These are the acquirers — parents, if you will. They undertake a great deal of due diligence to determine whether a target firm (baby) is cute enough for them. Growth? Cute. Profitability? Cute. Leverage? Cute. Size, liquidity, valuation? All very cute! The deal is done, and congratulations on your cute new baby.

But what happens if the target isn’t that cute, after all? What if the network is already compromised outright?

While we at CrowdStrike^® would never call your baby ugly, we do want to help an acquiring firm achieve its goal — to be better off for having acquired its new bundle of joy. Security fundamentals, detection and prevention, a sound incident response strategy, and a clean environment — your acquisition should ideally have all these attributes.

This has all been discussed in a previous blog from CrowdStrike, explaining why hasty integration of a newly acquired business is risky. However, in enterprise cybersecurity, there is often a time lag between thought leadership and practice. Implementing change requires budget, planning, communications, etc., and often the cautions regarding risk are ignored, only to be validated later in the real world. Indeed, recent news is becoming increasingly littered with examples of compromises inherited through M&A.

In a recent engagement for a customer with an aggressive growth strategy through M&A activity, we discovered that the acquiring firm wasn’t assessing the cybersecurity posture of its targets in the same manner they looked at financials. They effectively accepted a significant risk with no visibility into the factors involved. We recommended thorough cybersecurity assessments prior to any deals in the future and they took us up on that recommendation, when the next one came along.

This is the story of how that turned out…

Initial Health Check (Maturity Assessment)

CrowdStrike performed a cybersecurity maturity assessment (CSMA) for the parent firm and provided a variety of recommendations, which included that they perform some analysis of the cybersecurity health of the company being acquired.

To determine if the target firm’s network was compromised, we needed full visibility into all system activity via a compromise assessment (CA). We deployed two tools — the CrowdStrike Falcon®^® platform and Falcon Forensic Collector (FFC) — on every system. The Falcon endpoint detection and response (EDR) technology gave us the ongoing, near real-time system visibility to detect potential attackers based on behavioral indicators of attack (IOAs), indicators of compromise (IOCs) and proactive threat hunting.

FFC looked backward, giving us a detailed and extensive view of the historical forensic data. This proprietary CrowdStrike tool implements data gathering modules and collects various types of incident response-relevant host artifacts. The tool places the data it collects into an analysis platform for CrowdStrike consultants to investigate at scale. CrowdStrike analysts looked through the forensic data for evidence of past or current compromise, such as program execution, persistence mechanisms, items that appear infrequently and other artifacts of malicious activity.

Parental Consultation (Recommendations)

While extensive due diligence occurs in any new deal, most interactions between acquiring firms and their targets happen through counsel, executives and various business analysts. The acquirer’s IT security personnel often know little about the target’s cybersecurity posture. The same was true for this deal. The acquired firm had no documentation regarding their IT infrastructure, and the acquirer’s IT staff hadn’t yet interacted with them.

In a typical CSMA, CrowdStrike consultants schedule several brief interviews across key cybersecurity and incident response areas. We speak separately with the leads from incident response (IR), infrastructure, legal, communications and so on. In this case, the target had no defined roles, processes or structure.

To focus our discussions — and break the collective ice between the acquirer and target — we broke from tradition and scheduled a day of roundtable discussions with relevant personnel from both parties.

We held these talks onsite, while our analysts dug through the forensic data. The technical findings informed our discussions, and in some cases opened up new lines of questions. This flow brought clarity to not only our line of questioning, but also to our client. By the end of the day, the client knew more about the target, and personnel from both parties established working relationships.

Lab Work & Diagnosis (Compromise Assessment)

As for the CA workstream, our analysts discovered positives and negatives about the target company’s security hygiene — some of which were already known to them. We found evidence that suggested the target firm may have suffered a recent compromise. We notified the client of this finding right away, and the client initiated an incident response.

Discharge (Business as Usual Resumption)

From a maturity standpoint, almost every security posture element at the target firm was piecemeal or non-existent. The acquirer’s integration strategies needed to address more than just whether it was safe to drop the acquired systems into their network.

For example, personnel decisions around reporting structure and hierarchy were required. Moving production systems behind existing controls required deliberation and testing. Indeed, shifting a new acquisition to a security-first mindset is no small feat.

By identifying the attacker activity and working with the acquirer to remediate the compromise, we helped the new parent company avert several potentially unwanted scenarios. With our deep knowledge of the acquirer’s personnel, processes, and tooling, we provided our recommendations for several short, intermediate and long-term goals. We look forward to working with them — and many other acquiring firms — to ensure that their future deals are made with peace of mind and sound expectations.

Additional Resources

• For more information on CrowdStrike’s Incident Response, Compromise Assessment or Threat Hunting offerings, visit the CrowdStrike Services page or please reach out to us via Services@crowdstrike.com
• Download the CrowdStrike 2020 Global Threat Report.
• Download the 2018 CrowdStrike Services Cyber Intrusion Casebook and read up on real-world attacks and incident response (IR) investigations, and recommendations that can help your organization be better prepared.
• Test CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.