2020/03/06
TRANSCRIPT
Threat Hunting For Cybersecurity M&A Due Diligence
Jake Williams (@MalwareJake)
Rendition Infosec
www.rsec.us
@RenditionSec
$whoami
• Founder and President of Rendition Infosec
• IANS Faculty
• Former SANS Instructor
• Endorsed by the Shadow Brokers
• Former NSA hacker, Master CNE operator, recipient of the DoD Exceptional Civilian Service Medal
• Dislikes: those who call themselves “thought leaders,” “crypto bros,” and anyone who needlessly adds blockchain to a software solution
Agenda
• Why cybersecurity due diligence matters
• Techniques for cybersecurity M&A
• Cybersecurity M&A challenges
• Wrapping it up
(C) 2020 Rendition Infosec - Jake Williams
Why cybersecurity due diligence matters
How much liability are you taking on with those assets?
Cybersecurity Due Diligence – It Matters
• When an organization is acquired, all the assets are transferred
– So are the liabilities
• No M&A would be complete without investigating the state of the org’s physical assets
– e.g. are the factories in good shape or do they need massive upgrades
• Yet for some reason, the state of the org’s cybersecurity posture is not given the same level of attention…
Heterogeneous Networks
• Almost every M&A in the last two decades has involved heterogeneous technologies
– Which AD version are you on?
– Which Linux builds?
– Windows workstation versions?
– Legacy Unix versions?
– VPN and remote access technologies?
• What often isn’t considered (pre-acquisition) is how the newly acquired network will be secured and monitored
Techniques for cybersecurity M&A
Obviously this is a problem – how do we correct it?
Traditional Threat Hunting
• Traditional threat hunting uses IOCs and baseline deviations
• Use of IOCs to hunt on endpoints requires the deployment of software, usually employing endpoint agents
– And a central server with firewall rules to allow communications
• Baselining takes time and isn’t easy
– Ever tried to deploy UEBA software with minimal false positives?
– Baselines are hard to generate under the best of circumstances…
– If baselines were trivial, this would be a different conversation…
Threat Hunting M&A
• Unfortunately, most networks we threat hunt in for M&A lack:
– Baselines of standard network and endpoint activity
– Systems for hunting IOCs on endpoints
• IOC scanning systems are usually not trivial to deploy
• While we could build baselines, this is cost prohibitive
– Most M&A jobs we do are pre-purchase investigations
– There’s little interest in undertaking huge cybersecurity projects just to determine valuation
A Quick Word On IOCs
• The best IOCs are industry/vertical specific
• In some cases, an M&A threat hunt can use the same IOCs that are used in the (future) parent organization
– This gets more complicated when it comes to holding companies
– The new organization may not be part of an ISAC, limiting access to vertical specific IOCs
• Have a plan in place for finding vertical specific CTI information
Tooling for Threat Hunting M&A
• You can’t count on organizations having their own tooling
– Network taps, EDR, netflow, SIEM
• Most products are not designed or licensed for quick one-off deployments and this can make costs prohibitive
– Getting buy-in for installing agent-based products is problematic
• Dedicated tooling or extremely flexible licensing plans are a requirement for M&A threat hunting
– How you operationalize IOCs depends entirely on your tooling
M&A Threat Hunting Techniques
• While there are practically endless considerations for M&A due diligence, we will focus on the following for maximum ROI:
– Review security practices
– Network traffic capture and IDS
– Vulnerability scanning
– Triple Threat Hunting™
– Evaluation of residual risk from previous breaches
• Let’s investigate each of these in some more detail
Review Security Practices
• Start by reviewing:
– Network architecture and segmentation
– Group memberships in Active Directory
– Antivirus and security tools
– Is there a SIEM? If not, how are logs monitored?
• What logs are being fed into the SIEM?
– Ask administrators about technical debt
– Inventory legacy systems (and document why they still exist)
• Many security agents don’t run on legacy systems and attackers know this – spend time hunting there
– Oddball Unix distros (AIX, SCO, HP-UX, etc.)
Network traffic capture and IDS
• Install network taps at egress points, collect network traffic, and run an IDS
– Ideally, the IDS sensors will also cover east/west traffic into and out of the datacenter, but north/south is better than nothing
• Pro tip: Check your taps to make sure you’re really getting full duplex traffic
– Without full duplex, many IDS sensors fail spectacularly
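The "pro tip" above deserves a concrete check. The script below is an added example, not code from the talk or from Rendition Infosec; it looks for TCP conversations in which one endpoint sends ACK-bearing segments while its peer is never observed, which is what a tap delivering only one direction looks like. The packet summaries are constructed; in practice they would come from a pcap or a flow exporter, and the 20% threshold is an assumption.

```python
"""Sanity-check a tap or SPAN feed for full-duplex capture.

Added example, not the speaker's tooling. A tap that delivers only one
direction shows up as TCP conversations in which one endpoint sends
ACK-bearing segments while its peer is never seen. Unanswered SYNs
(scans, dead hosts) are not evidence of a tap problem and are ignored.
"""
from collections import defaultdict

# Constructed packet summaries: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE_PACKETS = [
    # Conversation seen from both sides: healthy
    ("10.1.1.5", 51000, "93.184.216.34", 443, "S"),
    ("93.184.216.34", 443, "10.1.1.5", 51000, "SA"),
    ("10.1.1.5", 51000, "93.184.216.34", 443, "A"),
    # Client ACKs and pushes data, but the server side is never seen: a missing direction
    ("10.1.1.6", 51001, "93.184.216.34", 443, "S"),
    ("10.1.1.6", 51001, "93.184.216.34", 443, "A"),
    ("10.1.1.6", 51001, "93.184.216.34", 443, "PA"),
    # Unanswered SYN: not a tap problem
    ("10.1.1.7", 51002, "10.1.1.9", 445, "S"),
    # Another healthy conversation
    ("10.1.1.8", 51003, "10.1.1.20", 3389, "S"),
    ("10.1.1.20", 3389, "10.1.1.8", 51003, "SA"),
    ("10.1.1.8", 51003, "10.1.1.20", 3389, "A"),
    ("10.1.1.20", 3389, "10.1.1.8", 51003, "PA"),
]


def conversation_key(src_ip, src_port, dst_ip, dst_port):
    """Direction-agnostic key so both halves of a flow map to one conversation."""
    return tuple(sorted([(src_ip, src_port), (dst_ip, dst_port)]))


def duplex_report(packets, threshold=0.2):
    """Count conversations where only one side was ever captured.

    A host sends ACK-bearing segments only after receiving something from its
    peer, so an ACK with the peer never observed means that direction of the
    conversation is missing from the feed. threshold is an assumed cut-off.
    """
    senders = defaultdict(set)   # conversation -> endpoints seen sending anything
    ackers = defaultdict(set)    # conversation -> endpoints seen sending ACK-bearing segments
    for src_ip, src_port, dst_ip, dst_port, flags in packets:
        key = conversation_key(src_ip, src_port, dst_ip, dst_port)
        senders[key].add((src_ip, src_port))
        if "A" in flags:
            ackers[key].add((src_ip, src_port))

    one_sided = [key for key, ends in senders.items()
                 if len(ends) == 1 and ackers[key]]
    ratio = len(one_sided) / len(senders) if senders else 0.0
    return {
        "conversations": len(senders),
        "one_sided": len(one_sided),
        "one_sided_ratio": round(ratio, 3),
        "half_duplex_suspected": ratio >= threshold,
    }


if __name__ == "__main__":
    print(duplex_report(SAMPLE_PACKETS))
```

Run this against the first few minutes of capture from each new tap before trusting any IDS output from it; a high one-sided ratio on a busy link points at the tap or SPAN configuration rather than at the network.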
Network traffic capture and IDS (2)
• Network traffic capture is used to identify unmanaged endpoints in the environment
– We regularly find servers not in asset management (shadow IT) and services not previously declared by IT
• B2B VPNs are a huge source of risk for organizations and most lack the same monitoring present on the normal egress points
– With good network monitoring of egress points, it becomes easy to identify VPNs
– Most customers we work with initially lack knowledge of 25%+ of their B2B VPNs
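The two findings on this slide, hosts missing from the asset inventory and undeclared B2B VPNs, both fall out of egress flow data. The script below is an added example, not the speaker's tooling: it compares the internal addresses seen on the wire against the inventory IT handed over, and nominates external peers as VPN endpoints when IKE (udp/500, udp/4500), ESP (IP protocol 50) or a very long-lived flow is seen. The flow records, the inventory, the 10.0.0.0/8 internal range and the six-hour "always-on" threshold are all constructed assumptions.

```python
"""Find unmanaged internal hosts and B2B VPN peers from flow records.

Added example, not the speaker's tooling. Flow records and the asset
inventory are constructed. INTERNAL_NETS and LONG_LIVED_SECONDS are
assumptions to be replaced with the org's real address space and an
agreed notion of "always-on".
"""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: the org's internal space
LONG_LIVED_SECONDS = 6 * 3600                           # assumption: 6h+ flows look "always-on"
PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50

# Constructed flow records: (src_ip, dst_ip, ip_proto, dst_port, duration_s, bytes)
SAMPLE_FLOWS = [
    ("10.1.1.5", "93.184.216.34", PROTO_TCP, 443, 30, 20_000),              # ordinary web traffic
    ("10.1.1.50", "203.0.113.10", PROTO_UDP, 500, 2, 1_200),                # IKE handshake
    ("10.1.1.50", "203.0.113.10", PROTO_ESP, 0, 86_400, 5_000_000_000),     # ESP tunnel, all day
    ("10.1.2.7", "198.51.100.8", PROTO_TCP, 443, 40_000, 900_000_000),      # long-lived TLS session
    ("10.1.1.9", "10.1.1.20", PROTO_TCP, 445, 120, 50_000),                 # internal file share
    ("10.1.3.3", "93.184.216.34", PROTO_TCP, 80, 5, 3_000),                 # short web request
]

# Constructed asset inventory as handed over by IT
SAMPLE_INVENTORY = {"10.1.1.5", "10.1.1.9", "10.1.1.20", "10.1.2.7"}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def unmanaged_endpoints(flows, inventory):
    """Internal addresses that talk on the wire but are absent from the inventory."""
    observed = {ip for src, dst, *_ in flows for ip in (src, dst) if is_internal(ip)}
    return sorted(observed - set(inventory))


def vpn_candidates(flows):
    """External peers that look like VPN endpoints, with the evidence for each."""
    peers = defaultdict(lambda: {"internal_hosts": set(), "evidence": set()})
    for src, dst, proto, dst_port, duration, _nbytes in flows:
        if is_internal(src) == is_internal(dst):
            continue   # only internal <-> external pairs matter here
        inside, outside = (src, dst) if is_internal(src) else (dst, src)
        evidence = set()
        if proto == PROTO_UDP and dst_port in (500, 4500):
            evidence.add("IKE/NAT-T")
        if proto == PROTO_ESP:
            evidence.add("ESP")
        if duration >= LONG_LIVED_SECONDS:
            evidence.add("long-lived")
        if evidence:
            peers[outside]["internal_hosts"].add(inside)
            peers[outside]["evidence"] |= evidence
    return {peer: {"internal_hosts": sorted(v["internal_hosts"]),
                   "evidence": sorted(v["evidence"])}
            for peer, v in sorted(peers.items())}


if __name__ == "__main__":
    print("Not in inventory:", unmanaged_endpoints(SAMPLE_FLOWS, SAMPLE_INVENTORY))
    for peer, info in vpn_candidates(SAMPLE_FLOWS).items():
        print(f"VPN candidate {peer}: {info}")
```

In the constructed data the host terminating the IPsec tunnel (10.1.1.50) is itself missing from the inventory, which is the combination this slide warns about: an undeclared VPN on an unmanaged box. Each peer the second function reports is a question for the intake interview, not a conclusion.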
Vulnerability Scanning
• Vulnerability scanning should obviously be going on prior to any M&A consideration
• Look for whether patches have only recently been applied or whether patching has been an ongoing operation
– Digital forensic techniques including registry and filesystem timestamps are a huge enabler here
• Results here are a mixed bag – some try to put on a new coat of paint, others lack the foresight/resources to even try
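The "new coat of paint" question can be answered from install timestamps alone. The script below is an added example, not the speaker's tooling: given each patch's vendor release date and the date it landed on the host (on Windows, Get-HotFix or the registry timestamps the slide mentions; the records here are constructed), it reports the release-to-install lag and the share of installs in the weeks before the assessment. The 30-day window, the 50% share and the 90-day lag used to call something a burst are assumed thresholds.

```python
"""Distinguish a pre-sale patching burst from ongoing patch hygiene.

Added example, not the speaker's tooling. A host patched continuously
shows short, steady release-to-install lags; a host given a "new coat
of paint" shows most installs landing just before the assessment with
long lags. Records and thresholds are constructed assumptions.
"""
from datetime import date
from statistics import median

# Constructed patch records: (patch_id, released, installed); ids are placeholders
SAMPLE_PATCHES = [
    ("PATCH-EXAMPLE-1", date(2019, 6, 11), date(2020, 2, 20)),
    ("PATCH-EXAMPLE-2", date(2019, 8, 13), date(2020, 2, 20)),
    ("PATCH-EXAMPLE-3", date(2019, 10, 8), date(2020, 2, 21)),
    ("PATCH-EXAMPLE-4", date(2020, 1, 14), date(2020, 2, 21)),
    ("PATCH-EXAMPLE-5", date(2019, 4, 9), date(2019, 4, 15)),
]

# Constructed date of the due diligence assessment
ASSESSMENT_DATE = date(2020, 3, 1)


def patch_cadence(records, assessment_date, recent_days=30,
                  burst_share=0.5, slow_lag_days=90):
    """Summarise install timing and classify it as 'burst' or 'ongoing'.

    Thresholds are assumptions: a host is called a burst when at least
    burst_share of its patches were installed within recent_days of the
    assessment and the median release-to-install lag exceeds slow_lag_days.
    """
    if not records:
        return {"patches": 0, "verdict": "no data"}
    lags = [(installed - released).days for _, released, installed in records]
    recent = sum(1 for _, _, installed in records
                 if (assessment_date - installed).days <= recent_days)
    recent_share = recent / len(records)
    med = median(lags)
    burst = recent_share >= burst_share and med > slow_lag_days
    return {
        "patches": len(records),
        "recent_share": round(recent_share, 2),
        "median_lag_days": med,
        "max_lag_days": max(lags),
        "verdict": "burst" if burst else "ongoing",
    }


if __name__ == "__main__":
    print(patch_cadence(SAMPLE_PATCHES, ASSESSMENT_DATE))
```

Run per host and compare across the fleet: a burst verdict on a handful of internet-facing servers and "ongoing" everywhere else tells a different story from a burst across the board.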
Triple Threat Hunting™
• Threat hunting is easiest to start on the network
• Some number of endpoints should also be examined using a host-based EDR tool
• Memory resident threats may escape detection without the application of targeted memory forensics
[Diagram: Network Threat Hunting → Endpoint Data Collection and Analysis → Memory Forensics]
Triple Threat Hunting™ (2)
• Threat hunting begins on the network and continues up the stack
• While network threat hunting will occur everywhere, only a small number of endpoints receive deep dive analysis
– Of those, a small number will be selected for full memory analysis
– Selection is usually based on asset risk and index of suspicion
Residual risk from breaches
• A large percentage of breaches are not completely remediated
• Threat hunting can help identify residual malware, but a breach is about more than just malware
– Attackers may leave behind backdoor accesses/accounts/etc.
– Don’t forget regulatory liability of improperly reported breaches
• Frequently, we find that IT operates outside of change management procedures while remediating a breach
– This opens the possibility of an insecure misconfiguration
Cybersecurity M&A challenges
Nothing worth doing is ever easy…
Challenges in M&A cybersecurity assessment
• The organization under evaluation has an incentive to be less than completely forthcoming with their cyber hygiene
– This isn’t necessarily being done with malicious intent
• In many (most??) orgs, leadership does not have the same view of cybersecurity posture as IT practitioners
– We believe that most apparent “deceit” is just an extension of existing communication problems between line workers and management
Reducing Costs Prior to M&A
• Many organizations considering a buyout will try to make themselves more attractive for an M&A by cutting costs
• Infosec and IT are cost centers, not profit centers
– It is not unusual to see IT and infosec staff trimmed to achieve a better P&L sheet and attract a buyer
– The results are predictable…
Reducing Costs Prior to M&A (2)
• We always ask teams their relative strength vs. 24 months ago
• During interviews, ask staff what they aren’t doing now that they have fewer resources
– In most cases, something got dropped
– You want to know where the bodies are buried
• Note: not all staff reductions are problematic for M&A risk
Poor asset inventory
• Almost all organizations have issues with asset inventory
• A critical step in assessing M&A risk is to determine what isn’t being tracked in the asset inventory
• Under no circumstances should you simply scan the endpoints and subnets identified by IT
– The juiciest stuff we find was never on the asset inventory in the first place…
Poor Visibility
• Many organizations lack good network visibility
– This problem is exacerbated in many orgs undergoing M&A due to pre-M&A cost cutting
– Generally the organization being acquired is less mature in their IT and infosec posture
• Many of these orgs lack:
– SIEM
– EDR
– Netflow
– Centralized AV management
War Stories
Because infosec needs more Michael Bay moments!
Case study #1: we forgot about the VMS
• It’s okay – everyone forgets about a few virtual machines…
– Oh, you meant VMS (the legacy OS you’re still using in production)
• Because our scanning scope was limited due to ICS devices, we only found this due to onsite interviews and datacenter visits
• The organization had tried repeatedly to move off the legacy VMS servers, but failed each time
– To the tune of $7 million over three failed attempts…
Case study #2: What B2B VPNs?
• During the initial intake, we were told there were no B2B VPNs
• Network monitoring quickly uncovered five always-on VPNs
– Eventually, at least a dozen more on-demand VPNs were discovered
• Once we put monitoring on the VPN connections, it was clear that confidential data was being systematically siphoned from the org’s ERP system from a remote site
– Threat hunting alone would likely not have discovered this
Case study #3: Sure, we remediated…
• During intake, the org said they had experienced one major incident (ransomware) in the previous 36 months
• On-site interviews with staff revealed two more incidents, one of which appeared to be an APT intrusion
• We deployed our on-demand EDR, scanned the network, and found dozens of servers where the attacker just swapped out their malware
– Remediation failed…
Case study #4: Sure we had an incident response!
• Reviewing incident reports, it was clear that the client suffered a breach event that they had not properly reported to regulators
• The SmallCo was advised by another third-party firm that they did not need to disclose and took that advice at face value
• The BigCo devalued SmallCo, but more importantly they could file disclosures under the SmallCo name instead of their own after the acquisition
Case study #5: Don’t worry, we have AV!
• The acquiring organization was told there was an absolute clean bill of health
– The acquired organization was directly involved in contracts selling technology to the Chinese government
– The justification for “clean bill of health” was “we haven’t had any alarms that antivirus didn’t clean”
• Within two hours of installing network taps, we discovered two different groups operating in the network
– There was no reason for them to be stealthy
– We didn’t broadcast that we were threat hunting (CI)
Closing Thoughts
Let’s wrap this up
Conclusion
Every M&A has cybersecurity risks that extend to ALL parties involved
Identifying cybersecurity risks can help adjust the valuation of the acquisition
Orgs that grow through M&A without systematically evaluating cybersecurity risks are giving a toddler a hand grenade…
@MalwareJake
@RenditionSec
www.rsec.us