The recent news of Nortel's prolonged theft of intellectual property broke just after the release of M-Trends: An Evolving Threat. It served to underscore what we'd been observing (fellow M-Unition blogger Helena Brito wrote about our take on the news here).
M-Trend #4 states that organizations are buying and selling compromise during merger & acquisition activity. A significant percentage of the incidents we responded to last year were discovered either (1) after the acquiring organization had integrated a smaller organization into its network, or (2) during the due diligence process, before the organizations' networks were connected.
Since we published M-Trends: An Evolving Threat, I have received a lot of questions about how this early detection (prior to integration of networks) actually works. How is it that many companies do not know they themselves are breached, and yet the organization that is acquiring them can detect these advanced targeted threats when their networks are connected?
Although it is not fun, practice makes perfect. That is, the organizations who are finding compromise in acquisitions are those who have been at this the longest. That makes intuitive sense. However, there are a few things that every organization can do to improve its chances of detecting compromise during an M&A process.
One technique is integrating security checks into the due diligence process. As Richard Bejtlich, chief security officer at Mandiant, often says, we must make detection part of a business process, not a one-time event. There is a lot to say about this, and frankly it is an uphill battle for many information security teams to tell lawyers how to do M&A, so let us assume that you are dealing with networks that are already connected.
In this case, it's critical to get all traffic from the newly integrated organization flowing through designated, approved connection points, monitor each choke point, and apply good intelligence to the traffic you see. It is easier said than done, but monitoring such traffic and applying the latest intelligence to it is something that Mandiant's MCIRT Managed Defense Solution excels at.
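To make the chokepoint idea concrete, here is an added example (not code from this post or from Mandiant's product) that applies two checks to flow records: traffic crossing between the acquired organization's address space and everything else must be seen at an approved connection point, and destinations in a threat-intelligence list are flagged wherever they appear. The acquired subnet, sensor names, indicator addresses and flow records are all constructed for the example.

```python
import ipaddress

# Constructed for this example: the acquired organisation's address space.
ACQUIRED_NETS = [ipaddress.ip_network("10.50.0.0/16")]
# Constructed: names of the designated, approved connection points (sensors).
APPROVED_CHOKEPOINTS = {"chokepoint-a", "chokepoint-b"}
# Constructed intelligence: external destinations tied to known intrusion activity.
INTEL_DESTINATIONS = {"203.0.113.7", "198.51.100.42"}

# Constructed flow records, one per line: "<sensor> <src_ip> <dst_ip> <dst_port>".
SAMPLE_FLOWS = """\
chokepoint-a   10.50.3.21  192.0.2.10   443
chokepoint-a   10.50.3.21  203.0.113.7  443
legacy-link-1  10.50.7.9   172.16.4.20  445
chokepoint-b   172.16.4.20 10.50.7.9    3389
chokepoint-a   10.50.9.4   10.50.9.5    80
"""

def parse_flow(line: str) -> dict:
    sensor, src, dst, dport = line.split()
    return {"sensor": sensor, "src": src, "dst": dst, "dport": int(dport)}

def in_acquired(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ACQUIRED_NETS)

def evaluate(flow: dict) -> list:
    """Return the reasons a flow deserves analyst attention (empty if none)."""
    reasons = []
    # Traffic crossing between the acquired address space and everything else must
    # be observed at an approved chokepoint; any other path is an unmonitored link.
    crossing = in_acquired(flow["src"]) != in_acquired(flow["dst"])
    if crossing and flow["sensor"] not in APPROVED_CHOKEPOINTS:
        reasons.append("bypasses-approved-chokepoint")
    # Apply intelligence to the traffic the chokepoints do see.
    if flow["dst"] in INTEL_DESTINATIONS:
        reasons.append("matches-intel-destination")
    return reasons

def triage(flow_text: str) -> list:
    """Parse flow records and keep only those that produced at least one reason."""
    flows = [parse_flow(l) for l in flow_text.splitlines() if l.strip()]
    return [(f, r) for f in flows if (r := evaluate(f))]

if __name__ == "__main__":
    for f, reasons in triage(SAMPLE_FLOWS):
        print(f'{f["sensor"]} {f["src"]} -> {f["dst"]}:{f["dport"]}  {", ".join(reasons)}')
```

On the sample records this reports the acquired host talking to an intelligence-listed destination and the acquired host reaching the parent network over a link that is not an approved chokepoint; the approved, unremarkable flows produce nothing.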