The recent ransomware attacks on organizations with SonicWall SSL VPNs may teach more lessons than just the need for patch management and identity and access control. Some of the victim firms had vulnerable SonicWall devices on their IT networks as legacies of past mergers or acquisitions, suggesting infosec leaders need to be more involved in preparing for M&A deals or risk their organizations being stung by hackers.
That’s the conclusion from a report this week by researchers at ReliaQuest.
They looked at a series of attacks between June and October using the Akira ransomware strain to target SonicWall SSL VPNs, and found a link: In almost every incident, hackers gained a foothold on an enterprise network by compromising a SonicWall device inherited from a smaller acquired business.
When asked, ReliaQuest wouldn’t say how many incidents it had investigated. But the report does say that in each case, IT wasn’t aware the devices were currently in their environment.
“Standard M&A due diligence is not enough,” says the report. “Security teams must proactively secure inherited technologies, prioritizing early visibility into new environments, like remote access tools, to address risky configurations and outdated credentials before attackers exploit them.”
The warning isn’t new. Experts have been saying for years that examining a potential acquisition’s finances isn’t enough. Its IT assets also have to be scrutinized, so boards understand both the financial and the cyber risks of a deal.
Exhibit A: The discovery in 2018 by Marriott that data on hundreds of millions of guests from the reservation system of its Starwood chain of hotels had been stolen. Marriott bought Starwood in 2016. Starwood’s network had been infiltrated two years earlier, and the breach went undetected for four years, even after the Marriott acquisition.
“Security leaders do need to be involved in the M&A process,” said Fred Chagnon, a principal research director at Info-Tech Research, which did a case study on the Marriott-Starwood incident.
One reason why CSOs/CIOs and their equivalents aren’t brought in, he said, is that cyber risk is invisible compared to the hard numbers that can be found in financial records. As a result, “we’ve had difficulty in this industry in communicating cyber risks as financial liabilities” to CEOs and boards.
IT leaders have to push the message that security risk is enterprise risk, he said.
Ultimately, he added, the board has to be reminded that it is responsible for assessing the cyber as well as the financial risks of a deal.
Should infosec leaders be asked to be part of an M&A team, the actual assessment of the potential acquisition should be contracted to a third-party expert, Chagnon added. That’s because the security team won’t have time to do it themselves, and the other side will likely be more willing to divulge sensitive IT information to a third party than to a competitor.
The majority of M&A activities still follow a security checklist approach, noted Ed Dubrovski, chief operating officer of incident response firm Cypfer, “which essentially is really a glorified third-party vendor assessment. Such activities meet the check-in-the-box requirements but do nothing really to address the real core of the issue: lack of current and relevant information about possible risks.”
Those doing cybersecurity assessments of a potential acquisition should start with an inventory or list of IT assets before asking if the organization has an information security policy and underlying policies, he added.
After an acquisition, CSOs should treat the new network as a third party connection request and keep it segmented until the core risks have been quantified before attempting to integrate environments, he added.
“The reality is that the combined risk posture is [only] as good as the riskiest party,” he said.
The cybersecurity posture of an acquisition should be a high priority for inspection during the due diligence period, agreed Fernando Montenegro, vice president and cybersecurity practice lead at advisory firm Futurum, regardless of the size of the business being acquired.
The security team must be properly connected to the rest of the organization, including the corporate development (corpdev) group that typically spearheads mergers and acquisitions, he said.
“The challenge here is that security teams should work with corpdev to have the right framework to analyze these deals, including interviews with key executives at the target company, access to any audit/compliance documentation, and a thorough look at the digital footprint and internal state of the acquired company.”
Ideally, he added, the program includes both ‘outside-in’ and ‘inside-out’ perspectives on the potential acquisition, a thorough review of their security program, history of any security incidents, key third-party relationships they may have, and more.
On top of that, there will be numerous considerations about what the IT integration will look like, including network connectivity and business application connectivity.
In its report, ReliaQuest notes that SonicWall devices are often used by small and mid-sized firms, which are often M&A targets of larger companies. However, it said, it can’t be sure firms were targeted by Akira operators because they’d swallowed organizations that had SonicWall devices.
It did say that in the incidents examined, once inside the victims’ networks, the attackers immediately looked for privileged accounts, such as those originating from old managed service provider (MSP) or administrator logins, that had been transferred over during the M&A process. “Crucially, these credentials were often unknown to the acquiring company, and left unmonitored and unrotated post-acquisition,” the report says.
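The inherited-credential problem the report describes can be checked mechanically once the acquired directory has been exported. The following is an added illustration, not code from ReliaQuest or the article: it audits a constructed account list against a constructed deal close date and flags privileged accounts with no known owner, no rotation since close, or dormancy. All names and dates are assumed sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample: an export of the acquired company's directory accounts.
# Field names and values are illustrative, not from any real environment.
@dataclass
class Account:
    name: str
    privileged: bool            # member of an admin/privileged group
    pwd_last_set: date          # last credential rotation
    last_logon: Optional[date]  # None = no logon recorded in the export
    owner_known: bool           # acquirer has a named owner for the account

ACQUISITION_CLOSE = date(2025, 6, 1)   # constructed close date of the deal

INHERITED_ACCOUNTS = [
    # Old MSP service account: still in use, never rotated, nobody owns it
    Account("svc_msp_backup", True, date(2022, 3, 14), date(2025, 9, 30), False),
    # Legacy VPN admin: dormant and unowned
    Account("adm_legacy_vpn", True, date(2021, 11, 2), None, False),
    # Ordinary user: out of scope for this check
    Account("j.doe", False, date(2025, 7, 10), date(2025, 10, 1), True),
    # Admin rotated after close with a named owner: clean
    Account("adm_it_lead", True, date(2025, 8, 20), date(2025, 10, 2), True),
]

def audit_inherited_accounts(accounts: List[Account],
                             close_date: date) -> List[Tuple[str, List[str]]]:
    """Return (account name, reasons) for each privileged account that carries
    one of the risks the report describes: unknown to the acquirer, credential
    not rotated after close, still active on a pre-close credential, or dormant."""
    findings = []
    for acct in accounts:
        if not acct.privileged:
            continue
        reasons = []
        if not acct.owner_known:
            reasons.append("no named owner post-acquisition")
        if acct.pwd_last_set < close_date:
            reasons.append("credential not rotated since close")
            if acct.last_logon is not None and acct.last_logon >= close_date:
                reasons.append("active use on pre-acquisition credential")
        if acct.last_logon is None:
            reasons.append("dormant: disable until an owner claims it")
        if reasons:
            findings.append((acct.name, reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in audit_inherited_accounts(INHERITED_ACCOUNTS, ACQUISITION_CLOSE):
        print(f"{name}: {'; '.join(reasons)}")
```

The same logic applies to any directory export with last-set and last-logon fields; the acquisition close date is the pivot that separates inherited credentials from ones the acquirer has actually issued.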
We asked ReliaQuest how often vulnerabilities in technology acquired from an M&A cause later breaches of security controls. In response, a spokesperson said, “the fact that we’ve seen consecutive breaches of Akira targeting smaller organizations where they are leveraging vulnerabilities means that larger organizations should address the risks during onboarding and understand the scope before purchasing.”