
I'm going to put this up and give them all the credit in the world, because this would not be possible without them, especially when we think about the fact that with less than two weeks' notice we decided to go from physical to virtual. So I want to recognize all of our sponsors, 100% of whom stayed with us even after we decided to go virtual. At the Gold level, WarnerMedia, and my home department, the Kennesaw State University Department of Information Systems in the Michael J. Coles College of Business, have stayed with us and have been great to work with. Additionally we have Bishop Fox, Coalfire, Genuine Parts and NCR at the Crystal level; Critical Path and Synopsys at the Silver level; and Aaron's, and you may have just heard from a couple of their employees, maybe not, I don't know if they were here in an official capacity or not, but allegedly they might know something about Aaron's. Next, Binary Defense. We also have Black Hills Information Security, Corelight and GuidePoint Security at the Bronze level, and we want to thank NCC Group for coming in to help us at that level. I also want to acknowledge some in-kind sponsors: EC-Council ran some paid training for us yesterday, and some of you took advantage of that, and I've heard really good things about that. I also want to take a moment to acknowledge Secure Code Warrior; they stood up and are conducting, I think until four o'clock, a CTF over in the CTF channel, and that's been going like gangbusters all day long; a lot of traffic in the Slack channel for that.

We'd also like to thank the following individuals and organizations who are contributing to our raffle prize effort. I want to thank Mike Acosta with Crosshair Information Technology, I want to thank Joe Gray, I want to thank the good folks at All Sense of Security, and I also want to thank PentesterLab for all of the things they contributed to allow us to have a great giveaway program that's going on all day. If you haven't done it yet: we are a virtual conference, for the first time ever for us, and we have created a map that allows you to drop a pin to let us know where you are. If you haven't done that already, I've just posted a link in the channel; please take a minute and drop a pin. If the data in that map is accurate, we are truly global: I saw somebody check in from Australia, I've seen folks check in from Germany, from the EU, from Greece. It's just amazing to see all these folks.

I also mentioned a minute ago that we've got those giveaways and prizes; to check that out, I'm posting the link in our channel here. You've got to register to win, and so for those of you who are privacy averse, if you want to win you've got to give us real details, unfortunately: a real email address, a real telephone number, a real mailing address, just to make sure we can get you whatever it is you win. So make sure that you give us everything there.

We've had a lot of good talks all day long today, and some of you have been asking, well, what if I missed one, how can I go about finding it? We're recording all of them, and we are having them processed by a post-production company. Because we've been recording all day long in big blocks, once they are processed and chopped up and ready to go, they will be posted on our YouTube channel, and I am posting a link to the YouTube channel in our channel here. If you would, give us a follow on YouTube, because when we get to 100 or more followers we get to change to a fancy vanity URL,
which would be good for us. It is now a little after 3:30. Sorry Jake, I took two minutes of your time, so I'm going to stop yapping. Please allow me to introduce Jake Williams, our next speaker. Jake will be talking about cybersecurity merger and acquisition due diligence. Let me stop sharing my screen so that Jake can share his. Jake, it is all yours, buddy, take it away.

So, over the next half an hour, actually less than half an hour, 25 minutes here, we're going to walk through basically what cybersecurity M&A due diligence is, why we do it, how we do it, and give you a couple of case studies, and then we'll rock and roll. That said, let's get in. Who am I? I'm not going to belabor this too much; either you know me or you don't, and you can go back and find this anyway. I work with Rendition Infosec out of Augusta, Georgia, right down the road from Atlanta, although now that this is a virtual conference, we're an international firm; we actually have people permanently in other countries, countries outside of the US. Boutique information security consulting firm; we do a lot of this merger and acquisition due diligence, and I want to share some of our experiences with that and why it's important, and get you thinking about it as a possible activity that you may want to engage in yourselves, or at least think about bringing somebody in to do. So, agenda: why it matters, what the techniques for it are, what the challenges around it are (and oh buddy, are there some challenges), and then we'll wrap it up for the day.

So, why does cybersecurity due diligence matter? I'm not going to kick somebody while they're down; certainly with the COVID-19 scare, the hotel industry has been taking a beating, and Marriott is definitely my case study here. You may remember last year Marriott announced a breach, and the breach itself came from Starwood. Starwood is Sheraton and a bunch of other brands that Marriott bought, and they literally bought a breach; they brought on the liabilities with those assets. So when we talk about why cybersecurity due diligence matters: when an organization is acquired, all the assets get transferred, but of course so do the liabilities. And if you think about how normal M&A due diligence works, taking cybersecurity out of it, nobody just looks at paper where the seller attests "we have the following number of buildings in the following state" and buys on that; that's just ridiculous. They always send auditors out to look at the condition of the buildings, to look at the physical stock. If I'm buying a warehouse, for instance, what is the actual stock on hand? Are the factories in shape, if you're manufacturing, or do they need massive upgrades? And for some reason the state of an organization's cybersecurity posture isn't given the same level of attention, even though we know now, with the CCPA, the California Consumer Privacy Act, GDPR, and numerous other regulations around data and data security, that there are huge liabilities there, not to mention the brand damage that can come from literally buying a breach.

So this obviously matters. A lot of it is really propping that up, or communicating that value proposition, to chief counsel and chief risk officers. Typically the CISO, the chief ops officer, CEOs, etc. listen to your chief risk officers, which are typically attorneys, typically lawyers, and those chief risk officers will absolutely tell you they don't want to be involved in something like this, and they'll explain the risk very well; it's a matter of you getting with a CRO to get it going. So what's one of the big problems that you run into? Heterogeneous networks. Almost every M&A in the last two decades has involved heterogeneous technologies. What Active Directory
version are you on? And if you can't answer this question, by the way, this is a big one. Are you on a functional level 2008 R2 domain? I can't tell you how often folks come back with "yeah, our domain controllers are Server 2016," and I'm like, that's not which AD version you're on, I think you're telling me the version of your server. It's almost like saying, which version of SSH are you running, and you're like, yeah, I'm on Red Hat. Those two things are both technical terms, but they don't actually mean anything together in context. Which Linux builds do you have? Do you have a bunch of engineers that know Ubuntu, and the other organization you're acquiring is all Red Hat? Which workstation versions? What about VPN and remote access technologies? Oh buddy, has this been an issue recently. We have a lot of this stuff that isn't considered pre-acquisition, and we don't look at how the newly acquired network is going to be secured and monitored. You may not be able to, and I'll give you a great example here. I'm not pooping on any vendors, I want to be super clear about that, I absolutely will not do it; I mean, maybe Oracle, but other than Oracle we're not going to beat up on any vendors. Oracle deserves it, by the way. But anyway, let's say you've got CrowdStrike, and CrowdStrike is your chosen EDR at BigCo, the acquiring company. CrowdStrike doesn't run on pre-Windows 7 because it relies on .NET, and if you've got a bunch of legacy technologies in your to-be-acquired network, obviously we need to secure those and we need to monitor those, and simultaneously my chosen tool can't do it. So this is obviously something I need to consider: how I'm going to bring that together and how I'm going to secure it. If we're on backdated Active Directory versions, I can't just join our domains together. Maybe there's a reason you're on a functional level 2008 domain even though ours is functional level 2016; it's not as trivial as folks like to make it seem.

So, techniques for cybersecurity M&A due diligence: how do we do it? Obviously this is a problem; I think I had everybody convinced here because it was easy. This is what you do: you do cybersecurity, you don't want to see this all fall apart, especially because it's going to be your job to go clean it up. I don't remember who the actual live person is behind the DFIR Janitor account on Twitter, but I love it; DFIR being digital forensics and incident response, and they refer to themselves as a janitor, and I absolutely love it, because we are the ones that end up cleaning up the pile of poo when poop hits the fan. So we want to make sure that this isn't an issue that we run into.

Now, M&A threat hunting is different than traditional threat hunting in literally every way. Traditional threat hunting uses IOCs and baseline deviations, and my friends, I am here to tell you that baselining takes time and it isn't easy. If you ever try to deploy UEBA (user and entity behavior analytics) software with minimal false positives, you know this can't be done; there's no such thing as minimal false positives. There are fewer false positives, but what does fewer mean? Minimal doesn't happen. Baselines are hard to generate under the best of circumstances, but the reality is that when I'm hopping into a network where I'm trying to temporarily monitor and temporarily threat hunt, it's just not going to happen that I'm going to be able to generate these baselines. I would love to do it, I just can't. Secondarily, in order to hunt, I'm usually going to need to deploy software like endpoint agents, and then I need a central server and firewall rules to allow those communications. This is not something
that's trivial to accomplish. Again, it's easier when you build it out as part of a larger program; I said "super trivial," but threat hunting isn't trivial, it's just easier when you build it as part of a larger program. But doing it temporarily, for the purpose of evaluating risk in this network to be purchased, maybe, is a super difficult challenge. So again, we lack baselines, we lack systems for hunting IOCs on endpoints; IOC scanning systems aren't easy to deploy. We could try to build baselines, but that gets cost prohibitive. These are pre-purchase investigations; this is trying to determine, do we actually want to complete the sale? Now usually they've already determined a price, or at least a tentative price, but again there's not a big interest in undertaking huge cybersecurity projects just to determine whether or not that valuation, that price of the organization, holds.

So what about tooling? You cannot count on the organization having their own tooling. Typically M&A is BigCo trying to purchase SmallCo, and by the way, there's another third party here called SpinCo, because very often when BigCo buys SmallCo, they're buying it for a specific piece and spinning off the rest. There is something that they have evaluated that is of interest to them, and the rest of it is generally not interesting or profitable to them, so they're going to spin that off. This is another place where I can't count on SmallCo having its own tooling. Even then, I may be asked to look at very specific areas of the network, ideally RemainCo, the piece of SmallCo that's remaining, versus SpinCo, which they don't really care so much about, because literally they're going to either buy it and spin off the chunk, or only buy the chunk as it's being spun off. Getting buy-in for installing agent-based products is problematic, and honestly most vendors don't license their stuff for this anyway. Even going to a lot of your vendors and saying, hey, I need to buy ten thousand agents, or a thousand agents, even for thirty days, they look at you like you're nuts; I'm absolutely not buying it like that. The vendors that will work with you, typically it's cost prohibitive and it's not very flexible. So this is very difficult; it's going to rely on my tooling, because I really can't count on the organization having their own.

So what do we do? Take nothing else away from this talk: these are the techniques that we use, at a very high level, and I'm short on time, so we're not going to be able to dive into each one of these in super detail, but I'll walk through them, and these slides are going to be available afterwards. So we're going to start by reviewing security practices. I want to know, at a minimum, what do you have on paper, how do you work, is there a SIEM, and if not, how are logs monitored? If you tell me that your system admins are going to be reviewing logs for security events, I'm calling baloney. Depending on where you come from, north or south, sometimes that's calling shenanigans; whatever, bottom line, I'm calling shenanigans. I want to know how your logs are being monitored, and if you tell me your system admins are monitoring those logs, that they're doing log review, no problem: I pull a couple of system admins into a room, do some interviews, and I just ask what are you looking for in the logs, and usually I hear words like "hackers," and I'm like, what does a hacker look like? I want you to tell it to me like you'd tell it to my mom. My mom is horrible at tech; she can break a phone from 30 feet just by looking at it. That's the level of explanation I want, and system admins generally can't provide it. This is not a knock on them, but it does help us evaluate the truth of the statements: when they say "yes, we have a log review program," I'm able to go back to my constituent and say, this is what that really meant. We reviewed their log review program, and wow, does it hurt.

We want to know about oddball Unix OSes, because these are huge support issues if you've got them, and legacy systems: again, a lot of my security platforms cannot run on these legacy systems, so simultaneously the most vulnerable things in the population are unfortunately the ones we can't get good monitoring across. Attackers know this; they will spend their time embedding themselves there, and as a result you need to spend time hunting their network
traffic with an IDS. You need to install network taps and collect network traffic and run an IDS. I'm not going to spend too much time on this because there's not that much to it, but you're going to have to bring your own taps, period, because almost nobody has them at these smaller-company levels. Network traffic capture: I want to identify unmanaged endpoints in the environment; I want to look at business-to-business VPNs, they are a huge source of risk for organizations. The big takeaway here: go grab Andy Greenberg's book. Andy Greenberg wrote a great book called Sandworm; go get a copy of it, it's freaking awesome. He walks through the NotPetya attacks and Sandworm, and you learn about a lot more than NotPetya, but it's outstanding, and he even touches on the business-to-business VPN side, because that is a huge part of how NotPetya spread, those B2B VPNs.

Then we do vulnerability scanning. I want to do some of my own vuln scans; I want to see what we're looking at here, what the overall security posture of the network is right now. There's a lot of extra stuff that we can do here, a lot of additional things. For instance, even if something's fully patched today, I can do some quick forensics, and it's super quick forensics because they have the tooling on the host, to tell when did you get serious about patching. Because I want to know if you just threw on a new coat of paint, or, forgive the term here, lipstick on a pig. I need to know that because that's going to tell me... I see a question in the chat there: it's Andy Greenberg, Sandworm is the name of the book, hit it on Amazon. Anyway, we want to know if somebody just put lipstick on a pig and kept rolling on.

So, threat hunting, this is another thing that we do. Look, I can't touch all the hosts here, I don't have that kind of time; it's not a regular threat hunting engagement, and so threat hunting is easiest to start with on the network, and that's going to help me vector into where to go collect endpoint data. Now, there are some high-value targets we collect endpoint data from anyway; memory forensics is the tip-top end of that, to go hunt down those memory-resident RATs. So you can think about this like a pyramid: the base is network threat hunting across everything, we are then moving to endpoint data on a very limited number of hosts, and then memory forensics on onesie-twosie, that kind of thing. So again, start with the network, move up the stack.

Moving on to residual risk from breaches: a huge percent of breaches, repeat after me, breaches are not completely remediated, routinely. Horrible, horrible, horrible. So with threat hunting, what I want to look at here is, one, I want to identify residual malware, but I also want to go in and look at the regulatory liability for improperly reported breaches. This is a huge one for us, because we have seen repeatedly where an organization, either out of ignorance or malice, does not report a breach to the appropriate regulatory authorities, and guess what, when you buy that organization you bought that liability too. If they forgot to report, or didn't report, or whatever, you are now stuck with it. You need to go review that yourself and determine with your chief counsel, do you think this needs to be done, is this something that should have been reported to the regulatory authority? That's something that's absolutely critical to understand.

So, M&A challenges. Look, the organization under evaluation has an incentive to be less than completely forthcoming about their cyber hygiene. Now, by law they absolutely have to; right in the agreements, they absolutely have to communicate clearly with you, but oh brother, the people filling out that M&A paperwork, they are being truthful "to the best of their knowledge," I'm air-quoting here. I'll tell you that what appears to be deceit is in most cases an extension of existing communication problems between line workers and management. If you go into any organization today, forget one that's under M&A, any organization today, and you ask management how their cybersecurity is, it's "good," and then you go to your practitioners: how's your cybersecurity? "Horrible," kind of thing. They know where the bodies are buried; go talk to your techs. I'll tell you another thing: a lot of folks, prior to M&A, try to basically adjust their P&L sheet, and what they'll do is they'll try to cut costs; that comes in the form of software, it comes in the form of services, it comes in the form of staff, and again, at the end of the day the results here are predictable. InfoSec and IT are cost centers,
not profit centers, and you can run with technical debt for a while, whatever "a while" is, before it catches up to you. You want to know if that's been done; you want to understand the impact of that.

Poor asset inventory: another big issue here. All organizations, not just in M&A, have issues with asset inventory, but I will tell you this is a big one for us. There's another reason that we bring in those network taps and start looking east-west: I don't just want to scan endpoints and subnets identified by IT, I want to go find my own. We do a lot of router config review, we do a lot of firewall configuration review; this helps us find other subnets. We do a lot of passive traffic monitoring with those network taps, and again, we have to bring our own. Now, if you're thinking, hey, this is an easy thing to get going, I can tell you that we have an incalculable amount of money at Rendition tied up in property, in different network taps and pivot boxes and servers that we can send. You can't send somebody half a rack of equipment and be like, hey, find power, space and cooling for this; you have to find portable equipment, as well as have your own taps and your own software licenses, and it is just maddening the amount of money you have to put into this on the front end. So I just want to throw out here, on the poor asset inventory side, it is really hard to get this done in the best of times; it is crazy hard to do this when you're trying to parachute into an organization and do it for a very temporary time.

And then network visibility, again, is huge for us. We don't have AV or endpoint protection systems in some cases, or it's just antivirus; we don't have a good SIEM, or NetFlow, or EDR. This can be super, super difficult to get over. Again, we need to come in and figure out how we can enable the organization, or enable us in the context of the organization, to threat hunt around those merger and acquisition pieces. So again, the bad news, my friends, is you end up having to bring your own beer to the barbecue. This really is, if you want to do this right; and you can do this without doing all of that, don't get me wrong, you can still do a little bit of work, but to get the best value out of this, you're going to have to bring your own tools, your own licenses, your hardware, etc. And there are a lot of considerations that are different. Again, like I mentioned, if I'm deploying to an organization normally, I'm bringing a rack, basically rack-mount units. I can't bring rack-mount units here; I have to bring things that are easy on power, space and cooling. I have to bring network taps, all kinds of stuff that you would think an organization might already have, that they do not. I'll just throw it out there: you can't count on having it. That's probably the big one for us, achieving enough visibility that we can provide the state of the network back to our constituent.

So, war stories: let's get some war stories going here. Michael Bay moments for the win; this one was awesome. This is the "we forgot about the VMS" one, not the VMs. I had multiple analysts "correct" me, air quotes, on the report, where they're like, hey, if you could stop capitalizing VMs, that would be awesome. I'm like, it would be, but I'm not talking about VMs, I'm talking about freaking VMS, and if you don't know what VMS is, you are in good company, because a lot of analysts today don't either. This is literally like backing up into the Wayback Machine. I see some comments there, "LOL, OpenVMS," exactly right. So our scanning scope was limited due to ICS devices. This is a huge one; this is a big ICS network. We only found this due to on-site interviews and data center visits. I literally walked into a data center, and there were... yes, Andy, we are absolutely officially old, there is no question there. So I walk in and there's an AlphaServer, actually two AlphaServers, sitting in the corner of this data center, one of them with the lid off, and I'm like, oh hey guys, not too good at taking the trash out? They're like, oh, that's our parts server. Parts server. And I kid you not, it used to be their staging server, and now they only have a dev and a prod; they
no longer have a staging server, because they can't get parts for these, and they literally had to pull the staging server out of production. So this is huge, by the way. VMS does not run in an emulator as a VM, not the way they needed it to run, my friend, unfortunately. So the organization repeatedly tried to move off the legacy VMS servers and failed each time. This is actually on an Alpha; you talk about an emulator, we're talking about the Alpha chip here. If you don't know what Alpha is, drop back; it's DEC Alpha. They had failed multiple times here, a seven million dollar expense over three failed attempts. You'd better believe a hundred percent this is a risk to the organization that was not disclosed. Somebody's like, this '90s motherboard is selling for dollars on eBay; heck yes, absolutely.

The saga of the B2B VPNs: initially I was told there were none. None. Eventually we found, or quickly found, five always-on VPNs with no filtering, wide open. I'm not going to say Target here, but I am. Target, you may remember, was a supply chain attack; the Target compromise came in through an HVAC vendor. Huge problem here. Once we were monitoring those VPN connections, it was clear that confidential data was being systematically siphoned from the organization's ERP system from a remote site. This is a huge, huge issue. Not threat hunting alone, I want to be clear: if I go do IOC sweeps, I don't find this. We only found this because we were doing good network monitoring. Again, I'm not saying that you only do threat hunting or only do network monitoring; you have to do it all, you have to bring a lot of stuff together here. It's not easy, it's not always cheap, but man, I can tell you consistently we save organizations way more in their valuation than the cost of the actual assessment. By the way, the cost of the assessment is typically borne by the company to be acquired, and if they have made material misrepresentations in their questionnaires and their disclosures, typically there's no refund if the acquiring organization decides to pull out. So this is a no-brainer for BigCo: if you structure this correctly, it's free to you and only reduces the value.

My final one here is the "sure, we remediated." At intake, the org said they had experienced one major incident, ransomware, in the previous 36 months. I went in and did on-site interviews with the staff, and by the way, if you don't know how to interview people, slash interrogate, take a class on this, or find somebody who knows this and has been trained in this. But I will tell you, your best tactic in doing these interrogations slash interviews is silence: just go silent, and they will absolutely provide you data, and it's awesome. Bottom line: they failed to remediate; we found other APT intrusions. And done.

So this is where I'm at as far as wrapping it up; these are my conclusion bullets. I don't really have time for a lot of questions here, because I'm running right up to the end of my time, but look, seriously, I want to thank everybody here who helped put BSides Atlanta together, and everybody who attended. Thanks so much. I'll be posting a copy of these slides; hit me up, @MalwareJake on Twitter, and I'll post a copy there, as well as a link in the chat. Thanks, and Andy, I'll kick it back over to you, my friend.
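The "quick forensics to tell when did you get serious about patching" check from the vulnerability-scanning part of the talk, as an added example that is not from the talk or from Rendition Infosec: given the hotfix ID and install date pairs a Windows host reports (for instance from Get-HotFix, with InstalledOn formatted as an ISO date before export), it separates a host patched on a steady monthly cadence from one where most patches landed in a burst right before the review, the "fresh coat of paint" pattern. The CSV samples, the assessment date and the thresholds are constructed assumptions for illustration.

```python
"""Patch-cadence triage from a host's hotfix install history (constructed example)."""
import csv
import io
from datetime import date

# Constructed sample data: hotfix IDs are placeholders, not real KB numbers.
# A host patched roughly once a month for the past year.
STEADY_HOST_CSV = """HotFixID,InstalledOn
KB000001,2019-06-12
KB000002,2019-07-10
KB000003,2019-08-14
KB000004,2019-09-11
KB000005,2019-10-09
KB000006,2019-11-13
KB000007,2019-12-11
KB000008,2020-01-15
KB000009,2020-02-12
KB000010,2020-03-11
KB000011,2020-04-15
KB000012,2020-05-13
"""

# A host that sat unpatched for months and then got a year of updates in
# four days before the assessment; one row has the blank InstalledOn that
# Get-HotFix sometimes reports.
BURST_HOST_CSV = """HotFixID,InstalledOn
KB000001,2019-06-12
KB000002,2019-09-11
KB000003,2020-05-09
KB000004,2020-05-09
KB000005,2020-05-10
KB000006,2020-05-10
KB000007,2020-05-11
KB000008,2020-05-11
KB000009,2020-05-11
KB000010,2020-05-12
KB000011,2020-05-12
KB000012,
"""

AS_OF = date(2020, 5, 15)  # assumed date of the on-site assessment


def parse_hotfix_csv(text):
    """Parse 'HotFixID,InstalledOn' rows with ISO dates into (kb, date) tuples.

    Rows with a blank or unparseable date are skipped rather than guessed;
    a host with many of those needs a different evidence source.
    """
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = (row.get("InstalledOn") or "").strip()
        try:
            records.append((row["HotFixID"].strip(), date.fromisoformat(raw)))
        except (KeyError, ValueError):
            continue
    return records


def patch_cadence(records, as_of, window_days=45, lookback_days=365):
    """Classify a host's patch history as 'steady', 'recent_burst' or 'no_data'.

    Heuristic (thresholds are assumptions to tune per environment): a host
    whose installs mostly fall inside the review window and that touched
    three or fewer distinct months in the past year was patched in a hurry.
    """
    if not records:
        return {"verdict": "no_data", "total": 0, "recent": 0,
                "recent_fraction": 0.0, "active_months": 0}
    installs = sorted(d for _, d in records)
    recent = [d for d in installs if 0 <= (as_of - d).days <= window_days]
    in_lookback = [d for d in installs if 0 <= (as_of - d).days <= lookback_days]
    active_months = {(d.year, d.month) for d in in_lookback}
    recent_fraction = len(recent) / len(installs)
    verdict = ("recent_burst"
               if recent_fraction >= 0.5 and len(active_months) <= 3
               else "steady")
    return {
        "verdict": verdict,
        "total": len(installs),
        "recent": len(recent),
        "recent_fraction": round(recent_fraction, 2),
        "active_months": len(active_months),
        "first_install": installs[0].isoformat(),
        "last_install": installs[-1].isoformat(),
    }


if __name__ == "__main__":
    for name, text in (("steady-host", STEADY_HOST_CSV), ("burst-host", BURST_HOST_CSV)):
        print(name, patch_cadence(parse_hotfix_csv(text), AS_OF))
```

A burst verdict is a lead, not a finding: a host that was reimaged shortly before the review shows the same install-date pattern, so corroborate with the OS install date, the change records and the admin interviews the talk describes before calling it lipstick on a pig.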