BANKING & FINANCE CASE STUDY

Major Bank Uses Infocyte's Compromise Assessment in Acquisition Due Diligence

ORGANIZATION
The acquirer is a major financial institution based in the United States with over a trillion dollars in assets. The institution engages in multiple Mergers and Acquisitions (M&A) opportunities and transactions throughout the year. The acquiree is a 50-employee wealth management firm in the US serving high net worth clients and managing over a billion dollars in assets.

INDUSTRY
Banking and Finance

CHALLENGE
As part of M&A due diligence, the acquirer needed to independently verify the health of the acquiree's IT systems and ensure that no breaches had occurred.

SOLUTION
A Compromise Assessment using Infocyte HUNT

RESULTS
• Five days to scan, analyze and report on 54 workstations and servers active on the network
• Found machines that were not running the corporate standard antivirus so that they could be remediated
• Showed that the acquiree had strong technical controls, regular security hygiene (e.g. nightly reboots), and IT policies in place to protect the network
• Provided a clean bill of health for the network
• Ensured confidence that the acquiree's systems and data were clean for the transaction to progress

The Growing Cyber Challenge
M&A is a high risk operation in which it is difficult to know everything the buyer is adopting ahead of time. In this instance, the acquirer was purchasing a business whose primary value was in the form of sensitive customer information and intellectual property (e.g. trading algorithms) that give it a competitive edge. The need to measure information risk and verify the confidentiality of this information was paramount to a successful transaction. Traditionally, M&A due diligence relies on questionnaires, representations and warranties from the acquiree to measure IT and data protection risks.
But in a world where the average security breach goes undetected for more than six months, and given the reduced regulatory requirements and resources of the acquiree compared to the acquirer, it was important to be able to independently verify the state of these systems. After being briefed on Infocyte's technology and offering, the acquirer's lead IT Risk manager involved in the transaction asked Infocyte to perform a Compromise Assessment during the due diligence phase to verify the health and confidentiality of the information and IT systems being purchased.

Conducting a Compromise Assessment with Infocyte HUNT
A recent addition to the network risk assessment services available, a compromise assessment is a breach discovery service that independently verifies whether a network has been breached. The assessment seeks to discover adversaries or malicious software currently in the environment, or evidence of such activity in the recent past. The assessment leverages Infocyte HUNT, malware hunting software built to conduct a compromise assessment effectively and rapidly. Infocyte HUNT enables a security practitioner to scan and validate the integrity of each device, including determining what is running on it and any indication that the system has been manipulated or infected by malware or an unauthorized party. The solution brings together proprietary and third party threat intelligence, multiple advanced threat detection engines, and automated static and dynamic malware analysis, which enables the operator to find known and previously unseen variants of malware.

The Process
The acquiree provided Infocyte consultants with a Virtual Private Network connection and an Active Directory service account with local administrator access to each host (workstations and servers) throughout the network. Because such an account can execute code on every host, it should be created for the engagement and disabled once scanning completes. The Infocyte HUNT software was then loaded on a virtual machine to remotely scan the environment.
Infocyte enumerated and mapped 54 workstations and servers active on the network. These systems were then scanned by deploying a temporary, dissolvable agent to collect a snapshot of each system. Primary scans took place several times to maximize coverage of active systems, as the network had many transient laptops. Suspicious executables and artifacts were collected for deeper analysis as needed. Scans concluded at the end of day three, having successfully inspected 88% of all assets. As a premium service, a malware analysis and threat intelligence expert was on hand to identify and correlate any findings to organized threat groups, corporate espionage, or insider threats.

Infocyte HUNT Compromise Assessment

MAJOR FINDINGS
None

ANCILLARY FINDINGS
System(s): Multiple (30) workstations and servers
Detection: Legitimate but potentially unauthorized Remote Access Tool: "Saazod" by Zenith Infotech
Indicators: Running processes (no stealth)
Description: Saazod is used by foreign support technicians to remotely control another computer across the internet. Although not malicious, it can be misused and provides an attack vector into the organization if not controlled.

The Results
The final assessment provided a clean bill of health for the network and showed that the acquiree had strong technical controls, regular security hygiene (e.g. nightly reboots), and IT policies in place to protect the network. The acquiree outsourced network management and security to a third party, and the results confirmed that the provider did an outstanding job of managing the network. This was demonstrated further by the fact that Infocyte HUNT found surprisingly few unwanted programs and no nuisances like adware and browser toolbars, which are typical on many networks even when serious threats are absent.
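The triage performed on the collected snapshots (merging several scan rounds to cover transient laptops, computing coverage, flagging remote-access tools that are not on the client's authorized list, and finding hosts not running the managed antivirus) can be reproduced with a short script. The following is an added example written for this page, not Infocyte HUNT code or its output format; the host names, process lists, the `Consumer Home AV` product name and the `anydesk.exe`/`teamviewer.exe` entries in the remote-access list are constructed for illustration. Only `saazod.exe` and the Trend Micro product name come from the case study.

```python
"""Triage of per-host snapshots from a compromise assessment (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class HostSnapshot:
    host: str
    scan_round: int                 # 1, 2, ... ; later rounds catch transient laptops
    processes: Tuple[str, ...]      # image names observed running at scan time
    av_product: Optional[str]       # installed anti-malware product, None if absent

# Process names of remote-access tools worth reviewing. "saazod.exe" is the
# tool named in the case study; the other two are hypothetical additions.
REMOTE_ACCESS_TOOLS = {"saazod.exe", "anydesk.exe", "teamviewer.exe"}
# The corporate standard managed antivirus named in the case study.
STANDARD_AV = "Trend Micro Worry-Free Business Security"

def latest_snapshots(snapshots: Iterable[HostSnapshot]) -> Dict[str, HostSnapshot]:
    """Keep the most recent snapshot per host across all scan rounds."""
    latest: Dict[str, HostSnapshot] = {}
    for snap in snapshots:
        current = latest.get(snap.host)
        if current is None or snap.scan_round > current.scan_round:
            latest[snap.host] = snap
    return latest

def coverage(inventory: Iterable[str], latest: Dict[str, HostSnapshot]) -> dict:
    """Which inventoried hosts were inspected at least once, and the percentage."""
    inventory = list(inventory)
    inspected = sorted(h for h in inventory if h in latest)
    missed = sorted(h for h in inventory if h not in latest)
    percent = round(100.0 * len(inspected) / len(inventory), 1) if inventory else 0.0
    return {"inspected": inspected, "missed": missed, "percent": percent}

def remote_access_findings(latest: Dict[str, HostSnapshot],
                           authorized: FrozenSet[str]) -> List[dict]:
    """Every running remote-access tool, marked authorized or not per the client's list."""
    findings = []
    for host, snap in sorted(latest.items()):
        for proc in snap.processes:
            name = proc.lower()
            if name in REMOTE_ACCESS_TOOLS:
                findings.append({"host": host, "tool": name,
                                 "authorized": name in authorized})
    return findings

def av_gaps(latest: Dict[str, HostSnapshot], standard: str = STANDARD_AV) -> List[dict]:
    """Hosts whose anti-malware is missing or is not the managed corporate product."""
    return [{"host": h, "av_product": s.av_product}
            for h, s in sorted(latest.items()) if s.av_product != standard]

# Constructed sample data: an 8-host inventory and two scan rounds.
INVENTORY = ["srv01", "srv02", "ws01", "ws02", "ws03", "ws04", "lt01", "lt02"]
SNAPSHOTS = [
    HostSnapshot("srv01", 1, ("lsass.exe", "svchost.exe"), STANDARD_AV),
    HostSnapshot("srv02", 1, ("svchost.exe", "SaaZod.exe"), STANDARD_AV),
    HostSnapshot("ws01", 1, ("explorer.exe", "saazod.exe"), STANDARD_AV),
    HostSnapshot("ws02", 1, ("explorer.exe",), STANDARD_AV),
    HostSnapshot("ws03", 1, ("explorer.exe", "anydesk.exe"), "Consumer Home AV"),
    HostSnapshot("ws01", 2, ("explorer.exe", "saazod.exe"), STANDARD_AV),  # rescan
    HostSnapshot("ws04", 2, ("explorer.exe",), None),
    HostSnapshot("lt01", 2, ("explorer.exe", "saazod.exe"), STANDARD_AV),  # laptop seen in round 2 only
    # lt02 was never online during a scan round and stays uninspected.
]

def triage(inventory: Iterable[str] = INVENTORY,
           snapshots: Iterable[HostSnapshot] = SNAPSHOTS,
           authorized: FrozenSet[str] = frozenset({"saazod.exe"})) -> dict:
    """Full triage report: coverage, remote-access tools, antivirus gaps."""
    latest = latest_snapshots(snapshots)
    return {"coverage": coverage(inventory, latest),
            "remote_access": remote_access_findings(latest, authorized),
            "av_gaps": av_gaps(latest)}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

On the sample data the report shows 7 of 8 hosts inspected (87.5%), with lt02 missed, three authorized Saazod instances, one unauthorized AnyDesk instance, and two hosts (ws03, ws04) outside the managed antivirus. The coverage figure is the number to watch during an engagement: hosts never seen in any round are exactly the ones a clean bill of health cannot speak for.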
Infocyte HUNT also reported that several (30) instances of legitimate Remote Access Tools were active on the network, specifically a remote support suite called "Saazod" by Zenith Infotech (a company based out of Southeast Asia) that is used by foreign support technicians to remotely control computers across the internet. This program was confirmed authorized, though it is recommended that such programs be tightly controlled to reduce the external attack surface and the risk of insider misuse. Finally, the network used the Trend Micro Worry-Free Business Security (WFBS) suite as its managed anti-virus solution, but the analysis discovered that it was not installed on all of the systems within the network. A few outliers had consumer versions of anti-malware which, being unmanaged, would not have reported to network administrators had there been an attack. This was quickly remedied. In the end, the assessment lasted five days from initial engagement to final report. Infocyte was able to verify the integrity and confidentiality of the business' information systems to the acquirer at a level unmatched by traditional due diligence methods.

Conclusion
Without Infocyte's compromise assessment using Infocyte HUNT, the acquirer would have taken on unknown risk that could have had significant repercussions had the network suffered an undetected or unreported security breach. As a result of the comprehensive Compromise Assessment using Infocyte HUNT technology, the acquirer was able to continue into the next phase of consolidating networks and finalizing the transaction with confidence.

CORPORATE HEADQUARTERS
110 E. Houston St. Floor 7, San Antonio, TX 78205
+1.844.INFOCYTE (844.463.6298)
sales@infocyte.com
www.infocyte.com
@InfocyteInc
© Copyright 2016 Infocyte All Rights Reserved. Infocyte and Infocyte HUNT are trademarks of Infocyte Inc.
All other trademarks, servicemarks, registered trademarks, and registered servicemarks are the property of their respective owners.