This document outlines a rapid response framework for handling IT integration during a Merger & Acquisition (M&A). The guiding principle is to assume the acquired network is hostile until proven otherwise.
Isolate & Inventory:
- Action: Place the acquired network behind a firewall with strict ingress/egress filtering rules, logging everything. Block all traffic by default and only allow what is absolutely necessary for business continuity. Before any exception is granted, inventory what you have actually bought: hosts, public IP ranges, domains and AD forests, remote-access paths, and every third-party connection (MSP VPNs, site-to-site tunnels, SaaS integrations). Do not create an AD trust or join the two networks until the steps below are complete.
- Why: This creates a digital quarantine zone, preventing potential threats from spreading into the core network, and the inventory tells you what the quarantine actually contains.
Enforce Universal Credential Reset:
- Action: Force a password reset for ALL user accounts from the acquired company. Immediately disable all privileged accounts (administrators, service accounts, MSP accounts) until each one is manually reviewed, documented, and has its password rotated. Keep one documented break-glass account so you do not lock yourself out, and expect some services to fail when their accounts are disabled; surfacing those dependencies is part of the review. Rotate the secrets a password reset does not touch: the krbtgt account (twice, with a pause for replication between resets), SSH keys, API keys, and shared secrets embedded in scripts and vaults.
- Why: Attackers leverage legacy and unknown admin accounts. Resetting and reviewing them removes the bulk of that attack vector; rotating the remaining secrets denies an attacker who already holds one a way back in.
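As an added example (not part of the original framework), the following PowerShell script stages that reset against an acquired Active Directory domain: it inventories privileged and service accounts to a CSV for the manual review, disables them, and forces every remaining enabled user to change their password at next logon. The domain name, the break-glass account name and the output path are assumptions; run it with -WhatIf first. It does not rotate krbtgt, which is done separately.

```powershell
<#
 Added example, not from the original document. Stage the universal credential
 reset in an acquired AD domain. Assumed values: $AcquiredDomain, $BreakGlass.
 Run with -WhatIf first; needs the ActiveDirectory module and admin rights in
 the acquired domain.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$AcquiredDomain = 'corp.acquired.example',   # assumption
    [string]$BreakGlass     = 'ir-breakglass',           # assumption: the one admin you keep
    [string]$InventoryCsv   = ".\acquired-privileged-$(Get-Date -Format yyyyMMdd-HHmm).csv"
)
Import-Module ActiveDirectory

$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Backup Operators', 'Server Operators'
$props = 'PasswordLastSet', 'LastLogonDate', 'ServicePrincipalName', 'adminCount'

# Keyed by DN so an account flagged for several reasons appears once, with all reasons.
$flagged = @{}
function Flag($User, [string]$Reason) {
    $dn = $User.DistinguishedName
    if (-not $flagged.ContainsKey($dn)) { $flagged[$dn] = @{ User = $User; Reasons = @() } }
    $flagged[$dn].Reasons += $Reason
}

# 1. Inventory: nested group membership, AdminSDHolder-protected accounts, and
#    anything with an SPN (service accounts). MSP and vendor accounts have no
#    technical marker; they are identified during the manual review of the CSV.
foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -Server $AcquiredDomain -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Flag (Get-ADUser -Identity $_.DistinguishedName -Server $AcquiredDomain -Properties $props) "member of $g" }
}
Get-ADUser -Filter 'adminCount -eq 1' -Server $AcquiredDomain -Properties $props |
    ForEach-Object { Flag $_ 'adminCount=1 (AdminSDHolder-protected)' }
Get-ADUser -Filter 'servicePrincipalName -like "*"' -Server $AcquiredDomain -Properties $props |
    ForEach-Object { Flag $_ 'has SPN (service account)' }

$flagged.Values | ForEach-Object {
    [pscustomobject]@{
        SamAccountName    = $_.User.SamAccountName
        DistinguishedName = $_.User.DistinguishedName
        Enabled           = $_.User.Enabled
        PasswordLastSet   = $_.User.PasswordLastSet
        LastLogonDate     = $_.User.LastLogonDate
        Reasons           = ($_.Reasons -join '; ')
    }
} | Sort-Object SamAccountName | Export-Csv -Path $InventoryCsv -NoTypeInformation
Write-Host "Inventory: $($flagged.Count) privileged/service accounts written to $InventoryCsv"

# 2. Disable every privileged account except the break-glass one. krbtgt is already
#    disabled and is skipped by the Enabled check; rotate it separately (twice).
foreach ($entry in $flagged.Values) {
    $u = $entry.User
    if ($u.SamAccountName -eq $BreakGlass -or -not $u.Enabled) { continue }
    if ($PSCmdlet.ShouldProcess("$AcquiredDomain\$($u.SamAccountName)", 'Disable pending review')) {
        Disable-ADAccount -Identity $u -Server $AcquiredDomain
    }
}

# 3. Everyone else: password change required at next logon. Network logons fail
#    until the password is changed; interactive logons are forced to change it.
Get-ADUser -Filter 'Enabled -eq $true' -Server $AcquiredDomain -Properties PasswordNeverExpires |
    Where-Object { -not $flagged.ContainsKey($_.DistinguishedName) -and $_.SamAccountName -ne $BreakGlass } |
    ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$AcquiredDomain\$($_.SamAccountName)", 'Require password change at next logon')) {
            # The change-at-logon flag is rejected while PasswordNeverExpires is set, so clear that first.
            if ($_.PasswordNeverExpires) { Set-ADUser -Identity $_ -Server $AcquiredDomain -PasswordNeverExpires $false }
            Set-ADUser -Identity $_ -Server $AcquiredDomain -ChangePasswordAtLogon $true
        }
    }
```

Run it once with -WhatIf to see exactly which accounts would be disabled, review the CSV, then run it for real. The CSV is also the first input to the dormant-account hunt later in this document, since it carries PasswordLastSet and LastLogonDate for every privileged account.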
Deploy Standard Endpoint Security (EDR):
- Action: Immediately deploy your company's standard Endpoint Detection and Response (EDR) solution to every server and workstation in the new environment.
- Why: Inconsistent or disabled endpoint protection is a common weakness. This provides immediate visibility and a consistent defense layer.
Scan the External Footprint:
- Action: Run an aggressive, continuous external vulnerability scan on all public-facing IP addresses belonging to the acquired company. Confirm the target ranges with the acquired company's IT staff and with the address registries first, so the scan covers everything they own (including forgotten ranges and hosted services) and nothing they do not.
- Why: This identifies the "front doors" attackers might use, like unpatched VPNs, remote-access portals, and forgotten test systems.
Centralize Logging:
- Action: Immediately configure all critical devices (VPNs, domain controllers, firewalls) in the acquired network to forward logs to your central SIEM (Security Information and Event Management) system. Make sure those devices are synchronised to a trusted time source; logs with skewed clocks cannot be correlated.
- Why: Centralized logging is essential for tracing an attack and detecting suspicious activity across both networks, and it is the data the threat hunts below run on.
Hunt Proactively:
Actively look for signs of trouble before they become a full-blown incident.
- Hunt for Dormant Privileged Accounts: Find high-privilege accounts whose password has not been changed in over 90 days.
- Hunt for Default Configurations: Use network scanners to find devices with default credentials.
- Hunt for Predictable Naming Abuse: Create alerts for when an acquired company's user account logs into a high-value server (e.g., DC01, FS-PROD) for the first time.
- Hunt for Lateral Movement Tools: Monitor for the execution of tools commonly used for lateral movement, such as PsExec, or malicious use of PowerShell.
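As an added example (not from the original document), the following PowerShell script runs two of these hunts against a single high-value server's Security log: first-time logons by acquired-domain accounts, checked against a learned baseline, and process creations that look like PsExec, encoded PowerShell, or remote WMI execution. It assumes Audit Logon (event 4624) and Audit Process Creation (event 4688, with command-line logging) are enabled, that the acquired company's NetBIOS domain is ACQUIRED, and that the caller can read the remote Security log; the server name, baseline path and detection patterns are assumptions to tune locally.

```powershell
<#
 Added example, not from the original document. Two hunts over one server's
 Security log. Assumptions: 4624 and 4688 (with command line) are audited,
 $AcquiredDomain is the acquired company's NetBIOS domain name, and the caller
 can read the Security log on $Server.
#>
param(
    [string]$Server         = $env:COMPUTERNAME,        # e.g. DC01 or FS-PROD
    [string]$AcquiredDomain = 'ACQUIRED',               # assumed NetBIOS name
    [string]$BaselinePath   = ".\logon-baseline-$Server.json",
    [int]$LookbackHours     = 24
)

# Pull the named EventData fields out of an event's XML payload into a hashtable.
function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$since    = (Get-Date).AddHours(-$LookbackHours)
$alerts   = @()
$baseline = @{}   # "DOMAIN\user" -> first time seen on this server
if (Test-Path $BaselinePath) {
    (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
}

# Hunt 1: first-time logon by an acquired-domain account to this high-value server.
# Logon types 2/3/10 = interactive, network (SMB/WinRM), RDP.
Get-WinEvent -ComputerName $Server -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.TargetDomainName -ne $AcquiredDomain -or $d.LogonType -notin @('2', '3', '10')) { return }
        $key = "$($d.TargetDomainName)\$($d.TargetUserName)"
        if (-not $baseline.ContainsKey($key)) {
            $alerts += [pscustomobject]@{ Time = $_.TimeCreated; Hunt = 'FirstLogon'; Detail = "$key from $($d.IpAddress) (logon type $($d.LogonType))" }
            $baseline[$key] = $_.TimeCreated.ToString('o')   # learn it so the next run stays quiet
        }
    }

# Hunt 2: lateral-movement tooling in process creation events. PsExec drops
# PSEXESVC.exe on the target; encoded PowerShell and WMI-spawned shells are the
# usual follow-on. The patterns are assumptions; tune them to the environment.
$suspicious = @(
    @{ Name = 'PsExec service';     Test = { param($d) $d.NewProcessName -match 'psexesvc|psexec' } },
    @{ Name = 'Encoded PowerShell'; Test = { param($d) $d.NewProcessName -match 'powershell|pwsh' -and $d.CommandLine -match '-e(nc(odedcommand)?)?\s' } },
    @{ Name = 'WMI-spawned shell';  Test = { param($d) $d.ParentProcessName -match 'wmiprvse\.exe$' -and $d.NewProcessName -match 'cmd\.exe$|powershell\.exe$|pwsh\.exe$' } }
)
Get-WinEvent -ComputerName $Server -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        foreach ($s in $suspicious) {
            if (& $s.Test $d) {
                $alerts += [pscustomobject]@{ Time = $_.TimeCreated; Hunt = $s.Name; Detail = "$($d.SubjectDomainName)\$($d.SubjectUserName): $($d.NewProcessName) $($d.CommandLine)" }
            }
        }
    }

$baseline | ConvertTo-Json | Set-Content -Path $BaselinePath
$alerts | Sort-Object Time | Format-Table -AutoSize
```

The first run has no baseline, so it reports every acquired-domain account that touched the server in the window; treat that list as the initial inventory, then schedule the script so later runs only raise genuinely new logons. The same checks belong in the SIEM once the acquired network's logs are flowing; the script is a way to get the signal on day one.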
Example using a VPN appliance:
- Access Control: Restrict the device's management interface to a handful of whitelisted security team IP addresses.
- Patch & Update: Apply all available vendor security patches immediately.
- Configuration Overhaul:
- Change all default passwords.
- Enforce strong, modern encryption ciphers: disable legacy TLS versions and weak cipher suites.
- Enforce Multi-Factor Authentication (MFA) for all users.
- Logging & Alerting: Ensure logs are sent to the SIEM and that alerts are configured for suspicious activity.
- Plan for Replacement: If the device is end-of-life or doesn't support critical features like MFA, plan for its urgent replacement.
Scenario: Your EDR alerts on a machine from the acquired network communicating with a known ransomware C2 server.
Minutes 0-10: CONTAINMENT
- Isolate the endpoint from the network.
- Block the attacker's C2 IP address at the firewall.
- Notify key stakeholders (Legal, IT, Leadership).
Minutes 10-30: TRIAGE
- Disable the user account associated with the device and reset its password; sessions and tickets already issued survive until they expire, which is why the endpoint isolation comes first.
- Analyze logs in the SIEM to determine the scope of the potential breach: which other hosts contacted the C2 address, and where the account and the machine have authenticated.
Minutes 30-60: INVESTIGATION
- Begin forensic analysis of the compromised machine; capture memory and a disk image before anyone remediates it.
- Initiate a network-wide threat hunt for similar indicators.
- Provide a factual, initial update to leadership.
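As an added example (not from the original document), the following PowerShell script covers the technical part of the first 30 minutes above: it disables and resets the suspect account, then asks each high-value server for every logon by that account or from the suspect host in the lookback window, which is the scoping question the triage step has to answer. EDR isolation and the perimeter block are done in their own consoles. The account, host, domain and server names are assumed values; the script needs the ActiveDirectory module, rights in the acquired domain, and WinRM access to the servers.

```powershell
<#
 Added example, not from the original document: the technical actions of the
 first 30 minutes. Isolation and the perimeter block happen in the EDR and
 firewall consoles; this script contains the identity and scopes the account's
 footprint on the high-value servers. All parameter defaults are assumed values.
#>
param(
    [string]$SuspectUser    = 'jdoe',                    # assumed, from the EDR alert
    [string]$SuspectHost    = 'ACQ-WKS-042',             # assumed
    [string]$AcquiredDomain = 'corp.acquired.example',   # assumed
    [string[]]$Servers      = @('DC01', 'FS-PROD'),      # high-value servers named in the hunts above
    [int]$LookbackHours     = 72
)
Import-Module ActiveDirectory

# 1. Contain the identity: disable it and set a random password. Tickets and sessions
#    already issued survive until they expire; the EDR isolation covers the live session.
Disable-ADAccount -Identity $SuspectUser -Server $AcquiredDomain
$random = ConvertTo-SecureString -AsPlainText -Force -String ('IR-' + [guid]::NewGuid().ToString('N'))
Set-ADAccountPassword -Identity $SuspectUser -Server $AcquiredDomain -Reset -NewPassword $random

# 2. Scope: on each high-value server, every logon (4624) by the account or from the
#    suspect host inside the lookback window. Runs on the servers over WinRM.
$since = (Get-Date).AddHours(-$LookbackHours)
$scope = Invoke-Command -ComputerName $Servers -ArgumentList $SuspectUser, $SuspectHost, $since -ScriptBlock {
    param($user, $workstation, $since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($e in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            if ($d.TargetUserName -eq $user -or $d.WorkstationName -eq $workstation) {
                $from = $d.WorkstationName
                if (-not $from) { $from = $d.IpAddress }
                [pscustomobject]@{
                    Server    = $env:COMPUTERNAME
                    Time      = $_.TimeCreated
                    Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
                    LogonType = $d.LogonType
                    From      = $from
                }
            }
        }
}

# Servers with no rows are outside the current scope; servers with rows need the same
# containment and their own log review before the 30-minute mark.
$scope | Sort-Object Time | Format-Table Server, Time, Account, LogonType, From -AutoSize
```

Keep the output with the incident record: it is the factual basis for the initial leadership update, and the list of servers with hits is the starting point for the network-wide hunt in the next step.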