While mergers and acquisitions (M&A) are generally known for bringing economic growth and opportunity, people are beginning to realize that the process also brings serious cybersecurity risks. For example, along with the acquired company’s valuable assets, buyers also inherit all previous and current vulnerabilities and breach history. But there are also risks that exist for buyers before they sign on the dotted line or take action to merge technologies, processes and resources – during the M&A process, an organization is vulnerable from the moment they set out to do online research.
If done without caution, just the act of online fact-finding and information gathering on target companies poses risks to potential buyers. Aside from the potential security risks that may be introduced, the acquiring company faces the risk of tipping its hat or showing its hand. If the target or the acquisition learns of the buyer’s intent and desires, it may help their negotiating position. The target could open up parallel discussions, initiate their own research and monitoring activities, and take other steps that may result in a higher cost of acquisition or even derail the opportunity. The acquisition process requires substantial time and energy that could end up being wasted if the process of preliminary due diligence is not protected. I began working on internet anonymity tools in 1992, and since then I have gained a unique and detailed understanding of the different approaches organizations can utilize to protect their anonymity while searching and investigating in the open internet. When taking the first exploratory steps of the M&A process, these web searches could very well expose M&A intentions.
M&A research leaves a very clear fingerprint. Visits to the target come from unusual sources like senior management, the company’s law firm, specialist consultants, and investment banks. The visits do not follow typical customer patterns, focusing on the management, public financials, and technical details. A company can easily detect this research through monitoring their own web logs. By obfuscating where searches are coming from and breaking the inquiries up across multiple companies, intentions will not look like a coordinated effort of due diligence. Rather, it will appear that 100 companies or individuals are each grabbing different tidbits of information from the acquisition target’s website. The activity will mimic normal web visits versus a coordinated due diligence effort.
Obfuscating the origin and identity of a search is not easy, there are several different ways to be tracked or identified online. As I discussed in a previous SecurityWeek article, the moment a search is initiated on the public internet, all interested parties can recognize and react to actions, behaviors and patterns. They can discern who initiated the search, from where it is being launched, and even the source of employment. This can tip them to promote false information or simply discover and react to intentions and likely next steps. Each browser has a unique fingerprint made up of all the software and plugin versions, configurations, fonts, and characteristics of the source computer. Together, this data is usually unique for each visitor to a given website. Even when obfuscating the IP address and all supercookies, interested parties can still learn the identify using the browser fingerprint.
A counter to this tactic would be to use a browser fingerprint that is shared by many. The most common browser fingerprint is a freshly installed operating system. From there, they diverge quickly. And by using a VM, the source system will always appear as operating a newly installed operating system. Managing these identifiers online will help investigative queries blend in with general internet users and will enable research to be conducted without drawing undo attention or tipping the hat of M&A intentions or interests.