
Pre-M&A Due Diligence - Organizational

Updated over 5 months ago

Service Overview

This service provides a sampling-based cybersecurity due diligence assessment designed to evaluate the current security maturity level of an organization targeted for acquisition or investment. The engagement includes two assessment use cases that simulate external and internal threat scenarios.


Methodology

This activity comprises two complementary use cases:

  • Use Case 1 – External “Black-Box” Assessment
    Simulates an external attacker attempting to gain initial access to the organizational network and, from there, to reach business-critical systems and crown jewels, while identifying the weakest security points in the company’s IT infrastructure.

  • Use Case 2 – Internal “Grey-Box” Assessment
    Emulates the perspective of an employee, or of a compromised employee account, to assess the internal threat. Specifically, the assessment focuses on the potential impact to business-critical systems and crown jewels, and on identifying the weakest security points in the company’s IT and application infrastructure from an insider’s position.

The assessment includes the following activities:

  • Offline information gathering

  • Threat modeling, including identification of critical assets and potential threats

  • Interviews with the technical team

  • Security operations review (monitoring, incident response, and crisis management)

  • Evaluation of IT infrastructure, network architecture and segmentation, and firewall rule base

  • Assessment of the internet connectivity strategy, the internet perimeter, and exposed services

  • Configuration and policy review for endpoints, mobile devices, servers, and network equipment

  • Sensitive data and privacy management

  • Identity management and remote access assessment


Deliverables

A summary report will be provided, containing:

  • Executive Summary

    • Overview of the activity and its results

    • Identified security strengths

    • Key areas for improvement

    • Attacker achievements

  • Methodology Overview

  • Results Summary

    • Main attack scenarios

    • Potential consequences and impacts

    • Detailed findings sorted by risk level

    • Initial recommendations for short- and long-term mitigation


Prerequisites

  • Proposal and its appendix signed by an authorized company representative, indicating the company’s acceptance of the proposal

  • Assigned point of contact to support the engagement and resolve any arising issues

  • Permission memo

Required technical information:

The following data items help focus the assessment effort on the relevant parts of the organization:

  • Crown jewels definition and corresponding IP addresses

  • Assessment restrictions (rules of engagement), e.g., exclude business unit X, skip IP range Y, whether to operate covertly with respect to the SOC or with open communication, etc.

  • Two sets of domain/user credentials, VPN or remote access, and organizational endpoint access for internal threat simulation


Relevant Standards

  • MITRE ATT&CK knowledge base of adversary tactics and techniques

  • NIST Cybersecurity Framework

  • Center for Internet Security (CIS) Critical Security Controls


Security Domains Covered

The following security domains are addressed in the assessment:

  • Cross-organization policies, procedures, and governance

  • Security operations, monitoring, and incident response

  • Network level security

  • Servers, network equipment, and endpoint security

  • Application-level security

  • Sensitive data and information management

  • Identity management and remote access
