No stranger to volatility, Bitcoin lost $50B in market cap last week because of a false message from the SEC’s X (formerly Twitter) account that had been compromised. It followed closely on the heels of the compromise of Mandiant’s X account by cryptocurrency thieves. Following investigations, Both X and Mandiant issued statements that in both cases, the recommendation of two factor authentication (2FA) was not being followed at the time of compromise.

The situation would seem cut and dry, except for a number of factors regarding the security dynamics at X – from whistleblower accusations to changes in security options and policies – since its acquisition by Elon Musk. Even Mandiant’s statement includes a vague reference that, “...due to some team transitions and a change in X's 2FA policy, we were not adequately protected…"

While many are debating the imperative for, and implementation of 2FA we thought we’d take a step back and ask our Red Team Practice Director Trevin Edgeworth how Red Teamers view security programs in flux. Whether intentional changes such as M&A or leadership transition, to general uncertainty and confusion brought on by technology failures or adjacent breaches, how could an attacker prey on the confusion, miscommunication, or general lack of clarity. Additionally, where are the weakest points in the shared security responsibility between service providers and customers that need to be addressed?

Session Summary

In this timely analysis, Bishop Fox's Red Team Practice Director Trevin Edgeworth examines how organizational changes create security vulnerabilities that sophisticated attackers readily exploit. Drawing from recent incidents including the SEC's X account compromise and Bitcoin-related breaches, Edgeworth demonstrates that security incidents often correlate with periods of significant organizational or technological transition.The presentation highlights three critical scenarios where organizations become particularly vulnerable: mergers and acquisitions, organizational restructuring, and major technology migrations. During these periods, security personnel are frequently diverted to transition-related tasks while maintaining their regular responsibilities, creating attention gaps that attackers can exploit. Communication channels become flooded with unfamiliar requests and new contacts, making social engineering attacks significantly more effective. Edgeworth shares a compelling example from a recent engagement where his team successfully compromised a merging organization by impersonating IT staff conducting migration-related activities.Perhaps most concerning is how attackers gather intelligence about organizational changes through publicly available information. Job postings revealing technology migrations, press releases announcing mergers, and leadership changes all provide attackers with valuable context for crafting believable pretexts. Edgeworth concludes with practical recommendations for maintaining security during periods of change: increasing security awareness communications during transitions, factoring temporary security gaps into risk management decisions, and being more strategic about public disclosures of organizational and technological changes. By understanding how attackers exploit these windows of opportunity, security teams can better prepare for and mitigate these heightened risks during periods of transformation.

Key Takeaways

1. Organizational change creates security blind spots - Mergers, acquisitions, technology migrations, and leadership transitions all create periods of increased vulnerability that attackers actively target.
2. Social engineering thrives during transitions - During periods of change, employees are more likely to accept unusual requests or unfamiliar contacts, making social engineering attacks significantly more effective.
3. Standard security controls may be bypassed during transitions - Authentication procedures, access reviews, and security monitoring often operate irregularly during organizational changes, creating opportunities for attackers.
4. Public information telegraphs vulnerability - Job postings, press releases, and social media announcements about organizational changes provide attackers with valuable intelligence for crafting targeted attacks.
5. Communication gaps between service providers and customers create risk - The shared security responsibility model becomes particularly vulnerable during transitions when assumptions about who manages specific controls may be incorrect.
6. Security awareness needs heightened emphasis during changes - Organizations should increase security communications during transitions to counterbalance the natural tendency toward reduced vigilance during periods of flux.

Who Should Watch

This video is essential viewing for:

• Security leaders and executives responsible for maintaining security posture during organizational transitions
• Social media and communications teams managing accounts with significant business impact
• IT and security professionals implementing authentication policies across multiple platforms
• Merger and acquisition integration teams working to harmonize security practices
• Risk management professionals assessing how organizational change affects security posture
• Incident response teams preparing for scenarios that exploit transitional vulnerabilities

The session is particularly valuable for organizations experiencing or planning significant changes—whether technology migrations, leadership transitions, acquisitions, or restructuring—as these periods create unique security vulnerabilities that sophisticated attackers actively target.