Much of the news surrounding the recent “hacking” of FireEye is at best misleading, but there are a number of reasons why this incident isn’t as dire as the headlines suggest.
The Cybersecurity Challenge. The theft of FireEye’s red teaming tools illustrates an uncomfortable truth about cybersecurity. There are no guarantees. One of the primary goals is certainly to prevent adversary intrusion into your networks, but – just as the Defense Science Board found in 2013 – there’s no way to ensure 100% protection against targeted, well-funded adversaries, even for a premier cybersecurity organization. What’s more important is how you set up your system to protect your data and assure your organization’s mission and how resilient you are to an incident when, not if, it happens.
From what we understand of the publicly released information, FireEye has done everything right.
Definition of Cyber Resiliency. FireEye has been the quintessential example of cyber resiliency. This more mature approach for fighting through the type of advanced threat scenario that has been reported was only recently published as a standard by the National Institute of Standards and Technology (NIST) in their Special Publication 800-160 Volume 2: Developing Cyber Resilient Systems. In it they define cyber resiliency as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”
Anticipated and Limited Consequences. The tools stolen were red teaming tools – meaning they were used to emulate attackers to test the defenses of customers’ systems and find vulnerabilities. The concern is that the thieves can either use these tools or sell them to someone else who will use them against other organizations. But the key here is that FireEye had already reduced the consequences of these tools being in the wild. The tools exploited only known vulnerabilities – vulnerabilities that have been catalogued and have an associated patch that can be applied to prevent exploitation by an adversary. Furthermore, FireEye had already built ways to detect its own tools, and it immediately made them less consequential by quickly and publicly releasing those signatures for everyone to use freely.
Segmentation Matters in Withstanding Events. From a resiliency perspective, where you put things on your networks matters. Red teaming tools are, by their nature, exposed because of how they are used. These aren’t the kind of things you put next to the data most critical to accomplishing your organization’s mission (i.e., your “crown jewels”). And FireEye didn’t. To date, there is no indication that the intruders stole any information from FireEye’s primary networks, which house customer data and vital intelligence information.
Effectively Responding and Recovering. All indications are that this was a sophisticated threat that specifically targeted FireEye, and that what the attackers walked away with was largely publicly available information and tools that will be relatively easy to defend against. It’s important to note that FireEye has already released information on how to defend against the tools it lost and has embedded those defenses into its own products. So, while the incident may be inconvenient and costly for FireEye because they’ll have to build new emulation tools, it is by no means a catastrophic loss for them or their customers.
Already Adapting their Intelligence-led Advantage. There is something to be gained from this incident. FireEye is known for its unmatched intelligence gathering that provides customers with crucial information about adversary tactics, techniques and procedures (TTPs) useful in detecting such activity on their networks. FireEye’s CEO Kevin Mandia described the nature of this incident as “different,” that it was conducted by sophisticated attackers who “used a novel combination of techniques not witnessed by us or our partners in the past.” They’re already releasing information about these new TTPs.
Increased Attacker Costs with Limited Defender Losses. Not only did the perpetrator presumably spend considerable money and resources for a relatively small return in what they stole, but they also exposed previously unknown and sophisticated TTPs that we can use in the future to detect similar malicious activity.
Trust through Transparency. Additionally, FireEye has approached their investigation with a degree of openness and transparency not often exhibited by organizations in the wake of a cyber incident. They don’t yet know how the adversary got in – the investigation is still ongoing – but they continue to act in everyone’s best interest by sharing information about the investigation and the attacker’s TTPs, which will help everyone better protect themselves.
FireEye is an even better cybersecurity partner today. No organization is invulnerable to cyber incidents, but they all have a tremendous amount of control over how they defend themselves and respond. FireEye’s handling of this incident shows them to be the premier cybersecurity and threat intelligence organization we have always believed them to be, and an example of leadership and best practices for the cyber community.
At Ardalyst, we are even more proud and thankful today to be a FireEye partner.
The story surrounding the cyber incident affecting FireEye, Inc. last week continues to develop. FireEye initially detected an intrusion via a suspicious login to their virtual private network, or VPN. In the course of their ongoing investigation, FireEye has uncovered a global intrusion campaign through which threat actors gained access to multiple organizations, including FireEye and multiple U.S. government agencies, via malware distributed through a product by SolarWinds, Inc.
The campaign has been operating since spring of 2020, at least, and if FireEye hadn’t discovered it, it could very well have remained undetected indefinitely.
The malware (dubbed SUNBURST by FireEye) was distributed through a sophisticated supply chain attack leveraging updates for the widely used SolarWinds Orion business software. It’s important to note that each individual attack attempt in this campaign required careful planning and execution, which means it’s unlikely that every organization using this software has been affected.
FireEye continues to demonstrate solid assurance and resilience behaviors, sharing publicly the attacker’s post-compromise evasive techniques and releasing information and tools (i.e., signatures) to help others detect this threat actor operating on their systems.
Ardalyst CTO Josh O’Sullivan joined Vago Muradian, host of the Defense and Aerospace Report podcast, today to discuss the latest developments.