Featured on Channel Futures | December 9, 2020
This week’s FireEye breach is distressing for the cybersecurity industry as a whole and could have wide-ranging impacts on providers.
That’s according to cybersecurity experts who weighed in on the incident, in which the attacker stole the Red Team assessment tools FireEye uses to test its customers’ security.
Kevin Mandia, FireEye’s CEO, reported the attack, saying it’s by a “nation with top-tier offensive capabilities.”
“This attack is different from the tens of thousands of incidents we have responded to throughout the years,” he said. “The attackers tailored their world-class capabilities specifically to target and attack FireEye.”
The attackers are highly trained in operational security and executed with discipline and focus, Mandia said. Moreover, they operated clandestinely, using methods that counter security tools and forensic examination.
“And they used a novel combination of techniques not witnessed by us or our partners in the past,” he added.
The FireEye breach is being investigated by the company in coordination with the FBI and other key partners, including Microsoft.
The attacker targeted and accessed certain Red Team assessment tools. FireEye uses these tools to mimic the behavior of many cyber threat actors and to provide diagnostic security services to its customers.
None of the tools contain zero-day exploits. FireEye is releasing methods and means to detect the use of its stolen Red Team tools, Mandia said.
“We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them,” he said. “Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools.”
There’s no evidence that any attacker has used the stolen Red Team tools, Mandia said.
“We, as well as others in the security community, will continue to monitor for any such activity,” he said. “At this time, we want to ensure that the entire security community is both aware and protected against the attempted use of these Red Team tools.”
Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers, Mandia said.
“While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems,” he said. “If we discover that customer information was taken, we will contact them directly.”
Randy Watkins is CRITICALSTART’s CTO. He said the FireEye breach highlights major concerns in the security industry.
“First, everyone is a target,” he said. “Attackers continue to leverage less secure third parties to access information that is interesting to them. Second, attackers are advancing. Even FireEye is vulnerable to well-orchestrated, well-funded and persistent attacks. Though the Red Team tools compromised do not contain any zero-days, many organizations lack proper patching protocols, and could likely be vulnerable to some of the attacks from older exploits.”
A third and final lesson learned is that security organizations, private industry and government agencies must work together and find a common enemy in the attackers to “create a country more resilient to cyberattacks,” Watkins said.
Mike Puglia is chief product officer at Kaseya. He said the FireEye breach is troubling for the security industry for two reasons: how the attacker accomplished it and what they obtained.
“This was a very customized, almost surgical strike by nation-state actors against a specific private entity that provides security for some of the world’s most sensitive information, including U.S. national defense assets,” he said. “This is a major escalation of the nation-state cybercrime crisis. And it indicates that this already pernicious problem is still ramping up. This breach also allowed bad actors to obtain extremely valuable, cutting-edge technologies used to stop cybercriminals and spies from accessing critical secure systems and data. Unfortunately, not only does snatching those tools give them the opportunity to learn precisely how to beat them, but it also gives them an advantage in beating future defensive solutions built with similar technology.”
Nation-state cybercrime has been a major cybersecurity topic in 2020, Puglia said. That’s because it’s consistently becoming more common and more dangerous.
“While insulating your business against this exact attack type isn’t feasible, there are several long-term and short-term precautions you can take to make your business safer against more common types of nation-state attacks,” he said. “Insist that all of your clients add a secure identity and access management solution that includes multi-factor authentication (MFA) to throw up a roadblock between hackers looking for a quick win and your client’s data and systems. Also, strongly suggest that your clients add both secure backup capability to make their data quickly restorable in the event of an incident and dark web monitoring to guard against dark web threats like nation-state hacking through credential compromise.”
Kevin Beasley is CIO of VAI, a midmarket enterprise resource planning (ERP) software developer.
“This breach will probably have a significant impact on the security industry,” he said. “For how long is unknown. Hackers used novel methods unfamiliar to FireEye and many other companies. This presents a unique challenge as the security industry will have to innovate and develop new solutions and software to combat and prevent breaches as hackers are advancing their methods and as they’re utilizing FireEye stolen tools. Many security tools and software solutions monitor for suspicious activity. But if new techniques are being utilized that are not detected by the current security tools set in place, then IT teams won’t be notified and efforts to breach the system can go unnoticed until it’s too late.”
“The scariest part of the FireEye breach is that the hackers used FireEye-developed tools as a weapon,” Beasley said. “Cybersecurity providers must work hard to protect internally developed tools that could potentially later be compromised and used for harm rather than good.”
Additionally, providers should take note of FireEye’s response to the breach, Beasley said.
“Even though bringing the news to the public caused the company’s shares to drop, the disclosure of the event will help mend FireEye’s reputation going forward, and maintain public trust,” he said. “Also, the company releasing countermeasures is a huge testament to its determination to stop the hackers and prevent future breaches. In the unfortunate case that another company or business experiences a breach, responding to the event in a similar manner is a good route to take.”