The FireEye Breach: A body blow…but not a knockout | SC Media

The FireEye Breach: A body blow…but not a knockout

December 9, 2020
FireEye CEO Kevin Mandia speaks on cybersecurity last year at the US Naval Academy. Today’s special columnist, Rick Holland of Digital Shadows, offers some insight and actionable advice for security pros about how to respond to Mandia’s announcement yesterday that a nation-state actor had stolen red team tools from FireEye. (Credit: CC PDM 1.0)
  • First, take a breath and realize that if you have something a nation-state wants, they will gain access to your environment. This is the way. While not the comfort many would hope for, if a nation-state infiltrates your threat model, the question is how quickly you can detect and respond to the intrusion, not can you prevent it.
  • If you want to use a pop culture analogy, this theft isn't a Jake Paul/Nate Robinson knockout; it is more like a body blow. At this point, no zero days were taken in the breach, so the tools stolen aren’t on the EternalBlue level. The sky isn’t falling, and security pros should communicate that up the chain of command. Of course, as the Verizon Data Breach Investigations Report wrote many years ago, "would you fire a guided missile at an unlocked screen door?" It doesn’t take zero days to compromise targets; traditional phishing can do plenty of damage.
  • Incorporate the contents of FireEye's GitHub link into your detection engineering processes. FireEye provided Snort, Yara, ClamAV, and HXIOCs. Not mature enough to have a detection engineering capability? Push your security vendors to add these detections into your security monitoring controls. Kudos to FireEye for releasing these.
  • The investigation isn’t like an episode of CSI Cyber or Scorpion; it won’t get wrapped up in a single episode; it will take time to complete. The story will evolve, and more details will follow. I wonder if the tools were just a byproduct of the larger intrusion's objectives.
  • The Washington Post has reported APT29/Cozy Bear as being responsible for this intrusion. After the investigation has run its course, FireEye will release the relevant MITRE ATT&CK techniques and any software that the attackers leveraged. In the meantime, if APT29 is in your threat model, I suggest refreshing yourself on their techniques here.
  • There’s one specific piece of the FireEye blog that raises additional questions. Mandia wrote the tools “enable FireEye to provide essential diagnostic security services to our customers.” If I were a FireEye customer, I’d prioritize my detection efforts on these diagnostic services. I don't know how these services work, but they could be leveraged as a backdoor into your environment.
prestitial ad