FireEye CEO Kevin Mandia speaks on cybersecurity last year at the US Naval Academy. Today’s special columnist, Rick Holland of Digital Shadows, offers some insight and actionable advice for security pros about how to respond to Mandia’s announcement yesterday that a nation-state actor had stolen red team tools from FireEye. (Credit: CC PDM 1.0)

Nearly three weeks after announcing a $400 million investment by Blackstone, CEO Kevin Mandia told the world yesterday that FireEye had suffered a breach by a nation with top-tier offensive capabilities.

Mandia said the attackers accessed certain Red Team assessment tools that FireEye uses to test its customers’ security. The tools mimic the behavior of many cyber threat actors and let FireEye deliver essential diagnostic security services to its customers.

A nation-state actor targeting a cybersecurity company is neither novel nor unprecedented. In 2011, RSA was compromised and data tied to its SecurID two-factor authentication tokens was stolen. In 2013, Bit9 (now VMware Carbon Black) was compromised so that attackers could sign their malware with Bit9's own code-signing certificate and have it whitelisted.

We don’t know whether the unidentified attackers plan to release FireEye’s red team tools into the wild, but leaked offensive tooling has been a dangerous trend. This year, Kaspersky observed surveillance software from the Italian firm Hacking Team, itself breached in 2015, being reused in the wild. In 2017, the Shadow Brokers leaked the NSA's EternalBlue exploit, which was later used in WannaCry and NotPetya. Also in 2017, Joshua Adam Schulte allegedly leaked the CIA's hacking tools that WikiLeaks published as Vault 7. If the FireEye tools are publicly released, that once again lowers attackers’ barrier to entry and makes defenders’ jobs that much more challenging.

So, what should enterprise defenders do in light of FireEye's intrusion?

  • First, take a breath and realize that if you have something a nation-state wants, they will gain access to your environment. This is the way. It isn’t the comfort many would hope for, but if a nation-state is in your threat model, the question is how quickly you can detect and respond to the intrusion, not whether you can prevent it.
  • If you want to use a pop culture analogy, this theft isn't a Jake Paul/Nate Robinson knockout; it is more like a body blow. As of now, FireEye says the stolen tools contained no zero-day exploits, so they aren’t on the EternalBlue level. The sky isn’t falling, and security pros should communicate that up the chain of command. Of course, as the Verizon Data Breach Investigations Report asked many years ago, "would you fire a guided missile at an unlocked screen door?" It doesn’t take zero days to compromise targets; traditional phishing can do plenty of damage.
  • Incorporate the contents of FireEye's GitHub repository into your detection engineering processes. FireEye provided Snort, YARA and ClamAV signatures and HX IOCs, and the repository also lists the CVEs the tools exploit, ordered by priority; treat that list as an input to patch prioritization. Not mature enough to have a detection engineering capability? Push your security vendors to add these detections to the security monitoring controls you already run. Kudos to FireEye for releasing these.
  • The investigation isn’t like an episode of CSI Cyber or Scorpion; it won’t get wrapped up in a single episode; it will take time to complete. The story will evolve, and more details will follow. I wonder if the tools were just a byproduct of the larger intrusion's objectives.
  • The Washington Post has reported that APT29 (Cozy Bear) is responsible for this intrusion. Once the investigation has run its course, expect FireEye to release the relevant MITRE ATT&CK techniques and any software the attackers leveraged. In the meantime, if APT29 is in your threat model, refresh yourself on the techniques catalogued in the group's MITRE ATT&CK entry.
  • One specific piece of the FireEye blog raises additional questions. Mandia wrote that the tools “enable FireEye to provide essential diagnostic security services to our customers.” If I were a FireEye customer, I’d prioritize my detection efforts on whatever access those diagnostic services have into my environment. I don't know how the services work, but any remotely delivered diagnostic capability is a potential backdoor into a customer's network.
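Importing a vendor's rule drop is rarely a straight copy into production: third-party Snort SIDs can collide with local ones, YARA rule names can shadow rules you already run, and rules without metadata are hard to attribute later. The script below, an added example that is not part of the original column and not FireEye's own code, triages a new rule file against an existing ruleset before it is loaded. Every rule and SID in it is constructed for illustration; none is a FireEye signature.

```python
"""Triage a third-party Snort/YARA rule drop before loading it into production.

Added example with constructed sample rules. Nothing here is a FireEye
signature; the SIDs, rule names and strings are invented for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of a "new" Snort rule file (not FireEye's).
NEW_SNORT = """\
# constructed sample rules
alert tcp any any -> $HOME_NET any (msg:"Constructed example beacon"; content:"|de ad be ef|"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> any 443 (msg:"Constructed example C2 URI"; content:"/api/v1/ping"; http_uri; sid:1000002; rev:2;)
alert tcp $HOME_NET any -> any 80 (msg:"Constructed example stale rule"; content:"/old"; http_uri; sid:2000000; rev:1;)
"""
# Constructed view of the local ruleset: sid -> rev currently deployed.
EXISTING_SNORT = {1000002: 1, 2000000: 3}

# Constructed sample of a "new" YARA file (not FireEye's).
NEW_YARA = """\
rule constructed_tool_strings
{
    meta:
        author = "added example"
        description = "constructed sample, not a FireEye signature"
    strings:
        $a = "constructed-marker-string"
    condition:
        $a
}

rule constructed_no_meta
{
    strings:
        $a = { de ad be ef }
    condition:
        $a
}
"""
EXISTING_YARA_NAMES = {"constructed_tool_strings"}  # constructed local rule names

SNORT_SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
SNORT_REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
SNORT_MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')
# A YARA rule header: optional private/global modifiers, then "rule <name>".
YARA_HEADER_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)', re.MULTILINE)


@dataclass
class SnortRule:
    sid: int
    rev: int
    msg: str
    text: str


def parse_snort(text):
    """Return {sid: SnortRule}; one rule per non-comment line. Rejects duplicate SIDs."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid_m = SNORT_SID_RE.search(line)
        if not sid_m:
            raise ValueError(f"rule without sid: {line[:60]}")
        sid = int(sid_m.group(1))
        if sid in rules:
            raise ValueError(f"duplicate sid {sid} inside the new rule file")
        rev_m = SNORT_REV_RE.search(line)
        msg_m = SNORT_MSG_RE.search(line)
        rules[sid] = SnortRule(sid, int(rev_m.group(1)) if rev_m else 1,
                               msg_m.group(1) if msg_m else "", line)
    return rules


@dataclass
class YaraRule:
    name: str
    has_meta: bool


def parse_yara(text):
    """Return the rules in a YARA file with a flag for whether each has a meta section."""
    headers = list(YARA_HEADER_RE.finditer(text))
    rules = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():end]
        rules.append(YaraRule(m.group(1), bool(re.search(r'\bmeta\s*:', body))))
    return rules


@dataclass
class Triage:
    snort_new: list = field(default_factory=list)         # SIDs safe to add
    snort_updates: list = field(default_factory=list)     # same SID, higher rev than deployed
    snort_collisions: list = field(default_factory=list)  # same SID, rev not newer: investigate
    yara_new: list = field(default_factory=list)
    yara_collisions: list = field(default_factory=list)   # name already deployed
    yara_missing_meta: list = field(default_factory=list)


def triage(new_snort, existing_snort, new_yara, existing_yara_names):
    """Classify every incoming rule so nothing silently overwrites a deployed rule."""
    t = Triage()
    for sid, rule in sorted(parse_snort(new_snort).items()):
        if sid not in existing_snort:
            t.snort_new.append(sid)
        elif rule.rev > existing_snort[sid]:
            t.snort_updates.append(sid)
        else:
            t.snort_collisions.append(sid)
    for r in parse_yara(new_yara):
        (t.yara_collisions if r.name in existing_yara_names else t.yara_new).append(r.name)
        if not r.has_meta:
            t.yara_missing_meta.append(r.name)
    return t


if __name__ == "__main__":
    print(triage(NEW_SNORT, EXISTING_SNORT, NEW_YARA, EXISTING_YARA_NAMES))
```

The SID check matters because Snort treats SIDs 1,000,000 and above as local rule space, so a vendor drop that uses that range can land on top of your own rules; a collision with a rev that is not newer is the case to hand to a human rather than load.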

We will never prevent nation-state actors from compromising their targets. We can, however, focus on the areas we do control that make their jobs harder. Make sure your teams have the training required to get the most out of the organization’s security controls. Implement the hardening guidelines your vendors publish. Take a risk-based approach to patch management. Don’t expose administrative consoles on public-facing networks. Enforce multi-factor authentication to blunt account takeover. The basics aren't glamorous, and they aren’t always easy to roll out. Still, they make adversaries' operations more difficult, and anything the security team can do to slow them down increases the organization’s ability to detect and respond.

Rick Holland, chief information security officer, vice president strategy, Digital Shadows