FireEye hacked ‘by Russia.’ Who’s next?

Richi Jennings, your humble blogwatcher, dba RJA

FireEye—the huge security company, with revenues of $900 million and countless US federal agencies on its customer roll—confessed this week that it had been hacked. Its proprietary red-teaming tool set was stolen.

Officially, the firm’s not saying who perpetrated the intrusion. But secret-squirrel sources say it was Russia—APT29 to be precise.

It’s being seen as revenge for outing Russia as the culprit for other high-profile shenanigans. In this week’s Security Blogwatch, we pass the vodka.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: RC in PH.

Reds school the red team

What’s the craic? Dustin Volz and Robert McMillan report—FireEye Says It Was Breached by Nation-State Hackers:

FireEye is among the world’s largest cybersecurity companies, with more than a dozen offices around the world and thousands of employees. The company has been seen as an industry pioneer in detecting and responding to cyberattacks carried out by foreign governments.

FireEye declined to comment on who it believed was behind the breach of its hacking tools. [But] A person familiar with the matter said Russia is currently seen by investigators, including U.S. intelligence agencies, as the most likely culprit but stressed that the investigation was continuing.

There are a few reasons why FireEye would be an attractive target. [One] possible motive: payback. Russian intelligence operations have been documented and exposed in a number of FireEye reports over the years.

And Dan Goodin gets in—The FBI, normally mum on such matters, says it is investigating the hack:

With a market capitalization of $3.5 billion and some of the most seasoned employees in the security industry, the company's defenses are formidable. Despite this, attackers were able to burrow into FireEye's heavily fortified network using techniques no one in the company had ever seen before [and are] now in possession of proprietary attack tools, [which] could make the hackers an even greater threat. … Such tools are used by so-called red teams, which mimic malicious hackers in training exercises that simulate real-world hack attacks.

An unnamed source … said the hack appeared to be the work of the Russian SVR intelligence service. If true, that means the hackers belong to a group that goes under a variety of monikers, including APT 29, Cozy Bear, and the Dukes.

What a catastrophe! Lily Hay Newman and Andy Greenberg disagree, calling it a Statement—but Not a Catastrophe:

That the attackers made off with some of its offensive tools [is] a startling admission but almost certainly not as devastating as it may first sound. [But it] sends a clear statement that while Russia may have been relatively quiet during the US presidential election, the Kremlin’s digital prowess remains formidable.

In practice the threat from the tools is important but likely not ruinous. … FireEye’s head start on distributing defense tools makes it more likely that if Russia dumps the [stolen code] it would be as a sort of victory lap and statement to the US government rather than as a specific effort to wreak havoc.

What does the firm have to say for itself? CEO Kevin Mandia writes thuswise—Details of Recent Cyber Attack:

We witness the growing threat firsthand, and we know that cyber threats are always evolving. Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack … by a nation with top-tier offensive capabilities.

We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed [and] we are proactively releasing methods and means to detect the use of our stolen Red Team tools … in order to minimize the potential impact.

The attacker primarily sought information related to certain government customers. While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated … customer information.

What’s the significance of the stolen tool set? mike_d explains:

Take the tool mimikatz, which is publicly available and well known. It can dump stored passwords out of Windows memory.

But if you download mimikatz and try to run it every single antivirus/endpoint protection solution will light up like a Christmas tree. However, the underlying technique isn't being blocked – just the specific implementation. This is why we build our own tools: to demonstrate to defenders that while they are blocking a specific implementation they have not addressed the underlying vulnerability.

FireEye … did the responsible thing and released fingerprints that could be used to detect every single one of their tools. They effectively burned their entire catalog and put them into the class of "public" tools that are easily identified.

Also, everyone gets hacked. No matter how good you are or how many cyber security engineers you have on staff, there is still Matthew in accounting that will open that invoice attachment.

True, dat? Jake Williams—@MalwareJake—approves this message:

Mad props to FireEye for disclosing and taking this action. I’m sure others would have handled things much differently.

Most of the FireEye customers expressing concern that the breach could be impacting their security likely never would have detected a similar intrusion in their own networks. They have cause to be concerned, but it's for the wrong reason.

If you claim (without seeing FireEye's Red Team tools) that their release will cause another WannaCry (or some other panic inducing hyperbole), you deserve to be run out of the infosec industry.

But phantomfive is unconvinced:

FireEye is a … crappy security company. … They are better at writing press releases than they are at security. … Can't keep their own stuff secure, so they blame a "nation state."

If you're a security company you better be on point. You can have security that is good enough that an attacker would have an easier time with physical attacks than with remote attacks.

And Grease Monkey don’t got no truck with that:

Can't see them getting any new customers for a while, and I expect some of their existing customers will be leaving as soon as is practically possible. All of which is perfectly understandable.

Would you want to be protected by a company who had their "most secure servers" hacked? It matters not how much they protest that the attack was sophisticated and unusual—you can't go round claiming to be the best in your field and then get pwned and not pay the consequences.

So Ray Morris worms his way into the narrative: [You’re fired—Ed.]

FireEye [have] been hacked in a major way again because their security sucks. … Their overall security as a company has been pretty bad. … FireEye has experts in a few topics, and a couple thousand employees who are absolutely clueless about security.

The last time they had a major hack and the company lost 30% of its value, it [was] because their flagship product had a bunch of really, really newbie security mistakes. As in: clearly nobody who knew anything about application security had taken a glance at the design of their own product.

However, heed the experience of Hal Pomeranz:

Rarely do I see people who actually do incident response or operational information security work dunking on organizations for getting breached. Perhaps they understand something the bandwagoners do not?

Meanwhile, Bitsminer mines the PR response for sales pitches:

"We were so valuable that we got hacked."

"We now have a better understanding of our customers' perspectives."

"We weren't the first … and we won't be the last."

The moral of the story?

FireEye wasn’t the first, and won’t be the last. Are you next to be hacked? How would you know if you had been?

And finally

This is how they advertise soda in the Philippines

Hat tip: Miss Cellania


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Elyse Horvath (cc:by-sa)
