The recent breach experienced by FireEye on Tuesday has rocked the cybersecurity world. In this article, we will discuss who was behind the breach, what they took, and what steps organizations can take to safeguard their own digital assets against hackers. Intelligence sources stated that the tool grab is only a small part of the concern.
World-renowned cybersecurity firm FireEye announced on Tuesday, December 8th, that a well-organized group of hackers, likely state-sponsored, compromised FireEye’s offensive security toolsets. The hackers broke into a secure network and stole tools developed by the company’s experts designed to simulate attacks on client assets for training purposes.
Who is FireEye?
FireEye is one of the world’s top security firms, handling cybersecurity for governments and large enterprise customers around the world. Best known for their top-notch research on state-sponsored threat actors and their impressive incident response capabilities, FireEye has been involved in investigating some of the most high-profile breaches experienced by governments and organizations.
The Malicious Actors Behind the Breach: Who is Cozy Bear?
In a public announcement following the incident, on Tuesday December 8th, FireEye CEO Kevin Mandia said: “Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examinations. They used a novel combination of techniques not witnessed by us or our partners in the past.”
The concern here is the sophistication of the methods used to conduct this attack and the fact that these novel methods were allowed to be exposed. These groups don’t typically expose their TTPs (tactics, techniques, and procedures) unless they have other, more valuable TTPs held back for future use. This in and of itself shows that they are upping their game and likely have even more sophisticated, novel methods at their disposal.
Current evidence suggests that Russia’s state-sponsored Cozy Bear is behind the attack, although attribution is challenging. The notorious group, which managed to penetrate the White House and State Department a few years ago, also recently attempted to steal coronavirus vaccine research.
While Cozy Bear may be able to use the tools they have stolen to target other organizations, Wired magazine suggests that the hack is likely more about sending a message rather than gaining useful tools. As a security expert, I interpret this attack as a warning shot across the bow. Clearly, FireEye’s government customers were also in the cross-hairs of this attack.
Why is Russia Retaliating Against FireEye?
FireEye was the first organization to tie the hacker group known as Sandworm, which was responsible for the blackouts in Ukraine in 2015 and 2016, as well as the incredibly destructive worm NotPetya in 2017, to Russia’s GRU military intelligence agency.
FireEye was also the first to provide public evidence that that same threat actor was behind attempted sabotage at the 2018 Winter Olympics. All three of these incidents were later named in a US indictment against six Sandworm hackers.
Do I Need to Be Concerned?
Mandia did say that the tools stolen in the attack, which are able to detect weaknesses in computer networks, could be used against customers or others. However, the attackers appear to have been primarily focused on finding information on select government customers. The attack was extremely targeted.
In some ways, this seems more like an intelligence-gathering operation rather than a smash and grab of security tools.
It may be that the tools were an added bonus. Personally, I am not as worried about the tools as I am about the upping of the Russian game of collecting intelligence on our cleared defense contractors (CDCs) and targeting commercial companies in order to steal their intellectual property (IP).
I believe we are witnessing an attack by a nation with top-tier offensive capabilities. The attackers tailored their world-class capabilities specifically to target and attack FireEye. In most cases, when threat actors like Cozy Bear use these types of capabilities and skill levels, they are not typically identified.
No Zero-Day Exploits Exposed During Breach
In a blog post published on the FireEye website, the company clarified that the tools stolen by the threat actor didn’t contain any zero-day exploits, but instead included well-known and documented methods used to test the security of customers’ networks. Though FireEye doesn’t feel that this incident will greatly enhance the overall hacking capabilities of the group behind it, FireEye is still taking precautions to safeguard customer networks. This is where reconnaissance and counterintelligence resources come into play.
To help other organizations protect themselves against attacks like this, FireEye has published a list of countermeasures that organizations can use to help identify the stolen tools should they be used against them. The list can be found on FireEye’s GitHub repository. Several other security companies have already added the identification methods (TTPs) into their monitoring and alerting systems following the attack, and a few companies even had them in place as far back as October of this year.
The Lesson Behind the Attack: Anyone Can Be Hacked
When a top-tier cybersecurity firm like FireEye is breached, it can be disheartening. After all, if the experts can’t defend themselves against malicious actors, what chance do ordinary organizations have? The first thing we should not do is throw stones or point fingers, because when it comes to high-level nation-state attacks, anyone can become a victim, whether you are a commercial company, a top-tier cybersecurity firm, a US Government agency, or an ordinary small or medium-sized business. Incidents like this are a reminder that no defense is completely impenetrable, particularly when it comes to complex environments like enterprise networks.
The goal of modern security programs, like those provided by EVOTEK, is to take a holistic approach and start with enterprise and security architecture. The focus is on managing and minimizing risk, reducing the chances of being targeted, and helping organizations contain incidents and limit the damage as quickly and effectively as possible. EVOTEK leans in with our clients with an advisory look at strategy, helping our clients map their overall security strategy and integrate it seamlessly into the broader business strategy. That way, when you are focused on security, you are also focused on protecting your most critical and valuable assets and your most sensitive data, your “crown jewels.”
What Steps Can I Take to Safeguard My Organization?
Every organization is different, so you will need to tailor your approach to validate and strengthen your security posture. However, there are a few basic things every organization should be doing. These include:
- Take inventory. You can’t protect your data unless you know what information you are storing. Taking an inventory will give you an accurate picture of your data and allow you to identify the crown jewels of your organization.
- Monitor your network. Monitoring your network allows you to keep a close eye on all network activity, giving you the tools you need to spot suspicious activity.
- Segment your network. Segmenting your network helps contain the threat should your perimeter be breached and provide additional layers of defense around your crown jewels.
- Keep tabs on your endpoints. Make sure you are closely monitoring all traffic entering, exiting, and moving laterally in your network. This can help you spot suspicious behavior patterns that may indicate something is wrong.
- Leverage IDS/IPS. Intrusion detection systems and intrusion prevention systems are critical for monitoring and controlling your systems and networks.
- Use your YARA rules. YARA rules are a way of identifying malware or other suspicious files by creating rules that look for specific file characteristics. YARA rules are commonly used to identify familiar strains or families of malware.
- Monitor and respond to alerts. An alert is only useful if your team gets it and is able to act on it, so make sure to monitor and respond to all alerts.
- Understand your supply chain. Just because your organization takes security seriously doesn’t mean everyone in your supply chain is as diligent with their security practices. Make sure your supply chain doesn’t inadvertently leave your organization exposed.
- Validate regularly. Regularly validating the efficacy of your tools and processes will help ensure they are continuing to meet your needs and give you the chance to update them if necessary.
- Don’t forget your patches! Security patches are essential for addressing known security vulnerabilities. I’m still shocked at the number of organizations that don’t install security patches in a timely manner.
- Practice makes perfect. Even the best, most comprehensive incident response process is only useful if your team knows how to implement it effectively. Running through tabletop exercises with different scenarios, at the very least, will give your team a chance to put their skills and knowledge to the test; just like fire drills, you want to make sure everyone knows what to do and where to go before a crisis strikes.
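To make the YARA item above concrete, here is an added example rule (not part of the original article and not taken from FireEye's published countermeasures). Every string, byte pattern and name in it is constructed for illustration; it shows how a rule combines several "file characteristics" so that no single weak indicator triggers an alert.

```yara
// Constructed example: all names, strings and byte patterns are placeholders.
rule Constructed_Example_Offensive_Tool
{
    meta:
        description = "Illustrative rule: flags a Windows executable carrying tool-specific markers"
        author      = "example"
        note        = "Strings below are invented placeholders, not real indicators"

    strings:
        // Plain-text markers; 'ascii wide' matches both 8-bit and UTF-16 encodings,
        // which is how strings are commonly stored in Windows binaries.
        $s1 = "EXAMPLE-LOADER-BANNER" ascii wide
        $s2 = "example_beacon_config" ascii nocase

        // Byte pattern with wildcards (??) for bytes that vary between builds.
        $h1 = { 45 58 41 4D 50 4C 45 ?? ?? 00 }

    condition:
        // Characteristic 1: file starts with the "MZ" magic of a Windows executable.
        uint16(0) == 0x5A4D and
        // Characteristic 2: size bound keeps the rule cheap and cuts false positives.
        filesize < 5MB and
        // Characteristic 3: at least two independent markers must be present,
        // so one coincidental string match is not enough to fire.
        2 of them
}
```

With the YARA command-line tool installed, a rule file like this can be run recursively over a directory with `yara -r <rule file> <directory>`; each hit should feed into the alerting workflow described in the next item.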
Assess Your Cybersecurity Posture Regularly
The best thing your organization can do is assess your cybersecurity posture regularly and do what you can to make it difficult for attackers to access sensitive data or critical systems. Document data flows for those systems that are of highest priority for the organization (effectively your ‘crown jewels’) and understand the security protections related to these systems. Ensure that you maintain an accurate and complete inventory of sensitive data and the systems and locations that process, transmit, and store this data. Make sure this data is appropriately protected and governed, and that you have monitoring for the access, movement, and user activity around such data.
By regularly validating your current security posture’s effectiveness, you can identify and address gaps quickly, making it more difficult for hackers. You can do this by utilizing breach and attack simulation (BAS) tools, regular security and configuration reviews, and red team exercises. Security teams at times feel this is excessive, but honestly, I feel it’s a necessity to find a vulnerability prior to an actor using it against me. Remember, the “fight isn’t fair,” and the threat actors have the advantage of unlimited money, resources, and time. Malicious actors only need to be right once to infiltrate your network; you and your security team need to be right every single time to fend off attacks successfully. The advent of deception technologies can help change this dynamic. When adversaries interact with decoys in your environment, the resulting alerts can provide early warning of system intrusion. When deception is deployed correctly, the adversary now has to be right 100% of the time or risk signaling their presence in the environment.
Have an Up-to-Date Incident Response Program in Place
You also need to have an up-to-date incident response plan in place to help limit or avoid significant damage should an incident occur.
Not everyone is a cybersecurity expert, but as the FireEye breach shows, even the most prepared organizations will be targeted. Join us on Wednesday, December 16th at noon PST for an executive intelligence briefing from EVOTEK’s Executive Panel consisting of former law enforcement, intelligence community, cleared defense contractor (CDC), and commercial security leaders, to understand how attacks on both commercial and governmental organizations increase during the holidays.