Unfortunately, it can happen, even to the most secure of us.
The recent breach at FireEye, one of the world’s largest and most sophisticated cybersecurity firms, has demonstrated that no-one is safe from hackers and network breaches.
In the case of FireEye, the damage is potentially very serious, with ramifications that go beyond corporate boundaries. FireEye is a trusted source of security services to many corporate and government organisations, and its ‘tiger team’ penetration tools are used to probe the defences of these enterprises.
In this breach, it would appear that the threat actors did more than simply break into the network: they also took away with them some of the tools used by FireEye to test the defences of its clients. This gives the bad guys the ability to see which weaknesses and vulnerabilities are known and are routinely tested against, and thereby provides them with ways for future attacks to bypass the known routes.
There is, at least, a little light at the end of the tunnel. None of the ways in which this breach was effected is classed as a “zero day” exploit, that is, one previously unknown to defenders and mitigation services. The information stolen is more in the nature of how attacks are detected than about which attacks are known, but the theft means that FireEye will be forced to re-invent its toolkit in order to stay one step ahead in this game.
As to who the other players in this game might be, FireEye is understandably cagey about identifying them. However, some anonymous sources believe that the level of sophistication and execution points to a state actor, with the usual suspect, Russia, at the forefront of the list, and specifically the APT-29 Cozy Bear hacking group.
According to a memo from FireEye CEO Kevin Mandia, “we are witnessing an attack by a nation with top-tier offensive capabilities. … The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. … They used a novel combination of techniques not witnessed by us or our partners in the past.” The FBI and Microsoft are also working with FireEye on this case, and are likewise in agreement with FireEye that novel techniques have been used by highly sophisticated attackers.
John Douglas, Technical Director of First Response, comments, “While FireEye is clearly a very tempting target for an attack, no organisation should assume that their network is too small or negligible to be ignored. Almost without exception, no network will have the level of security and protection possessed by FireEye’s network, meaning that attackers will go for the lower-hanging fruit.”
Furthermore, he adds that even though an enterprise’s network may contain little of interest or value to an attacker, the interconnected nature of today’s businesses means that even such seemingly unimportant networks may act as a trusted gateway to another, more lucrative target. The Christmas and holiday season is an especially vulnerable time, often with key staff away from the office and with corporate guard and vigilance relaxed.
Though it is impossible to guarantee with 100% certainty that no attacker will ever be able to breach a network, it is possible to mitigate the risk. One practical step that can be taken, Douglas suggests, is to harden the perimeter, making the network a less attractive, because more difficult, target. Perhaps more importantly, it is essential to prepare for the worst case, and have an incident response plan clearly defined and ready to go, meaning that in the event of a security breach, your everyday operations can be restarted with the minimum of fuss and delay.
First Response can help you with both the hardening of network security, including the provision of 24/7 proactive monitoring, and the creation and maintenance of a practical incident response plan. Please feel free to contact us to discuss your needs.