By Chris Nyhuis, Vigilant CEO
A Vigilant Threat Alerts Series
We are fairly certain that by now you have heard about the FireEye attack in the news. This type of news is never good, and you have to feel bad for them. As security practitioners, we are all on the same side of this battle.
The attack against them was led by a nation state and was highly targeted, with what appears at this point to be a very focused goal: the attacker wanted to steal the attack tools FireEye had created to test the defenses of its clients. This point has caused some confusion in the marketplace, so we want to bring awareness to the points that directly matter to you and clear up any confusion.
There were two parts to this attack. The first stage of the attack was to bypass FireEye's defenses. The second stage of the attack was to steal FireEye's hacking tools.
- First Stage:
  - Key Takeaway: The initial attack against FireEye could have repercussions for some companies.
  - Implications: The attacker that compromised FireEye's defenses now has specific tools and tactics that can be used to circumvent FireEye systems. FireEye has not indicated whether they know the details of these tools or tactics yet, or whether they have protections against them, so it is possible that these are still effective attack tactics in general.
- Second Stage:
  - Key Takeaway: Attack tools FireEye created to test the defenses of their clients can now be used by attackers. This is the point the public should be most worried about. FireEye developed in-house custom attack tools (e.g. malware, phishing schemes, etc.) that they used as part of the Security Validation services they offered to customers. These tools appear to be the focus of the attack and the primary assets that were stolen.
  - Implications: Now that these tools are in the wild, they can be used against companies to gain access to their environments.
  - Silver lining: FireEye quickly let the security community know the details of their stolen tools so that security companies (like Vigilant) could create detection and prevention against these custom attacks. That being said, what we (and the broader security community) do not yet know is exactly when the attack occurred and how long ago the tools were stolen. The tools could have been in the wild for a long time; however, FireEye has not released details about these circumstances yet.
As a Vigilant customer, you are covered. Due to FireEye's quick release of information about what was stolen, the security community could take action (again, we are all in this fight together, and we have great respect for them for doing this). Vigilant reviewed the attack profiles of the stolen tools and, as of this morning, has detection in place to identify and prevent attacks from these vectors. If you subscribe to our services, we have detection for these attacks and there is no additional action you need to take.
If you are only taking advantage of one of our managed services (e.g. CyberDNA® or MEDR) and would like to learn how to both strengthen your security and reduce your security risk, please contact your Vigilant Customer Relationship Specialist.