What Comes After the FireEye Attack

By now it’s common knowledge that FireEye has disclosed they were the victims of an attack by a nation-state seeking government information. If you aren’t aware of the particulars of this attack, I strongly encourage you to take a few minutes and read the blog posted by the FireEye team. It includes details about the attack and what was compromised, as well as how the company plans to address the situation.

In the next few days, we will face a barrage of messages from vendors seeking to reassure their customers that this isn’t a big deal and/or use this as an opportunity to sell them additional solutions. What I want to do is cut through all this noise and share what the real takeaways are from this attack.

1. No one is Immune. Seriously.

By far this is the thing all of us should keep top-of-mind. It doesn’t matter if you’re a consumer or a multi-billion-dollar enterprise, no one is immune to an attack. FireEye kept their red team info in a guarded vault and it was still compromised. Be wary of any vendor or partner that promises or guarantees that this type of attack will not happen to you or to them because that’s simply not the case. Dr. Chase Cunningham, author of Cyber Warfare – Truth, Tactics and Strategies and Principal Analyst at Forrester lays this out pretty clearly in his latest video.

2. Post-Attack Transparency is Paramount

The FireEye team did everything right here, including posting a list of countermeasures for publicly-available technologies. As they’ve demonstrated, by far the most important thing any organization can do once it has been the victim of an attack is clearly and openly communicate what happened, how they’re moving forward, and what their customers and partners need to know and need to do.

Transparency is particularly critical with this attack as we do not know if the attackers in this case plan to use the Red Team tools themselves or release these tools publicly. Because FireEye has been transparent in detailing exactly what was compromised, organizations can be ready for either scenario.

3. Moving Forward – Vigilance

Look – FireEye isn’t the first and won’t be the last major vendor targeted by nation-state attackers. What will be critical as we move forward is continued vigilance and an understanding that security is not a static event but an ongoing process. This means constantly evaluating your security efforts and ensuring all of your solutions reflect the latest updates and patches.

What Stealthbits Customers Need to Know

In the spirit of constant vigilance, there are a few things Stealthbits customers should know in the wake of this attack. First, rapid patching is the front line of defense, so I encourage you to verify you are patched for these vulnerabilities as we expect an uptick in exploitation. Second, deploy the YARA rule set to detect the FireEye tooling in their EDR solution. The point of this blog is not to criticize FireEye or any other security vendor who has faced an attack or break in the last few years. In fact, it’s the opposite, in face of an attack, FireEye has responded absolutely the best way possible – by being transparent.   The message I want to leave you with is focused on a way forward – to identify a pragmatic solution to eradicate these attackers.  Let us find ways we can work together and stay vigilant, offering the very best protection to keep your critical assets safe.

If anyone has any questions or would like to discuss Stealthbits solutions, I invite you to reach out to me personally at Jim.Barkdoll@stealthbits.com.