No organization is 100% secure – ever!
FireEye is one of the world's best-known cybersecurity firms, with customers that include major government agencies and enterprises around the world. The company is known for its world-class research on state-sponsored threat actors and for its incident response capabilities.
On 8th December 2020, FireEye CEO Kevin Mandia said in a public statement that they were recently attacked by a highly sophisticated threat actor. “This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”
This led FireEye to believe that it was a state-sponsored attack, which the company has not attributed to any particular country, although the Washington Post reported that it was the hacking arm of Russia's SVR foreign intelligence service, known in the security industry as APT29 or Cozy Bear. At the time, the company confirmed that it had not seen any evidence that customer information was stolen, although the attackers did access the company's internal red team tools. Red team tools are offensive software and utilities that a company uses to probe weaknesses in its customers' computer networks in order to test their cyber defences. In a blog post, the company confirmed that the accessed tools did not contain any zero-day exploits, and that it would do everything it could to limit the attacker's ability to use them.
Does the attacker actually need FireEye's internal red team tools? Not necessarily: the company states that the attackers used a never-before-seen combination of techniques to break in, so the threat actors are likely more than capable of building tools similar to FireEye's on their own. So what is the risk? Government agencies and enterprises that are not FireEye customers might not have detection for these tools in place, because the tools were designed to be undetectable during red team engagements.
Therefore, as promised, FireEye soon released hundreds of countermeasures to identify any of the stolen tools being used in the wild. These include indicators of compromise (IOCs) as well as detection rules and signatures for publicly available or open-source detection technologies such as OpenIOC, YARA, Snort, and ClamAV. The list of CVE identifiers associated with the tools is also available in FireEye's GitHub repository (see Resources below).
What next?
A point to note is that most of the stolen red team tools (like other publicly available tools) can be slightly modified to evade signature-based detection. Hence, it is crucial to understand that these detection rules alone will not prevent an organization from being attacked. Organizations should keep doing the fundamentals that secure them: managing and patching vulnerabilities within a reasonable time, and deploying an alerting mechanism for their infrastructure using IDS/IPS and firewalls.
Resources:
https://github.com/fireeye/red_team_tool_countermeasures