FireEye, one of the world’s largest cyber security companies, announced this week that they were hacked. Their hacking tools were stolen.
CEO Kevin Mandia said in a statement that based on his “25 years in cyber security and responding to incidents, I've concluded we are witnessing an attack by a nation with top-tier offensive capabilities.” The level of sophistication of the attack that FireEye sustained shows it had to have been at the hands of a Nation-State. Fingers point to Russia, as they so often do. FireEye brought in Microsoft and the FBI to help investigate.
The cyber security community has applauded FireEye for promptly disclosing the breach and immediately getting tools out to its clients. They are sharing their indicators of compromise (IOC) and countermeasures on their GitHub account. Nonetheless and not surprisingly, upon the breaking news, FireEye stock (FEYE) dropped from 15.52 to 13.50 a share, a capitalization loss of $450m. It could have been worse.
These kinds of attacks do happen. Just in the last few years hackers have hit to name but a few of the bigger names: the U.N., Bank of America, Equifax, LinkedIn, Deloitte, Tumblr, Saudi Aramco and Twitter. Hackers have breached security companies like FireEye including Kaspersky in 2015, RSA Security in 2011 and Avast in 2017 and 2019.
Speaking of Twitter… the danger of adversarial cyber attack brings another news item into focus - Twitter has appointed Peiter Zatko, a renowned hacker as its Head of Security. Known also by his hacker handle Mudge, he is tasked with making changes in both infrastructure and procedures. Prior to this post, he worked with Stripe, Google and DARPA. His introduction to cyber was with the hacking group Cult of the Dead Cow. They were best known for releasing MS Windows hacking tools in an effort to push Microsoft to improve its security.
Hackers work 24/7 and don’t take off for holidays. They plot and scheme and dig, hoping to find a new way in, every day. The adversarial landscape changes continually. Likewise, the security measures defending against that enemy must be continuous and vigilant.
In security, mind set is critical. A committed adversary is not limited by law, rules or morality. For an adversary, a challenging situation only represents an opportunity to use creativity to solve it. They are aggressive and highly motivated. To effectively secure against adversaries, savvy security professionals adapt that same attitude. That stance would inform how assessments are made and analyzed and guide the design of procedures.
This is why we at Chameleon carp on about the benefits if not necessity of red teaming. True, FireEye conducts cyber red teams for its clients, that’s its business. One wonders of course what exactly went wrong there. We encourage our clients to share red team results as broadly as possible so that everyone involved even on the periphery of security is informed and on board. It will be interesting to see what FireEye learns and what it shares about the hack.
Insider threat prevention is another important element in a good security system. Often, a hack is accomplished from the inside by exploiting naivete via social engineering or leveraging malicious intent from company employees. The best firewalls in the world can’t prevent a key employee from giving away critical information knowingly or unknowingly to assist an assault. Many organizations spend incredible resources on technical measures while neglecting the chance to find the bad apples on the human element side.
Doesn’t it just make total sense to hire an ‘adversary’ to safeguard against adversarial threats wherever or however they might appear?