What We Can Learn From The FireEye Breach
Whether you’re in the Security sector or not, you probably heard about the breach FireEye suffered earlier this week, on December 8th. If not, check out their blog post published in an attempt to notify not only their customers, but the industry as a whole.
FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community
In short, it seems a nation-state hacker group was able to gain access to FireEye’s network and steal tools used to conduct their business. FireEye is a multi-million dollar security company that offers a range of products and services, including endpoint and email security, and managed defense services and threat intelligence capabilities. One of their offerings, Security Validation, provides their customers with the tools needed to test their defenses.
We arm you with the ability to optimize your spend on your security stack by testing your configurations with real attacks, not simulations, in the production environment to pinpoint which systems or tools are leaving assets at risk. We proactively identify configuration issues and expose the gaps across your people, process, and technology.
The tools stolen in the attack were what FireEye referred to as their Red Team tools, used in their Security Validation offering, to perform fake attacks on production networks.
When the breach was disclosed on Tuesday, I started to see a lot of posts about it on social media, and some team members at work shared it as well. I won’t deny the fact that a Cybersecurity company suffering a breach is a big deal, but how some people responded shocked me.
If we’ve learned anything in 2020, it’s that things work out better when we come together and support one another. This can be applied to anything. It’s important to work together and learn from one another when a fellow security company is down.
What’s that saying? You don’t kick someone when they’re already down? Yeah, let’s consider that in this situation.
FireEye suffering a breach is something that has a wide range of ramifications on their enterprise. For one, their stock dropped 13% after the news was disclosed. Second, situations like this seriously affect their reputation as a security company. There’s no reason to fuel the fire by adding bad press and publicly criticizing the company on social platforms.
In my opinion, it’s not about whether you get attacked or not, it’s your response to the attack that matters. And it’s not a matter of if you get attacked, but when.
In the technological era we live in, everyone is a target. Are there carefully planned out attacks like this one? Of course. But more often than not, the attacks companies see are opportunistic: the result of an attacker somehow finding out about a company, doing a bit of leg work, and finding a vulnerability they can exploit.
Things to Consider
Before we move on to a lessons learned discussion, let me first provoke some thought here.
FireEye is a well-known, public Cybersecurity company that is held to certain standards.
For one, being that they’re a public company, they’re regularly audited. This means there are people coming in multiple times each year making sure they’re doing what they say they’re doing and, most importantly, checking that they’re compliant with regulations.
If they weren’t compliant in some way, they would be held accountable for that, and depending on the severity, it may be publicly disclosed. Given that, don’t you think we can trust that they did all they could to prevent this from happening?
Second, they have invested millions of dollars to help companies defend against attacks and they provide top notch services and products. Don’t you think they also invest just as much, if not more, in the security of their own company? The security of their network directly impacts their reputation and I think that’s something they’d want to uphold.
What Can We Learn From This Breach?
It Can Happen to Anyone
While our initial reactions to this breach were likely along the lines of, “What? FireEye suffered a breach? How could they let that happen?”, we must take a step back and treat them as we would treat any other company in this situation: a victim.
Although FireEye is a Security company known for helping clients defend against sophisticated attacks, they are just another company that has suffered a cyberattack. This breach is a reminder that it can happen to anyone.
I read an article a few weeks ago by Matthew Doan that talks about how Cybersecurity is being treated as a Finite Game, a game with a clear set of rules and a way to win. The reality is, Cybersecurity rules are always changing, the players are always changing, and there will never be a way to win.
Reframing Cybersecurity as an Infinite Game
A vital lesson for business leaders with big digital aspirations
If an attacker group wants to target a specific company, they will find a way to accomplish that goal because to them, hacking is a game, and one they must win.
Response is Key
In terms of response, FireEye is doing all the right things. They are setting a great example for how technology companies should respond to a breach. Instead of feeling the need to defend themselves and their reputation as a Security company, they’re offering up all the information they have to help other companies better prepare themselves.
On Wednesday they released a prioritized list of CVEs (Common Vulnerabilities & Exposures) whose patches should be applied to affected systems in order to reduce the effectiveness of the stolen Red Team tools. They also released a set of detection rules that can be implemented to assist Security teams in detecting and responding to potential attacks leveraging the stolen tools.
In the face of an attack, FireEye is putting the industry first by providing security professionals with the information they need to protect their companies from an attack carried out using the stolen tools.
You Can Never Be Prepared Enough
New vulnerabilities and exploits are discovered each day, ranging from very low severity to critical issues that should be addressed ASAP.
Being that I work in a Security role, I had to review the information released by FireEye, specifically the CVEs, to ensure my organization implements a patch plan to address those. In reviewing those vulnerabilities I saw that the severity of them ranged from Medium to Critical. Even if you don’t work in the IT industry, you can probably gather that a medium severity vulnerability is categorized as being much less important than a critical one.
There are a number of factors that contribute to the criticality of a published vulnerability, but to sum it up, the industry standard is CVSS, the Common Vulnerability Scoring System. The system factors in eight characteristics of a vulnerability, and the score is then calculated from the combination of those factors.
The score above is a 10, Critical, mainly because the attack complexity is Low (easy to exploit), there are no privileges required to exploit, and an exploit requires no user interaction. There is a lot more to it, but to keep it high level, just know that the ease of exploit directly affects the criticality.
So given the above, security programs usually prioritize critical vulnerabilities over less critical ones that are categorized as low and medium. Why does this matter? Well, the majority of companies have a plethora of vulnerabilities and new ones get added to that every day, so it’s the security team’s responsibility to review those and determine which ones are most important to remediate.
Of the CVEs FireEye noted in their prioritized list:
- 10 are Critical (Score of 9.0–10)
- 5 are High (Score of 7.0–8.9)
- 1 is Medium (Score of 4.0–6.9)
While it’s clear the majority of these vulnerabilities were already categorized as being critical, we must also be aware of these high and medium vulnerabilities. Many security programs are solely focused on Critical findings, some are focused on both Critical and High findings, but many are not looking at Mediums or Lows at all, simply because there are bigger fish to fry.
All that being said, by doing this, we’re choosing to focus on what’s been deemed most important based on the complexity and availability of the exploit, and a lot of the time we neglect to even look at anything with a score lower than 7.0 or 8.0.
Going back to the idea of Reframing Cybersecurity as an Infinite Game, it’s easy to see how it is in fact an infinite game. The threat landscape is changing every day and there will never be a “win” from a security program perspective. There is always work to be done to further protect our companies from falling victim to an attack. Over the years I’ve realized it’s not about preventing an attack, it’s about reducing the impact when an attack occurs. Because if we’re being honest, attacks are inevitable. They’re bound to happen at any organization.
In a perfect world, security teams would ensure all Critical findings are patched, then Highs, then Mediums, and finally, Lows. Wouldn’t that be nice! Unfortunately, in the game of Cybersecurity, new threats are released daily, severity levels change day by day, and many times vulnerabilities relating to those critical threats can’t be patched due to business-related roadblocks.
The game of Cybersecurity is one of careful analysis, prioritization of what matters most to your organization, and of course, execution. It’s one thing to understand the threats to the security of your organization, it’s another thing to be able to address them.
A Message to Those Criticizing FireEye
To those of you blaming FireEye, I urge you to take a step back, look at their actions since the attack, and put yourself in their shoes.
Think about the thousands of people that are now tasked with post-incident responsibilities: the security and legal teams at FireEye working with the FBI to investigate the incident, the employees that have to answer to all the concerned customers, and the team tasked with doing a post-mortem of the incident to ensure it doesn’t happen again.
The individuals that support the organization are real people that work so hard to prevent situations like this. They are already under immense amounts of pressure and stress as a result of the incident; there is no need for us to be criticizing them on top of that.
In my opinion, Cybersecurity positions can be very under-appreciated roles and I think many times people form opinions without understanding the full picture. Only those at FireEye can speak to whether or not they were prepared for this, or what factors contributed to this incident. Many times, security departments face challenges that prevent us from doing our best to secure the organization. To name a few:
- Budget constraints
- Business constraints
- Lack of resources
- Technical debt
The FireEye security team is no different, and they may have faced some of those challenges that prevented them from further protecting the organization.
So, let’s remember to empathize with FireEye and all the individuals working to make organizations as secure as they can be. We security individuals work very hard to do what we can to protect our users, systems, and organization. If the tables were turned, and your organization were in this position, how would you feel if people were criticizing you?