Assume you are breached: a common maxim among security professionals that simplifies decision-making and improves your overall security posture. We all think it will never happen to us; in fact, secretly we hope it will happen to someone else so we can carry on with our busy day job. The thought, however, is always in the back of our minds: is today going to be me?
Today, 8th December 2020, I already had my day planned out: looking through last night’s emails with my first cup of coffee, reviewing threat feeds and skim-reading colleague emails for anything needing an immediate response. I quickly found myself focusing on a number of headlines reporting that FireEye had been targeted by a highly sophisticated threat actor who broke into its corporate network and stole a range of automated hacking tools and scripts. My first thought was of a similar event in 2017, when the Shadow Brokers released the NSA toolkit containing ‘EternalBlue’, which later fed into all manner of exploits that cost businesses billions across the globe.
No Zero-Day Exploits or Unknown Techniques
FireEye state that “The Red Team tools stolen by the attacker did not contain zero-day exploits. The tools apply well-known and documented methods that are used by other red teams around the world. Although we do not believe that this theft will greatly advance the attacker’s overall capabilities, FireEye is doing everything it can to prevent such a scenario.”
A comforting statement: there are no weapons of mass destruction being unleashed on the population, only known weapons that have been modified to evade common security tools. Just let that thought settle in for a second...
This reminds me of the scene in Die Hard 2 where the bad guy has a ceramic gun to bypass the metal detectors in the airport. After all, we are nearly into Christmas, and what a great Christmas movie that is.
Well, I feel much more comfortable now... or do I?
FireEye Products Protect Customers Against These Tools
Reading further through FireEye’s statement they importantly point out “Teams across FireEye have worked to build the countermeasures to protect our customers and the broader community. We have incorporated these countermeasures into our products and shared these countermeasures with our partners, including the Department of Homeland Security, who have incorporated the countermeasures into their products to provide broad coverage for the community.”
That’s good to know: they are taking the responsible course of open disclosure and sharing countermeasures with the wider community. I am still left wondering what went wrong and whether we will ever know the truth. Most importantly, how did this happen to someone like FireEye?
Did you Practice what you Preach?
I regard FireEye as one of the leading security companies. In their own words: “FireEye is on the front lines defending companies and critical infrastructure globally from cyber threats. We witness the growing threat first-hand, and we know that cyber threats are always evolving. Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack.”
As a security company, did FireEye rely only on their own products to protect their infrastructure, or did they use a blend of different vendors, as advised for a defence-in-depth approach? Also, are their in-house systems as robust as those they build for paying customers? For a service business it is easy to imagine the focus being directed outwards. Like a Michelin-starred chef, I bet they cook very differently at home!
I think it’s fair to say that if an adversary has the resources of a technologically advanced and well-organised nation state to wage war on a corporation, it is only a matter of time before they cross the threshold and breach the business. If the likes of FireEye can be compromised, how safe is your house?
Keep your Home Safe
Burglars are often opportunistic thieves who prey on houses and flats. They seek out any opening that they can take advantage of, specifically doors and windows that are left open or unlocked or are easy to force. Anything of value that they might spot through a window will only spur them on. But it really doesn’t take much to deter these thieves – just smart thinking.
Good advice from the Metropolitan Police.
Lock your Doors and Windows
There are valuables inside your business: physical assets as well as intellectual property. Furthermore, denying you access to your own data can be used for blackmail, in the form of ransomware. A good first step is to install firewalls and limit access to a small number of ports, and where possible have connections originate outbound so that no inbound ports are left open to be probed and tested. Expanding on this approach by segregating internal systems with firewalls into ‘security zones’ limits access and helps restrict lateral movement.
Use strong locking mechanisms such as passwords, and where possible deploy multi-factor authentication and enforce encryption for sensitive data in transit and at rest. Also, keep your applications patched and up to date.
Don’t Leave Valuables on Display
Be conscious of what you share online and what data is visible. Documents may carry metadata that gives an adversary information such as a person’s name, email address or even their login ID. Staff CVs on LinkedIn, or recently posted job adverts that list every technology in use at your place of work, provide attackers with helpful information.
Fit a Burglar Alarm
Deploying endpoint protection that not only identifies threats but can also block and report on behaviours is highly recommended. Where tools rely on signatures, these need to be kept constantly up to date. Ideally, next-generation tools should be used that incorporate artificial intelligence to identify actions, traits and patterns rather than just fixed signatures. Get in front of malicious cyberattacks with data science.
Secure your Sheds and Garages
Secure your outbuildings, such as your external portals, websites, forums and DMZ, with the same level of protection (and sometimes more) afforded to internal systems. Because your employees and partners trust these systems, they could be used as a ‘watering hole’ to stage content that is then brought into your business by trusted people.
Monitoring network, endpoint and device activity is essential to understanding the health and status of your environment. After all, remote attacks have to use your infrastructure to move laterally or exfiltrate data. Monitor, control and be alerted to suspicious or out-of-character communications.
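The two points above, behaviour rather than signatures under "Fit a Burglar Alarm" and "out of character communications" here, come down to knowing what normal looks like per host and alerting on deviations. The following is an added example, not code from this post or any vendor it mentions: it learns each host's usual outbound destinations, ports and transfer sizes from a history of connection records, then flags new connections that break that pattern. The log format, host names, addresses and volumes are all constructed for the demonstration.

```python
"""Flag out-of-character outbound connections from connection log lines.

Added example for this post; not FireEye's or SolutionsPT's code.
Log format and all hosts/addresses are constructed. The history lines
play the role of a known-good baseline period; the new lines are the
traffic being monitored.
"""
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass
class Conn:
    ts: str
    host: str
    dst: str
    port: int
    bytes_out: int


def parse_line(line: str) -> Conn:
    """Constructed format: '<iso-ts> <host> <dst_ip>:<port> out=<bytes>'."""
    ts, host, endpoint, out = line.split()
    dst, port = endpoint.rsplit(":", 1)
    return Conn(ts, host, dst, int(port), int(out.split("=", 1)[1]))


class Baseline:
    """Per-host picture of normal outbound behaviour learned from history."""

    def __init__(self, history):
        self.dests = defaultdict(set)
        self.ports = defaultdict(set)
        self.sizes = defaultdict(list)
        for c in history:
            self.dests[c.host].add(c.dst)
            self.ports[c.host].add(c.port)
            self.sizes[c.host].append(c.bytes_out)

    def check(self, c: Conn, volume_factor: float = 10.0):
        """Return the reasons this connection deviates from the host's baseline."""
        if c.host not in self.sizes:
            return ["host has no baseline"]  # unknown device talking out
        reasons = []
        if c.dst not in self.dests[c.host]:
            reasons.append("new destination %s" % c.dst)
        if c.port not in self.ports[c.host]:
            reasons.append("unusual port %d" % c.port)
        typical = statistics.median(self.sizes[c.host])
        if c.bytes_out > volume_factor * typical:
            reasons.append("outbound volume %d bytes vs typical %d"
                           % (c.bytes_out, typical))
        return reasons


def detect(history_lines, new_lines, volume_factor: float = 10.0):
    """Return (ts, host, dst, port, reasons) for every connection that deviates."""
    base = Baseline(parse_line(l) for l in history_lines)
    alerts = []
    for line in new_lines:
        c = parse_line(line)
        reasons = base.check(c, volume_factor)
        if reasons:
            alerts.append((c.ts, c.host, c.dst, c.port, reasons))
    return alerts


# Constructed baseline: a workstation and an HMI with their usual traffic.
HISTORY = [
    "2020-12-01T09:00:01 eng-ws-01 10.0.5.20:443 out=1200",
    "2020-12-01T09:05:13 eng-ws-01 203.0.113.10:443 out=4100",
    "2020-12-02T10:12:44 eng-ws-01 10.0.5.20:443 out=2600",
    "2020-12-03T11:30:07 eng-ws-01 203.0.113.10:443 out=1800",
    "2020-12-01T09:00:05 eng-hmi-07 10.0.5.20:443 out=400",
    "2020-12-02T09:00:05 eng-hmi-07 10.0.8.3:502 out=350",
    "2020-12-03T09:00:05 eng-hmi-07 10.0.8.3:502 out=420",
]

# Constructed traffic to monitor: two normal records and two deviations.
NEW_EVENTS = [
    "2020-12-08T02:14:05 eng-ws-01 203.0.113.10:443 out=2200",
    "2020-12-08T02:17:41 eng-ws-01 198.51.100.77:443 out=48000000",
    "2020-12-08T02:20:10 eng-hmi-07 10.0.5.20:3389 out=900",
    "2020-12-08T02:22:33 eng-hmi-07 10.0.8.3:502 out=300",
]


def run_demo():
    return detect(HISTORY, NEW_EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The baseline here is deliberately simple (sets and a median) so the logic is visible; the same structure scales to a real firewall or proxy export, and the volume factor is the knob to tune against your own false-positive rate. The large transfer to a never-seen address and the HMI suddenly using RDP are exactly the "out of character" events worth a page at 2 a.m.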
Report Crime to the Local Police
I’m pleased that FireEye have been open about their data breach, and I look forward to learning more from their unfortunate experience and what ‘we’ as professionals can do differently to protect against these threats. Sharing experiences and striving to make the world a safer and more secure place to do business are the primary objectives of the NCSC, which cannot do this alone; it relies on experts such as FireEye and others to provide industry insight and global knowledge to combat cybercrime.
With the Christmas holiday nearly upon us, before you break up it would be prudent to give your systems a quick once-over to make sure you are as protected as you can be, with up-to-date patches, especially on your gateway devices. While you are away from the office, adversaries will be probing your systems for weaknesses, looking to exploit the holiday. Last year, on 31st December, Travelex were targeted through an unpatched vulnerability in their Virtual Private Network (VPN) that cost £52m in recovery and wiped £192m from their share price. Easily avoidable.
How we Protect Against Cyber Threats
At SolutionsPT we help our customers protect against threats with our award-winning security and recovery solutions for OT. We don’t claim that events like this will never happen to our customers, because this is clearly possible. What we do is continue to closely monitor and follow the ever-evolving cybersecurity threat landscape across industrial environments, to make sure we fully understand the risks so that we are able to support and advise our customers accordingly.