Everyone is susceptible to a successful cyber-attack, even one of the world’s best cybersecurity firms: FireEye. You may have heard the name prior to the recent reports of a breach, as people from FireEye are frequently guests on national news shows or quoted in national and international publications.
Let’s take a closer look at the recent breach at FireEye, which is even more evidence that cybersecurity strategies need to emphasize detection, response and recovery, as prevention is only one piece of effective cybersecurity programs.
Over the last few years, hackers have increasingly targeted service providers – from developers to outsourced IT service companies – and the FireEye breach suggests that trend continues today. Despite FireEye being a top-tier security company that Fortune 500 companies, governments and even the FBI hire for its cybersecurity services, it was still hacked. If this does not convince you that anyone can be hacked, what will?
The Significance of the FireEye Hack
You may be asking “If everyone can be hacked, why spend so much on cybersecurity?” Well, any home can be broken into, but you still lock the doors and enable the alarm. Cybersecurity is the deadbolt and chain, the alarm and the call to emergency services – in this analogy the deadbolt is the prevention phase, while the alarm and emergency call are detection and response, respectively. To extend the analogy, the FireEye security breach is like a thief getting the master key to an apartment complex (or to the lockbox that contains all the original keys). These hackers may now have a much easier time breaking into the complex’s units (or FireEye clients) without breaking the physical locks that would otherwise trigger an alarm. With more sophisticated thieves, you may have a greater need to review your investment in cybersecurity.
FireEye has acknowledged that the hackers made off with a copy of its proprietary tools for conducting assessments and performing penetration tests on its clients. This is an issue because the only difference between a penetration tester and a criminal hacker is ethics. Tools created and used by ethical hackers like the penetration testers at FireEye (or here at CyZen, for that matter) are a gift to criminals – it’s like having a better lock pick. While these tools might not benefit state-sponsored clandestine operations like those allegedly behind the attack on FireEye, they can still be useful, if only as something that can be sold on the dark web. Better tools in the hands of a thief warrant double-checking the locks on your door.
It is not yet known what else may have been stolen. FireEye, as of its initial news release, could not rule out the possible exfiltration of client information, reports on detected vulnerabilities or the trending data for detected weaknesses. This information could expose FireEye’s clients unless the documented vulnerabilities have already been addressed. Trending data could enable attacks on a network that succeed faster and help criminals remain undetected. Dwell time is a key metric in cybersecurity: how long an attack goes on before it is detected. Ask yourself “how long does it take emergency services to respond to a call from central station? Can your business live that long?”
Any time a managed service provider (“MSP”) or managed security service provider (“MSSP”) is hacked, there is a concern that hackers may also attack the victim’s clients. FireEye sells and services network and email threat detection appliances. This service is typically done remotely. The hacker may now have tools and information that will allow them to use FireEye appliances to snoop on networks utilizing the company’s security monitoring and threat detection tools without being discovered. To do so, the hacker would likely need to convince the client to enable the remote access features and enable shell access. This may be enough of a barrier to prevent intrusion, but the threat is significant enough to warrant mentioning. The takeaway for you is to ask: What monitoring technology do you have in place? Can it detect activity by users and systems that are outside the norm?
Takeaways and Response Recommendations
As a business operating in the 21st century, you already know you’re at risk of cyberattack, so what does the FireEye hack change? It boils down to escalation. Hackers may now have a new set of industry-leading tools that could enable them to attack companies and networks without being detected. The good news is there are things you can do to ensure the threats are reduced:
- First off, if you are a FireEye customer, you want to update passwords and rotate access certificates for their managed services. Contact your client representative for assistance.
- If it has been some time since your last vulnerability and risk assessments, now is a good time to schedule these with a service provider.
- Speak with your IT and security teams to have them double and triple check that your security configuration is up to date – many companies are behind due to the pandemic.
If you need help, CyZen, a Friedman LLP powered company, is ready to assist with everything from assessments to 24x7 log monitoring and response management. CyZen offers a variety of packages to meet your company’s technological needs. We do not sell software or hardware, but lead with our expertise and services. First, we make sure the solutions you have are working as expected. Then we ensure they are fully utilized for effective and efficient operations and security. When there is a compelling need, we may suggest adding or replacing a solution – our product is our service and people, not widgets. By emphasizing a high-touch, personal approach, we are able to make real security the priority.
Need Cybersecurity services?
Contact us today by visiting us at CyZen – Cybersecurity Consultants – Infosec Services, emailing firstname.lastname@example.org or calling 212.842.7005.