As probably everyone knows by now, FireEye reported this past Tuesday that they had been “hacked,” underscoring our industry’s worst fears.
Specifically, they reported that the intrusion was carried out by state-sponsored hackers with “world-class capabilities” who managed to break into its network and steal its red team toolkit, the set of offensive security tools FireEye uses to mimic threat actors when testing the security of its clients’ networks.
Trust Broken, Fears Amplified
When one of the biggest and most successful global security firms is breached, it does not just alarm the security community; it casts a shadow over the round-the-clock effort that everyone involved in this fight puts in every day.
It also paints a vivid target on thousands of FireEye’s customers, including a disproportionate number of federal, state, and local government agencies.
It even overshadows the Shadow Brokers’ April 2017 publication of the National Security Agency’s most coveted hacking tools. That leak led directly to the repurposing of the leaked exploits into the WannaCry and NotPetya worms, which shut down computers worldwide. Until Tuesday, that lapse, and its magnified consequences, was arguably the costliest cyber-operational mistake on record.
The fact that it happened to the National Security Agency amplified our fears and suspicions about whether anything is truly secure; after this week, whatever doubt remained is gone.
If one of the top cybersecurity firms can’t protect itself, how can clients be sure anything from anyone will keep them safe? The myth of a “secured environment” has been revealed to be exactly that.
Our Industry Experts Weigh In
I am fortunate to be surrounded by 40 of the finest CISOs on the planet, who voluntarily serve on our customer advisory board. When queried last evening, people like James Bone, Dan Bowden, Chuck Brooks, Don Cox, Summer Fowler, Richard Harrison, Mitch Parker, Roger Sels, Greg Touhill and Kathy Wang weighed in with remarkable insights. These ranged from cautionary advice that the stolen FireEye tools may make new attacks harder to detect, and the heightened national and global threat to the logistics and distribution of the COVID-19 vaccine, to our current state of blurred situational awareness, which contributes to the apparent ease with which the threat actors penetrated with such precision.
Other observations from those closest to the federal government included sobering assessments that this breach was a significant attack with a far-ranging impact and a real coup for the attackers.
Chief among them may be that insight into FireEye’s proprietary information helps the adversary understand which parts of its own arsenal FireEye (and potentially the U.S. government) have figured out and which they have not, providing invaluable intelligence for refining that arsenal.
Understanding FireEye’s playbook may also give the (alleged) nation-state actor clues about which new tools to develop in order to neutralize FireEye’s (and potentially the U.S. government’s) tools and tactics, techniques and procedures (TTPs). And FireEye’s proprietary reports on its red team and pentest customers would be a rich treasure trove of information that can inform further campaigns.
An intriguing question is, if this was indeed the work of a nation-state actor group, why had the attack not been picked up and interdicted by U.S. Cyber Command and the intelligence community? And, given initial reports that FireEye discovered the attack through a review of VPN traffic logs, why was FireEye exposing sensitive data to an attacker who could drill into the environment with stolen credentials over a VPN, rather than using more tightly controlled Software-Defined Perimeter capabilities?
The view most commonly shared among the CISOs on our advisory board is that we rarely share intelligence about operational deficiencies, budget inadequacies, or best practices as actually deployed. The result is a failure to evolve better practices, while our adversaries have built a giant dark-web marketplace, estimated at $3.5 trillion, where all of these deficiencies are made freely available to anyone.
Applying the Golden Rule
In addition, as some of our advisory board members point out, we need to stop wringing our hands and start analyzing, learning, and sharing from these attacks. Without that focus we will never get better. Casting stones at FireEye will not improve cybersecurity for anyone else; treating them as we would want to be treated is, in fact, one of the golden rules of life. A primary goal of the adversary may very well have been to sow doubt and inflict reputational damage (especially since we are learning that much of what was accessed is built on open source), and boy, did it do just that.
Information sharing is one piece of the solution, so now is the time to listen to what FireEye can tell us about this incident (ears open, mouths shut). While we are at it, we need to keep our eye on the ball within our own organizations, remembering the basics of asset management and prioritizing the protection and sustainment of our crown jewels.
Dealing with a Destructive Threat Landscape
Our industry has been operating on an assume-breach, detect-and-respond set of protocols for years. Cases like this breach strongly emphasize that unless the detection-to-containment-to-remediation timeline is measured in minutes, we will always suffer impact, lose (IP or client) data, and mount extensive and expensive recovery activity. Continuing this strategy into the future, with 5G around the corner, essentially guarantees a destructive threat landscape.
Cases like this strongly emphasize that detection alone isn’t a winning strategy; you need prevention first, then a response for the remainder that cannot be automatically prevented. Pushing everything into detection is unsustainable.
We are relying on human defenses, but cyber is no longer a human-scale problem. Adversaries are automating, and they are also sharing toolsets. Saying this was done by an advanced adversary obscures the reality that any criminal group can acquire these toolsets easily and cost-effectively today, which lowers the bar substantially. Factor in that there are now dozens, if not hundreds, of such advanced nation-state adversaries, and you quickly realize that cyber warfare is asymmetric and heavily favors the adversary.
Government’s Failure to Understand
If China is involved, then, as I have argued for years, we can no longer treat that country as a partner or a mere competitor. China is an adversary, and a very competent one to boot. Its advances in quantum computing are eye-watering, while we continue to underfund and downplay what now amounts to a national emergency and an existential moment in the arc of history.
As a glaring example of our failure to understand the threat at the top echelon of the federal government, Sen. Mark Warner, D-Va., vice chairman of the Senate Select Committee on Intelligence, applauded FireEye’s transparency in the wake of the hack and said he hoped it would serve as an example to other companies. He also said it underscores the shared interest of U.S. companies and the government in beating back cyberattacks from foreign governments.
If that statement is to be taken at face value, then Senator Warner must answer why our government-funded quantum research amounts to a paltry $1.2 billion spread over five years, while China has already linked several cities with a quantum key distribution (QKD) network (one that in principle detects eavesdropping on the key exchange, though QKD endpoints and implementations remain attackable, so “impenetrable” overstates it). A deeper dive into that funding reveals that only 20% of it is designated for quantum computing research, the same share dedicated to global warming.
It is long past time for our governing leaders to stop talking and start recognizing and acting upon the strength of our opponents and the relative weaknesses of our own capabilities in cybersecurity. As our friend Keith Alexander, the retired four-star general whose eight-and-a-half-year tenure as Director of the NSA is unprecedented, has said, “We need an air traffic control system that could sit on top of all security infrastructure in partnership between the federal government and private industry, before these attacks can be managed in any meaningful way.”
Time to Take Security Seriously
FireEye’s disclosing what happened and identifying which tools were taken is definitely helpful and will minimize the chances of others being compromised as a result of this breach; Kevin Mandia, its CEO, is to be applauded for his transparency and speed in acknowledging it.
What we learn from this breach about our defensive capabilities and our reliance on a compromisable human factor is far more important than the damage that may ensue. Until we start taking cybersecurity seriously, from our government and our boardrooms down through the most junior clerical pools and the most disconnected everyday citizens, we will continue to see attacks like this one, with consequences far exceeding those of a stolen toolkit.