Threat actors steal ‘white hat’ tools, but FireEye publishes countermeasures to help the cybersecurity community thwart their use.

The cyberattack on FireEye, revealed earlier this week, elevates cyber risk for all organizations. But thanks to information sharing and countermeasures released by FireEye, it’s an increased threat level that cybersecurity professionals can anticipate and mitigate.

As was widely reported, after equity markets closed on Tuesday, FireEye announced that a cyberattacker — most likely a nation-state — had accessed Red Team tools that the company normally uses to test its own customers’ security. These are tools that FireEye legitimately uses, with customers’ permission, to perform “white hat” attacks that test the cyber resilience of an organization. Though different in detail, these are similar in concept to the phishing simulation tools offered by companies to test employees’ cybersecurity awareness.

In his public notice, FireEye CEO Kevin Mandia wrote that the attackers “used a novel combination of techniques not witnessed by us or our partners in the past.” The techniques thwarted counter-security tools and forensic examination, helping the cyberattackers operate without detection. According to The New York Times, that included using thousands of newly registered IP addresses that had never before been used in attacks.[1] Mandia said there’s no evidence that customer information was compromised; but if any emerges, the customers involved will be contacted directly.

What FireEye is Doing to Help Organizations Increase Cyber Resilience

Mandia went on to list a series of actions FireEye is taking to help customers and the broader cybersecurity community protect themselves should cyberattackers begin to use the stolen tools. To date, though, the company has not detected any evidence that the tools have been deployed. FireEye did not reveal exactly when the attack took place.

FireEye’s actions include:

  • Developing more than 300 countermeasures that can be used to defend against its Red Team tools,
  • Incorporating those countermeasures in its own products, and
  • Making them available to the entire cybersecurity community via GitHub.

Additional Countermeasures to Increase Your Cyber Resilience

In addition, Carl Wearn, Head of Risk & Resilience, E-Crime & Cyber Investigation at Mimecast, noted that it’s important to pay close attention to perennially recommended cyber hygiene principles — which too many organizations ignore. These include:

  • Strictly limited access controls
  • Robust phishing protection and anti-phishing awareness programs
  • Using multifactor authentication (MFA)
  • A strong password regime
  • Regular and timely patching of critical vulnerabilities (as these are most routinely targeted by such tools)

“Organizations should pay particular attention to remote access tools such as remote desktop protocol (RDP) processes and network traffic to prevent exploitative intrusion or exfiltration,” Wearn said. “These are mitigations organizations should be utilizing in any case, given threat actors’ continued significant focus on RDP processes and exploits.”
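One concrete way to act on the RDP advice above is to watch the Windows Security log for RemoteInteractive logons and failures. The script below is an added example written for this page; it is not part of the original article and not FireEye’s or Mimecast’s tooling. It assumes log records exported as one JSON object per line with the standard Windows field names (EventID, LogonType, IpAddress, TargetUserName, Computer), an organization-defined list of internal address ranges, and a failed-logon threshold of 5; the sample events are constructed, not real data, and use RFC 5737 documentation addresses as stand-ins for public sources.

```python
import ipaddress
import json
from collections import Counter

# Windows Security log semantics used below (documented Microsoft values):
#   EventID 4624 = successful logon, 4625 = failed logon
#   LogonType 10 = RemoteInteractive, i.e. an RDP session
RDP_LOGON_TYPE = 10
FAILED_LOGON_THRESHOLD = 5  # assumption: tune to the environment

# Assumption: the organization's internal ranges. Anything that parses and
# lies outside them is treated as external. An explicit list is used instead
# of ipaddress.is_private/is_global because those also classify the RFC 5737
# documentation ranges (198.51.100.0/24, 203.0.113.0/24), which the sample
# below uses as stand-ins for public addresses, as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events (not real log data), reduced to the relevant
# fields. 198.51.100.9 fails six times against "administrator", then succeeds.
SAMPLE_EVENTS = "\n".join([
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "10.20.30.40", "Computer": "FS01"}',
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.77", "Computer": "FS01"}',
    '{"EventID": 4624, "LogonType": 3, "TargetUserName": "jsmith", "IpAddress": "203.0.113.77", "Computer": "FS01"}',
] + [
    '{"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.9", "Computer": "FS01"}'
] * 6 + [
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.9", "Computer": "FS01"}',
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "-", "Computer": "FS01"}',
])


def is_external(ip_text):
    """True when the source address parses and is outside INTERNAL_NETS.
    Windows writes "-" or "::1" for console/local sources; those are not external."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if ip.is_loopback:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def parse_events(text):
    """One JSON object per line (as a SIEM forwarder would emit) -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze_rdp(events, threshold=FAILED_LOGON_THRESHOLD):
    """Return findings for RDP (LogonType 10) activity:
    - external_rdp_logon: successful RDP logon from outside INTERNAL_NETS
    - rdp_bruteforce: >= threshold failed RDP logons from one source address
    - rdp_success_after_bruteforce: a brute-forcing source that then got in
    """
    findings = []
    failed_by_src = Counter()
    successes = []
    for ev in events:
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue  # network/service/batch logons are out of scope here
        src = ev.get("IpAddress", "-")
        if ev.get("EventID") == 4625:
            failed_by_src[src] += 1
        elif ev.get("EventID") == 4624:
            successes.append(ev)

    brute_sources = {src for src, n in failed_by_src.items() if n >= threshold}
    for src in sorted(brute_sources):
        findings.append({"type": "rdp_bruteforce", "ip": src,
                         "attempts": failed_by_src[src]})
    for ev in successes:
        src = ev.get("IpAddress", "-")
        detail = {"ip": src, "user": ev.get("TargetUserName"), "host": ev.get("Computer")}
        if is_external(src):
            findings.append({"type": "external_rdp_logon", **detail})
        if src in brute_sources:
            findings.append({"type": "rdp_success_after_bruteforce", **detail})
    return findings


if __name__ == "__main__":
    for finding in analyze_rdp(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the sample this flags the two successful RDP logons from outside the internal ranges, the six-attempt brute force from 198.51.100.9, and that source's subsequent success; the private-address logon and the console logon (“-”) are ignored. Two caveats when running this on real data: sessions that come through an RDP gateway or bastion appear with the gateway’s address, so the internal list has to account for that, and a host exposed to the internet on 3389 will generate far more 4625 noise than the threshold above, which is itself a reason to check the firewall rather than rely on the log alone.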

How Mimecast is Protecting Itself and Its Customers

Internally, Mimecast has taken appropriate actions based on the information provided so far and will continue to monitor the situation.

Peter Bauer, Mimecast CEO, noted that the attack on FireEye “proves that no organization is impervious to cyberattacks. We applaud FireEye’s proactive sharing of information to help protect customers. While not every organization is a likely target for nation-state actors, every organization is a likely target for some type of malicious actor.”

“Organizations should work with their stakeholders and cybersecurity providers to understand the threats they face and identify the actions to minimize risk to themselves, their customers and third parties with which they conduct business. More than ever, organizations need to consider the network of the broader security community and practice defense-in-depth,” Bauer said.

The Bottom Line

FireEye’s Red Team tools have been stolen and, as time goes on, will presumably begin to appear in the hands of threat actors around the world. There are specific FireEye-provided countermeasures companies can deploy to boost their cyber resilience by helping to detect and prevent cyberattacks using those tools. But at the end of the day, the most important countermeasure — as always — is good-old-fashioned high-quality cyber awareness. Many organizations could stand to be more diligent on that front.

[1] “FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State,” The New York Times
