The Virtual CISO

Fire in the Hole

What the FireEye Breach Tells Us About How We're Failing at Cybersecurity
FireEye CEO Kevin Mandia (Photo: Stuart Isett/Fortune Brainstorm Tech, via Flickr/CC)

FireEye, underscoring our industry's worst fears, reported Tuesday that it had been "hacked."

The company said it was hacked by foreign government attackers with "world-class capabilities" who somehow managed to break into its network and steal red team kits - a set of offensive security tools that FireEye researchers use to disguise themselves as threat actors and to test the security of the company's clients' networks.

When one of the biggest and most successful global security firms gets taken down, it does not just alarm the security community; it minimizes all of the 24/7 efforts spent every day by everyone involved in the war effort.

It also paints a vivid target on thousands of FireEye's customers, including a disproportionate number of federal, state and local government agencies.

And it even overshadows the notorious Shadow Brokers publication in April 2017 of the National Security Agency's most coveted hacking tools. That leak led directly to the subsequent repurposing of the exploits into WannaCry and NotPetya worms that shut down computers worldwide. Until Tuesday, that magnified human error was arguably the costliest cyber-operational mistake on record.

That it happened to the National Security Agency amplified our fears and suspicions about whether anything is truly secure, and now even the slightest doubt can be removed.

If one of the top cybersecurity firms can't protect itself, how can clients be sure anything from anyone will keep them safe? The myth of a "secured environment" has been revealed to be exactly that.

CISOs React

I am graced to be surrounded by 38 of the finest CISOs on the planet who voluntarily serve on our customer advisory board. When queried last evening, folks such as James Bone, Dan Bowden, Chuck Brooks, Don Cox, Summer Fowler, Richard Harrison, Mitch Parker, Roger Sels, Greg Touhill and Kathy Wang weighed in with remarkable insights. These ranged from cautionary advice around FireEye's tools making new attacks harder to detect and the increased national/global threat targeting the logistics and distribution of the COVID-19 vaccine to our current state of blurred situational awareness contributing to the apparent ease with which the threat actors were able to penetrate with precision.

Other observations from those closest to the federal government included sobering assessments that this breach was a significant attack with far-ranging impact and a real coup for the attackers.

Chief among the impacts may be that insight into the proprietary FireEye information can help adversaries understand what parts of the attackers' arsenals have been figured out by FireEye (and, potentially, the U.S. government) and what hasn't, thereby providing invaluable intelligence that can be used to refine attackers' strategies.

Understanding FireEye's playbook may also provide the (alleged) nation-state actors with clues on new tools that they should develop to neutralize FireEye's (and, potentially, the U.S. government's) tools and tactics, techniques and procedures. And FireEye's proprietary reports on its red team and pen test customers provide a rich treasure trove of information that can inform further campaigns.

An intriguing question is: If this, indeed, was the work of nation-state actors, then why had this attack not been picked up by U.S. Cyber Command and the intelligence community and interdicted? In light of initial reports that indicated FireEye discovered the attack through a review of VPN traffic logs, why was FireEye exposing sensitive data to an attacker who could drill into the environment with purloined credentials via a VPN and not using more secured software-defined perimeter capabilities?

The most commonly shared view among those CISOs is that we rarely share intelligence regarding operational deficiencies - budget inadequacies - or best practices as deployed. This results in a failure to develop improved best practices, while at the same time, our adversaries have created a giant marketplace on the dark web, estimated at $3.5 trillion, where all of these deficiencies are made freely available to anyone.

As some of our advisory board members point out, we need to stop wringing our hands and start analyzing and sharing lessons learned from these attacks. Without that focus, we will never get better. Casting stones at FireEye is not going to improve cybersecurity for anyone else. A primary goal of the adversary may very well have been to instill doubt and reputational damage (especially because we are learning that much of what was accessed is open source) - and boy, did it do just that.

It's Time for a Winning Strategy

Information sharing is one piece of the solution, so now is the time to listen to what FireEye can tell us about this incident (ears open, mouths shut). And while we're at it, we need to keep our eyes on the ball within our own organizations - remembering the basics of asset management and the prioritization of protection and sustainment of our crown jewels.

Our industry has been operating on an assume-breach and detection/response set of protocols for years. Cases like this breach strongly emphasize that, unless the detection to containment to remediation timelines are measured in minutes, we will always suffer impact, lose (IP or client) data and mount extensive and expensive recovery activity. Continuing this strategy into the future, with 5G around the corner, essentially guarantees a destructive threat landscape.

Cases like this strongly emphasize this isn't a winning strategy. You need prevention, then response for the remainder that cannot be automatically prevented. Pushing everything into detection is unsustainable.

We are relying on human defenses, but cyber no longer is a human-scale problem. Adversaries are automating, but they're also sharing toolsets. Saying this was done by an advanced adversary negates the reality that any criminal group can go out and acquire these toolsets easily and cost-effectively, which lowers the bar substantially. Factor in that there are now dozens if not hundreds of such advanced nation-state adversaries, and you quickly realize cyberwarfare is asymmetrical and heavily favors the adversary.

If China is involved, as I have argued for years, we can no longer treat this country as a partner or a competitor. China is an adversary and a very competent one to boot. Its advancements in quantum computing are eye-watering, while the U.S. continues to underfund and downplay what now amounts to a national emergency and an existential moment in the arc of history.

As a glaring example of our failure to understand the threat at the top echelon of the federal government, Sen. Mark Warner, D-Va., co-chairman of the Senate Select Committee on Intelligence, came out and applauded FireEye's transparency in the wake of the hack and said he hoped it served as an example to other companies. He also said it underscores the interconnected interest between U.S. companies and the government in beating back cyberattacks from foreign governments.

Warner must answer the question of why our government-funded research into quantum has totaled a paltry $1.2 billion spread over a five-year span, while China has already connected several cities with an impenetrable QKD network. A deeper dive into that funding reveals that only 20% of it is designated for quantum computing research, an amount equal to that dedicated to global warming.

'Air Traffic Control' System Needed

It is long past time for our governing leaders to stop talking and to start recognizing and acting upon the strength of our opponents and the relative weaknesses of our own capabilities in cybersecurity. As our friend Keith Alexander, the retired four-star general who served as director of the NSA, has said: "We need an air traffic control system that could sit on top of all security infrastructure in partnership between the federal government and private industry, before these attacks can be managed in any meaningful way."

FireEye disclosing what happened and identifying which tools were taken is definitely helpful and will minimize the chances of others getting compromised as a result of this breach. Kevin Mandia, the company's CEO, is to be applauded for his transparency and speed in acknowledgement.

What we learn from this breach about our defensive capabilities and our reliance on a compromised human factor is far more important than the damage that may ensue. Until we start taking cybersecurity seriously, from our government and our board rooms down through the least dangerous clerical pools and the most disconnected quotidian citizens, we will continue to see attacks like this one with consequences far exceeding that of a stolen toolkit.
