Fireeye Hack & Culture

[Update: 3 comments] Fireeye’s announcement of their discovery of a breach is all over the news. The Reuters article quotes a ‘Western security official’ as saying “Plenty of similar companies have also been popped like this.”

I have two comments. First, it’s easy for anyone to label attackers “sophisticated.” Fireeye certainly has more data and experience in assessing that, and I’d like to see their scale. I’d like to hear specifics of what makes them call the hack top-tier. OK, they “tailored their capabilities”? How? When you say “a novel combination of techniques” is that “novel techniques” or “novel combinations”? I understand that that’s unlikely to come out for a while because of investigations.

Second, nearly fifteen years ago, when we wrote the New School, the way we perceived breaches was very different. Now, almost all of what I’m seeing is the message that we should be compassionate and see how we can learn from it, for example: Let’s see how they can react to this and ultimately strengthen the industry.

It’s very positive to see that change has really taken hold.

Third, after writing a first version, I’m seeing lots of compliments about them releasing lots of IoCs, and that release is a great step. Also, I want to say that, if your ability to detect these attacks is dependent on these IoCs, you may be in trouble. And if you’re rushing to add those detections to your defenses, I want to encourage you to ask: how likely is it you’ll be attacked with these specific tools? Never waste a good crisis, sure, but that doesn’t make implementing these IoCs the right use of your crisis energy.

2 Comments on "Fireeye Hack & Culture"

  1. I have such feelings about organizations that horde vulns/tools so their red teams can always be successful. It seems very counter to the responsible disclosure movement as well anti-user. I kind of get it when it’s a nation-state that’s tasked with attacking other nation-states, but otherwise it’s just shitty anti-social behavior.

    1. Unfortunately the red team tools in use by FireEye/Mandiant are sometimes what is necessary in order to convince a company to change behavior. It is hard to call this hording as they customized all those tools themselves. It is also important to note that despite Not having any of those tools, state actors were able to hack into Mandiant. While still useful to an attacker, the tools simply amount to the convenient rag you grab to open the pickle jar. There are many ways to pop that pickle jar besides the rag.

      Look at it this way: Mandiant may have much more sensitive information about who has been breached, how they have been breached, etc. No matter what a state actor gets from Mandiant, it’s going to be bad news bears. If it was just the tools that’s really not as big as some of the other possibilities. And some of that may of course have happened too.

      IMHO a Red team is “successful” when they have opened a door that needs to be locked, so that the business can be safe. Unfortunately, these tools are necessary to achieve that goal.

Comments are closed.