FireEye Hack: Sizing Up the Impact
Does Theft of Penetration Tools Pose a Serious Threat?
FireEye's disclosure this week of the theft of its penetration testing tools - and its proactive response - has drawn praise but raised many questions, as well (see: FireEye Says Nation-State Attackers Stole Pen Test Tools).
Among the questions: How much damage can hackers actually cause by using the stolen tools? And who likely perpetrated the attack against a cybersecurity industry heavyweight?
FireEye reported Tuesday that it was the target of a combination of hacking techniques tailored to penetrate its defenses, resulting in the theft of its "Red Team" tools. These include scripts, tools, scanners and techniques that are used to test clients' infrastructure for security vulnerabilities or configuration lapses that could lead to a data breach.
In a Tuesday statement, CEO Kevin Mandia said: "We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use to minimize the potential impact of the theft of these tools."
FireEye, which suspects nation-state hackers were involved, did not say when the company was attacked or how long the attackers were in its systems. It doesn't believe any customer information was exposed.
"Kevin Mandia continues to be one of the straight shooters in the business and is demonstrating leadership in disclosing this attack," says retired Air Force Brigadier Gen. Gregory Touhill, who served as CISO of the United States under former President Barack Obama and is now CEO of Appgate Federal (see: Fire in the Hole).
Touhill says the theft of FireEye’s penetration testing tools poses a severe threat because hackers can use them to create countermeasures or to make it appear as if the attacks are coming from different nation-state actors.
"Reading FireEye's data may provide a phenomenal source of information on the cyber activities of other nation-state actor groups against FireEye customers," Touhill says.
Scott Shackelford, chair of Indiana University's cybersecurity program, says the theft of the FireEye tools is comparable to the theft of cyber weaponry from the U.S. National Security Agency by the Shadow Brokers in 2016. That stolen material eventually led to the WannaCry and NotPetya attacks.
"The fact that FireEye has the ability to counter these exploits does not mean that vulnerable systems can be patched in time to avoid them being exploited," Shackelford notes. "The fact that FireEye has already been public and proactive in publishing information about the specific tools that were breached while working with law enforcement is encouraging."
But Jake Williams, president of cybersecurity consultancy Rendition Infosec and a former member of the NSA's elite hacking team, says the threat posed by the stolen FireEye tools is not as severe as the threat posed by the stolen NSA cyber weaponry.
"These tools are far less damaging than NSA's tools," he says. "Even if these tools get dumped, attackers will need time to understand them before using."
FireEye already has posted to GitHub a set of countermeasures that can be used to block or detect the use of its Red Team tools.
The company says the hackers’ efforts were consistent with a nation-state cyberespionage effort because the intruders were seeking information related to certain government customers.
Cybersecurity specialists say a nation-state actor would have the resources and be willing to invest the time to take on the formidable task of hacking FireEye.
"When you have a determined adversary like a nation-state and you're a high-priority target, they are eventually going to get in," Williams says. "It's a testament to FireEye's detection that, even with all of the preparatory work that likely occurred, they still detected the intrusion."
But Touhill says it’s puzzling that the U.S. Cyber Command and the intelligence community did not detect the FireEye hack if, indeed, a nation-state was involved.
Phil Reitinger, president and CEO of the Global Cyber Alliance, says the FireEye incident demonstrates that skilled hackers, with enough time and resources, can hack any organization.
"What counts then is how you respond and, so far, I'm impressed with the level of response from FireEye, especially developing mitigations and sharing them with the community," Reitinger says.
Mike Wiacek, founder and CEO of security firm Stairwell and founder of Google's Threat Analysis Group, calls on FireEye to immediately share information with other security firms. "We are in a race against time to make sure they [the countermeasures] are quickly, easily and readily detected by every defensive product under the sun," he says.
Managing Editor Scott Ferguson contributed to this story.