08 December 2020 will be remembered as a significant day in information security history. On that day, FireEye, an information security giant and, through its Mandiant division, a pioneer in incident response, disclosed that it had been compromised by a likely state-sponsored entity. (Specific attribution is lacking at this time, although there are rumors that APT29/Cozy Bear may be responsible – more to come on this in the future.) Within the insular (and at times catty and vindictive) security community, there were likely feelings of schadenfreude over such a breach befalling an industry giant known for its incident response prowess. That the intrusion appears to have focused on collecting internal red team tooling may contribute to this sentiment, given the vociferous and very public stance taken by some FireEye employees with respect to offensive security tools.
Yet as the title of this posting implies, FireEye is neither unique nor deserving of any special blame in this instance – “there but for the grace of God go I” sums up the security experience of all organizations, including infosec vendors. While at the moment many may dance on the grave of FireEye’s reputation (at least privately), the idea that FireEye is at all unique in this instance – in terms of either targeting or success – is laughable. Rather, this event simply highlights a risk all security firms face, and which some take more seriously than others.
For example, one need only look to the adjacent industry of Information Technology (IT) Managed Service Providers (MSPs) to see how adversaries have evolved in terms of indirect targeting. APT10’s intrusions against multiple MSPs as part of the Cloud Hopper campaign are but one (although high-profile) example of how adversaries increasingly target firms that either enable operations or hold extensive trusted access to final victim networks as part of their intrusion methodology. Thus, every security company, from service providers to penetration testers to product companies, needs not only to be aware of the threat posed to its organization, but also to have a plan in place for how to respond when it is almost inevitably compromised.
In this respect, initial returns for FireEye’s response – which was almost certainly planned in advance and coordinated with government and media partners – seem quite good. In addition to providing (high-level) information on the event itself, FireEye also released a collection of detection items related to tools perceived as compromised or stolen. While I might quibble that these items could stand additional documentation, comments, and context to better orient defenders in detection and response, the very fact that FireEye did this at all speaks well of the organization. Other firms who may find themselves similarly situated in the future (or who are already in this position, but lack the visibility to know that this is the case) would do well to take note – having a plan and communication to blunt criticism and enable community defense is key to maintaining reputation and stature through such events.
Which brings me to another observation which I’ve hinted at repeatedly in this post – FireEye is hardly alone in this matter. In fact, FireEye has previously found itself in this position, albeit with far more limited implications. Any and every security firm that may be smug at the moment – whether in public or private – should take note that they are valuable targets for bad actors. Moreover, such firms may themselves lack the capability to even identify or detect such an intrusion, given both the reluctance of so many security professionals to take their own advice and the operational or technological limitations of their own internal infosec posture.
Thus service providers in general and security and audit/pentesting providers in particular should take this as a warning – that if they are not already compromised in some fashion by an adversary, they will almost certainly be targeted in the future. By understanding this risk and its implications for both clients and the organization’s own reputation, firms can attempt to “get ahead” of events through response and communication planning. FireEye appears to have drawn on a reservoir of goodwill with both government and media sources to arrange a coordinated, sequenced disclosure of events – smaller firms or those without similar reputations will be hard pressed to duplicate this set of circumstances. So just as we in the security field advise customers and clients to “assume breach”, we need to start taking our own medicine.
My sincere best to the incident responders, IT personnel, and other stakeholders at FireEye as they work to recover from this breach. Such actions are non-trivial and will need to be nearly flawless to ensure continued client trust in the organization. Ultimately, we all may find ourselves similarly situated at some time in the future – so sympathy and understanding are more fruitful reactions at this time than derision.