Perhaps the biggest lesson from this breach is that there is no such thing as an impenetrable defence. The goal of any cyber security program is to minimize and manage risk, since you can never eliminate it. For businesses, being able to detect and respond to a breach is very important, as seen in how FireEye has handled things so far. They quickly discovered the breach, disclosed it to the authorities, brought in outside experts to help with the investigation, and told the cyber security community how to defend against unauthorized use of their stolen tools. Rather than trying to hide the breach, being upfront about it will go a long way toward ensuring they keep their good reputation in the cyber security space.
Earlier this week, FireEye disclosed that they had been breached. Kevin Mandia, Chief Executive Officer of FireEye, wrote earlier this week in his company’s blog: “Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years…. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”

This is big news for the following reasons.

1. This was a nation-state sponsored attack

This is important: these aren’t kids just “messing around.” According to the New York Times, it looks like the work of “Russian Intelligence Agencies,” and FireEye has already contacted the FBI for support. Certain governments around the world would be interested in using the information and tools found either to attack United States government agencies or to use against other groups around the world.

2. They were in the FireEye network undetected and stole tools and information

The fact that these threat actors were able to bypass FireEye’s detection tools is worrisome. FireEye is deployed in many large organizations, including many large government organizations. If they were able to lurk in FireEye’s network undetected, the chances are good they could be lurking in other networks undetected as well. The fact that they also stole the hacking tools FireEye uses to test their clients’ networks is also disturbing. Those tools could now be used to attack FireEye’s clients.

3. FireEye is one of the biggest cyber security companies in the world, with many government contracts

FireEye is typically the go-to firm for government agencies that suffer a breach. This makes them a big target for state-sponsored hackers. It is suspected that the threat actors were after the cyber defence information of those governmental agencies, not the hacking tools.

4. If FireEye can get hacked, anyone can

FireEye is a big cyber security firm with many products used to help prevent cyber attacks. This proves the point that anyone can be hacked; it is just a matter of when. But FireEye isn’t the first major security firm to be breached, nor will they be the last. Kaspersky disclosed a similar breach in 2015; RSA Security was also hacked in 2011 by a nation-state actor later linked to China; and Avast was hacked twice, the first time in 2017 and again in 2019.