As FireEye grapples with breach investigation, questions remain
FireEye’s announcement this week that hackers breached its systems has sent shockwaves through the cybersecurity community, raising new questions about how one of the most influential security firms in the U.S. grappled with an apparently state-sponsored attack.
It also has triggered policy discussions about whether the U.S. government should do more to protect cyber industry titans like FireEye, one of the top cybersecurity firms in the world with customers that counts Fortune 500 companies among its clients. The hack adds FireEye to the list of cybersecurity companies that have experienced their own breaches, a roster stretching back to at least the beginning of the last decade.
“This news has rocked the cybersecurity industry to our core, unlike anything since the RSA hack” from 2011, said Tom Bossert, president of Trinity Cyber and the former homeland security adviser to President Donald Trump. “It’s a pretty big deal.”
FireEye revealed on Tuesday that it had been breached. The company said the attackers — who demonstrated ties to a nation-state cyber espionage campaign — made off with red-team tools, and sought information related to its government customers, although there was no evidence they took any client information.
FireEye’s stock tumbled shortly thereafter. While some observers have correctly pointed out that anybody can be hacked, it was a hard blow for a cybersecurity giant like FireEye to take.
“This ought to be a wakeup call for us that we’ve got some high end nation-state actors that are using exquisite tactics, techniques and procedures combined with some powerful tools, and they’ve been able to puncture one of the top tier entities out there,” said Greg Touhill, the first federal chief information officer who’s now president of the federal group for Appgate, a cybersecurity firm. “We all need to be taking a look at the forensics that FireEye is going to share or is sharing right now.”
Rick Holland, vice president of strategy and CISO for cybersecurity company Digital Shadows, said “this should be an eye-opener for everybody.”
What we know, and what we don’t
Information security professionals differ on how dangerous it is for the red-team tools to fall into the hands of foreign hackers. A worst-case scenario involves attackers turning those tools toward malicious purposes, or using them to enhance their ability to avoid detection.
Many cybersecurity experts have praised FireEye’s disclosure and response, noting that it includes useful countermeasures to block the stolen tools and more. But so far, FireEye isn’t saying anything publicly beyond its initial blog post.
It’s fairly typical for large companies during a breach announcement to specify on what date the breach happened, how it was discovered, how long the attackers remained inside the systems, when an initial investigation was conducted and how much time transpired between discovery and disclosure. For instance, when the Marriott hotel chain in November 2018 announced a breach affecting up to 500 million Starwood guests, the company said the original indicator was a security alert Sept. 8, resulting in an investigation which determined that hackers’ unauthorized access dated back to 2014.
FireEye’s disclosure offers none such detail, saying only that the attack occurred “recently,” and that it was looking into the matter further.
“We’re actively investigating this incident with our partners at Microsoft and coordinating with the FBI,” said a spokesperson, Sarah Coutermarsh. “Please know that there may be some delay in our ability to share that information, as we do not want to do anything to interfere with the ability of the FBI to conduct its separate, ongoing investigation. We want to be absolutely certain we obtain all the evidence available to us to further advance this case, and some disclosures at this point would jeopardize that collection.”
CEO Kevin Mandia wrote in the blog post that the attackers used a “novel combination of techniques,” that they were “highly trained in operational security and executed with discipline and focus” and that “they operated clandestinely, using methods that counter security tools and forensic examination.” (Data breach victims often note their attackers’ “sophisticated” methods.)
Holland, of Digital Shadows, praised much of FireEye’s response, but was struck by the lack of dates in the FireEye disclosure, among other factors. “I would really like to see them release that threat actor group that is [responsible],” he said, “as well as the techniques that the actors are using, and having that confirmed.”
The Washington Post reported that the leading suspect in the breach is the Russian hacking group known as APT29, or Cozy Bear, which has been associated with the Kremlin’s SVR intelligence agency. A note from CrowdStrike, a FireEye competitor, said it had not attributed the attack to APT29.
FireEye also said that if it later learned a customer’s information was taken, it would notify them. As a company that helps others respond to breaches, FireEye would have extensive information about its customers’ vulnerabilities that they don’t want released. Capital One, for instance, hired FireEye’s Mandiant arm as part of its breach investigation and tried to keep those details under wraps in a lawsuit.
“I think if this was really seriously trying to be transparent about what happened, it would go into far more detail,” Carl Herberger, vice president of security services at CyberSheath Services International.
Jim Lewis, a cybersecurity expert at the Center for Strategic and International Studies, was more generous toward FireEye. “The post told me everything I need to know,” he said. “The FBI probably told them to keep their mouth shut. It doesn’t bother me.”
Capitol Hill has taken an interest in the breach, as well. Both the House and Senate Intelligence Committees have requested briefings from the intelligence community, and both have received direct briefings from FireEye about the attack, according to aides. Some other offices have received briefings from FireEye, too.
“We have come to expect and demand that companies take real steps to secure their systems, but this case also shows the difficulty of stopping determined nation-state hackers,” said Virginia Sen. Mark Warner, the top Democrat on that chamber’s intelligence panel. “As we have with critical infrastructure, we have to rethink the kind of cyber assistance the government provides to American companies in key sectors on which we all rely.”
That “rethinking” Warner referred to involves several elements, a Warner aide said. One is what minimum government cybersecurity standards some companies should have to reach, such as companies that handle large volumes of sensitive personal information like Equifax or are “systemically important” in some way, such as companies like FireEye.
Further, the breach has resulted in questions over whether the U.S. government is capable of warning companies when major nation states like Russia or China are targeting certain sectors or tools, the aide said. Such a process could also involve more frequent government examinations of companies’ systems to help them shore up vulnerabilities, something the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency does in some cases and that the Defense Department does for vital contractors. It could even involve offering ongoing monitoring and defensive assistance.
Lewis said a bigger government role might not matter. “If FireEye can’t protect itself, we shouldn’t expect anyone else to do a better job,” he said.
The FBI offered a rare acknowledgement that it was conducting an investigation into the breach. And DHS said it was working, alongside other federal agencies, to determine its scope.
Sean Lyngaas contributed to this story.