As if the world needed any more convincing, the recently disclosed breach of FireEye made clear that even top-name security companies have difficulty keeping safe from attackers. We're monitoring the rapidly unfolding details and will discuss more as the story evolves, but it's a clear reminder that organizations need to monitor and secure their attack surface.
The challenge of fully defending valuable assets, business infrastructure and secrets is daunting, with odds firmly on the attacker. It is not, however, a futile endeavor. Security teams can shift the balance through new strategies, practices and technologies.
A good starting point for shifting the balance is with an understanding that attackers generally operate with business-like discipline. This means that they want to minimize costs and risks and maximize results. While the attack on FireEye was from a nation-state presumably for political purposes rather than for financial gain, the same principle applies.
Minimizing costs and risks drives attackers to choose the path of least resistance to gain access to an organization’s assets and infrastructure. Sometimes, the path of least resistance is compromising a user’s computing device or account. While this is still a highly effective way to initiate a data breach, there are a growing number of tools (e.g., User and Entity Behavior Analytics (UEBA) solutions) that look for anomalous user, machine or network behavior and may be able to detect an in-progress attack.
Another very effective way to conduct an attack is for attackers to find exposed assets that are not monitored by an organization. Nearly all organizations have these, sometimes in great numbers. These can be systems or digital assets run by a partner or third party and not under the control of the organization, but with a viable pathway to the organization’s applications and data. Sometimes they are shadow IT – IT provisioned by an employee or group within the company without the knowledge or supervision of IT. They may even be forgotten assets, long ago abandoned but never taken out of commission.
Knowing that attackers commonly target these blind spots, a proactive approach to shifting the balance away from bad actors is to identify assets that are currently out of view of the IT and security teams. Most organizations are so focused on protecting assets they already know about that they have little time to consider those that are unknown to them but readily found and exploited by attackers. This common but counterproductive security habit must change. Every organization should add practices and technology that can find all attack surface assets and make that a foundational aspect of their security program.
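The blind spots described above (shadow IT, partner-hosted systems and forgotten assets) can be surfaced by reconciling what the IT team believes it owns against what is actually observable from the outside. The following is an added illustration written for this article, not CyCognito's platform code; the inventory, the observed records, the hostnames under example.com and the hosting labels are all constructed sample data, and the three finding categories are this example's own naming.

```python
"""Reconcile an asset inventory against externally observed assets to flag
attack-surface blind spots: unknown assets (shadow IT candidates), assets
hosted by a third party, and abandoned assets that were supposedly retired.
All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date

# Constructed inventory: what the IT/security team believes it owns.
KNOWN_ASSETS = {
    "www.example.com":    {"owner": "web-team", "decommissioned": False},
    "api.example.com":    {"owner": "platform", "decommissioned": False},
    "legacy.example.com": {"owner": "finance",  "decommissioned": True},
}

# Constructed external observations, as an attacker or a discovery tool would
# see them (e.g. from DNS, certificate logs or a scan of the organization's IP
# ranges). "hosting" is the observed owner of the network the name resolves to.
OBSERVED = [
    {"host": "www.example.com",     "hosting": "example-corp", "last_seen": date(2020, 12, 9)},
    {"host": "api.example.com",     "hosting": "example-corp", "last_seen": date(2020, 12, 9)},
    {"host": "legacy.example.com",  "hosting": "example-corp", "last_seen": date(2020, 12, 8)},
    {"host": "dev-crm.example.com", "hosting": "saas-vendor",  "last_seen": date(2020, 12, 9)},
    {"host": "staging.example.com", "hosting": "example-corp", "last_seen": date(2020, 12, 9)},
]

# Network owners that count as "ours"; anything else is a partner or vendor.
ORG_HOSTING = {"example-corp"}


@dataclass(frozen=True)
class Finding:
    host: str
    category: str  # "unknown", "third_party" or "abandoned"
    detail: str


def classify(known, observed, org_hosting, today):
    """Return one Finding per observed asset that the inventory does not
    account for correctly. Assets that are inventoried, active and hosted
    on the organization's own networks produce no finding."""
    findings = []
    for obs in observed:
        host = obs["host"]
        record = known.get(host)
        if record is None:
            # Reachable from the outside but absent from the inventory.
            if obs["hosting"] in org_hosting:
                category, detail = "unknown", "not in inventory"
            else:
                category = "third_party"
                detail = f"not in inventory; hosted by {obs['hosting']}"
        elif record["decommissioned"]:
            # Inventory says retired, yet the asset still answers.
            age = (today - obs["last_seen"]).days
            category = "abandoned"
            detail = f"marked decommissioned but seen {age} day(s) ago"
        elif obs["hosting"] not in org_hosting:
            # Known asset, but it lives on infrastructure the org does not control.
            category, detail = "third_party", f"inventoried but hosted by {obs['hosting']}"
        else:
            continue
        findings.append(Finding(host, category, detail))
    return findings


def summarize(findings):
    """Count findings per category, a quick view of where blind spots cluster."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in classify(KNOWN_ASSETS, OBSERVED, ORG_HOSTING, date(2020, 12, 10)):
        print(f"{f.category:12} {f.host:24} {f.detail}")
```

On the constructed data this reports staging.example.com as unknown, dev-crm.example.com as third-party hosted and legacy.example.com as abandoned, while the two inventoried, active hosts are silent. The point of the design is that the observation side is gathered the way an attacker would gather it, from public signals rather than from internal records, so the comparison shows exactly the assets the organization has no view of.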
CyCognito provides a full solution for discovering these assets, identifying critical risks they may be harboring, and prioritizing risks according to their business impact. It’s important to monitor for this hidden risk, known as shadow risk, on an ongoing basis. Gartner recently named CyCognito a Cool Vendor in recognition of our groundbreaking efforts, highlighting our platform’s relevance to digital transformation and pandemic resilience.
Of course, improving security and shifting the attacker-defender balance in favor of the defender involves a wide range of strategies, practices and technologies. But starting with one of the most basic and generally unaddressed security gaps is not only sensible but critical. A full view of the attack surface is a foundational step that should cover assets that are known, unknown, managed, unmanaged, on-premises, in the cloud, and in partner and subsidiary environments. For effective digital risk management, it’s important to evaluate the attacker's view of your assets and eliminate their paths of least resistance into your network, and then move on to advanced practices to further evolve your security.