There is no impenetrable armor.<\/h2>\n\n\n\n
In my 20+ years in cybersecurity, I\u2019ve yet to see the bad guys entirely prevented from \u201cgetting in\u201d once and for all. Eventually the odds stack up, and a breach occurs. There is no impenetrable armor. When I worked at Network Associates in 2001, it was Code Red that slammed our networks. And Symantec posted an early write up for SQL Slammer because it hit them too. The common element with security vendor breaches is typically downplaying the impact and a lack of transparency as a misplaced way to preserve stock valuation. <\/p>\n\n\n\n
Fortunately it\u2019s not every day that elite Red Team tools and tactics are exposed. Last time it was 2016 and the Shadow Brokers<\/a> leaking The Equation Group\u2019s NSA tools – leading to WannaCry attacks in May 2017 and other highly devastating attacks. The FireEye breach<\/a> is different: no zero day vulnerabilities<\/a> were exposed and the company was extremely transparent and rapid in their response on December 8th. Their advisory begins with a powerful sentence: <\/p>\n\n\n\n \u201cA highly sophisticated state-sponsored adversary stole FireEye Red Team tools\u201d<\/em><\/p>\n\n\n\n Because they knew their tools were stolen they IMMEDIATELY took responsibility and released hundreds of countermeasures (against their own stolen intellectual property) so every organization can at least detect the indicators of compromise (IOCs) — albeit late (or to the right) in the attack lifecycle<\/a>— to mitigate further damage. Hopefully this breach will have a much lower impact than The Equation Group breach and set a good example — if not a new standard — of how such incidents should be handled in the future.<\/p>\n\n\n\n The bottom line is that organizations need to shift to a more proactive stance so they can preempt attackers during their reconnaissance phase, to the left<\/em> of initial access in the attack lifecycle.<\/p>\n\n\n\n FireEye posted detective countermeasures against their Red Team tools on December 8th and has been updating them frequently: https:\/\/github.com\/fireeye\/red_team_tool_countermeasures<\/a><\/p>\n\n\n\n These countermeasures provide incredible insight into how FireEye was using only a relatively small number of highly powerful exploits to infiltrate customers’ networks. While vulnerability scanners can trigger a large number of high severity issues that might distract you into security theater<\/a> activity, you need to focus on what\u2019s critical. In the present situation, special attention should be given to the products below that are targeted by the FireEye tools as they will now be specifically attractive to hackers with access to the breached trove:<\/p>\n\n\n\n Proactively searching for these products in an organization is a first step in checking their posture, including validating the latest patches are applied, checking for default credentials, proper encryption settings, misconfigurations, unintended exposure to the internet, etc. And because we KNOW these tools were stolen from FireEye by bad actors, you can safely predict they will be used against you. Therefore, organizations need to better discover these target assets<\/a> now before they become the paths of least resistance the bad guys find and exploit.<\/p>\n\n\n\n Other information we can glean from the way FireEye is handling this breach comes from FireEye\u2019s Github where you can see a real-time response to a nation-state attack by a professional cybersecurity organization. Tools and tactics are being revealed quickly and secops is paying attention as you can see from the date stamps and download activities.<\/p>\n\n\n\n What\u2019s clear from the details released on December 14th about the supply chain attack on SolarWinds<\/a> — that lead to the breach at National Telecommunications and Information Administration, the US Treasury, and others — is that the SolarWinds supply chain attack<\/a> is also how hackers gained access to FireEye’s network and that the incident was considered so serious that it led to a rare meeting of the U.S. National Security Council at the White House, on Saturday, December 12th.& you can see from the Github screencap of the SUNBURST countermeasures<\/a> FireEye released on Sunday, December 13 that they are meant to detect this attack in real time. In other words, FireEye personnel are working as fast as they can to make sure that this thing is understood and contained as much as possible. If only we had a time machine.<\/p>\n\n\n\n The FireEye response is exemplary and contrasts rather starkly with SolarWinds\u2019 neutral Security Advisory<\/a> released December 14, that basically enumerates that any company running SolarWinds Orion platform with their software updates from March 26, 2020 onward had better be vigilant with quite a few software packages, including cybersecurity operations tools:<\/p>\n\n\n\n The top line of the advisory on December 14th from SolarWinds uses passive voice to downplay the severity of the incident by calling out the sophistication of the attack, the manual effort involved and the versions affected.<\/p>\n\n\n\n \u201cSolarWinds has just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds\u00ae Orion\u00ae Platform software builds for versions 2019.4 HF 5 and 2020.2 with no hotfix<\/span or 2020.2 HF 1.\u201d<\/em><\/p>\n\n\n\n This is not just your standard \u201csophisticated attacker\u201d though. APT29 is a nation state actor associated with Russia intelligence agencies that has essentially weaponized the SolarWinds\u2019 commercial software used by the U.S. government and other SolarWinds clients. They have turned commercial off the shelf software into a trojan horse with privileged network access to every device and system it\u2019s configured to monitor and manage. Microsoft\u2019s Security Response Center provides an excellent write-up<\/a> if you\u2019d like more details and, even as this is being written, we\u2019re fully expecting to see more details emerge.<\/p>\n\n\n\n By December 15th at 8:00 a.m. SolarWinds provided an update with much stronger language about what they understood happened and clear indication of the steps they\u2019ve taken to mitigate the threat and validate what software packages are, and are not impacted.<\/p>\n\n\n\n SolarWinds tools are doing network monitoring, virtualization management, voice over IP management, controlling high availability, and performing log analysis. In other words, by exploiting the Orion platform, the bad guys could own your network along with the instrumentation that might stop them or allow you to detect them. And depending on what packages you\u2019ve installed on the Orion Platform, they may be managing your cloud environment, firewalls, routers, and switches, your IP addresses, and even DNS. For example:<\/p>\n\n\n\n 1. SolarWinds VMAN<\/a> can add, edit, or remove managed cloud instances in AWS and Azure. So in addition to looking for exposed SolarWinds systems, you will want to check for unexpected or absent cloud assets with your attack surface management<\/a> platform. For organizations with significant digital transformation efforts in place, or those generally leveraging the cloud — the case with the anonymized CyCognito customer in the screenshot below \u2013 this can be a significant exposure. In this case, there are 23,000 assets classified as Infrastructure as a Service (IaaS).:<\/p>\n\n\n\n 2. SolarWinds Network Configuration Manager<\/a> can configure Cisco, Juniper, and Palo Alto firewalls and switches, so you\u2019ll want to find those and double check they aren\u2019t configured as a path of least resistance into your network. Here is a search for these platforms in the CyCognito platform<\/a> as an example, classified automatically into environments. The key takeaway is that you are going to want to find and audit all of the systems like these if you were using the compromised SolarWinds platform with the back-doored updates.<\/p>\n\n\n\nProfessional Breach Response: A Timeline on GitHub<\/h2>\n\n\n\n
\n
Protect Your Paths of Least Resistance<\/h5>\n\n\n\n
![\"\"](\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/CyCognito-Blog_Shift-Your-Security-Posture_Figure2.png\")
<\/figure>\n\n\n\nThe \u201cStandard Response\u201d: Solarwinds Security Advisories<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/CyCognito-Blog_Shift-Your-Security-Posture_Figure3.png\")
<\/figure>\n\n\n\nNot your standard \u201csophisticated attacker\u201d<\/h5>\n\n\n\n
![\"\"](\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/CyCognito-Blog_Shift-Your-Security-Posture_Figure4.png\")
<\/figure>\n\n\n\nSo What is the Potential Impact?<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/CyCognito-Blog_Shift-Your-Security-Posture_Figure1.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/CyCognito-Blog_Shift-Your-Security-Posture_Figure7.png\")
<\/figure>\n\n\n\n
![\"\"](\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/CyCognito-Blog_Shift-Your-Security-Posture_Figure8.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.cycognito.com\/blog\/wp-content\/uploads\/CyCognito-Blog_Shift-Your-Security-Posture_Figure9.png\")
<\/figure>\n\n\n\n