Mitigating against the Recent FireEye Breach

Mitigating against the Recent FireEye Breach
August 30, 2021

A quick discussion of the recent FireEye breach and how to implement the FireEye Tool countermeasures into Byte25 to keep your network safe.

If you are working in cyber security, you are probably aware of the recent FireEye breach. On the off chance that it passed you by, FireEye was recently hacked resulting in the theft of a range of their internal hacking tools, or as FireEye refer to them, their ‘Red Team’ tools.

Of course it could have been worse. FireEye could have lost the results of previous penetration tests which no doubt would have caused considerable disquiet amongst their customer base. But the exposure of their internal penetration test tools is certainly significant. We are talking about one of the world’s leading cyber security companies here – their tools are likely very sophisticated, well beyond simple Kali Linux tools run by script kiddies. 

I am sure the cause and ramifications will be discussed at length, but what is impressive is the open and rapid response from FireEye. FireEye CEO, Kaven Mandia in a blog post (https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html) has been frank and transparent in discussing the breach. More importantly, FireEye have reacted quickly to prepare countermeasures that can detect and block the use of the stolen penetration test tools.  FireEye have made the counter measure tools publicly available for other security vendors to implement. A full repository of the FireEye counter measures is available here https://github.com/fireeye/red_team_tool_countermeasures.

Part of the FireEye countermeasure tools come in the form of a set of Snort rules  that can be loaded directly into the Byte25 Threat Detection engine. Loading these rules will ensure that the Byte25 Threat Detection Engine will identify intrusion attempts by malicious actors using the stolen FireEye tools. At this stage, it is unclear whether Proofpoint will include the FireEye countermeasure rules into their standard Emerging Threats ruleset. So in the interim, any Byte25 customers needing help in installing the FireEye countermeasure rules into their Byte25 appliances please reach out to us at support@byte25.com and we will be happy to help guide you through the process.