Yesterday, FireEye went public with notice of a breach that included some of their red team tools (https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html). While it is a hard situation, I believe it mostly sets a good example around communications and response, in addition to being a good reminder of the risk for organizations in the cybersecurity space. Anyone can get breached, so let's go into what lessons can be learned from it.
Starting with the positive, they were proactive and provided details around what happened as well as what they are doing to address it for themselves and the broader community. Releasing ways to detect the red team tools is a great way to support broader security and being open about what was taken can help others focus on where they may need to improve their security.
The only negative I have — we get it, it was an advanced attack. Most of the first three paragraphs are about how advanced and state-sponsored the attack was, and this seems like overkill. Nobody wants to say they were hacked by the worst hacker on earth using the most basic stuff, but at some point you are just doing PR for the attacker.
For firms in the cybersecurity space, especially large ones, this highlights the additional value for an attacker. In addition to all the normal corporate data (HR, financial, etc.) that could be valuable, cybersecurity companies often have interesting customers and their own tools and techniques.
For the customers, since highly regulated environments require cybersecurity capabilities, going after a large firm in cybersecurity is likely to include a focus on customer data. All levels of government, financial services, energy and power, healthcare, etc. are interesting to adversaries in my experience, and all require substantial security capabilities, like the ones provided by FireEye.
From looking at the tools that were targeted, depending on the attacker and the organization, stealing tools and techniques could be a cheap way to do R&D in addition to providing short-term capabilities (short term assuming defenders implement the mitigations provided by FireEye). This is unique to the cybersecurity industry, but may be just an extension of nation states going after the tools or techniques of another nation.
When I worked with agencies and organizations on improving security, I believed that you didn't have to outrun the bear (get it, Fancy Bear 🙂), just other organizations, since very few attacks are truly targeted. Unfortunately for firms in the cybersecurity industry, this may be less true. With a combination of corporate data, information about interesting customers, and tools that can be reused, the cybersecurity industry is likely to continue to see interest from advanced attackers.