FireEye cyberattack leaves more questions than answers

There's a reason the cybersecurity industry follows the cliche edict, cyberattacks are not a matter of if, but when. Once an attack occurs, attention turns to rapid response and transparency.

While industry is working to understand FireEye's cyberattack, announced Tuesday, attention is turning to response. And with that, questions emerge:

The cyberattack took place "recently" but FireEye CEO Kevin Mandia did not outline when in his blog post detailing the attack. Mandia also did not disclose how long the attack and access lasted.
Attackers "targeted and accessed" Red Team tools that FireEye uses for diagnostic security. What was not disclosed was how the attackers compromised the tools, other than mention of a "sophisticated" actor using a novel technique.
While the company is attributing the attack to a nation state, it did not say which one. The New York Times report says the attack perpetrators are "almost certainly Russian."
While FireEye created "more than 300 countermeasures" the company did not release indicators of compromise (IOCs) that detail the method attackers used to access FireEye systems.
FireEye has seen "no evidence" attackers exfiltrated customer data, but the investigation is ongoing and a larger impact could be revealed.

The delay in some information sharing is the result of FireEye's efforts to not "interfere with the ability of the FBI to conduct its separate, ongoing investigation," said a FireEye spokesperson in an emailed statement. "We want to be absolutely certain we obtain all the evidence available to us to further advance this case, and some disclosures at this point would jeopardize that collection."

Earning $899 million in revenue in 2019, FireEye is a major cybersecurity firm with 3,000 employees operating globally. With 9,600 customers, including 1,000 customers from government and law enforcement agencies worldwide.

"They design defenses for this, for the Defense Department and all sorts of federal contractors and enterprise companies," said Peter Firstbrook, vice president, analyst at Gartner. To be able to go under their radar and access their tools, "that is a pretty sophisticated attack."

In addition to security technologies and threat intelligence, FireEye's consulting arm Mandiant works directly with companies to hone defenses. The primary concern is if there is a crack in FireEye's defenses, it could allow attacks against companies under its protection resulting in devastating, supply chain attacks.

This attack poses a risk to FireEye's customer base and supply chain, including major companies and governments, said Carl Herberger, vice president of security services at CyberSheath Services International. "Are they at risk? And if not, why not?"

If attackers "found a weakness in FireEye, or some way to get past them, which obviously they did because they got in, then that also gives them information about how to get past every other FireEye customer," Firstbrook said.

Because attackers burnt their tools and FireEye caught them, the company can do a forensic audit to determine how attackers got in.

If the attacker got past FireEye's defense using a novel technique, it is possible they could have successfully bypassed other organization's defenses without anyone noticing, Firstbrook later said in an email.

A high priority for security organizations, especially FireEye customers, is to check their logs for the indicators of compromise behind the attack, Firstbrook said.

"They may be withholding this info because it involves a zero day and they don’t want to disclose the zero day before it can be patched," Firstbrook said. "But that is a concern."

Industry has seen this before

Security companies are under attack all the time; they pose a ripe target. FireEye is the latest to get hit. Bit9, now part of VMware's Carbon Black, Kaspersky, Symantec and Trend Micro all were compromised in the past, according to Firstbrook. As was RSA in 2011.

The question of trust emerges. If the security firms tasked with protecting customers are impacted, who else can companies turn to?

FireEye has not said how it determined an attack took place, Herberger said. "The thing that really bothers me about it the most is that there was no discussion about whether or not we should be concerned with whether or not the fidelity of their security, of their service ongoing, is compromised."

While experts have commended FireEye for its early response, and collaboration with stakeholders including the FBI and Microsoft, they are calling on FireEye to release more information, which requires further investigation.

What happens now is FireEye will reconstruct the intrusion on their end and start looking for how the attack was executed, said Mike Wiacek, CEO of cybersecurity startup Stairwell Inc. Further access points or areas of compromise could be revealed.

It's like when someone breaks into a museum to steal a work of art, but grab something from the gift shop on the way out, Wiacek said. The first thing that's noticed is the theft at the gift shop; it takes time for people to find out the masterpiece was the main target.