When FireEye announced yesterday that “a nation with top-tier offensive capabilities” had used “novel techniques” to steal an in-house red-team tool, the security community found itself wondering what its reaction should be. It’s a community that, in the past, has struggled not to eat its own children when embarrassing things happened.
This time around, there were FireEye defenders, among them James Azar, who posted to LinkedIn to say that anyone “bashing FireEye, Inc. for a #nationstate attack” should “think twice.”
A few dozen replies followed, many along the same lines as a comment posted by Ramesh Rajagopal, president of Authentic8, who said “defense in depth should also reflect how the industry stands behind each other to support the attacked.”
The general line of thinking was that even companies that are expert in cyberdefense will, on occasion, fall victim to hackers.
Well, yes, there’s always the chance that a well-provisioned nation-state attacker will break through even the best defenses. No argument there. But what seems the bigger thing to support is that FireEye appears to have done all the right things when the breach was discovered.
Several commenters took this line of thought: a tool used for pentesting and outfitted with several hundred individual attack capabilities was stolen, so the victim has publicly released countermeasures and information that can be used to catch attacks mounted with the stolen tool. FireEye was quick to announce the breach and has been transparent about it, so far as outsiders can tell. This is certainly how you’d like to see a breached company react.
Of course, the New York Times said rather flatly that “The breach is likely to be a black eye for FireEye,” but I’m not so sure. In some ways, it may actually be a good thing, as much as I’m sure they absolutely hate that the breach happened.
Because, if you’re going to be breached, this is the sort of breach that makes you look like you are all about hardcore hacker juju.
Consider the comments that have cropped up under Bruce Schneier’s brief post on the event in his “Schneier on Security” blog, which have included much speculation on where FireEye actually fits in the security industry. Someone posting as Assumed said “I’ve always assumed that FireEye was an ‘agency’ corporation. At one point, they were helping decrypt hard drives that were infected with Ransomware for free. What kind of resources does that take? And who is capable?”
Nothing about the incident reveals anything substantive about the government agency ties that FireEye may or may not have. A blog entry that digs into the materials FireEye released on its GitHub points out that “From what’s been made available in the repo, the tools are mostly open source and not developed by FireEye.”
So they had a bunch of tools for testing various exploits, just as you’d expect that a company in FireEye’s line of work would have. But, wow, they seem like ninjas when this gets referred to as a “red team tool” that was heisted by “a nation with top-tier offensive capabilities.” Does this event mean that they will no longer be, as the New York Times put it in the lead paragraph, “the first call for government agencies and companies around the world who have been hacked?” Heck no. These guys obviously roll with the bad boys.