
One of the premier Threat Intelligence and Cyber Security companies has been hacked.  So far they are stating that only their prized Red Team hacking tools were stolen.

Right now, they are only stating that their Red Team tools were stolen.  Yes, I purposely repeated myself.  They have also posted information and countermeasures to help people protect their environments (See GitHub link below)

In other articles, there are those that are saying that FireEye has not divulged when exactly this hack occurred.  Others are saying that there are a few other Cyber Security Companies that have also been hacked.  Supposedly, FireEye is the first to openly admit that they were hacked.

This is a shock to the Cyber Security Industry.  A leading company in Threat Intelligence and Cyber Security is hacked and their tools stolen?  Who are the other companies not coming forth yet?  Where does this leave their reputation?  Was this a network hack, an insider hack, an Internet hack, or just someone being careless about their network and access points?  Was it a broken VPN connection?  A stolen VPN credential?  Who knows yet, as it is too early to tell.

What about the threat intelligence they may have amassed on various actors, both foreign and domestic, not to mention state actors?  Why in the world would someone hack into a Threat Intelligence organization to ONLY steal Red Team tools?  Those of us in the industry are shocked and worried about what more will be exposed from this hack.  This is a major event within the industry.  On a scale of 1 to 10, it's a 12.

What to learn from this?

  • Double check all of your network's border gateways, routers, firewalls and VPNs.
  • Make sure that your patches and OSes are up to date. (Test your patches and updates in a separate lab; again, zero trust.)
  • Make sure your VPNs are up to date and protected.
  • Make sure you have some sort of IPS and IDS systems in place watching all inbound connections.
  • Make sure your SIEM product is correctly pulling out unwanted traffic and alerting the right people.
  • Make sure that your ID Federation products are up to date and double check the settings.
  • Make sure that ANY old or outdated Firewall rules are removed.
  • Make sure that ANY device on your network is not operating with old, unnecessary rules.
  • Make sure you can account for every connection within your network.
  • Make sure that all of your WiFi APs are up to date.
  • Make sure you are not utilizing any outdated or hackable WiFi APs.
  • Ensure that your Disaster Recovery / Business Continuity policies are up to date.
  • Ensure that there are no insider threats.
  • Ensure that your employees are trained in the latest Cyber Security Policies and Training.  Once a year recertification should be mandatory.
  • Ensure that your Cyber Security Training also includes Phishing techniques.  Train your people HOW to spot fake emails!  It's easy and very cost effective!
  • Do not trust anything.  Verify it every "X" months. 
  • Perform periodic Audits on your network, storage, permissions, accounts, systems and software.
  • Don't wait until it is too late.
  • Record and audit time stamps on files to periodically compare to see if any files were touched or changed when they should not have.
  • Be diligent, if something does not look right, question it.
  • Check the permissions on files, systems and periodically audit them for compliance.  No one should have all the keys to the kingdom. 

Seems like a long list?  It's not.  It's a beginning.  Automate where you can, but audit the automation periodically.  Ensure that the automation is doing exactly what it is designed to do and nothing more.
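Two of the items above, recording file time stamps to compare later and periodically checking file permissions, are easy to automate, and the result is something you can audit. The script below is an added example (not code from the original post): it baselines a directory tree (mtime, permission bits, owner, SHA-256), later compares a fresh snapshot against that baseline, and flags world-writable files. The directory names, file contents and the "tampering" in the demo are constructed for the demonstration; point `snapshot`/`audit` at your own configuration directories in practice.

```python
"""Baseline-and-compare audit for file timestamps, permissions and content hashes.

Added example, not part of the original post. Sample tree and file names are
constructed for the demonstration.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash file content in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Record mtime, permission bits, owner and hash for every regular file under root."""
    records = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices are out of scope here
            records[str(p.relative_to(root))] = {
                "mtime": int(st.st_mtime),
                "mode": stat.S_IMODE(st.st_mode),  # permission bits only
                "uid": st.st_uid,
                "gid": st.st_gid,
                "sha256": sha256_of(p),
            }
    return records


def save_baseline(root: Path, baseline_file: Path) -> None:
    """Persist a snapshot as JSON; keep this file somewhere the audited hosts cannot write."""
    baseline_file.write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))


def compare(baseline: dict, current: dict) -> dict:
    """Return added/removed files and, for changed files, which attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def world_writable(records: dict) -> list:
    """Files whose permission bits allow writes by 'other' (the S_IWOTH bit)."""
    return sorted(rel for rel, r in records.items() if r["mode"] & stat.S_IWOTH)


def audit(root: Path, baseline_file: Path) -> dict:
    """Compare the tree against a saved baseline and add a permissions check."""
    baseline = json.loads(baseline_file.read_text())
    current = snapshot(root)
    report = compare(baseline, current)
    report["world_writable"] = world_writable(current)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then modify it and audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        root.mkdir()
        for name, text, mode in [("app.conf", "listen=127.0.0.1\n", 0o644),
                                 ("sudoers", "root ALL=(ALL) ALL\n", 0o440)]:
            (root / name).write_text(text)
            os.chmod(root / name, mode)
            os.utime(root / name, (1_600_000_000, 1_600_000_000))  # fixed past mtime
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(root, baseline_file)

        # Simulated drift: config content edited, permissions loosened, new file appears.
        (root / "app.conf").write_text("listen=0.0.0.0\n")
        os.chmod(root / "sudoers", 0o666)
        (root / "extra.conf").write_text("debug=true\n")
        os.chmod(root / "extra.conf", 0o644)
        return audit(root, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline once from a known-good state and the audit on a schedule; a report that is not empty is the "question it" moment the list calls for. Changing only the permission bits shows up under `changed` as `["mode"]`, while a rewritten file shows both `mtime` and `sha256`, which is why the hash is worth recording alongside the time stamp.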

Never, ever let your guard down.  Never.  Always have backup contingent plans.  Always be diligent and question anything that looks or feels out of the ordinary.  See something, say something but also DO something.



  • GitHub: FireEye countermeasures and information
  • Read more on SC Media here
  • Cert Release



It turns out that the hack at FireEye is the tip of the iceberg.  An update for SolarWinds Orion software was compromised and sent out to all of SolarWinds' users.  This includes Federal Agencies and commercial entities.  Orion software holds credentials such as Domain Admin, Cisco/router/switch root/enable creds, ESXi/vCenter credentials, AWS/Azure/cloud root API keys, and so much more.  CONSIDER THESE CREDENTIALS COMPROMISED.

You should consider an Emergency Response at the highest criticality to change these passwords, tokens, etc.  Change them AFTER an Orion software update that fixes the vulnerability.

2020-12-15: SolarWinds office in Austin is raided by the FBI, US Marshals and the Texas Rangers.

Stay vigilant!





© 1997-2022