As part of the breach disclosure, FireEye published a list of vulnerabilities that the Mandiant team uses, as well as a list of countermeasures that can be applied to other security tools for monitoring purposes. Many manufacturers may already have pre-developed policies and rules for the disclosed vulnerabilities and tools, or will develop dynamic content and policies that can be imported over the next few days. Most also support the manual methods described below. In most cases, though, these policies and rules will still need to be manually validated, applied and monitored. Here is a list of several network security manufacturers and their methods for importing the FireEye countermeasures.
Cisco AMP – uses Snort import (all-snort.rules)
https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/117924-technote-firesight-00.html
Palo Alto Networks – import Snort (all-snort.rules)
Palo Alto Networks – Firewall Appliance
https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/create-a-custom-threat-signature/create-a-custom-threat-signature-from-a-snort-signature
Palo Alto Networks – Panorama (as of PANOS 10.x)
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/content-inspection-features/ips-signature-converter-plugin-for-panorama.html
Check Point – import Snort (all-snort.rules)
Check Point has responded to the incident with the following community post, which gives updates on its approach to both exploits and attack tools.
https://community.checkpoint.com/t5/General-Topics/Check-Point-Response-to-FireEye-Red-Team-Tools-Leak/m-p/104767#M20123
https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_ThreatPrevention_AdminGuide/html_frameset.htm?topic=documents/R80.30/WebAdminGuides/EN/CP_R80.30_ThreatPrevention_AdminGuide/131103
Fortinet – FortiSandbox – import YARA rules
https://docs.fortinet.com/document/fortisandbox/3.0.3/administration-guide/690723/yara-rules
Fortinet – FortiGate – Snort conversion is required (all-snort.rules)
https://docs.fortinet.com/document/fortimanager/6.4.0/new-features/914830/fortisigconverter-management-extension-tool-to-import-snort-rules-6-4-3
Proofpoint – Emerging Threats (see latest Snort/Suricata rule set)
https://rules.emergingthreats.net/changelogs/