FireEye Breach Response Resources

As part of the breach disclosure, FireEye published a list of vulnerabilities that the Mandiant team uses as well as a list of countermeasures that can be applied to other security tools for monitoring purposes. Many manufacturers may already have pre-developed policies and rules for the disclosed vulnerabilities and tools or will develop dynamic content and policies that can be imported over the next few days. Most also support manual methods as well that are described below. In most cases though, these policies and rules will still need to manually be validated, applied and monitored. Here is a list of several network security manufacturers and methods for importing the FireEye countermeasures.

 

Cisco AMP – uses Snort import (all-snort.rules)
https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/117924-technote-firesight-00.html

 

Palo Alto Networks – import Snort (all-snort.rules)

 

Palo Alto Networks – Firewall Appliance
https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/create-a-custom-threat-signature/create-a-custom-threat-signature-from-a-snort-signature

 

Palo Alto Networks – Panorama (as of PANOS 10.x)

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/content-inspection-features/ips-signature-converter-plugin-for-panorama.html

 

Checkpoint – import Snort (all-snort.rules)
 
Checkpoint has responded to the incident with the following community post and states updated on it’s approach to both exploits and attack tools. 
 
https://community.checkpoint.com/t5/General-Topics/Check-Point-Response-to-FireEye-Red-Team-Tools-Leak/m-p/104767#M20123
 
https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_ThreatPrevention_AdminGuide/html_frameset.htm?topic=documents/R80.30/WebAdminGuides/EN/CP_R80.30_ThreatPrevention_AdminGuide/131103

 

Fortinet – FortiSandbox- import Yara rules

https://docs.fortinet.com/document/fortisandbox/3.0.3/administration-guide/690723/yara-rules
 
Fortinet – Fortigate - Snort conversion is required (all-snort.rules)

https://docs.fortinet.com/document/fortimanager/6.4.0/new-features/914830/fortisigconverter-management-extension-tool-to-import-snort-rules-6-4-3

 

Proofpoint – Emerging Threats (see latest Snort/Suricata rule set)

https://rules.emergingthreats.net/changelogs/

As always, Optiv stands ready to assist you with any security matter during these complex and trying times. If you need help, please do not hesitate to contact us at info@optiv.com.



Read Optiv’s FireEye Breach Perspective – Optiv's SVP, Cyber Defense Applied Security, Anthony Diaz, offers some steps organizations should take to secure their operations both short and long-term.

Optiv Flash Panel: Software Supply Chain Compromise

Software supply chain compromise explained: What you need to know and lessons learned. Join us for an important panel discussion featuring Optiv threat experts, who will uncover what we know of the compromise and its implications for organizations.

 

Watch On-Demand