On 8 December, FireEye announced that malicious actors had accessed their tool vault and compromised the company's highly sensitive red team tools. Our thoughts and support are with the FireEye team, and we wish them only the best as they quickly mitigate the attack and support their customers and partners worldwide. Based on the sophistication of the attack described, we continue to be concerned about the state of the advanced malicious actor threat landscape and encourage diligence in designing layered, robust defensive strategies.
In the short term, Optiv recommends that organizations take this time to shore up their defenses. This includes:
- Validating patching and hardening processes to ensure that they are working correctly
- Disabling any single-factor login entry points
- Updating security tools to include the detection signatures released by FireEye to identify the exposed tools. Optiv has updated our security content to protect our clients.
- Segmenting critical data and ensuring that defenses are increased around these areas
- Performing regular retroactive threat hunting, at a minimum for the near term, focused on irregular VPN logins, Windows native scripting, and authentication activity
- Rehearsing incident response playbooks and making revisions where needed
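As an added illustration of the retroactive hunt recommended above (this is example code written for this page, not Optiv's or FireEye's tooling), the script below replays constructed VPN authentication events against a per-user baseline and flags two patterns: a successful login from a source network, country, or hour of day never seen for that user, and one source IP failing against several distinct accounts within a short window and then succeeding. The line format, the user names, the IP addresses (all from documentation ranges), and the baseline cutoff date are assumptions made for the example; a real hunt would map the organization's VPN or identity provider export onto the same fields.

```python
"""Retroactive hunt over VPN authentication events (constructed sample data).

Added example, not Optiv's own content. Assumed line format (an assumption for
this example; map your real VPN/IdP export onto it):
  <ISO timestamp>Z vpn user=<name> src=<ip> geo=<country> result=<success|failure>
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events. Everything before BASELINE_CUTOFF builds the
# per-user baseline; everything after it is hunted.
SAMPLE_LOGS = """\
2020-11-30T08:02:11Z vpn user=alice src=203.0.113.10 geo=US result=success
2020-11-30T08:45:40Z vpn user=bob src=198.51.100.7 geo=US result=success
2020-12-01T09:10:05Z vpn user=alice src=203.0.113.10 geo=US result=success
2020-12-02T07:58:30Z vpn user=bob src=198.51.100.7 geo=US result=success
2020-12-03T08:20:19Z vpn user=alice src=203.0.113.11 geo=US result=success
2020-12-07T03:14:02Z vpn user=alice src=192.0.2.44 geo=RO result=success
2020-12-08T08:01:00Z vpn user=bob src=198.51.100.7 geo=US result=success
2020-12-08T10:02:13Z vpn user=carol src=192.0.2.99 geo=US result=failure
2020-12-08T10:02:15Z vpn user=dave src=192.0.2.99 geo=US result=failure
2020-12-08T10:02:17Z vpn user=erin src=192.0.2.99 geo=US result=failure
2020-12-08T10:02:19Z vpn user=frank src=192.0.2.99 geo=US result=failure
2020-12-08T10:02:21Z vpn user=bob src=192.0.2.99 geo=US result=success
"""
BASELINE_CUTOFF = "2020-12-06T00:00:00Z"  # assumed boundary between baseline and hunt period
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Turn one log line into a dict with a parsed timestamp."""
    ts, _, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, TS_FMT)
    return rec


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def net_of(ip):
    """Collapse an IPv4 address to its /24 so DHCP churn inside one office does not alert."""
    return ".".join(ip.split(".")[:3])


def build_baseline(events, cutoff):
    """Per user: (source /24, country) pairs and hours of day seen in successful logins before cutoff."""
    baseline = defaultdict(lambda: {"nets": set(), "hours": set()})
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            baseline[e["user"]]["nets"].add((net_of(e["src"]), e["geo"]))
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return baseline


def hunt_irregular_logins(events, cutoff):
    """Successful logins after cutoff from a network/country or hour never seen for that user."""
    baseline = build_baseline(events, cutoff)
    findings = []
    for e in events:
        if e["ts"] < cutoff or e["result"] != "success":
            continue
        b = baseline.get(e["user"])
        reasons = []
        if b is None:
            reasons.append("no baseline for user")
        else:
            if (net_of(e["src"]), e["geo"]) not in b["nets"]:
                reasons.append(f"new source {net_of(e['src'])}.0/24 ({e['geo']})")
            if e["ts"].hour not in b["hours"]:
                reasons.append(f"unusual hour {e['ts'].hour:02d}:00Z")
        if reasons:
            findings.append((e["ts"].isoformat(), e["user"], e["src"], reasons))
    return findings


def hunt_password_spray(events, min_users=3, window_s=60):
    """One source IP failing against >= min_users distinct accounts within window_s, then succeeding."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            failed = {p["user"] for p in evs[:i]
                      if p["result"] == "failure"
                      and (e["ts"] - p["ts"]).total_seconds() <= window_s}
            if len(failed) >= min_users:
                hits.append((src, e["user"], sorted(failed)))
    return hits


def run_hunts(text=SAMPLE_LOGS, cutoff=BASELINE_CUTOFF):
    events = parse_logs(text)
    cutoff_ts = datetime.strptime(cutoff, TS_FMT)
    return {
        "irregular_logins": hunt_irregular_logins(events, cutoff_ts),
        "password_spray": hunt_password_spray(events),
    }


if __name__ == "__main__":
    for name, rows in run_hunts().items():
        print(name)
        for row in rows:
            print("  ", row)
```

On the sample data the hunt flags alice's login from a new network and country at 03:14Z and bob's login from the same address that had just failed against four other accounts, while bob's ordinary morning login from his usual network passes. The /24 grouping and the hour-of-day check are deliberately coarse; the point is to baseline on the quiet period and review what deviates from it, not to produce a precise alert.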
Longer-term, this serves as a reminder that no single solution can provide comprehensive security defenses. A robust security program must be exactly that, a program. Policies and processes need to align with technical controls.
- Technical controls should be layered, providing multiple points of detection should any individual systems and controls be bypassed using tools such as the ones exposed this week.
- Assessments should be comprehensive and continuous, exploring the breadth of attack surfaces that you expose beyond just the network perimeter.
- Threat detection should be robust and built upon a robust logging capability; even a mature threat actor with undetectable 0-day bypass tools will likely trip a defense somewhere in a well-defined environment. That logging is also critical should an investigation become necessary.
- Remediation activities should be thorough. Yes, some findings are expensive to fix, and some require extensive network or application redesigns. However, if these same issues show up year after year through your assessment activities, this is a red flag indicator.
While none of this is new or groundbreaking, making a program work together continues to be one of the toughest problems to solve. Individual policies, controls, assessments, and projects are completed in a vacuum, and these efforts are seldom integrated to share data and work toward common outcomes. Optiv’s recommendation for reducing risk in the face of unknown threat actors, 0-day vulnerabilities, and bypasses continues to be fully integrated, robust programs that bring together the data and processes from all security investments to reduce breach risk.
Optiv Flash Panel: Software Supply Chain Compromise
Software supply chain compromise explained: What you need to know and lessons learned. Join us for an important panel discussion featuring Optiv threat experts, who will uncover what we know of the compromise and its implications for organizations.