FireEye and the red-team tools

FireEye disclosed on December 8 (FireEye blog post by Kevin Mandia) that the company had been the target of a sophisticated state-actor intrusion that resulted in the theft of its internal red-team assessment tooling. The tooling, the offensive-capability suite FireEye uses in its red-team customer engagements, was on FireEye's analysis taken in full, and the company has published a comprehensive set of detection signatures, IoCs and Snort rules so that the security community can detect use of the stolen tooling against any subsequent targets (FireEye GitHub repository for the red-team tool indicators).

The disclosure is, in form and operational character, unusually candid. FireEye is a major US security-services firm, and a public disclosure of this nature is a substantial reputational event for the company. The choice to disclose comprehensively, to publish the indicators of compromise for defensive use, to attribute (in tentative terms) to a state actor, and to commit to ongoing investigation transparency is exemplary by the standard of the post-Uber-disclosure norms that I have been writing about for years. The Mandiant-side disclosure tone has been consistent through the company's history (the original APT1 report in 2013 is the historical precedent for substantive technical transparency about state-actor activity), and the operational handling of this case is in the same tradition.

Analysis of the technical content is ongoing. The red-team tool suite includes implementations of well-known offensive techniques as well as some non-public capability. The detection content FireEye has published covers the full inventory; the customer-side action is to incorporate the detection signatures into SOC content, monitor for any indicators of compromise consistent with use of the stolen tooling, and elevate alert posture for the post-disclosure period. Our SOC has incorporated the FireEye-published content as of yesterday afternoon and the customer-portfolio detection coverage is comprehensive.
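A concrete form of the customer-side step above, as an added illustration rather than anything from FireEye's repository: a minimal matcher for the Snort rule syntax the countermeasures are published in, run over constructed sample payloads so a rule can be sanity-checked offline before it goes into SOC content. The rule text, sid, message and paths are constructed placeholders, not a real FireEye rule.

```python
import re
from dataclasses import dataclass, field

# Constructed rule in Snort syntax. Placeholder content and sid, not a real
# FireEye countermeasure rule; substitute the published rules when vetting them.
RULE_TEXT = r'''
alert tcp any any -> any 443 (msg:"EXAMPLE red-team tool beacon"; flow:established,to_server; content:"POST"; content:"/api/v1/EXAMPLE_TOOL_BEACON"; nocase; sid:9000001; rev:1;)
'''

# Matches "option;" or "option:value;" where value may be a quoted string.
OPT_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

@dataclass
class Rule:
    sid: int = 0
    msg: str = ""
    contents: list = field(default_factory=list)  # [pattern_bytes, nocase_flag]

def parse_rules(text):
    """Parse the subset of Snort syntax needed here: msg, content, nocase, sid."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("alert"):
            continue
        body = line[line.index("(") + 1:line.rindex(")")]
        rule = Rule()
        for key, val in OPT_RE.findall(body):
            val = val.strip().strip('"')
            if key == "content":
                rule.contents.append([val.encode(), False])
            elif key == "nocase" and rule.contents:
                rule.contents[-1][1] = True  # nocase modifies the preceding content
            elif key == "sid":
                rule.sid = int(val)
            elif key == "msg":
                rule.msg = val
        rules.append(rule)
    return rules

def match(rules, payload):
    """Return sids of rules whose every content pattern occurs in payload (bytes)."""
    hits = []
    for rule in rules:
        ok = all((pat.lower() in payload.lower()) if nocase else (pat in payload)
                 for pat, nocase in rule.contents)
        if ok and rule.contents:
            hits.append(rule.sid)
    return hits
```

Because nocase applies only to the content it follows, a lower-cased request method does not fire this rule while a mixed-case path does, which is the kind of subtlety worth checking before a rule is trusted in production.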

The wider question — and this is the one that is going to develop substantially in the coming weeks — is what the intrusion against FireEye implies about the state actor's broader campaign. A sophisticated state-actor cluster does not, in the normal pattern, target a single security firm in isolation; the targeting against FireEye is likely to be one element of a wider campaign against multiple targets, possibly including other security firms, possibly including FireEye's customer base, possibly including other categories of organisation that the actor has interests in. The follow-on disclosures that may emerge from this — from FireEye itself in their continuing investigation, or from other affected organisations as they become aware of compromise — are the operational concern for the next several weeks. The Mandiant team is unusually well-equipped to drive the investigation; the public disclosure cadence will, on the historical pattern, produce useful additional detail.

For the customer briefings, the FireEye case is producing a different kind of conversation than the typical breach disclosure. The customer organisations are not, in the main, FireEye customers, so the direct-impact question is limited. The wider question — whether their own security-vendor relationships are exposed to comparable risk, whether the threat-actor cluster running the FireEye operation may be in their own networks, what the defensive posture should be — is more substantive. The customer-organisation conversations this week have included an unusual amount of substantive engagement with the operational and strategic implications.

I will return to this as the FireEye investigation produces additional public detail. The case is structurally significant in ways that the next several weeks will clarify.