The FireEye hack is a regrettable event that will likely cause significant issues for US companies and governmental agencies. The threat actors behind the FireEye compromise targeted FireEye’s internally developed red team tools. FireEye used these custom tools and exploits to conduct penetration testing on organizations to expose vulnerabilities within networks. Although, FireEye claims that none of what was stolen was a zero-day vulnerability, based on SpearTip’s experience, a significant number of environments are vulnerable to these hacking tools. More than likely, you have systems on your network that are vulnerable to these hacking tools.
Ransomware threat groups will use these tools to steal data and encrypt systems within companies to extort them for large ransom payments within the next 3-4 months. These attacks will lead to large ransomware insurance claims, when covered, and cause significant disruptions to businesses.
Cyber issues continue to increase in severity. Just this morning, 9 Dec, we facilitated four new incident response engagements where the companies data was likely stolen, and systems throughout the corporate networks were encrypted. Of those companies, all had purchased a backup solution and an antivirus solution; only one of those had working backups were working. Even with working backups, they had to engage our IT Remediation team and look at 1-2 weeks before being fully operational. In each case, the threat actor stole data and was threatening to post it online for anyone to download. The ransom demands ranged from $600,000 to $1,400,000. The companies ranged in size from 30 – 450 employees. We wish we were just fear-mongering, but this is a continued threat we see increasing daily.
Despite this bad news, there is a lot a company can do about it. Below are just a few recommendations.
Have a dedicated cyber insurance policy with sufficient limits and the right coverage types – working with a cyber insurance broker is critical.
- For example, without specific coverage, almost no “cyber” policies will cover a ransom payment, especially if this coverage is just added to a liability or EO policy. You may have $10 Million in cyber coverage, but would it actually cover a $1.4 Million ransom payment?
You need to invest in your security.
- The average company experiences about 2-4 weeks of disruption when working with a competent recovery firm, even when the ransom is paid. What would that cost your company?
You need to invest in expertise, not just technology.
- If FireEye can be compromised, so can your environment.
- FireEye’s internal technology failed to detect this; the breach was detected by human cybersecurity experts.
- Part of your cybersecurity solution must include cyber experts monitoring your environment 24/7 that can react immediately when the network is attacked.
If you have concerns about your security posture, feel free to reach out.
Our 24/7 Security Operations Center (SOC) is complete with certified security engineers to monitor and protect your environment. Not only are they continuously preventing cyberattacks, but they can also deploy ShadowSpear® in your environment before or after an attack.