FireEye, one of the largest security firms in the market, released a statement saying they were the victim of a highly sophisticated attack.
In a press release on December 8, 2020, FireEye CEO Kevin Mandia said the threat actor not only gained access to the company's internal network and stole its hacking tools, but also searched for sensitive information related to its government customers.
This story is gaining a lot of attention, and for obvious reasons. A security company should never fall victim to a cyberattack, right?
It's not that simple.
FireEye did not become a firm that big by having poor security practices. It is a very respectable organization, and criticizing it doesn't solve anything.
"What this breach is doing, is providing everyone with a reminder of what's important to an organization when it comes to defending itself against cyber-attacks." - Derek White
Cyber threats come in all shapes and sizes. From basic attacks to sophisticated attacks, no organization is breach-proof. Attackers aren't much different from home burglars. The main difference? Cyber-criminals don't usually break in; they are let in.
If cyber-criminals and threat actors want in, they plan their attacks around the target. If a house has a fence, motion lights, a large barking dog, and a security guard, burglars don't plan to walk up to the front door. They get more creative and develop a plan of attack.
In FireEye's case, the threat actor(s) likely knew that basic attack vectors weren't going to be successful. They obviously did their homework, picked their targets, and had a sophisticated plan ready to deploy once someone let them in (that is, once they gained access to the internal network).
Cybersecurity is not a "set it and forget it" situation. To protect against basic attacks, sophisticated attacks, and constantly evolving new threats, organizations need an ongoing security program that lowers the risks and the associated impacts on their business.
This starts with an assessment. To mature the security posture of an organization, there needs to be a stake in the ground, a "moment in time" baseline against which all progress can be measured.
Some assessments are based on risk, impact, and likelihood. Others assess against a framework of controls, either industry-standard best practice or compliance requirements. Regardless of what is being assessed, the important output is the list of gaps where an organization is deficient, often referred to as a gap analysis.
Once a gap-analysis report is generated, an organization can begin its remediation efforts and build a roadmap to the desired outcome. To prioritize that plan, the factors mentioned above (risk, likelihood, and impact) should always be weighed alongside cost, timelines, and resources (internal and external) as they are built into the plan.
It's easy to focus on the "low-hanging fruit" in the security world. This is where a lot of organizations take the "DIY" approach, only to lose time and focus to other matters and push security down the list. This is where the severity of a breach can become catastrophic to an organization.
Dedicating the right resources (financial, internal, external, etc.) to remediate gaps and increase security maturity is important. So is measuring the effectiveness of those efforts.
At Beryllium, we spend a lot of our time working with contractors of the United States Department of Defense (DoD) who make up the Defense Industrial Base (DIB). Unfortunately, the importance of securing our national defense information isn't enough motivation for many organizations in the DoD supply chain to fully implement and manage a good cybersecurity program.
Any time changes are made to a business, whether process improvement, product improvement, or something else, it's always a good idea to re-assess against what was newly implemented. The same is true for cybersecurity.
How can an organization be sure that its remediation efforts to close gaps are getting done and are effective? Conduct a re-assessment, not only to provide internal confidence but to help shape "moving-forward" efforts and decisions as threats evolve and business situations change.
Whether you self-assess or bring in outside expertise to re-assess, assessing and showing progress rarely comes with negative consequences.
There's a difference between believing and knowing. As the security world begins to see more and more certifications (like the CMMC), there's a new level of organizational risk in being "wrong" or "inaccurate."
Use an independent party to attest that your compliance efforts are justified. Build confidence in your efforts by having someone else confirm that they have benefited the organization. Eliminate that feeling of uncertainty and take pride in not being an easy target (and, in turn, not being a vulnerability to your customers, employees, etc.).
Find a subject matter expert who understands the security landscape your organization lives in. Find a subject matter expert who understands more than just "auditing against requirements" and knows what it will take for your organization to actually get things done and in place. Use a letter of attestation from an independent SME to build confidence with your customers.
In the case of FireEye, we may never learn exactly how this sophisticated attack became successful, but most organizations don't have the benefit of working directly with Microsoft and the FBI to determine what happened.
For many smaller businesses, the attacks are far more basic. Why? Because basic attacks are working. For many of the small-to-medium-sized businesses making up the DoD supply chain, the risk of "believing" they are secure is not worth the consequences if they are wrong.
If you are a supplier to the DoD and subject to DFARS 252.204-7012, 7019, or 7020 (and eventually 7021), and need to implement NIST SP 800-171 in order to be successful prior to CMMC Level 3 certification, contact Beryllium today.