Shostack + Friends Blog


Fireeye Hack & Culture

Thoughts on the recent Fireeye Hack and the culture surrounding breaches

[Update: 3 comments] Fireeye's announcement of their discovery of a breach is all over the news. The Reuters article quotes a 'Western security official' as saying "Plenty of similar companies have also been popped like this."

I have two comments. First, it's easy for anyone to label attackers "sophisticated." Fireeye certainly has more data and experience in assessing that, and I'd like to see their scale. I'd like to hear specifics of what makes them call the hack top-tier. OK, they "tailored their capabilities"? How? When you say "a novel combination of techniques" is that "novel techniques" or "novel combinations"? I understand that that's unlikely to come out for a while because of investigations.

Second, nearly fifteen years ago, when we wrote the New School, the way we perceived breaches was very different. Now, almost all of what I'm seeing is the message that we should be compassionate and see how we can learn from it, for example: Let’s see how they can react to this and ultimately strengthen the industry.

It's very positive to see that change has really taken hold.

Third, after writing a first version, I'm seeing lots of compliments about them releasing lots of IoCs, and that release is a great step. Also, I want to say that, if your ability to detect these attacks is dependent on these IoCs, you may be in trouble. And if you're rushing to add those detections to your defenses, I want to encourage you to ask: how likely is it you'll be attacked with these specific tools? Never waste a good crisis, sure, but that doesn't make implementing these IoCs the right use of your crisis energy.