How the FireEye post about being hacked could be clearer

FireEye is a cyber security company with tools you can use to test your systems. Somebody hacked them and stole the tools. I’ll give FireEye credit for discussing the theft honestly, but they’ve got a bit to learn about clarity under pressure.

Analyzing FireEye’s post

Here’s the post with my analysis.

FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community

December 08, 2020 | by Kevin Mandia

FireEye is on the front lines defending companies and critical infrastructure globally from cyber threats. We witness the growing threat firsthand, and we know that cyber threats are always evolving. Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack. Our number one priority is working to strengthen the security of our customers and the broader community. We hope that by sharing the details of our investigation, the entire community will be better equipped to fight and defeat cyber attacks.

What’s good: Clearly admits the problem.

What could be better: Couched in self-serving terms and buries the lede. The first two sentences are just warm-up, and irrelevant. The lede is that somebody attacked them (“we were attacked by a highly sophisticated threat actor”). That statement is in passive voice and includes the weasel words “highly.” The self-justifying “number one priority” immediately makes the reader suspicious.

Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.

We are actively investigating in coordination with the Federal Bureau of Investigation and other key partners, including Microsoft. Their initial analysis supports our conclusion that this was the work of a highly sophisticated state-sponsored attacker utilizing novel techniques.    

What’s good: Describes the threat, tells what they are doing next.

What could be better: Filled with more ill-defined weasel words like “world-class” and “highly trained.” Also reads as “If we got hacked, they must be pretty good.”

During our investigation to date, we have found that the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security. These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers. None of the tools contain zero-day exploits. Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen Red Team tools.   

We are not sure if the attacker intends to use our Red Team tools or to publicly disclose them. Nevertheless, out of an abundance of caution, we have developed more than 300 countermeasures for our customers, and the community at large, to use in order to minimize the potential impact of the theft of these tools.  

We have seen no evidence to date that any attacker has used the stolen Red Team tools. We, as well as others in the security community, will continue to monitor for any such activity. At this time, we want to ensure that the entire security community is both aware and protected against the attempted use of these Red Team tools. 

What’s good: Identifies what was stolen, and how FireEye is taking measures to protect customers from the stolen tools. (“Red Team” tools are tools that mimic what attackers do, used by cyber security staff to test vulnerabilities in clients’ systems.)

What could be better: Wordy.

Specifically, here is what we are doing:

– We have prepared countermeasures that can detect or block the use of our stolen Red Team tools.

– We have implemented countermeasures into our security products.

– We are sharing these countermeasures with our colleagues in the security community so that they can update their security tools.

– We are making the countermeasures publicly available in our blog post, “Unauthorized Access of FireEye Red Team Tools”.

– We will continue to share and refine any additional mitigations for the Red Team tools as they become available, both publicly and directly with our security partners.

What’s good: A clear and specific list.

Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers. While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact them directly.

What’s good: Describes potential additional problems.

What could be better: Starts with a dangling modifier.

Over many years, we have identified, cataloged, and publicly disclosed the activities of many Advanced Persistent Threat (APT) groups, empowering the broader security community to detect and block new and emerging threats.

Every day, we innovate and adapt to protect our customers from threat actors who play outside the legal and ethical bounds of society. This event is no different. We’re confident in the efficacy of our products and the processes we use to refine them. We have learned and continue to learn more about our adversaries as a result of this attack, and the greater security community will emerge from this incident better protected. We will never be deterred from doing what is right.

What’s good: Sounds determined.

What could be better: A clearly self-serving “you can still trust us.” Goes on too long (as in “methinks thou does protest too much”).

How I would rewrite the FireEye post

FireEye are security professionals, not professional writers. It’s tough to write clearly in a crisis. I’d give their effort a solid B, but it’s instructive to see how it might read if it were clearer, didn’t bury the lede, and avoided weasel words. Because the original announcement was on the right track, my revision shown below is an edit, not a complete rewrite.

Here’s how we were attacked — and the measures we’ve taken to keep clients safe

We recently suffered a cyber-attack, in which a threat actor gained access to our Red Team tools. Based on the level of discipline, operational security, and techniques, we are sure this was no ordinary attack. We believe this was a state-sponsored attack. We have now taken steps both to investigate what happened and to keep our clients safe in the wake of the attack.

Regarding the attack: Based on my 25 years in cyber security and responding to incidents, I’ve concluded the attacker was a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years. It included elements specifically targeted at FireEye. The attackers operated clandestinely, using methods that counter security tools and forensic examination. We and our partners have not seen this unique combination of techniques before.

We are actively investigating in coordination with the Federal Bureau of Investigation and partners including Microsoft. Their initial analysis supports our conclusion that this was the work of a sophisticated state-sponsored attacker utilizing novel techniques.    

The attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security. These tools mimic the behavior of many cyber threat actors and enable FireEye to provide diagnostic security services to our customers. None of the tools contain zero-day exploits. Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen Red Team tools.   

We have seen no evidence to date that any attacker has used the stolen Red Team tools. However, in case the attacker attempts to use our tools against others, we have developed more than 300 countermeasures for our customers and the community at large. We want to ensure that the entire security community is both aware of and protected against the attempted use of these Red Team tools.

Specifically, here is what we are doing:

  • We have prepared countermeasures that can detect or block the use of our stolen Red Team tools.
  • We have implemented countermeasures into our security products.
  • We are sharing these countermeasures with our colleagues in the security community so that they can update their security tools.
  • We are making the countermeasures publicly available in our blog post, “Unauthorized Access of FireEye Red Team Tools”.
  • We will continue to share and refine any additional mitigations for the Red Team tools as they become available, both publicly and directly with our security partners.

The attacker primarily sought information related to certain government customers, which is consistent with a nation-state cyber-espionage effort. While the attacker was able to access some of our internal systems, at this point in our investigation, we have seen no evidence that the attacker exfiltrated data from our primary systems that store customer information from our incident response or consulting engagements, or the metadata collected by our products in our dynamic threat intelligence systems. If we discover that customer information was taken, we will contact the customers directly.

We’re confident in the efficacy of our products and the processes we use to refine them. We have learned and continue to learn more about our adversaries as a result of this attack, and the greater security community will emerge from this incident better protected. We will never be deterred from doing what is right.
