As FireEye recently announced, some of its Red Team tools were stolen by a nation-state attacker, presumably to learn which weaknesses those tools target and how they exploit them. The good news is that none of the tools rely on zero-day exploits. The bad news is that they exploit well-known vulnerabilities, all with patches available, and those vulnerabilities form part of the testing suite FireEye’s Red Team uses against its clients.
As a quick review, a Red Team’s purpose is to mimic a real cyberattack and exploit existing weaknesses by any means available. This goes beyond IT controls to include manipulating staff members, abusing business processes, or even defeating physical security to accomplish the breach. Red Teams work covertly, so that the client’s security team is tested and trained under realistic conditions. This differs from penetration testing, a narrower exercise that is overt, confined to technical controls, and usually limited to a defined scope of systems.
If a vulnerability is included in a Red Team’s testing suite, it is there because the team keeps finding clients who are either unaware of it or have left it unpatched. In other words, a stolen Red Team toolkit tells a sophisticated attacker which vulnerabilities typically go unaddressed, and therefore which offer the easiest way in.
One big issue here is organizations continue to be susceptible to well-known vulnerabilities with available patches. Some common reasons we see when we talk to prospects are:
- Poor asset visibility
- Poor performance by vulnerability scanners leading to missed vulnerability identification
- Infrequent scanning of assets (scan intervals of every 3 to 6 months)
- Patch teams unable to keep up with overwhelming and out-of-date patch to-do-lists
- Improper prioritization of vulnerability risk leading to scattered patching efforts
- “Active” monitoring solutions failing to detect passive threats between scans
WannaCry showed the same pattern: its spreading mechanism exploited a vulnerability (MS17-010) that Microsoft had patched two months before the outbreak, yet many legacy vulnerability scanners failed to identify the still-vulnerable systems. Organizations are likewise failing today to identify and prioritize commonly exploited vulnerabilities in their environments. Finding and ranking those known, patchable weaknesses is the proactive first line of defense, and it is critical to preventing the compromised systems that eventually lead to a breach or a successful ransomware campaign.
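The prioritization problem described above (stale scans, poor asset visibility, patch lists ranked by CVSS alone rather than by what attackers actually use) can be reduced to a simple join between scanner output and a watchlist of vulnerabilities known to be exploited in the wild. The script below is an added example, not code from the original post or from Digital Defense; the scanner export, the watchlist entries, the 30-day staleness threshold and the `EXAMPLE_TODAY` date are all constructed for illustration, and the watchlist is not a claim about which CVEs the FireEye list contains.

```python
"""
Added example (not from the original post): rank scanner findings by whether
the CVE is on an exploited-in-the-wild watchlist, then by CVSS, and flag
assets whose last scan is too old to trust. All data here is constructed.
"""
import csv
import io
from datetime import date, timedelta

# Constructed watchlist. In practice this would be loaded from a published
# source such as the CVE list accompanying the FireEye tool disclosure;
# the three entries below are illustrative only.
EXPLOITED_WATCHLIST = {
    "CVE-2019-19781": "Citrix ADC path traversal",
    "CVE-2020-1472": "Netlogon privilege escalation (Zerologon)",
    "CVE-2019-11510": "Pulse Secure VPN arbitrary file read",
}

# Constructed scanner export: one finding per row, with the date the asset
# was last scanned. Assumed column layout; adapt to your scanner's format.
SCAN_EXPORT = """asset,cve,cvss,last_scanned
vpn-gw-01,CVE-2019-11510,10.0,2020-06-01
dc-01,CVE-2020-1472,10.0,2020-12-01
web-03,CVE-2020-0601,8.1,2020-12-05
adc-02,CVE-2019-19781,9.8,2020-05-15
web-03,CVE-2019-0211,7.8,2020-12-05
"""

MAX_SCAN_AGE = timedelta(days=30)        # assumed threshold for a stale scan
EXAMPLE_TODAY = date(2020, 12, 10)       # fixed "today" so the example is deterministic


def parse_findings(text):
    """Parse the CSV export into a list of finding dicts with typed fields."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "asset": row["asset"],
            "cve": row["cve"],
            "cvss": float(row["cvss"]),
            "last_scanned": date.fromisoformat(row["last_scanned"]),
        })
    return findings


def prioritize(findings, today, watchlist=EXPLOITED_WATCHLIST, max_age=MAX_SCAN_AGE):
    """Return findings ordered for patching: exploited-in-the-wild CVEs first,
    then by CVSS (descending), then by asset name for a stable order.
    Each result carries 'exploited' and 'stale' flags; a stale finding may be
    fixed already, or the asset may have acquired worse ones since."""
    ranked = []
    for f in findings:
        ranked.append({
            **f,
            "exploited": f["cve"] in watchlist,
            "stale": today - f["last_scanned"] > max_age,
            "note": watchlist.get(f["cve"], ""),
        })
    ranked.sort(key=lambda f: (not f["exploited"], -f["cvss"], f["asset"]))
    return ranked


def stale_assets(findings, today, max_age=MAX_SCAN_AGE):
    """Assets whose most recent scan is older than max_age. Neither their
    findings nor their lack of findings should be trusted until rescanned."""
    latest = {}
    for f in findings:
        latest[f["asset"]] = max(latest.get(f["asset"], date.min), f["last_scanned"])
    return sorted(asset for asset, seen in latest.items() if today - seen > max_age)


if __name__ == "__main__":
    findings = parse_findings(SCAN_EXPORT)
    for f in prioritize(findings, EXAMPLE_TODAY):
        flag = "EXPLOITED" if f["exploited"] else "         "
        age = "STALE" if f["stale"] else "     "
        print(f"{flag} {age} {f['asset']:<10} {f['cve']:<15} {f['cvss']:>4}  {f['note']}")
    print("rescan first:", stale_assets(findings, EXAMPLE_TODAY))
```

Two points are worth noting in the output. The two 10.0-scored findings that sit at the top are tied on CVSS, so CVSS alone would not separate them from the web server's 8.1; the watchlist does. And the two assets flagged stale are exactly the ones carrying exploited CVEs, which is the usual shape of the problem: the hosts that are hardest to reach with a scanner are the ones attackers find easiest to reach from the outside.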
Fortunately, customers and prospects using Digital Defense’s Frontline.Cloud™ platform can expect full coverage for all of the vulnerabilities targeted by the FireEye toolkit. Using Frontline Threat Landscape™, you can also determine whether any new exploits are being used in the wild and map that risk to your specific assets, so that patching of these vulnerabilities can be re-prioritized in case they were missed. View the related SolarWinds Orion advisory for more details.