9 December 2020
Nathan Smolenski

Three Practical Takeaways from the FireEye Hack

What cyber insurance brokers and policyholders should (and shouldn't) take away from this week's biggest cybersecurity story.

The cybersecurity world learned yesterday that FireEye, a well-known cybersecurity and incident response firm, had been breached and that red team tools it developed were stolen. By drawing comparisons to the April 2017 public leak of the NSA's EternalBlue exploit by the Shadow Brokers, initial reporting implied that the tools, now in the hands of attackers, might lower the barrier to attacks and present new risks.

In reality, there are key differences between this situation and the NSA leak that are worth noting. To help cut through the noise, here are three quick takeaways for any organization or cyber insurance broker trying to make sense of the story:

1. Take a breath and count to ten. This is not the NSA 2.0. 

The tools taken from FireEye were "red team tools": software used to approach a client's systems adversarially, simulating how sophisticated attackers would plan and execute an intrusion against vulnerable software or configurations in that client's environment. Such tools in the wrong hands sounds scary. However, these are not purpose-built, novel digital weapons of the kind the NSA develops. FireEye's "arsenal" would have been built up over years of observing the tools, tactics, techniques and procedures that attackers used against FireEye's clients, and the vulnerabilities it targets (listed below) are all publicly known and patchable. True, FireEye may have unique and sophisticated versions of these tools that differ in some way from what was already widely known, but nothing revealed is groundbreaking.

2. FireEye probably wasn’t surprised 

Given the firm's quick and comprehensive response, FireEye was clearly prepared for this eventuality, evidence of a "not if, but when" attitude. Since FireEye has made a name for itself by tracking down and outing the actors behind major hacks and helping clients protect themselves, it makes sense that they saw themselves as a major target. FireEye released detection signatures for the stolen tools (Snort, Yara, ClamAV and HXIOC rules) on GitHub, along with a prioritized list of the vulnerabilities the tools exploit, so that any security team can check its own systems and confirm they are protected. (See below for the list of CVEs that should be prioritized as a result of the hack.)

3. Cybersecurity hygiene is the real story

The details the firm released about its tools prove one thing above all: regular lifecycle and vulnerability management matters. The list of critical CVEs with the most potential impact if the tools are used by attackers (below) looks extensive, but any company with good cyber hygiene should already have patched or otherwise remediated these risks. Some were disclosed more than six years ago (CVE-2014-1812 dates from 2014), and there are no "zero day" vulnerabilities involved (vulnerabilities being exploited before the vendor has released a patch or other mitigation). Rather than a completely new and dangerous set of risks for organizations to worry about, this is a matter of refocusing on the fundamentals: vulnerability management, patch management and general vigilance.

What to do now

The biggest story of this episode may end up being about FireEye itself: their “secret sauce” has been exposed and their reputation and revenue threatened. How the firm proceeds will be an interesting case study. But that’s for later rumination. Right now, the takeaway for any organization is this: take a breath, check against the vulnerabilities that FireEye identifies, and consider improving your vulnerability management, patching and software lifecycle management if there are any gaps revealed by the exercise. 

Prioritized list of CVEs that should be addressed to limit the effectiveness of the Red Team tools

This is a recommended order and customers may set their own priorities based on their unique environments. CVSS scores are as published by FireEye; note that CVE-2014-1812's 9.0 is a CVSS v2 score, so it is not directly comparable to the v3 scores of the newer entries. If you are a Corvus policyholder or have a client with a Corvus policy and need additional assistance, contact services@corvusinsurance.com to schedule a call with our CISO.

  1. CVE-2019-11510 – Pulse Secure VPN – pre-auth arbitrary file reading from Pulse Secure SSL VPNs – CVSS 10.0

  2. CVE-2020-1472 – Zerologon – Microsoft Netlogon escalation of privileges to Active Directory domain controllers – CVSS 10.0

  3. CVE-2018-13379 – FortiGate SSL VPN – pre-auth arbitrary file reading from Fortinet FortiGate SSL VPN – CVSS 9.8

  4. CVE-2018-15961 – RCE via Adobe ColdFusion (arbitrary file upload that can be used to upload a JSP web shell) – CVSS 9.8

  5. CVE-2019-0604 – RCE for Microsoft SharePoint – CVSS 9.8

  6. CVE-2019-0708 – BlueKeep – RCE of Windows Remote Desktop Services (RDS) – CVSS 9.8

  7. CVE-2019-11580 – Atlassian Crowd Remote Code Execution – CVSS 9.8

  8. CVE-2019-19781 – Citrix NetScaler – RCE of Citrix Application Delivery Controller and Citrix Gateway – CVSS 9.8

  9. CVE-2020-10189 – RCE for Zoho ManageEngine Desktop Central – CVSS 9.8

  10. CVE-2014-1812 – Windows Local Privilege Escalation – CVSS 9.0

  11. CVE-2019-3398 – Confluence Authenticated Remote Code Execution – CVSS 8.8

  12. CVE-2020-0688 – Remote Command Execution in Microsoft Exchange – CVSS 8.8

  13. CVE-2016-0167 – local privilege escalation on older versions of Microsoft Windows – CVSS 7.8

  14. CVE-2017-11774 – RCE in Microsoft Outlook via crafted document execution (phishing) – CVSS 7.8

  15. CVE-2018-8581 – Microsoft Exchange Server escalation of privileges – CVSS 7.4

  16. CVE-2019-8394 – arbitrary pre-auth file upload to Zoho ManageEngine ServiceDesk Plus – CVSS 6.5
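The practical step above is to check your own estate against this list. The script below is an added example (not from the original post and not part of FireEye's published countermeasures) showing one way to do that: it cross-references a vulnerability-scanner export against the prioritized CVEs, reports the open findings in FireEye's recommended order, and flags which listed CVEs the scanner never reported at all (a coverage gap, not a clean bill of health). The three-column CSV format and the hostnames are constructed for illustration; real scanner exports differ, so adapt `parse_export` accordingly.

```python
"""Triage a vulnerability-scan export against the prioritized CVE list.

Added example, not part of the original post or FireEye's countermeasures.
The CSV layout (hostname,cve,status) and the sample rows are constructed
for illustration; adjust parse_export() to your scanner's export format.
"""
import csv
import io
from collections import defaultdict

# The prioritized list from the post, in the recommended remediation order.
PRIORITIZED_CVES = [
    "CVE-2019-11510", "CVE-2020-1472", "CVE-2018-13379", "CVE-2018-15961",
    "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-11580", "CVE-2019-19781",
    "CVE-2020-10189", "CVE-2014-1812", "CVE-2019-3398", "CVE-2020-0688",
    "CVE-2016-0167", "CVE-2017-11774", "CVE-2018-8581", "CVE-2019-8394",
]
RANK = {cve: i + 1 for i, cve in enumerate(PRIORITIZED_CVES)}

# Constructed sample export with hypothetical hosts. Note the mixed case and
# stray whitespace in the CVE and status columns, which real exports often have.
SAMPLE_EXPORT = """\
hostname,cve,status
vpn-edge-01,CVE-2019-11510,open
vpn-edge-01,CVE-2020-0601,open
dc-01,CVE-2020-1472,open
mail-01,CVE-2020-0688,open
mail-01,CVE-2018-8581,mitigated
web-03, cve-2018-15961 ,OPEN
web-03,CVE-2019-0604,fixed
"""


def normalize_cve(raw):
    """Canonical form so 'cve-2018-15961 ' matches the list entries."""
    return raw.strip().upper()


def parse_export(text):
    """Yield (host, cve, status) from a CSV export with a header row."""
    for row in csv.DictReader(io.StringIO(text)):
        yield (row["hostname"].strip(),
               normalize_cve(row["cve"]),
               row["status"].strip().lower())


def triage(text, open_states=("open",)):
    """Open findings that are on the prioritized list, sorted by rank.

    Returns a list of (rank, cve, host); anything not on the list or not in
    an open state is ignored, so the output is the remediation queue itself.
    """
    hits = [(RANK[cve], cve, host)
            for host, cve, status in parse_export(text)
            if cve in RANK and status in open_states]
    return sorted(hits)


def coverage_gaps(text):
    """Prioritized CVEs the scanner never reported in any state.

    A CVE absent from the export may mean no affected product is deployed,
    or that the scanner lacks a check for it; either way it needs a look.
    """
    seen = {cve for _, cve, _ in parse_export(text)}
    return [cve for cve in PRIORITIZED_CVES if cve not in seen]


def report(text):
    """Human-readable summary grouped by host, highest-priority host first."""
    by_host = defaultdict(list)
    for rank, cve, host in triage(text):
        by_host[host].append(f"#{rank} {cve}")
    lines = [f"{host}: {', '.join(items)}"
             for host, items in sorted(by_host.items(), key=lambda kv: kv[1][0])]
    lines.append("not reported by scanner: " + ", ".join(coverage_gaps(text)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```

Treat the "not reported by scanner" line as an action item: confirm either that no affected product exists in the environment or that the scanner actually has a check for that CVE before concluding it is not exposed.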
