With the recent hack of FireEye, there have been many questions circulating among cybersecurity experts and the clients they serve. At LRQA we're dedicated to providing the most robust security practices to the people we serve.
In light of recent events, we've asked our security experts, who are on the front lines of cybersecurity on a daily basis, to answer the questions we received. We hope this information helps you stay prepared and protected, and offers peace of mind that LRQA is fully prepared to keep you protected.
How can I stop this happening to me?
One of the strongest measures for testing your environment against sophisticated attacks is to conduct Red Team testing. Red Teaming and other intelligence-led testing are great activities which help identify the routes that threat actors, such as hacktivists, organised crime and nation states, would take in compromising your business. These threat actors are then simulated and your defences are tested to gain an understanding of how well your organisation would stand up to these attacks, and of how to improve defences moving forward to prevent such attacks in future.
Purple Teaming, which combines the activities of Red Teaming and Blue Teaming, is ideal for those who have recently conducted Red Team engagements. Purple Teaming will take a specific scenario and dry run it alongside the Blue Team, ensuring their configurations are set to detect these specific attacks per scenario.
A dedicated Security Information and Event Management (SIEM) solution that continuously monitors your critical infrastructure to detect and prevent attacks, such as the one operated by LRQA's SOC, is becoming more vital for organisations as we move further into the digital age. These systems need to be continuously tuned to ensure they are detecting these sophisticated types of attacks. FireEye's countermeasures have already been released, and these should have been automatically distributed to Intrusion Detection/Prevention Systems (IDS/IPS). Businesses should ensure complete and up-to-date IDS/IPS coverage of their on-premises and Cloud infrastructure.
Additionally, further detection tool sets such as EDR (Endpoint Detection and Response) and NDR (Network Detection and Response) should have updated watchlists to detect the key Indicators of Compromise released by FireEye.
Am I being targeted?
A common question you may have is, “How do I know if I’m being targeted?”
The answer is that you may not know until it's too late. To combat this unknown, utilising a Threat Intelligence solution can alert you to an attack. Threat Intelligence exercises such as Digital Attack Surface Assessments or Key Persons Threat Intelligence solutions help identify the threat actors who may be targeting you, along with their tactics and procedures. Knowing who might be attacking you, why, and how will help you plan and prepare your defences against these attacks.
If a reputable cybersecurity company has been breached, what defences does LRQA have in place to stop you being breached?
LRQA has a state-of-the-art SOC (Security Operations Centre), which is constantly updated using data from real-world Threat Intelligence and Red Team simulation testing. We have a dedicated Research & Innovation department who create tools of the highest sophistication and ensure we have defences in place that would detect them.
Have I been breached?
Threat Intelligence can not only help to identify whether your company has had data exfiltrated and distributed, but also give potential early warning of attack by looking in places such as criminal forums, domain registrations, the dark/deep web or password dumps. The LRQA Cyber Emergency Response Team (NCERT) can help to identify Indicators of Compromise within your environment, along with providing remediation guidance to help stop attacks in their tracks within the cyber kill chain.
What does this mean for existing FireEye customers? What action should they be taking?
A robust Incident Response process should be in place for when a breach, or suspected breach, occurs. If you don't have the in-house resources to conduct IR exercises, these can be outsourced to LRQA's SOC. Internal Incident Management procedures should be regularly tested for weaknesses and gaps.
Security Best Practice should always be communicated clearly and followed. There are core principles that should be applied across the board such as ensuring passwords are strong, complex, random, not repeated over multiple accounts, and that they are changed regularly or whenever a compromise is suspected. Corporate devices should have anti-malware solutions in place as well as an effective, responsive and manageable MDM solution.
Security Awareness Training is a powerful exercise that should be conducted regularly within any organisation. Weaknesses in People, Processes and Technology can cause breaches, and with people being the weakest element in the chain of defence, they should regularly undergo training to keep them wise to the latest types of social engineering attacks. Effective Security Awareness Training is delivered in a format that is relevant and participation-based, keeps the recipient engaged, and encourages a positive environment where all questions can be raised and addressed.
For more information and advice in relation to the FireEye hack, please don’t hesitate to get in touch with our LRQA Team.