Sean Ennis

FireEye Breach - Implementing Countermeasures in RSA NetWitness

Blog Post created by Sean Ennis Employee on Dec 9, 2020

What Happened

On December 8th, 2020, FireEye announced that it had been the victim of a cyber attack perpetrated by an advanced nation state actor.  They've disclosed their research into the attack in a few places, including: 

 


https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html
 


As part of the breach, a large number of FireEye's Red Team tools were exposed to the attackers.  FireEye very quickly published a large set of countermeasures for the global community to use in detecting use of the malicious use of these tools, including:

  • Yara Signatures
  • Snort Signatures
  • FE Helix Signatures
  • ClamAV Signatures

 

All of these can be found on their Github Repository, here:  GitHub - fireeye/red_team_tool_countermeasures 

 

Implementing Countermeasures in RSA NetWitness 

There are no silver bullets when it comes to detection and responding to threats of any nature, let alone ones executed by advanced-capability actors.  It's important for organizations to take a holistic approach, manage and prioritize patching, and continue to evolve their proactive hunting capabilities.  To that end, please take a look at a couple other blog posts from our field teams discussing their approach and the capabilities that already exist in the NetWitness to help respond to this situation and detect usage of some of the malicious toolkit:

 

FireEye Breach - Beyond the signatures  - A great post from our Threat Hunting team discussing overall approach and the exploited vulnerabilities.

FireEye Breach  - A great post from our IR team talking about the existing NetWitness visibility into many of the tools implicated in the attack.

 

In addition to those, we do want to ensure we can guide customers through the relevant detection opportunities, whether re-purposing the existing countermeasures published by FireEye (and others) or developing detections native to the RSA NetWitness platform.  We are working through this process right now and will update this page accordingly if/as we learn more.  As a start, please consider the following implementation of the provided Snort and Yara Signatures:

 

Snort Rules

As of 11.5, we have a much improved and expanded ability to deploy snort signatures.  FireEye has published this set of snort signatures to detect related activity on the network: https://raw.githubusercontent.com/fireeye/red_team_tool_countermeasures/master/all-snort.rules 

 

These rules can be uploaded to Network Decoders by following the instructions here: https://community.rsa.com/docs/DOC-96852#Configur 

 

From here, any matches on any of the signature IDs (captured in the sig.id meta key) can be queried in Investigate via: sig.id=25894,25893,25874,25881,25879,25848,25887,25873,33355045,25872,25890,25892,25878,25891,25857,25880,25885,25900,62010239,25886,25875,25889,25877,25888,25884,25902,25866,25899,25882,25876,25901,25849,100001,25850

 

You may also consider creating an app rule on the decoder to create a single additional meta value when the above condition holds true, simplifying the subsequent search condition and ESA alert logic (if you choose to create an alert). An example of a manually created ESA Alert for any matches against that snort signature set is below:

 

 

Yara Signatures

Customers who have the Malware Analysis component can deploy the Yara signatures FireEye has published here: https://github.com/fireeye/red_team_tool_countermeasures/blob/master/all-yara.yar

 

Instructions on enabling this custom Yara content on a Malware Analysis appliance can be found here: MA: Enable Custom YARA Content 

 

We will continue to update this blog post with additional information relating to these countermeasures as we have it.

Outcomes