Live from Infosecurity Europe 2014: Cybersecurity Experts Come Together

Infosecurity Europe 2014 was the place to be for any major player in the world of cybersecurity, and live from the show floor, the FireEye Blog team had a front seat to some exciting conversations. Paul Dwyer, director at FireEye, had the opportunity to sit down with a number of influencers and ask the questions that were on all of our minds.

In this first podcast in the series, Amar Singh, senior analyst at KuppingerCole and founder of ARK Advisors, discusses the threat of malware and also touches on the subject of industrial espionage. Click here to listen to the full podcast. Bruce Hallas, founder and curator of The Analogies Project, a not-for-profit venture designed to help the information security community communicate and engage more effectively with stakeholders, joined Paul in our next podcast. Hallas discussed the significance of generational cybersecurity and outlined the key behaviors and security working practices of generations Y and Z. Click here to listen to the full discussion.

First Base Technologies CEO Pete Wood also sat down with us for a chat and shared his thoughts on how an information security function evolves to become business-led. Mr. Wood was also asked about the current business security model and whether cybersecurity should be considered a board-level issue. Click here to listen.

Finally, FireEye Director of Technology Strategy EMEA Jason Steer had the chance to speak with Brian Honan of BH Consulting about the recent Internet Explorer (IE) browser vulnerability, as well as the importance of separating networks into different segments. Listen to the full podcast here.

Did you attend Infosecurity Europe 2014? Chime in and let us know what you thought of the event and the topics discussed. Leave us a comment below.

Reporting on Key Issues in Cybersecurity: Panel Discussion with Renowned EMEA Reporters

Last week, FireEye held a panel podcast featuring renowned reporters covering Europe in advance of the highly anticipated Infosecurity Europe conference.

The panel included reporters from some of the most credible publications covering information security: Eleanor Dallaway from Infosecurity Magazine, John Leyden from The Register, Tom Brewster, a freelance journalist for TechWeek Europe and the Guardian, and Dan Raywood, editor of IT Security Guru.

In the podcast the panelists discuss key issues in cybersecurity today, including the recent Heartbleed controversy. They also touch on why Infosecurity Europe is crucial for the information security community, and hint at what we can expect from the big event.

To listen to the full podcast, click here.

FireEye Enters Agreement to Acquire nPulse Technologies

Today, I’m excited to announce that we’ve entered an agreement to acquire nPulse Technologies, the performance leader in network forensics. The acquisition is expected to close during the second quarter of 2014, subject to standard closing conditions. nPulse has the fastest solution available for high-speed full packet capture and indexing. By combining the nPulse products with the FireEye platform, we’re building enterprise forensics capabilities that will enable incident investigation and remediation that no other security vendor can match. When combined with Mandiant services and the services capabilities of our partners, we’ll be able to provide customers complete visibility into the network with quality analytics that accelerate the path from detection to resolution. This acquisition is a vital part of our long-term strategy to build a single security platform that protects against the most advanced threats and offers customers one solution to detect, contain, resolve and prevent threats.

With the acquisition, FireEye will further expand its security platform with the following:

  • FireEye will offer the industry’s first Enterprise Forensics solution with a unified view of network to endpoint forensics, enabling enterprises to minimize risk and drive down mean time to resolution.
  • The Enterprise Forensics solution, coupled with the FireEye threat analytics solution, will form a comprehensive intelligence platform.
  • The FireEye Network Threat Prevention Platform combined with newly introduced IPS capabilities and the addition of nPulse’s forensics will offer a comprehensive threat management platform.
  • The Enterprise Forensics solution together with FireEye Managed Defense™ will enable the industry’s most advanced managed service capabilities, bringing together deep visibility and rich context from Enterprise Forensics with active defense capabilities of the Managed Defense portfolio.

The New Reality of IT Security
Our Mandiant services team has investigated thousands of breaches, and from this experience we know that no matter how good your defenses are, as long as there are users in the system, every organization has some malicious code within its network. In fact, we know the median number of days attackers were present on a victim’s network before being discovered was 229 days in 2013. Today, when a data breach can result in being called to testify in front of Congress, every organization should be prepared to answer questions about how an attacker got into its network and what data was impacted. Preventing malicious code from entering the network is always key, but now we need to know more: when the malicious code appeared, how the network was compromised and whether any data was removed. This is the new reality of enterprise security.

Enterprise Forensics - A Black Box For Your Network

Previously adding enterprise forensics involved building a customized solution that correlated data from multiple point products monitoring different parts of the network and across endpoints. Overwhelmed by cost and complexity, many organizations simply put this off, leaving a wide hole in their IT security and response capabilities. After entering into a technology partnership with nPulse Technologies earlier this year, we saw how our joint customers benefited from bringing together nPulse network information with FireEye threat intelligence and endpoint data.

With this acquisition, FireEye will combine nPulse network forensics with the endpoint products acquired from Mandiant to incorporate attack information from the host, endpoint, network and cloud. We like to think of enterprise forensics as adding a flight data recorder – or a black box – to the network. With complete visibility into the network, the FireEye platform will be able to produce higher quality alerts to help protect against threats as well as quickly quantify the impact of a breach following the discovery of malware on a network. With big-data analytics and real-time capabilities, FireEye will offer enterprise forensics that help answer the most important questions an organization has after a breach.

nPulse extends our reach into an organization’s history because it can log all network activity for as long as they choose to retain that data. With the industry’s fastest lossless, intelligent capture and retrieval, nPulse gives us the ability to “go back in time” to see the full extent of how malicious code behaved on the network. By being the first to deliver end-to-end (network and endpoint) detection and forensics at scale, FireEye enables enterprises to minimize risk by quantifying the impact of a breach while accelerating detection and resolution from days to a matter of minutes. For our Mandiant team and partners, this means we can deliver better service and more comprehensive incident response capabilities.

And most importantly, by reducing incident investigation time, providing validated breach information and improving the quality of alerts, our customers and clients can reduce their exposure to attacks while substantially reducing operational expenses.

At FireEye we’re building the most comprehensive security platform and I look forward to welcoming the nPulse Technologies team to the FireEye family. In the short term after the acquisition, nPulse will continue to operate normally and current customers should expect no disruption in current capabilities and service. Over the coming months after the acquisition, we’ll work to combine the nPulse products with the FireEye platform and bring enterprise forensics to all our customers and partners. Once again, FireEye is leading the way to solve the most complex and time-consuming security challenges.


Forward-Looking Statements
This blog post contains forward-looking statements about the expectations, beliefs, plans, intentions and strategies of FireEye relating to its pending acquisition of nPulse. Such forward-looking statements include statements regarding the impact of the pending acquisition of nPulse on FireEye’s competitive position, future product offerings and potential benefits of current and future product offerings. These statements reflect the current beliefs of FireEye and are based on current information available to us as of the date hereof, and FireEye does not assume any obligation to update the forward-looking statements provided to reflect events that occur or circumstances that exist after the date on which they were made. The ability of FireEye to achieve these business objectives involves many risks and uncertainties that could cause actual outcomes and results to differ materially and adversely from those expressed in any forward-looking statements. These risks and uncertainties include market adoption of FireEye’s virtual machine-based security platform; the termination of FireEye’s pending acquisition of nPulse if FireEye and nPulse fail to satisfy the conditions for closing in the definitive agreement; the failure to achieve expected synergies and efficiencies of operations between FireEye and nPulse; the ability of FireEye and nPulse to successfully integrate their respective technologies, products, personnel and operations; FireEye’s ability to attract and retain new customers and expand and train its sales force; the failure to timely develop and achieve market acceptance of combined products and services; the potential impact on the business of nPulse as a result of the pending acquisition; the loss of any nPulse customers; the ability to coordinate strategy and resources between FireEye and nPulse; the ability of FireEye and nPulse to retain and motivate key employees of nPulse; general economic conditions; as well as those risks and uncertainties included under the captions “Risk Factors” and “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” in FireEye’s Form S-1 filed with the Securities and Exchange Commission on April 22, 2014, which is available on the Investor Relations section of FireEye’s website at investors.fireeye.com and on the SEC website at www.sec.gov. Any future product, feature, or related specification that may be referenced in this blog post are for information purposes only and are not commitments to deliver any technology or enhancement. FireEye reserves the right to modify future product or service plans at any time.


Live from InfoSecurity Europe 2014: The Nitty Gritty of Sandbox Evasion

Infosecurity Europe 2014 was a great gathering of the top minds in cybersecurity, and in case you missed the event, we were excited to capture live content from the show floor to share with our readers. Over the next few days, the FireEye Blog will be sharing a number of insightful podcasts with various experts in the field on the hottest issues in information security.

Paul Dwyer, director at FireEye, had an opportunity to sit down with FireEye Senior Director of Market Research Rob Rachwald to discuss the ins and outs of sandbox evasion, including the four categories of evasion.

Rachwald says it is critical to understand sandbox evasion methods: “We need to understand what these evasion methods are in great detail. And if you do know it in great detail, you can do two things. One, you can build a better defense, and two, you can look for technologies that are really, really strong to help improve your defenses.”

To learn more about sandboxing, click here for the white paper Hot Knives Through Butter. To listen to the full podcast live from Infosecurity Europe 2014, click here, and make sure to check back soon for our next featured interview.

Ghost-Hunting With Anti-Virus

In October 2012, data security firm Imperva released a controversial report on the efficacy of anti-virus (AV), which concluded that AV solutions stopped only 5 percent of all malware identified. Few reports in the security industry had been as polarizing as this one; many reacted with white-knuckle rage. It was a classic case of Chris Christensen’s “Innovator’s Dilemma,” where old-school technologies cling to life in the face of a new paradigm. Just yesterday, one of the original anti-virus vendors joined the fray by “declaring anti-virus dead” in the Wall Street Journal.

At FireEye, we look at hundreds of malware samples daily, and in a recent talk at RSA Conference, Zheng Bu, vice president of research at FireEye, presented some interesting data that security teams should consider as they think about their AV initiatives. Looking at nearly half a million malware samples over two years, our researchers discovered that the average lifespan of a piece of malware is very short. The chart below plots how many hours malware lives (X axis) against the share of the total pool of malware samples (Y axis) to show just how quickly samples disappear:


Our data shows an interesting picture: most malware remains active for no more than two hours when FireEye is detecting it. To be precise, our analysis showed that in 2013:

  • 82 percent of malware disappears after one hour
  • 70 percent of malware only exists once

With the half-life of malware being so short, we can conclude that the function signature-based AV serves has become more akin to ghost hunting than threat detection and prevention. In spite of this, IDC’s “Worldwide IT Security Products 2013 – 2017 Forecast” found the market for endpoint security products like anti-virus generating $11 billion in revenues, even as APT activity creates nearly fifty unique malware infections every day.

In AV Land, Everyone Is a Sacrificial Lamb

Today’s AV model makes everyone a sacrificial lamb. In the past, malware writers would write their attack code once with little need to iterate. Today, as our numbers show, rapidly developing iterations of malware is becoming the de facto way of hacking.

A simple comparison of the malware writing process versus anti-virus signature development shows a stark contrast.

First, let’s look at the malware development process:


Malware is developed, QA’d against the latest AV signatures and released; once it is picked up by AV sensors and shared among vendors, the malware dies. The process takes a few days at most.

By contrast, anti-virus vendors work in a process that takes a few days to a few weeks.


Examining the two “supply chains,” you quickly see why anti-virus is inherently behind the curve, doomed to chasing ghosts. By the time a sample has been collected, a signature written and QA’d, and the update distributed, the sample is more or less defunct, barring the rare instance where the core code of the malware could not be modified. Over the years AV vendors have increased the frequency of signature updates to convey the benefits of eventual detection. However, applying frequent security updates to thousands of business-critical computer assets in medium to large organizations is already an increasing challenge, especially where many assets, such as laptops, are mobile. Ultimately this does not close the gap of days to weeks that collecting new malware samples can take, which is why security solutions, like FireEye, that do not rely on such a reactive model detect malware faster.
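The lifespan figures above (share of samples gone after one hour, share seen only once) and the signature-turnaround comparison just made can both be measured from a team’s own sighting telemetry. The script below is an added example, not FireEye’s analysis code or data: it takes constructed (sample, first/last sighting timestamp) records, computes each sample’s sighting count and lifespan in hours, and reports what fraction of samples were already gone before a hypothetical signature turnaround of 72 hours, which is the gap the two supply chains illustrate. All sample labels and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sighting log: (sample label, timestamp of a sensor hit).
# Labels stand in for file hashes; none of these are real samples.
SIGHTINGS = [
    ("h1", "2013-03-01 09:00"), ("h1", "2013-03-01 09:20"), ("h1", "2013-03-01 09:50"),
    ("h2", "2013-03-01 10:00"),
    ("h3", "2013-03-02 08:00"), ("h3", "2013-03-02 11:30"),
    ("h4", "2013-03-02 12:00"),
    ("h5", "2013-03-03 14:00"), ("h5", "2013-03-05 09:00"),
    ("h6", "2013-03-04 01:00"),
    ("h7", "2013-03-04 02:00"), ("h7", "2013-03-04 02:30"),
    ("h8", "2013-03-04 03:00"),
    ("h9", "2013-03-06 15:00"), ("h9", "2013-03-06 15:10"), ("h9", "2013-03-07 15:00"),
    ("h10", "2013-03-07 09:00"),
]


def lifespans(sightings):
    """Map each sample to (sighting_count, lifespan_hours).

    Lifespan is the span between the first and last time the sample was seen;
    a sample seen once has a lifespan of 0 hours.
    """
    first, last, count = {}, {}, defaultdict(int)
    for sample, ts in sightings:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        first[sample] = min(first.get(sample, t), t)
        last[sample] = max(last.get(sample, t), t)
        count[sample] += 1
    return {s: (count[s], (last[s] - first[s]).total_seconds() / 3600.0)
            for s in first}


def share_seen_once(stats):
    """Percentage of samples that appeared exactly once."""
    return 100.0 * sum(1 for c, _ in stats.values() if c == 1) / len(stats)


def share_gone_within(stats, hours):
    """Percentage of samples whose last sighting is within `hours` of the first."""
    return 100.0 * sum(1 for _, h in stats.values() if h <= hours) / len(stats)


def lifespan_histogram(stats, edges=(1.0, 2.0, 24.0, 168.0)):
    """Bucket lifespans into [0,1], (1,2], (2,24], (24,168] and >168 hours."""
    labels, lo = [], 0.0
    for hi in edges:
        labels.append(f"{lo:g}-{hi:g}h")
        lo = hi
    labels.append(f">{lo:g}h")
    counts = dict.fromkeys(labels, 0)
    for _, h in stats.values():
        for i, hi in enumerate(edges):
            if h <= hi:
                counts[labels[i]] += 1
                break
        else:
            counts[labels[-1]] += 1
    return counts


STATS = lifespans(SIGHTINGS)

if __name__ == "__main__":
    # SIGNATURE_TURNAROUND_HOURS is an assumed turnaround for illustration only.
    SIGNATURE_TURNAROUND_HOURS = 72
    print(f"seen once:            {share_seen_once(STATS):.0f}%")
    print(f"gone within 1 hour:   {share_gone_within(STATS, 1):.0f}%")
    print(f"gone before {SIGNATURE_TURNAROUND_HOURS}h signature: "
          f"{share_gone_within(STATS, SIGNATURE_TURNAROUND_HOURS):.0f}%")
    print("lifespan histogram:  ", lifespan_histogram(STATS))
```

Feeding real sensor or sandbox hit logs into `lifespans` in place of the constructed rows gives the same two figures the post quotes for its own corpus; comparing `share_gone_within` at your vendor’s actual signature turnaround shows how much of what you see is already dead by the time a reactive signature arrives.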

To be clear, single-iteration malware will continue to persist, and a minor need for AV will remain to provide a layer of reactive protection against these unsophisticated, benign threats. But with high-profile breaches occurring frequently, driven by fast-moving, advanced threats, it is clear that next-generation technologies and approaches are needed. Even Gartner has noted the senescence of anti-virus in two very recent reports, notably the Magic Quadrant for Endpoint Protection Platforms (i.e., anti-virus), whose “Market Overview” opens with:

The rise of the targeted attack is shredding what is left of the [endpoint] anti-malware market’s stubborn commitment to reactive protection techniques. Improving the malware signature distribution system, or adapting behavior detection [in endpoint solutions] to account for the latest attack styles, will not improve the effectiveness rates against targeted attacks. (From 8 January 2014).

So, what should we do as an industry, knowing that AV is ineffective today based on these findings? We recommend:

  • Accept that the signature-based AV model cannot play a key part in enterprises’ threat-prevention models. Start shifting security strategies to modern methods that identify malware at the time of attack rather than after it has died.
  • Reconfigure compliance mandates to place much less emphasis on AV and other reactive, signature-based approaches. Once regulators and compliance mandates make it easier to adopt innovation, we’ll finally make life a little harder for the attackers.

In doing this, we will be able to protect ourselves not from the ghosts that we imagine are haunting our homes, but from the burglars and malware that truly steal our possessions and erode our foundations.

The FireEye Advanced Threat Report 2013: European Edition

We recently published the 2013 FireEye Advanced Threat Report during RSA Conference, providing a global overview of the advanced attacks that FireEye discovered last year. We are now drilling that global analysis down into the European threat landscape with our first Regional Advanced Threat Report.

Recent European cyber attacks, like the ones against the European Parliament or LaCie, make it clear that advanced attacks are becoming a harsh reality in Europe. Motivated by financial and political objectives, threat actors have increased their levels of sophistication to steal personal data and put organizations into non-compliance with the EU privacy directive (2002/58/EC).

The top-line findings from our first Regional Advanced Threat Report are alarming, as we:

  • Recorded over 250 new workstations infected every day
  • Identified more than 90 APT families
  • Observed threats impacting all verticals, particularly the Healthcare, Financial Services and Government verticals

Diving deeper, we saw that the rate of increase in workstation infections skyrocketed in the last four months of 2013. In a clear sign of how rapidly threat actors targeting European organizations are evolving, the number of unique infections more than doubled from January to December 2013.


Figure 1 – Unique Infections Trending over 2013

We also took a look at the distribution of infections amongst European nations and saw a heavily skewed landscape. In particular, Great Britain, Switzerland, Germany and France represented more than 70 percent of infections across 2013, leaving 18 nations to split the remaining 30 percent.


Figure 2 – Unique Infections by Country

Next, let’s consider which industry verticals in Europe were most targeted by advanced attackers. Threat actors have been busy targeting high-value organizations that hold rich personal information or intellectual property. The chart below shows the number of infections that occurred in each of the 20 verticals that FireEye tracks around the world. Alarmingly, no industry vertical in Europe was spared, and this trend is likely to continue.


Figure 3 – Unique Infections by Industry Vertical (Listed from Most-Infected to Least on Right)

Based on the latest Mandiant M-Trends report, the Financial Services vertical accounted for 15 percent of threat actors’ actions on a global basis. In Europe, we saw Financial Services account for 17 percent of attacks, aligning closely with the global statistic. In stark contrast, however, Healthcare/Pharmaceuticals represented 21 percent of infections in Europe compared to the four percent this vertical accounted for globally.

Beyond Infections: Diving Into APT Attacks

When pulling this report together, we saw the notable rise in infection rates and attacks across verticals, and we also saw strong similarities in how APT attacks targeted European industry verticals. As you can see below, aside from the extraordinary fact that European federal governments accounted for a quarter of APT attacks, the Financial Services and Healthcare/Pharmaceutical industries maintained top positions as targets.


Figure 4 – APT Attacks per Vertical (Listed from Most-Targeted to Least on Right)

This consistency between infections and APT attacks also carried over to the distribution of APT attacks between countries. As we see below, when it comes to country-by-country analysis, the three most impacted countries in Europe are the UK, Germany and Switzerland, the same three countries that topped the infection ranking.


APT activity in Europe, ranked by country from highest to lowest, can be summarized in the following order:

  1. Germany
  2. United Kingdom
  3. Switzerland
  4. Luxembourg
  5. France
  6. Spain
  7. Norway
  8. Belgium
  9. Finland

In addition, we found that when measuring the world’s most-targeted nations by number of unique verticals hit by APT attacks, three European nations made the top-ten: France, the UK, and Germany.


With such a strong rise in infections and just a couple of industries and countries accounting for a massive share of the attacks carried out in Europe, this report certainly shows a change in the threat landscape. And while the situation may already seem bleak, we predict that there is still time for the European market to strategically get ahead of these advanced attacks before they mature into a constant threat.

With that time in mind, we recommend the following for European organizations:

  1. Ensure existing security tools are up to date. Much commodity malware can be easily addressed with legacy, signature-based tools.
  2. Implement Advanced Threat Protection systems to ensure high value data is safeguarded.
  3. Plan and Implement an Incident Response and Management strategy to close existing security gaps.
  4. Share and collaborate with other entities on emerging cyber threats to optimize your security posture.

To find out more about the report or how to address these rising issues, come visit the FireEye team at InfoSec UK at Stand J60.

The FireEye Advanced Threat Report 2013: UK & Ireland Edition

Accompanying our Regional Advanced Threat Report (ATR) for Europe, we are also drilling even deeper with a Regional ATR focused on the United Kingdom and Ireland (UKI). During our assessment of these two countries, we have identified all types of threat actors compromising our customers’ networks: nation state, cyber criminals, activists, and amateurs alike.

This report summarizes 2013 data gleaned from the FireEye Dynamic Threat Intelligence (DTI) cloud of worldwide malware protection platforms. Over the past year, FireEye:

  • Recorded over 70 new workstations infected every day
  • Identified more than 42 APT families
  • Observed threats impacting all verticals, particularly Financial Services, Telecom, and Energy

As we saw in the European report, the rate of increase in workstation infections across Ireland and the UK skyrocketed in the last four months of 2013. This may indicate that threat actors increased the volume of activity against organizations in the United Kingdom and Ireland in the post-vacation lull because they anticipated employees would be less attentive to security matters and thus expected a higher rate of success. Alarmingly, the number of unique infections more than tripled from January to December 2013.


Figure 1 – Unique Infections Trending over 2013

Next, let’s consider which industry verticals in UKI were most infected by attackers. Unsurprisingly, the Financial Services vertical is far and away the most targeted in UKI, as “The City” is the largest financial platform for Europe and the world. Of course, threat actors have also been busy targeting the other high-value industries of UKI, particularly the Telecommunications and Energy/Utilities/Petroleum Refining verticals. As with the rest of Europe, though, no industry vertical was spared in the UK or Ireland, and this trend will likely continue as new attack vectors enter these industries.


Figure 2 – Unique Infections by Industry Vertical (Listed from Most-Infected to Least on Right)

Rising Attack Landscape Means Rising APT Families

The consistency between the UK’s and Ireland’s threat landscapes has also extended to the way APT attacks are carried out. Most important to highlight is that Federal Government continues to be the number one target in UKI, as in Europe, but with that industry vertical accounting for a startling 49 percent of APT attacks versus 25 percent for all of Europe.


Figure 3 – APT Distribution per Vertical (Listed from Most-Targeted to Least on Right)

Financial Services remains a top-three target of APT attacks in UKI as well, but the Energy/Utilities/Petroleum Refining industry climbs from seventh place in Europe to second place in UKI. Given the major corporations in those sectors operating out of UKI, it is unsurprising that these organizations are prime targets for APT actors.

How those APT attacks were carried out is shown in the chart below, which identifies the 21 APT malware families we observed in attacks throughout 2013.


Figure 4 – APT Malware Families for UKI

We previously noted in our European report that, when looking at the sheer number of APT attacks, the United Kingdom received the second most of any European country in 2013. Despite trailing Germany as the most-targeted European nation, the UK was tied for fourth globally with France and Thailand when it came to most verticals targeted by APT attacks. Specifically, all three nations saw 12 distinct verticals hit, with the next closest European nation being Germany with nine verticals.


Figure 5 – APT Attacks by Country

While the UK and Ireland face unique challenges because of the mature Financial Services, Telecommunications and Energy industries located there, we have found that the overall market is very much in line with the rest of Europe. Thus, as with our outlook for the whole of Europe, we see an opportunity for UKI cyber defenders to get ahead of the rapidly expanding advanced threat actors.

To find out more about the report or how to address these rising issues, come visit the FireEye team at InfoSec UK at Stand J60.

The Road to Resilience: How Cybersecurity is Moving from the Back Office to the Boardroom

For too long, our industry has framed cybersecurity as a technical issue.

We have measured success on the volume of malware we detect and block, not how we respond to the threats that matter. We have taken a one-size-fits-all approach to security incidents, regardless of who’s attacking, how they work, and what they’re after. We have rarely engaged other business units when responding to incidents — and when we do, we fixate on the technical details rather than weighing their business impact.

Yes, cybersecurity has a technical component. But more than anything, it is a business issue.

Fortunately, the old mindset is changing. Under the banner of “cyber resilience,” security leaders are beginning to acknowledge that cybersecurity must evolve. Striving to ward off attacks is no longer enough — organizations must also respond to incidents with a focus on managing their business impact.

To gauge how far along organizations in Europe, the Middle East, and Africa (EMEA) are in this evolution, FireEye recently asked 25 security leaders across the region about their experience and perceptions. Their answers reveal a sizable divide in both awareness and maturity when it comes to cyber resilience.

Breaches Increasingly Routine
Not surprisingly, EMEA security leaders say that cyber breaches are increasingly routine. In our survey, 44 percent of organizations said they had been breached at least once per year. And that total probably understates the problem — a full 28 percent were not sure whether they had been breached.


All threats viewed equally — regardless of risk or impact
A solid majority of respondents (68 percent) said they “always” care about breaches. Only 16 percent said their level of concern depends on the severity of the incident. This lopsided statistic suggests that IT professionals are not yet looking at breaches from the perspective of risk or impact.


Priorities misaligned in incident response
We see the same lack of business alignment in organizations’ responses to breaches. When a breach occurs, 84 percent of those in our EMEA survey notify relevant business leaders, and 76 percent notify company executives. We often hear that companies are looking for security leaders to engage at a business level. But if business leaders and executives are still being notified about most breaches, we’re still treating security as a technical problem.


Our survey found a split in where security teams focus their response. About 60 percent base their response plan around all IT systems, and 40 percent focus on critical systems and resources. This response, too, suggests that organizations see many breaches as a technical problem rather than a business problem.

Along the same lines, communications, public relations, and business teams are typically far less engaged in incident responses than IT security and technical teams, executives, and HR departments. If cyber resilience is about enabling business resilience, then business teams should play an equally critical role in incident response.

When engaging with executives, we in the security community do not seem to be taking a risk-based approach. And clearly, we are not speaking executives’ language: the impact of a breach on the company’s financial results.

Who is included in incident response plans?


Moving toward a risk-based security framework
Most security leaders leverage at least one security framework or standard — and in most cases, they leverage two or more. These frameworks include best practices defining what to protect, how to protect it, and how to monitor deployed controls. These features make the frameworks valuable tools to help define strategies and gauge their effectiveness. But adoption of ISO27005 — which focuses on business-risk assessment — is far behind that of ISO27001.

Adopted security frameworks

Leveraging automation
Just about every security leader would like more resources. But most of us must make the most of what we have.

What is clear from our survey is that incident response is consuming the biggest share of time and resources.

Security tasks that consume the most time and resources (weighted average)

The volume of attacks is rising, and IT systems are playing an increasingly critical role in business. So having well-defined and tested response capabilities that leverage automation would seem a key component of cyber resilience.

Bolstering cyber resilience
Cyber security is, and will remain, an evolution. Everyone is on their own journey along the maturity curve. Security leaders must evaluate their place along that curve based on their perceptions of risks and the controls they need to put in place.

Cyber resilience recognizes that prevention is only part of the solution. Organizations must realize the following:

  • Businesses will increasingly measure security leaders not just on what they stop or let through, but on how they respond to what does get through.
  • A breach can happen in seconds, yet the exfiltration takes hours or days and can last for months.[1]
  • When it comes to measuring business impact, not all breaches are equal.

At the same time, organizations must retool their strategies to better discover and respond to security incidents. This shift requires:

  • Having a documented, regularly reviewed, and well-tested cyber response strategy that includes both the business and technical response plans.
  • Reducing the time and costs involved in response.
  • Being able to qualify the business risk of the incident. By better aligning cyber strategies to business drivers and business risk, security leaders can have a bigger business impact and increase their relevance to executives.

Zero-Day Attacks are not the same as Zero-Day Vulnerabilities

When it comes to “zero-days,” there is much room for confusion in terms of definition and priority. At FireEye, we follow the industry-standard term of “zero-day attacks.” This term refers to attacks that exploit software or hardware vulnerabilities of which the general information security community has no prior knowledge and for which, therefore, no vendor fix or software patch is yet available.

Here is the Wikipedia definition:

“A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, one that developers have not had time to address and patch.[1] There are zero days between the time the vulnerability is discovered (and made public), and the first attack.”

Many security researchers identify vulnerabilities – some as a byproduct of attack detection and others as a core focus. With the exception of vulnerabilities identified by black hat hackers for use in attacks, nearly all vulnerabilities are reported responsibly, and confidentially, to the party responsible for creating the software so that fixes can be made. These range from critical holes like those we found exploited in globally popular software such as Internet Explorer to never-exploited ones in rarely used applications.

FireEye has demonstrated unparalleled capabilities in finding zero-day exploits that are “in the wild,” meaning the vulnerability is being used by criminals and threat actors for malicious purposes. In 2013, FireEye discovered 11 zero-day exploits that were actively in use by advanced threat actors, and has already discovered an additional two in 2014. Zero-day exploits already in use by APT actors represent the most critical cyber threat to the CISOs of organizations. Even if APT actors do not target an organization, other criminal exploit authors will often reverse-engineer the zero-day exploit and create their own version before patches can be released.

At FireEye, we examine data from over 2 million virtual machines located in every corner of the globe, resulting in near instantaneous threat intelligence and threat metrics being captured in our Dynamic Threat Intelligence™ (DTI) cloud. This intelligence allows us to evaluate the entire attack life cycle, or “kill chain,” of an attack and view the behaviors of the attacker. FireEye examines all of the tools, tactics and procedures (TTPs) used by attackers to create an initial compromise, establish a foothold, escalate privileges, conduct internal reconnaissance, move laterally, maintain persistence, and finally complete their mission.

Figure 1. The attack lifecycle

Our focus is to create a holistic view of security at every step in the attack lifecycle, in which the identification of zero-day exploits in use by malicious actors is one component. We also contribute back to the security research community by sharing detailed, comprehensive views of attack lifecycles, for example in Operation Ephemeral Hydra. At FireEye, our defense strategy encompasses all malicious activities you may find on your network or on your endpoints – including those that leverage zero-day vulnerabilities and those that do not.