What Happened
On December 8th, 2020, FireEye announced that it had been the victim of a cyber attack perpetrated by an advanced nation state actor. They've disclosed their research into the attack in a few places, including:
As part of the breach, a large number of FireEye's Red Team tools were exposed to the attackers. FireEye very quickly published a large set of countermeasures for the global community to use in detecting use of the malicious use of these tools, including:
- Yara Signatures
- Snort Signatures
- FE Helix Signatures
- ClamAV Signatures
All of these can be found on their Github Repository, here: GitHub - fireeye/red_team_tool_countermeasures
Implementing Countermeasures in RSA NetWitness
There are no silver bullets when it comes to detection and responding to threats of any nature, let alone ones executed by advanced-capability actors. It's important for organizations to take a holistic approach, manage and prioritize patching, and continue to evolve their proactive hunting capabilities. To that end, please take a look at a couple other blog posts from our field teams discussing their approach and the capabilities that already exist in the NetWitness to help respond to this situation and detect usage of some of the malicious toolkit:
https://community.rsa.com/community/products/netwitness/blog/2020/12/11/fireeye-breach-beyond-the-signatures - A great post from our Threat Hunting team discussing overall approach and the exploited vulnerabilities.
https://community.rsa.com/community/products/netwitness/blog/2020/12/12/fireeye-breach - A great post from our IR team talking about the existing NetWitness visibility into many of the tools implicated in the attack.
In addition to those, we do want to ensure we can guide customers through the relevant detection opportunities, whether re-purposing the existing countermeasures published by FireEye (and others) or developing detections native to the RSA NetWitness platform. We are working through this process right now and will update this page accordingly if/as we learn more. As a start, please consider the following implementation of the provided Snort and Yara Signatures:
Snort Rules
As of 11.5, we have a much improved and expanded ability to deploy snort signatures. FireEye has published this set of snort signatures to detect related activity on the network: https://raw.githubusercontent.com/fireeye/red_team_tool_countermeasures/master/all-snort.rules
These rules can be uploaded to Network Decoders by following the instructions here: https://community.rsa.com/docs/DOC-96852#Configur
From here, any matches on any of the signature IDs (captured in the sig.id meta key) can be queried in Investigate via: sig.id=25894,25893,25874,25881,25879,25848,25887,25873,33355045,25872,25890,25892,25878,25891,25857,25880,25885,25900,62010239,25886,25875,25889,25877,25888,25884,25902,25866,25899,25882,25876,25901,25849,100001,25850
You may also consider creating an app rule on the decoder to create a single additional meta value when the above condition holds true, simplifying the subsequent search condition and ESA alert logic (if you choose to create an alert). An example of a manually created ESA Alert for any matches against that snort signature set is below:
Yara Signatures
Customers who have the Malware Analysis component can deploy the Yara signatures FireEye has published here: https://github.com/fireeye/red_team_tool_countermeasures/blob/master/all-yara.yar
Instructions on enabling this custom Yara content on a Malware Analysis appliance can be found here: MA: Enable Custom YARA Content
We will continue to update this blog post with additional information relating to these countermeasures as we have it.
