- Group assesses threat to CTI customers as “low to moderate”.
- No indication, assures BT, that any customer data was compromised.
BT sought to calm the nerves of customers of its Cybersecurity Threat Intelligence (CTI) service after US‑based network security player FireEye, one of the Group’s CTI suppliers, reported a data breach on 8 December 2020.
The Group swiftly issued an “intelligence assessment” of the change in threat to both CTI customers and internal operations, and concluded that the risk was “low to moderate”. There was no indication, added BT, that any customer data was breached, “or any reason to doubt that the integrity of threat data that FireEye provides to clients was compromised”.
Crucially, FireEye confirmed that no Zero Day vulnerabilities — software security flaws that are known to the software vendor but for which no patch is yet in place — were leaked.
“The tools taken appear to be standard [penetration] testing tools designed to replicate existing threat actor behaviours and, as such, they do not represent a significant increase in threat actor capability. Furthermore, FireEye has provided a comparatively simple mechanism to effectively mitigate the threat. It is assessed as likely that the attack was conducted by a Russian state-sponsored group.”
The cybersecurity provider, which specialises in providing techniques and tools for Red Teams — ethical hackers that mimic a potential adversary’s attack or exploitation capabilities against an enterprise’s security posture — said it was working with partners, including the US Federal Bureau of Investigation (FBI) and Microsoft, to “fully investigate the incident”. End users of FireEye’s ‘pen’ testing tools include US federal agencies and government ministries.
In a joint statement issued by the FBI and US security agencies in early January 2021, the line adopted by FireEye — that Russia was likely behind the attack — was repeated. “This is a serious compromise that will require a sustained and dedicated effort to remediate”, they said. Investigators also discovered a vulnerability in a product made by one of FireEye’s software providers, US‑based SolarWinds.
A word to the wise
BT Security Advisory Services, a comparatively new adjunct to BT Global (BTwatch, #311), recommended that the “FireEye‑published detection rulesets are utilised within all organisations’ detection capabilities”.
Somewhat opportunistically, the advisory service went on to mention that “effective implementation and use of security controls can be critical to helping defend and detect against adversaries at a time when cyberattacks are becoming more sophisticated”, and highlighted that its consultation services were available to organisations that have either been “affected or worried”.
“Whether it’s practical help or reassurance that you’re doing the right thing, we’re here to help”, it added.
BT used to refer to FireEye as one of its 20 “core” vendors in the security space (BTwatch, #253). Not anymore. In August 2020, BT Security unveiled a slimmed‑down list of 15 key security service providers, and FireEye was not among them (BTwatch, #315). Another notable absentee was well‑established partner Symantec.
BT Global apparently undertook a full‑scale appraisal of security suppliers in the context of the wider security vendor ecosystem, and cut down its network of solution providers with the aim of simplifying security decisions for its customer base.
BT identified three tiers of security partners:
- Critical Partners: Fortinet, McAfee, and Palo Alto Networks.
- Strategic Partners: Cisco Systems, IBM, and Microsoft.
- Ecosystem Partners: Check Point, CrowdStrike, F5 Networks, ForeScout, Netscout, Okta, Qualys, Skybox Security, and Zscaler.