Stamus ND/NDR is Armed to Detect Stolen FireEye Red Team Tools

Yesterday, FireEye/Mandiant announced that a “highly sophisticated state-sponsored adversary stole FireEye Red Team tools.” We agree with a Microsoft spokesperson who was quoted as saying “This incident demonstrates why the security industry must work together to defend against and respond to threats posed by well-funded adversaries using novel and sophisticated attack techniques.” 

Stamus Networks and our partners are already working together to ensure a swift and thorough response. Here are the steps we are taking:

Last night our partner Proofpoint published a set of 42 signatures for their ETPro Suricata ruleset. These contain specific detection mechanisms for the offending tools. The ETPro team is working as we write this to develop even more detection signatures for these stolen tools.

For users of the Stamus Network Detection (Stamus ND) and Stamus Network Detection and Response (Stamus NDR) who subscribe to the ETPro feed, these new signatures will be activated by default at your next scheduled update. You may find these in your system by searching for “[fireeye]” signatures from the Enriched Hunting user interface. 
Figure 1. ETPro rules for detecting FireEye tools in Stamus ND/NDR
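As an added illustration of the check described above (not code from Stamus Networks or Proofpoint), the following script parses a Suricata rules file and lists every signature whose `msg` carries a given tag such as `[fireeye]`, reporting which of them are commented out. A practitioner can run it against a downloaded ruleset to confirm that the tagged signatures are present and enabled before relying on the hunting interface. The sample rules embedded below are constructed placeholders with made-up sids and content; they are not real ETPro signatures.

```python
import re
from dataclasses import dataclass

# Constructed sample rules for demonstration only: placeholder sids and
# content, NOT real ETPro signatures. The second rule is commented out to
# show how a disabled signature is reported.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PRO MALWARE [FireEye] Placeholder Tool A Beacon"; flow:established,to_server; http.uri; content:"/placeholder"; classtype:trojan-activity; sid:9900001; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PRO MALWARE [FireEye] Placeholder Tool B Checkin"; flow:established,to_server; content:"|de ad be ef|"; classtype:trojan-activity; sid:9900002; rev:1;)
alert dns $HOME_NET any -> any any (msg:"ET PRO INFO Unrelated Placeholder DNS Lookup"; dns.query; content:"example.invalid"; classtype:misc-activity; sid:9900003; rev:1;)
"""

# msg:"..." with escaped quotes allowed inside; sid:NNN; terminated by ';'
MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
RULE_ACTIONS = ("alert", "drop", "pass", "reject")


@dataclass
class Rule:
    sid: int
    msg: str
    enabled: bool  # False when the rule line is commented out with '#'


def parse_rules(text: str) -> list[Rule]:
    """Extract sid, msg and enabled state from each rule line in a ruleset."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = True
        if line.startswith("#"):
            # A leading '#' may be a disabled rule or an ordinary comment;
            # only lines that still look like a rule are kept.
            enabled = False
            line = line.lstrip("#").strip()
        if not line.startswith(RULE_ACTIONS):
            continue
        m_msg = MSG_RE.search(line)
        m_sid = SID_RE.search(line)
        if not (m_msg and m_sid):
            continue  # malformed rule line, skip rather than guess
        rules.append(Rule(int(m_sid.group(1)), m_msg.group(1), enabled))
    return rules


def find_tagged(text: str, tag: str) -> list[Rule]:
    """Return rules whose msg contains `tag`, compared case-insensitively."""
    needle = tag.lower()
    return [r for r in parse_rules(text) if needle in r.msg.lower()]


def disabled_sids(text: str, tag: str) -> list[int]:
    """Sids of tagged rules that are present but commented out."""
    return [r.sid for r in find_tagged(text, tag) if not r.enabled]


if __name__ == "__main__":
    # Point this at a real rules file, e.g. open("/etc/suricata/rules/etpro.rules").read()
    for r in find_tagged(SAMPLE_RULES, "[fireeye]"):
        state = "enabled" if r.enabled else "DISABLED"
        print(f"sid:{r.sid}  {state:8s}  {r.msg}")
    print("disabled tagged sids:", disabled_sids(SAMPLE_RULES, "[fireeye]"))
```

The tag comparison is case-insensitive because the hunting interface search quoted above uses `[fireeye]` while rule messages may capitalise the vendor name differently; matching on `msg` rather than on the whole line avoids false hits on payload `content` strings.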

For those using SSP for proactive threat hunting, Scirius Enriched Hunting may be configured to auto-classify "fireeye" alerts, allowing for rapid identification and classification of these events.

Finally, the Stamus Networks Threat Research team has developed a dedicated threat named “FireEye” and a set of associated threat vectors for Stamus NDR, which will identify a “Stamus Threat” if any of your assets are attacked by the stolen tools. This new threat intelligence is available immediately and will be delivered to all customer systems that are configured for automatic updates.
