FireEye Goes on the Offensive With New Red Team Services

Best known for its incident response services and detection technologies, FireEye enters the penetration testing security market with Red Team Operations.


When protecting an enterprise from cyber-threats, sometimes the best defense is a good offensive. The attacker approach is one that security firm FireEye is now taking with the launch of its Red Team Operations services.

FireEye is well-known in the market for its portfolio of security technologies as well as its incident response capabilities, gained via the $1 billion acquisition of Mandiant in 2014. As part of its experience investigating breaches, including some of the most well-known ones in recent years, FireEye has gained insight into attacker methods and tactics. FireEye's new Red Team Operations services make use of the company's experience with the world's worst security breaches to help organizations understand the real security risks present.

"When we say penetration testing, we're talking about breaking into applications," Marshall Heilman, vice president and executive director of incident response and Red Team Operations at FireEye, told eWEEK.

As part of penetration testing, Heilman said that insider threat assessment, as well as looking at mobile and system risks, is all part of the exercise. The "Red Team" idea goes a level deeper, taking an attacker position in an attempt to breach an organization through any means possible. FireEye's Red Team will sit down with a customer to try to first determine up to five worst-case scenarios, he said.

"So we model out what the biggest fears are for the business, and we take a no-holds-barred approach to accomplishing those objectives," Heilman said.

In contrast, in a typical penetration test, organizations put constraints on the terms of engagement, such that only certain systems, during specific hours and conditions, are targets, he said. While a regular penetration test has its merits, Heilman said, the Red Team approach more closely resembles the real world, in which attackers have no limits on what they can choose to attack.

The market for penetration testing services is an increasingly competitive space. Among the leaders is Rapid7, which also is the lead commercial sponsor behind the widely used Metasploit penetration framework. Like everyone in the industry, FireEye uses Metasploit in its Red Team and penetration testing efforts, according to Heilman, adding that the company also uses the Cobalt Strike application, which provides adversary simulations and threat emulation.

Beyond commercially available or open-source tools, FireEye's Red Team Operations also make use of custom-built tools, including backdoor and malware tools. FireEye has actually open-sourced a tool that it built called egress assess that can help emulate attack traffic, Heilman added.

Although FireEye is now formally announcing the new Red Team services, it has already engaged with some of its customers—with interesting results so far.

"Our Red Team has never failed at accomplishing its objective," Heilman said. "At first glance, that makes it sound like the organizations we attacked didn't have good security in place, but that's not necessarily the case."

Most organizations think about security from a defensive mindset—that is, they are concerned with the items that need to be protected, he said. So, for example, with a database there could be a firewall that is placed in front for protection.

Just because there is a properly configured firewall in front of a database does not mean an attacker will go away. Rather, Heilman said an attacker will instead seek a person who can authenticate to the firewall so that the rules can be changed. The challenge, he said, is that most organizations don't look at the entire attack life cycle.

Another example cited by Heilman about how the attacker viewpoint on security is different has to do with two-factor authentication (2FA). The purpose of 2FA is to provide an additional layer of security beyond just the use of a single password to secure an account. While 2FA is often recommended as a best practice for security, Heilman noted that FireEye's Red Team can potentiality bypass it.

"Just because you have two-factor authentication doesn't mean that a really good attacker can't get around it," he said.

That said, two-factor authentication is still the right approach for any organization or IT user, according to Heilman. Without two-factor authentication, attackers have an easier job of gaining unauthorized access. Bypassing two-factor security is not trivial and is often "noisy" in Heilman's view, which should alert an organization to a potential threat.

FireEye's Red Team Operations services include an assessment service where a full attack is conducted as well as security operations services that work alongside an organization's incident responders to help them find and detect a Red Team attack.

"If they can catch us, then they can catch most attackers out there," Heilman said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.