So what I WAS going to talk about was the FireEye hack last week and threat modeling... but as I sat down to write this my Twitter and Slack was blowing up about the SolarWinds hack.

Let me bring you up to speed. FireEye's Red Team tools were stolen last week by an advanced adversary. This means that some group out there has a whole bunch of very sophisticated and advanced hacking tools. Similar to when the NSA got hacked several years ago. They did a good one though and published signatures and countermeasures for their tools.

Now it turns out the SolarWinds's Orion product got hacked as early as March. How did it happen? They got into their software updates, so when everyone updated they got the infected versions of the software.

SolarWinds is used by major networks and enterprises all over the world. It's used by AWS even FWIU. It seems to mean that an adversary out there had some sort of a foothold into tons of networks globally. :(

The details are still coming out, but it is so bad that CISA Issued an Emergency Directive. If you are using this product, shut it down and activate your IR plans.

What does this mean? Well, this is a good lesson for proper Threat Modeling and Defense in Depth. It's also goes back to the assumption: Assume your network is compromised already. These are huge terms and I apologize for not explaining them here, but I will in the future or see my articles on ZeroTrust and Reflection from the Twitter Hack.

Looks like I need a long article on Threat Modeling.

That's it for now. Stay safe.

Ayman

ps. Regarding last week's recommendation for setting up a catch-all email, just want to note it's YMMV. If you are large enterprise, it might not be worth it for you and may even cause more spam/noise for you and your teams. Thanks to the reader for the reminder!

If you liked this email, forward it to a friend! I'd appreciate it.