Automatic correlation of FireEye red team tool countermeasure detections

Sumo Logic has reviewed the announced breach on December 8, 2020 by FireEye and their subsequent public release of over 300 countermeasure rules. We are continuing to analyze the available information and would like to share this update to all existing and prospective customers interested in how our Sumo Logic services can assist with this development.

If you are concerned about potential attacks stemming from the hacked red team tools, we recommend evaluating and implementing the publicly-provided rules to your existing security monitoring systems. As of this writing, FireEye has provided 312 rules and signatures, including Snort and Suricata IDS rules, YARA rules, OpenIOC indicator collections, and ClamAV antivirus signatures. Alerts generated by these monitoring systems are automatically analyzed, visualized, and correlated by Sumo Logic’s Cloud SIEM solution similar to all other supported data sources. This provides your SOC team with central visibility of attempts to use these tools against your enterprise, correlated against alerts from other diverse data sources across your on-prem and hybrid cloud environments.

For customers using Sumo Logic Cloud SIEM Enterprise, you have the ability to import YARA rules directly from the FireEye GitHub countermeasure repository into the platform. Please review our documentation for further instructions or reach out to your Sumo Logic Technical Account Manager if you need assistance in implementing these rules.

Sumo Logic’s Security Content team is evaluating the full rule set for detections that are relevant for the platform. New detections that are useful and compatible will be added over time, so please review our Cloud SIEM content release notifications for further details as we often update our rules multiple times each week.

Finally, all customers of Sumo Logic’s SpecOps services have received a detailed situational awareness brief on the incident including additional analysis and recommendations. This team of threat hunters are available for questions at any time or during your next scheduled briefing.