How FireEye Uses Censys in its Mission to Fight Adversaries
FireEye is an enterprise information security company, offering threat intelligence and security solutions (network, endpoint and email) to help organizations prepare for, respond to and prevent breaches. As you might imagine, the security team at a cybersecurity vendor of this caliber is hyper aware that they have a target painted on their back, because they’re the protectors of some of the biggest corporations in the world – more than 45 percent of the Forbes Global 2000 to be exact. We spoke with Technical Director, Ben Withnell, from the FireEye Advanced Practices team about how they’re using Censys to fight threat actors.
Tying Together Sets of Infrastructure
Originally, FireEye was looking at internet scanning services to capture metadata about attacker infrastructure. “We’re a threat intelligence company, so historically, most of the infrastructure analysis we did was around domain resolutions and things of that sort,” said Ben.
“As attackers started getting better with some of their tradecraft, we realized we needed to start looking for other pieces of data that we could use to tie together sets of infrastructure. That was the sort of intel we were hoping to get when we were evaluating scanners.”
Censys provided the Advanced Practices team with the data they needed to track the sophisticated adversaries targeting their customers. Open source tools provided a good foundation for FireEye’s adversary tracking needs, but scan and certificate data that could support complex searches was harder to come by.
“We evaluated other scanning solutions,” he said, “but as we started getting beyond the simple things, nothing else compared to Censys’ search capabilities. Censys also helped my team uncover complex patterns across infrastructure that allowed us to create resilient detections across our products to protect our customers. None of the other tools really gave us the breadth of data and complex search capabilities necessary to effectively find and fingerprint adversary infrastructure.”
He explains, “the first step was taking the adversary infrastructure that we observed at our clients and looking at what data Censys had on those properties. Over time, as we started pulling that data into our analysis tools, we started noting trends across different sets of infrastructure. Those trends helped us start building more complex queries using Censys tools to do proactive infrastructure discovery and, in turn, get and stay ahead of the adversary.”
Using Censys for Adversary Infrastructure Tracking
Ben’s team uses Censys primarily for adversary infrastructure tracking. “My team is focused on adversaries’ methodologies. We want to know how the threat actors are standing up their infrastructure or how they operate in a particular environment.”
As FireEye discovers new infrastructure relating to adversaries of interest, the company uses Censys to build a profile of that adversary’s infrastructure, and then uses Censys’ search tools to discover new and potentially related infrastructure that matches the profile. This lets them get ahead of the adversary and deploy protections to client environments before the adversary ever uses that infrastructure.
The team is also able to focus on attacker attribution using Censys data. Ben shared an example where they found nation-state attackers were using scripts to generate SSL certificates as part of their intrusion preparation. Once this fingerprint was identified, they used Censys to continually search for the infrastructure affiliated with these attackers, which allowed FireEye to prevent the attacker(s) from successfully compromising their customers.
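The profile-then-hunt workflow described above, as an added illustration that is not FireEye’s tooling or Censys’ API: constructed certificate records stand in for scan data, the attributes that are identical across every observed attacker certificate become the profile (the host-specific names drop out, the fixed parameters a generation script leaves behind remain), and the profile is checked against an unrelated baseline before it is used to hunt, so a profile that is too broad is caught before it becomes a detection.

```python
from dataclasses import dataclass, fields
from typing import Dict, List

@dataclass(frozen=True)
class CertRecord:
    """Subset of X.509 metadata a scanner exposes (field names are assumptions)."""
    ip: str
    subject_cn: str
    issuer_cn: str
    self_signed: bool
    validity_days: int
    key_bits: int
    sig_alg: str

# Constructed: certs seen on infrastructure confirmed malicious in client investigations.
OBSERVED = [
    CertRecord("203.0.113.10", "update.example.test", "update.example.test", True, 3650, 1024, "sha1WithRSAEncryption"),
    CertRecord("203.0.113.22", "cdn.example.test", "cdn.example.test", True, 3650, 1024, "sha1WithRSAEncryption"),
    CertRecord("198.51.100.7", "login.example.test", "login.example.test", True, 3650, 1024, "sha1WithRSAEncryption"),
]
# Constructed: unrelated hosts, used to check the profile is not too broad to alert on.
BASELINE = [
    CertRecord("192.0.2.1", "www.shop.test", "Example CA", False, 398, 2048, "sha256WithRSAEncryption"),
    CertRecord("192.0.2.2", "vpn.corp.test", "vpn.corp.test", True, 365, 2048, "sha256WithRSAEncryption"),
    CertRecord("192.0.2.3", "dev.lab.test", "dev.lab.test", True, 3650, 2048, "sha256WithRSAEncryption"),
]
# Constructed: a later scan batch to hunt through (one new host fits the profile, one nearly does).
CANDIDATES = [
    CertRecord("203.0.113.99", "portal.example.test", "portal.example.test", True, 3650, 1024, "sha1WithRSAEncryption"),
    CertRecord("198.51.100.40", "stage.example.test", "stage.example.test", True, 3650, 2048, "sha1WithRSAEncryption"),
] + BASELINE

def build_profile(observed: List[CertRecord]) -> Dict[str, object]:
    """Keep only attributes identical across every observed cert; per-host values drop out."""
    profile: Dict[str, object] = {}
    for f in fields(CertRecord):
        values = {getattr(c, f.name) for c in observed}
        if f.name != "ip" and len(values) == 1:
            profile[f.name] = values.pop()
    return profile

def matches(cert: CertRecord, profile: Dict[str, object]) -> bool:
    return all(getattr(cert, k) == v for k, v in profile.items())

def baseline_rate(profile: Dict[str, object], baseline: List[CertRecord]) -> float:
    """Fraction of unrelated hosts the profile also hits; a high value means refine before deploying."""
    return sum(matches(c, profile) for c in baseline) / len(baseline)
def hunt(candidates: List[CertRecord], profile: Dict[str, object]) -> List[str]:
    return [c.ip for c in candidates if matches(c, profile)]
```

With real scan data the baseline would be a large random sample rather than three hosts, and a profile that still matches a meaningful share of it needs more attributes before it is worth a detection.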
The Business Impact of Using Censys
Armed with the Censys data needed to find and validate adversary infrastructure, FireEye has seen significant improvements in its ability to proactively discover that infrastructure, which it then uses to protect all its customers around the world.
“The impact has been huge,” Ben said. “A lot of the attacker profiles we’ve found using Censys have been for significant threats that have the potential to be disastrous for our clients.”
As a security vendor, FireEye always wants to test its detection theories in as many ways as possible before pushing them out to customers. Censys data is one way they can validate methodology-based network detections built from command-and-control server profiles.
“Being able to validate a lot of the attacker profiles that we’d want to build detections for has been immensely valuable,” said Ben. “A lot of the threat groups you’d read about in the news, such as Russian threat groups and similar groups, we were able to profile and validate with the help of Censys data, before deploying detections to our products and services customers.”
Adversary tracking starts with having comprehensive and actionable data about attacker methodologies. Censys can provide the data you need to secure your organization and prevent future attacks from known (and newly discovered) adversaries.