
FireEye (platform)

Product
Developers: FireEye
Last Release Date: 2014/12/15
Technology: Cybersecurity - Antivirus, Cybersecurity - Antispam, Firewall


FireEye is a threat protection platform designed for dynamic detection and real-time blocking of cyber attacks.

The FireEye platform is a next-generation solution for protecting data against cyber attacks, including:

  • modern malware,
  • attacks exploiting zero-day vulnerabilities,
  • targeted APT attacks.

FireEye modules, 2014

The FireEye platform uses behavioural analysis of potentially dangerous objects, which are executed simultaneously on a large number of purpose-built virtual machines (running different versions of the Windows operating system with different versions of application software). This analysis reveals threats delivered over different attack vectors: a user visiting a compromised website, e-mail, file sharing, and so on. In addition to blocking intrusion attempts into the company network, the FireEye system analyzes outgoing network traffic to detect hosts that are already infected, where malicious code was previously installed that receives control instructions from the Internet and/or covertly sends confidential information collected on the network to the outside.
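The last sentence describes detecting already-infected hosts from their outgoing traffic. One behavioural indicator of malware calling back to a control server is that a host contacts the same external destination at near-constant intervals while ordinary user browsing is irregular. The following is an added example of that check, written for this article rather than taken from FireEye; the log format (timestamp, source IP, destination host, bytes) and the sample lines are constructed for the illustration and do not correspond to any real appliance output.

```python
"""Flag (source, destination) flows whose connections recur at regular
intervals, a simple indicator of a callback ("beacon") to a control server.

Added example, not FireEye code.  The log format and the sample log below are
constructed for this illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress proxy log: "timestamp src_ip dst_host bytes".
# 10.0.0.5 contacts one host every ~300 s; 10.0.0.7 is a user browsing normally.
SAMPLE_LOG = """\
2014-06-01T09:00:02 10.0.0.5 update-check.example.net 512
2014-06-01T09:00:45 10.0.0.7 news.example.com 48211
2014-06-01T09:05:01 10.0.0.5 update-check.example.net 510
2014-06-01T09:07:13 10.0.0.7 cdn.example.com 120034
2014-06-01T09:10:03 10.0.0.5 update-check.example.net 514
2014-06-01T09:12:58 10.0.0.7 news.example.com 9930
2014-06-01T09:15:00 10.0.0.5 update-check.example.net 511
2014-06-01T09:20:02 10.0.0.5 update-check.example.net 509
2014-06-01T09:31:40 10.0.0.7 mail.example.com 2210
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, size = parts
        try:
            yield datetime.fromisoformat(ts), src, dst, int(size)
        except ValueError:
            continue


def find_beacons(text, min_connections=4, max_jitter_ratio=0.05):
    """Return {(src, dst): mean_interval_seconds} for flows that look like
    beacons: at least `min_connections` connections whose inter-arrival
    times have a standard deviation below `max_jitter_ratio` of the mean."""
    flows = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        flows[(src, dst)].append(ts)

    beacons = {}
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # A steady period with little jitter is the behavioural signal;
        # human browsing produces widely scattered gaps and is not flagged.
        if avg > 0 and pstdev(gaps) <= max_jitter_ratio * avg:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible callback: {src} -> {dst} every ~{interval:.0f}s")
```

On the sample log only the 10.0.0.5 flow is reported (five connections, mean gap 300 s, jitter of a few seconds); in practice the thresholds are tuned per network, and a flagged flow is a lead for investigation rather than a verdict, since legitimate update checks also beacon.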

The FireEye platform complements traditional and modern firewalls, IPS systems, antivirus software and gateways. It helps build a protective framework for integrated next-generation defence against multi-vector threats on the web, in e-mail, in file sharing and in mobile applications.

The FireEye threat protection platform counters modern cyber attacks that aggressively bypass all signature-based protections and endanger most operating networks.

FireEye features:

  • The FireEye Multi-Vector Virtual Execution (MVX) engine helps detect new-generation cyber attacks

  • The FireEye Dynamic Threat Intelligence cloud takes part in the search for threats of unknown origin identified by MVX analysis

  • Security collaboration with an extensive partner ecosystem is provided, using standardized malware metadata and the FireEye application programming interfaces


FireEye is a complete family of hardware and software systems and services developed to combat modern threats on the web and in e-mail, resident malware on shared file resources, and threats in mobile applications.

FireEye hardware and software systems, 2014

The platform consists of:

  • Web Malware Protection System – a web security solution for combating modern attacks that arise when browsing websites or following URL links contained in e-mail messages.

  • Email Malware Protection System – an e-mail security solution for protection against modern attacks such as targeted phishing.

  • File Malware Protection System – a file security solution for detecting and removing resident malware on shared file resources.

  • Malware Analysis System – a solution for automated expert analysis of malware.

  • Central Management System – a solution for local real-time exchange of threat data and unified management of the enterprise deployment.

  • Dynamic Threat Intelligence – a cloud solution for global real-time exchange of threat analysis data to reduce the danger of modern attacks.

History

2015: "666", a critical vulnerability in FireEye

On December 16, 2015, Securitylab reported, citing the Google Project Zero team, the existence of a critical vulnerability in FireEye products[1].

The flaw allows internal networks to be compromised by means of a single e-mail message.

Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich discovered a critical vulnerability in FireEye appliances. The flaw allows attackers to break into corporate networks using specially crafted e-mail messages.

The bug was named "666" after its assigned issue number. The problem stems from an error in the passive monitoring module and affects the FireEye NX, FX, AX and EX appliances.

FireEye appliances are installed on an organization's internal network and passively observe all traffic. All file transfer operations (for example, over FTP or e-mail) are monitored: as part of monitoring, the transferred files are opened and checked for malware. If a user receives an e-mail with a malicious attachment, the monitoring system will attempt to inspect the received files and will itself be infected. The attacker can then gain access to the corporate network.

The vulnerability can be exploited on appliances with factory default settings. FireEye released fixes for FireEye NX, FX and AX. Given the circumstances, technical support is being provided to all customers, including those whose service contracts have expired.

On networks with infected appliances, attackers can steal confidential information, intercept or redirect traffic, and install rootkits or self-propagating network worms.

FireEye EX

FireEye EX is a solution for protecting the organization against targeted phishing e-mail attacks that bypass reputation and antispam technologies. Targeted phishing attacks use social engineering to craft plausible messages that induce the user to follow a link or open an attachment, which ultimately gives the cybercriminal control over the system.

EX analyzes every attachment in order to quarantine the targeted phishing messages used in advanced targeted attacks against the organization, using the signature-less Multi-Vector Virtual Execution (MVX) technology, which safely and accurately detects zero-day attacks. EX does not use signatures or reputation databases; instead, each attachment is "detonated" across a matrix of operating systems and applications, including various web browsers and plug-ins such as Adobe Reader and Flash. The administrator can quarantine the malicious message or delete it altogether.

Principle of operation of the FireEye NX appliance, 2014

Because APT attacks often use targeted phishing as part of a multi-vector strategy for penetrating the victim's network, EX is often deployed together with the web attack protection solution (FireEye NX) and the central management console (FireEye CM). In such a deployment, the customer receives not only real-time protection against malicious URLs but also the ability to track the relationships within blended attacks.

Features:

  • Installation in up to 60 minutes – deployed in-line as an MTA (blocking/monitoring) or out-of-band as a SPAN or BCC device (monitoring only)
  • Real-time quarantine of messages carrying zero-day threats – FireEye MVX technology blocks advanced targeted attacks (ATA) that arrive through infected images, PDF files, Flash or ZIP/RAR/TNEF archives
  • Integration with NX to stop blended attacks – quarantining of messages with malicious URLs and tracking of web attacks whose source is a targeted phishing e-mail
  • Stronger control over the existing mail infrastructure – multilevel, dynamic analysis of malware and attachments eliminates the shortcomings of the static, signature-based threat detection used by antispam and antivirus gateways
  • Dynamic threat profiling – FireEye EX captures callback coordinates and communication characteristics to protect the local network, and also distributes them globally via the DTI cloud service
  • YARA rule support – lets security analysts configure byte-level rules and provide fast, effective analysis of e-mail objects for threats specific to your organization
  • AV-Suite integration – malicious objects detected by antivirus solutions can be sent for deeper analysis to prioritize incident response more accurately
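Two points above, the per-attachment analysis of each message and the support for byte-level YARA rules, share one intake step: pull every attachment out of the MIME structure and test its raw bytes against rules that do not depend on the declared file type. The following is an added example of that step, written for this article and not FireEye or YARA code. The three rules are hypothetical, modelled on what a YARA strings/condition pair expresses (an executable header in a file named like a document, a PDF carrying auto-run JavaScript, a ZIP whose entry names include an executable), and the message they are run against is constructed inline.

```python
"""Extract attachments from a MIME message and apply byte-level rules to them.

Added example, not FireEye or YARA code.  The rules are hypothetical and the
sample message is constructed for this illustration."""
import email
import hashlib
from email import policy
from email.message import EmailMessage


# Each rule is (name, predicate); the predicate sees the declared filename
# and the decoded attachment bytes, independent of the MIME content type.
def _pe_posing_as_document(name, data):
    doc_exts = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf")
    return data.startswith(b"MZ") and name.lower().endswith(doc_exts)


def _pdf_with_auto_javascript(name, data):
    return data.startswith(b"%PDF") and b"/JavaScript" in data and b"/OpenAction" in data


def _zip_containing_executable(name, data):
    # ZIP local file headers store entry names in plaintext.
    return data.startswith(b"PK\x03\x04") and b".exe" in data.lower()


RULES = [
    ("pe_posing_as_document", _pe_posing_as_document),
    ("pdf_with_auto_javascript", _pdf_with_auto_javascript),
    ("zip_containing_executable", _zip_containing_executable),
]


def scan_message(raw):
    """Parse a raw RFC 822 message and return one dict per attachment with
    its filename, size, SHA-256 and the names of the rules that matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_content()
        if isinstance(data, str):  # text/* attachments are returned decoded
            data = data.encode("utf-8", "replace")
        results.append({
            "filename": name,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "matches": [n for n, check in RULES if check(name, data)],
        })
    return results


def build_sample_email():
    """Constructed message: a clean PDF-like attachment and a file named
    invoice.pdf whose bytes start with the Windows executable 'MZ' header."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find the invoice attached.")
    clean_pdf = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    fake_pdf = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 40
    msg.add_attachment(clean_pdf, maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(fake_pdf, maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for r in scan_message(build_sample_email()):
        verdict = "QUARANTINE" if r["matches"] else "clean"
        print(f"{r['filename']:12} {r['size']:6d} B  {verdict}  {r['matches']}")
```

Both attachments are declared as application/pdf, so a check on the MIME type alone would pass them; the rules look at the bytes instead, and only invoice.pdf is flagged. The SHA-256 is recorded so a hit can be correlated with other detections on the same object.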

Notes