FAQ:  FireEye Overview

Version 3

    DOC-6473

     

    This article introduces FireEye and FireEye's technology, and answers questions often posed by prospective buyers interested in FireEye's products. Partners and current FireEye customers can find more detailed product information in the Support Community and Support Knowledge Base.

     

     

    What does FireEye Threat Prevention do?

     

    FireEye provides a platform to combat next generation cyber threats. The FireEye Platform does this with a multi-faceted approach to security – Prevent, Detect, Contain, Resolve.

    • Prevent - Prevention must enable real-time, proactive blocking and provide rich and actionable intelligence to better understand the nature of attacks for continuous improvement of the security posture.
    • Detect - Today’s advanced threats require an architecture that is aware of the multi-stage and multi-vector nature of attacks. The security solution should be able to detect known and unknown threats in real time and be able to scale with the demands of the network.
    • Contain - Effective containment demands real-time validation of threats coupled with the ability to rapidly stop the impact of an attack on compromised systems.
    • Resolve - To limit exfiltration and serious business impact, security incidents must be investigated, scoped, and resolved in a timely and cost-effective way.
The FireEye Platform provides products, people, and intelligence to deliver the industry’s first continuous threat protection model. The global, real-time platform prevents, detects, contains, and resolves advanced threats to help secure brands, intellectual property, and data.

     


     

    How is FireEye different?
     

    Legacy firewall, proxy, IPS and AV solutions use pattern-matching techniques to identify malicious attacks. Those techniques have proven to be limited when it comes to detecting modern malware that uses multiple vectors to target its victims. FireEye detects the complete malware lifecycle by identifying the exploit, the dropper and the CnC communications. FireEye can detect obfuscated and embedded JavaScript exploiting previously unknown software vulnerabilities, as well as encrypted, disguised or unknown binaries across multiple data streams. FireEye’s MVX environment identifies attacks using a combination of email, web and file infection vectors. FireEye also detects and blocks outbound callbacks. Additionally, FireEye provides a unique ability to contain and remediate the compromise. Finally, FireEye provides effective collaboration through its Dynamic Threat Intelligence cloud, enabling organizations to share threat intelligence to protect against threats targeting their industry.

     

    Is FireEye MVX a Sandbox?

     

    No, FireEye MVX is not a sandbox.

     

    The purpose of sandboxing is to prevent malicious behavior from infecting the examining system. Traditional sandbox technology examines a file within a sterile environment without any external influences. Examining a single file within a sandbox is insufficient if that file contains obfuscated or encrypted code.

     

    Common sandbox technology is well known to malware writers, who can test for the presence of various indicators that the file is being run within a debugger or virtual environment and make the malware cease to function.

     

    FireEye not only performs deep analysis on the file, but will have also captured the original exploit, which may contain the decryption keys for the malware.

     

    Due to the patented and proprietary hypervisor, FireEye will not give away any indications that the file is being run in our VXE and so the execution and subsequent monitoring of that file will continue.

     

    How does FireEye detect malware without signatures?

     

    FireEye uses a 2-stage process:

    • Stage 1, Capture, is a wire-speed scanner that looks for suspicious content and containers using pattern matching, heuristics, known signatures and other tools. Suspicious data streams might include obfuscated JavaScript, JavaScript in conjunction with a binary, or files containing embedded objects such as JavaScript or compressed code (zlib). Stage 1 is deliberately aggressive and might submit valid traffic for further analysis if there is any doubt about the content.
    • Stage 2, Analysis, is an MVX Core Environment incorporating a purpose-built hypervisor and web cache with extensive logging and analysis tools. Using the headers of the original requests, one or more MVX environments are selected and loaded with the suspect data stream. By logging and analysing every action, the MVX engine accurately identifies malicious events.
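    The following is an added example, not FireEye code, of what a Stage 1 "Capture" triage step can look like in practice: cheap byte-level heuristics (obfuscated-JavaScript constructs, an embedded PE binary, PDF script objects, long high-entropy string literals, and zlib-compressed content inflated and re-scanned) decide whether a data stream is worth submitting to a deeper Stage 2 analysis. The pattern set, thresholds and the three sample streams are constructed for this example and do not reflect FireEye's actual rules.

```python
# Added example (not FireEye code): a simplified Stage 1 "Capture" triage
# scanner. It runs cheap byte-level heuristics over a data stream and
# returns the reasons (if any) the stream should be submitted to Stage 2.
import math
import re
import zlib

# Obfuscation constructs commonly seen in browser exploit scripts (constructed set).
JS_OBFUSCATION_PATTERNS = {
    "eval": re.compile(rb"\beval\s*\("),
    "unescape": re.compile(rb"\bunescape\s*\("),
    "fromCharCode": re.compile(rb"String\.fromCharCode"),
    "unicode-escape-run": re.compile(rb"(?:%u[0-9a-fA-F]{4}){8,}"),
    "hex-escape-run": re.compile(rb"(?:\\x[0-9a-fA-F]{2}){16,}"),
}
# Marker present in the DOS stub of Windows PE executables.
PE_DOS_STUB = b"This program cannot be run in DOS mode"
# PDF name objects that indicate script is embedded in the document.
PDF_SCRIPT_TOKENS = (b"/JavaScript", b"/OpenAction")
# zlib stream headers (CMF/FLG pairs for the common compression levels).
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")
MAX_ZLIB_STREAMS = 32
LONG_LITERAL = re.compile(rb"[\"']([^\"']{200,})[\"']")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: readable script sits around 4-5, packed payloads higher."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_zlib_streams(data: bytes):
    """Yield the inflated content of each zlib stream found in the buffer."""
    found = 0
    for header in ZLIB_HEADERS:
        start = 0
        while found < MAX_ZLIB_STREAMS:
            idx = data.find(header, start)
            if idx < 0:
                break
            start = idx + 1
            try:
                # decompressobj stops at the end of the stream and ignores the rest
                inflated = zlib.decompressobj().decompress(data[idx:idx + 1_000_000])
            except zlib.error:
                continue  # not a real stream, just bytes that looked like a header
            if inflated:
                found += 1
                yield inflated


def triage(stream: bytes, depth: int = 0) -> list:
    """Return the Stage 2 submission reasons for a stream (empty list = pass)."""
    reasons = []
    for name, pattern in JS_OBFUSCATION_PATTERNS.items():
        if pattern.search(stream):
            reasons.append(f"js:{name}")
    if PE_DOS_STUB in stream:
        reasons.append("embedded-pe-binary")
    if any(token in stream for token in PDF_SCRIPT_TOKENS):
        reasons.append("pdf:script-object")
    # A very long, high-entropy string literal is a typical packed payload.
    for literal in LONG_LITERAL.finditer(stream):
        if shannon_entropy(literal.group(1)) > 5.0:
            reasons.append("high-entropy-literal")
            break
    # Compressed code: inflate zlib streams and apply the same checks inside.
    if depth < 2:
        for inner in extract_zlib_streams(stream):
            reasons.extend("zlib>" + r for r in triage(inner, depth + 1))
    return reasons


# Constructed sample streams (not captured traffic).
BENIGN_HTML = (b"<html><body><script>document.getElementById('x').innerText"
               b" = 'hi';</script></body></html>")
OBFUSCATED_JS = (b"<html><script>var s=unescape('%u9090%u9090%u9090%u9090"
                 b"%u9090%u9090%u9090%u9090%u4141'); eval(s);</script></html>")
PDF_WITH_COMPRESSED_JS = (
    b"%PDF-1.5\n1 0 obj << /Filter /FlateDecode >> stream\n"
    + zlib.compress(b"<< /S /JavaScript /JS (eval(String.fromCharCode(118,97,114))) >>")
    + b"\nendstream endobj\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_HTML), ("obfuscated", OBFUSCATED_JS),
                          ("pdf", PDF_WITH_COMPRESSED_JS)]:
        verdict = triage(sample)
        print(f"{label}: {'submit to Stage 2' if verdict else 'pass'} {verdict}")
```

    The benign page passes, the obfuscated script is flagged on three heuristics, and the PDF is only flagged after its FlateDecode stream has been inflated, which is the "compressed code (zlib)" case the text mentions. As the text says of Stage 1, this is deliberately aggressive: the point is to decide cheaply what deserves full execution and logging, not to reach a verdict.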

     

    What is DTI?
     

    The FireEye Dynamic Threat Intelligence Cloud (DTI) is used to share and distribute IOC coordinates generated by all active FireEye appliances enabled to communicate. This is a best practice that allows wire-speed blocking of zero-day malware.

     

    Why can’t event zero be blocked?

     

    The first incidence of a new threat cannot be blocked until it has been deemed malicious, and blocking it inline before that verdict would add unacceptable latency (FireEye appliances perform real-time analysis in parallel to prevent latency).

     

    Note that not every organization will see the first incidence of a new malware sample. FireEye's Dynamic Threat Intelligence Cloud allows all FireEye appliances to block the malware as soon as any contributing appliance has deemed a sample malicious and submitted the new signatures.

     

    How can I tell if a host is infected?

     

    A Red Severity Indicator means it is very likely an attack was successful and the host is infected. Callback activity would confirm this.

     

    An Amber Severity Indicator means the attack is unlikely to have been successful because the FireEye appliance had to serve a dummy binary, known as the Honey binary, in place of the original but missing binary. This will be shown in the event logging.

     

    The absence of any callback activity would confirm this.

     

    In addition, with the HX agent deployed on the host, an infection detected on the network can be proactively verified on the agent without waiting for a callback (the consequence of a successful infection). Once verified, the HX agent can isolate the host from the network to avoid lateral movement.
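    As an added example, not FireEye code, the following correlates per-host events to reach the verdicts described above: a callback confirms infection, a host-side HX verification confirms it without waiting for a callback, a delivered binary is rated red (very likely successful), and a served honey binary with no callback is rated amber. The event format, field names, host addresses and the HX result values are constructed for this example and are not FireEye's log format.

```python
# Added example (not FireEye code): correlating per-host appliance events to
# reach the verdicts described above. Event format, field names and values
# are constructed for this example and are not FireEye's log format.
import re
from collections import defaultdict

# Constructed sample of network-appliance and HX-agent events for four hosts.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z host=10.0.0.5 type=exploit vector=web detail=obfuscated-js
2024-05-01T10:00:02Z host=10.0.0.5 type=binary status=honey
2024-05-01T10:00:03Z host=10.0.0.7 type=exploit vector=web detail=heap-spray
2024-05-01T10:00:04Z host=10.0.0.7 type=binary status=delivered
2024-05-01T10:05:00Z host=10.0.0.7 type=callback dst=cnc.example.invalid
2024-05-01T10:00:10Z host=10.0.0.9 type=exploit vector=email detail=malicious-attachment
2024-05-01T10:00:11Z host=10.0.0.9 type=binary status=delivered
2024-05-01T10:02:00Z host=10.0.0.9 type=hx-verify result=infected
2024-05-01T10:00:20Z host=10.0.0.11 type=exploit vector=web detail=obfuscated-js
2024-05-01T10:00:21Z host=10.0.0.11 type=binary status=delivered
"""

KEY_VALUE = re.compile(r"([\w-]+)=(\S+)")


def parse_events(text: str) -> list:
    """Parse 'timestamp key=value ...' lines into dicts (one per event)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, _, rest = line.partition(" ")
        fields = dict(KEY_VALUE.findall(rest))
        fields["ts"] = timestamp
        events.append(fields)
    return events


def assess_host(events: list) -> tuple:
    """Return (severity, basis, recommended action) for one host's events."""
    callback = any(e["type"] == "callback" for e in events)
    delivered = any(e["type"] == "binary" and e.get("status") == "delivered" for e in events)
    honey = any(e["type"] == "binary" and e.get("status") == "honey" for e in events)
    hx = next((e.get("result") for e in events if e["type"] == "hx-verify"), None)

    if callback:
        return ("red", "callback observed: infection confirmed",
                "isolate host and begin incident response")
    if hx == "infected":
        return ("red", "HX agent verified the infection without waiting for a callback",
                "isolate host with HX and collect host artifacts")
    if delivered:
        if hx == "clean":
            return ("red", "binary delivered but HX verification found nothing yet",
                    "keep watching for callback and re-verify on the host")
        return ("red", "exploit very likely succeeded: the real binary was delivered",
                "verify on the host with HX; a callback would confirm infection")
    if honey:
        return ("amber", "honey binary served in place of the missing binary; no callback seen",
                "monitor; continued absence of callback confirms the host is clean")
    return ("amber", "exploit alert only; no binary or callback observed",
            "monitor for follow-on activity")


def assess_all(text: str) -> dict:
    """Group events by host and return each host's verdict."""
    by_host = defaultdict(list)
    for event in parse_events(text):
        by_host[event["host"]].append(event)
    return {host: assess_host(events) for host, events in by_host.items()}


if __name__ == "__main__":
    for host, (severity, basis, action) in assess_all(SAMPLE_EVENTS).items():
        print(f"{host}: {severity.upper():5} {basis} -> {action}")
```

    The ordering of the checks is the point: evidence from the host (a callback, or an HX verification) outranks the network-side indicator, so a red rating that has not been confirmed is the one that still needs analyst follow-up, and an amber rating only stays amber while no callback is seen.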

     

    Does FireEye depend on any 3rd parties to maintain software?

     

    No, FireEye retains all the source code and maintains all developments and transitions internally.

     

    How often do new software versions get released?

    • New major software releases come out approximately every 6-9 months.
    • Patches come out every 4 to 6 weeks.
    • Guest image releases come out every 6 to 8 weeks.

    • SSL is not common for initial infections from a web page. Infected https redirection is rare because it is impossible for the malware to remain transparent to the user and, considering how successful obfuscation and JavaScript decryption are, it adds significant complexity without any benefit.
    • Links to dedicated infected https sites are socially engineered targeted attacks and are usually distributed via email. The FireEye Email MPS Appliance detects these threats.