FireEye Analysis & Control Technology (FACT)
FireEye appliances utilize a real-time, multi-protocol analysis engine called the FireEye Analysis and Control Technology (FACT). Inbound targeted attacks and modern malware are stopped using a range of detection techniques coupled with virtual machine deep packet inspection. Suspicious traffic flows are replayed into virtual machines that have in-depth instrumentation enabling accurate malware analysis. Outbound network traffic is analyzed for unauthorized callback destinations, alerting administrators to PCs that were infected earlier or while off the corporate network.
- Inbound/Outbound traffic analysis to identify new, targeted attacks and previously compromised PCs
- Targeted attack detection of known and zero-day malware
- Outbound callback analysis to identify infected PCs communicating with criminal servers
- Virtual machine analysis enables accurate detection of sophisticated malware while eliminating false positives
- Malware profiling dynamically generates new security content like signatures, heuristics, and callback coordinates
Inbound/Outbound traffic analysis
Modern malware utilizes such a range of obfuscation, evasion, and disruption techniques that security defenses must also incorporate a range of analysis capabilities. FireEye analyzes inbound traffic across multiple protocols (including HTTP, FTP, SMTP, and IRC) and confirms an attack using virtual machine deep packet inspection. Outbound traffic is also analyzed for unauthorized callbacks to criminal servers, which indicate that an infected PC is within the corporate network.
Inbound targeted attack detection
The multi-stage detection process unifies virtualization and network security to accurately identify targeted malware that does not belong in the network. At a high level, there are two core steps:
- Identify suspicious network activities — Using signatures, heuristics, anomaly detection, and other techniques, suspicious Web and network traffic is gathered for further analysis in phase 2
- Confirm malicious impact — Using virtual victim machines, the suspicious Web and network traffic is replayed within the virtual machines to confirm a real attack, known or unknown, is taking place
Virtual Machine (VM) analysis
Virtual machines are highly instrumented and used to detect zero-day, targeted attacks in real time. FireEye's virtual machines fully replicate a PC environment with operating system and applications. Each virtual victim machine has specially built-in security instrumentation to analyze memory, CPU, network interface, and all other aspects of data and control flow within the virtual PC. The virtual victim machine runs licensed operating systems such as Microsoft Windows™.
Malware Profiling
FireEye's virtual machine analysis enables confirmation of zero-day malware as well as capture of malware installation characteristics, such as EXE locations, new registry keys, and corrupted OS services. In addition, once the malware is fully installed in the virtual machine, its outbound callback destinations are captured and shared via the MAX network.
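The two-step detection process above (triage suspicious inbound traffic, then confirm impact by replaying it in an instrumented victim machine) and the malware profiling that turns confirmed detonations into callback coordinates for outbound analysis can be sketched as a small pipeline. The following is an added example written for this page, not FireEye's code: the detonation engine is replaced by a constructed lookup table of sandbox observations, and every host, URL, path, registry key and log line is constructed sample data.

```python
"""Added example (not FireEye's code): a toy two-stage detection pipeline in the
shape the page describes. Stage 1 flags suspicious inbound flows with cheap
heuristics; stage 2 "detonates" them and confirms only on observed impact;
the confirmed reports yield callback indicators, which are then matched
against outbound connection logs to find hosts that are already infected.
All observations and log lines below are constructed sample data."""

from dataclasses import dataclass, field
import re

# ---- Stage 1: cheap heuristics over inbound flows -------------------------
SUSPICIOUS_EXT = re.compile(r"\.(exe|scr|dll|jar)(\?|$)", re.IGNORECASE)
EXECUTABLE_MIME = {"application/x-msdownload", "application/octet-stream"}


@dataclass
class InboundFlow:
    src_host: str          # internal client that fetched the object
    url: str
    content_type: str
    payload_magic: bytes   # first bytes of the response body


def is_suspicious(flow: InboundFlow) -> bool:
    """Triage: executable by extension, by MIME type, or by an 'MZ' header
    hidden behind a benign content type. Cheap, so false positives are fine."""
    return bool(SUSPICIOUS_EXT.search(flow.url)
                or flow.content_type in EXECUTABLE_MIME
                or flow.payload_magic.startswith(b"MZ"))


# ---- Stage 2: confirm impact in a (stand-in) sandbox ----------------------
@dataclass
class SandboxReport:
    new_executables: list = field(default_factory=list)  # paths written to disk
    new_run_keys: list = field(default_factory=list)     # autorun registry keys
    stopped_services: list = field(default_factory=list)
    callbacks: list = field(default_factory=list)        # (host, port) contacted


# Constructed stand-in for a detonation engine: URL -> observed behaviour.
CONSTRUCTED_DETONATION = {
    "http://example.invalid/update.exe": SandboxReport(
        new_executables=[r"C:\Users\victim\AppData\Roaming\svchost32.exe"],
        new_run_keys=[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"],
        stopped_services=["wscsvc"],
        callbacks=[("c2.example.invalid", 8080)],
    ),
    # A legitimate installer: trips stage 1 but shows no impact in stage 2.
    "http://example.invalid/setup.exe": SandboxReport(),
}


def detonate(flow: InboundFlow) -> SandboxReport:
    return CONSTRUCTED_DETONATION.get(flow.url, SandboxReport())


def confirm_malicious(report: SandboxReport) -> bool:
    """Confirm on observed behaviour only, never on the triage heuristics."""
    persistence = bool(report.new_run_keys) and bool(report.new_executables)
    return persistence or bool(report.stopped_services) or bool(report.callbacks)


# ---- Profiling output: callback coordinates from confirmed reports --------
def callback_indicators(reports) -> set:
    return {cb for r in reports if confirm_malicious(r) for cb in r.callbacks}


# ---- Outbound analysis over constructed connection-log lines --------------
LOG_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+)$")


def infected_hosts(log_lines, indicators) -> set:
    """Any internal host talking to a known callback destination is infected,
    whether or not this sensor ever saw the inbound infection."""
    hits = set()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and (m["dst"], int(m["port"])) in indicators:
            hits.add(m["src"])
    return hits


def run_pipeline(inbound, outbound_log):
    triaged = [(f, detonate(f)) for f in inbound if is_suspicious(f)]
    confirmed = {f.src_host for f, r in triaged if confirm_malicious(r)}
    indicators = callback_indicators(r for _, r in triaged)
    return confirmed, indicators, infected_hosts(outbound_log, indicators)


INBOUND = [  # constructed sample flows
    InboundFlow("10.0.0.5", "http://example.invalid/update.exe", "text/html", b"MZ\x90\x00"),
    InboundFlow("10.0.0.7", "http://example.invalid/setup.exe", "application/x-msdownload", b"MZ\x90\x00"),
    InboundFlow("10.0.0.9", "http://example.invalid/index.html", "text/html", b"<htm"),
]
OUTBOUND_LOG = [  # constructed sample log lines
    "10.0.0.5 -> c2.example.invalid:8080",
    "10.0.0.12 -> c2.example.invalid:8080",    # never seen inbound: infected earlier
    "10.0.0.7 -> updates.example.invalid:443",
]

if __name__ == "__main__":
    print(run_pipeline(INBOUND, OUTBOUND_LOG))
```

Note that 10.0.0.7 is flagged by stage 1 but cleared by stage 2, which is where the false-positive suppression the page attributes to VM analysis happens, while 10.0.0.12 is caught purely by outbound callback matching, the case of a PC infected before the sensor was watching.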
How FACT is Unique
This technique is unlike traditional dark-IP honeypots or honey-clients (e.g. malware crawlers), which expose themselves to malicious traffic and directly terminate attack traffic streams. FireEye virtual machines are transparent to the production network because FireEye appliances are deployed out-of-band. These virtual victim machines are dynamically created and destroyed on the fly to examine traffic flows between production systems on the network.
In contrast to behavioral analysis or anomaly detection, FireEye's transparent virtual victim machines can identify malicious code regardless of whether the PC vulnerability (or exploit technique) was previously unknown to researchers and developers.
FireEye technology works equally well to detect attacks targeting server-side applications that use listening services (e.g. MS RPC-DCOM or MS LSASS) and attacks targeting client-side applications (e.g. Web browsers).
Contact us to get an online demo!
