
FireEye Dynamic Threat Intelligence Cloud
A Real-Time Global Exchange of Threat Data Helps Preempt Emerging, Zero-Day Attacks



Overview:

The FireEye Dynamic Threat Intelligence cloud interconnects FireEye appliances deployed within customer networks, technology partner networks, and service providers around the world. This worldwide cloud efficiently shares auto-generated malware security intelligence, such as covert callback channels, as well as new threat findings from the FireEye Malware Intelligence Lab.

How FireEye Combats Today's New Breed of Cyber Attacks

When an appliance confirms an attack locally, it generates a dynamic and anonymized signature of the attack and distributes it through the Cloud to warn other users. Threat intelligence includes:

  • Malware attack profiles, including identifiers of malware code, exploit URLs and other sources of inbound infections and attacks
  • Analysis of email attachments and URLs
  • Fully qualified malware callback destinations (Destination IP address, protocols used, ports used) that identify malicious websites and email sources
  • Malware communication protocol characteristics, such as custom commands used to instantiate transmission sessions
  • Third-party threat intelligence feeds from many different sources, which are then automatically validated using FireEye technology and added into the DTI cloud subscription feed

Unlike reputation and risk-based threat intelligence networks, which make assumptions about potentially risky code and broadcast signatures that may either falsely block or falsely allow traffic, FireEye systems confirm malicious activity. The assessments captured by the FireEye systems are conclusive because suspicious code is fully tested in a virtual execution environment.

Features and Benefits:

This Internet cybercrime watch system provides subscribers the latest intelligence on zero-day attacks and unauthorized malware callback destinations.

Real-time sharing of global malware intelligence
The FireEye Malware Protection Cloud (MPC) interconnects FireEye appliances deployed within customer networks, technology partner networks, and service providers around the world. The MPC serves as a global distribution hub to efficiently share auto-generated malware security intelligence such as new malware profiles, vulnerability exploits, and obfuscation tactics, as well as new threat findings from the FireEye Malware Intelligence Lab and verified third-party security feeds. Through the MPC, FireEye appliances are more efficient at detecting both known malware and the zero-day, highly targeted attacks used in cybercrime, cyber espionage, and cyber reconnaissance.

How it works: stopping advanced targeted attacks
The FireEye Web MPS, Email MPS, File MPS, and MAS appliances analyze across major threat vectors - Web, email, and files - for advanced targeted attacks. Within each appliance, the Virtual Execution (VX) engine creates dynamic security content based on the analysis of suspicious Web traffic, email attachments, and files. The FireEye Central Management System (CMS) is then used to distribute the dynamic security content locally to each appliance to provide real-time protection throughout the entire FireEye deployment.

Organizations that subscribe to the MPC will receive threat data from, and can opt-in to send threat data to, the global subscriber base to stop emerging threats.

Dynamic analysis protects against unknown, zero-day attacks
The multi-phase VX engine captures, replays, and confirms zero-day malware and targeted attacks by executing suspicious binaries and Web objects against a range of browsers, plug-ins, applications, and operating environments. The VX engine is instrumented to confirm that an attack is underway by tracking vulnerability exploitation, memory corruption used to gain arbitrary code execution, and other definitive malicious actions. As the virtual attack plays out, the engine captures the dynamic callback channels used by the zero-day attack and then creates blocking rules for each channel.

By integrating MPS inspections across multiple threat vectors, customers get comprehensive threat analysis of OS, Web-based, email, and application threats. This integrated approach enables the most comprehensive protection against known and zero-day malware used in advanced targeted attacks. By sharing real-time local detections, subscribers contribute to and gain from the global Malware Protection Cloud to mitigate the ongoing threats targeting organizations worldwide.

Detailed intelligence on emerging threats
Threat intelligence includes:

  • Malware attack profiles (MD5s of malware code, network behaviors, obfuscation tactics) that identify confirmed and known attacks
  • Analysis of file share objects, email attachments, and URLs
  • Fully qualified malware callback destinations (destination IP address, protocols used, ports used) used to exfiltrate data and deliver cybercriminal commands
  • Malware communication protocol characteristics, such as custom commands used to instantiate transmission sessions

Blocks based on facts to avoid false positives
Unlike reputation and risk-based threat intelligence networks, which make assumptions about potentially risky code and broadcast signatures that may either falsely block or falsely allow traffic, FireEye systems confirm malicious activity. The assessments captured by the FireEye systems are conclusive, because suspicious code is fully tested in a virtual execution environment. An example demonstrates the value of real-time intelligence updates:

  1. A FireEye appliance identifies a malicious IP address serving as a command and control (C&C) system and begins to block outbound calls to that address
  2. The appliance automatically notifies the FireEye MPC of the destination IP address, port, and malware protocol used in the attempted connection
  3. MPC subscribers' FireEye appliances pull down regular updates and block connections to that IP address that use the same port and malware protocol
  4. Compromised systems at all MPC subscriber sites are cut off from contacting the botnet C&C system
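The four steps above, played out as an added example that is not FireEye code: the indicator record, the hub's publish/pull interface, the site names, the 203.0.113.0/24 and 198.51.100.0/24 addresses (documentation ranges) and the session command string are all constructed for illustration. The point it shows is the last sentence of the preceding paragraph: a subscriber blocks only on a full match of destination IP, port and protocol characteristic, so other traffic to the same address is not falsely blocked, and nothing identifying the reporting site or its compromised host ever enters the feed.

```python
"""Worked model of the four-step callback exchange.

Constructed example: record format, hub API, sites and sample connections are
assumptions for illustration, not FireEye's own implementation.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CallbackIndicator:
    """Fully qualified callback destination plus the protocol characteristic
    seen on the wire. This is all that leaves a site: no victim, no site id."""
    dst_ip: str
    dst_port: int
    transport: str      # "tcp" or "udp"
    session_cmd: str    # custom command the malware sends to open a session


class Hub:
    """Stand-in for the cloud distribution hub (constructed)."""

    def __init__(self) -> None:
        self._feed: list[CallbackIndicator] = []

    def publish(self, indicator: CallbackIndicator, site: str, victim_host: str) -> None:
        # Step 2: the appliance reports destination IP, port and protocol.
        # Site name and victim host are accepted but deliberately not stored;
        # that is the anonymization the text describes.
        if indicator not in self._feed:
            self._feed.append(indicator)

    def pull(self, cursor: int) -> list[CallbackIndicator]:
        # Step 3: a subscriber fetches everything published since its last pull.
        return self._feed[cursor:]


class Appliance:
    """Minimal appliance: a block list of confirmed callbacks and a feed cursor."""

    def __init__(self, hub: Hub, site: str) -> None:
        self.hub = hub
        self.site = site
        self.blocklist: set[CallbackIndicator] = set()
        self.cursor = 0

    def confirm_callback(self, indicator: CallbackIndicator, victim_host: str) -> None:
        # Step 1: local analysis confirmed the C&C; block it here, then share it.
        self.blocklist.add(indicator)
        self.hub.publish(indicator, self.site, victim_host)

    def sync(self) -> int:
        # Step 3: pull new indicators into the local block rules; returns the count.
        new = self.hub.pull(self.cursor)
        self.cursor += len(new)
        self.blocklist.update(new)
        return len(new)

    def decide(self, conn: dict) -> str:
        # Step 4: block only on a full match of IP, port, transport and session
        # command. Same IP on a different service or protocol is left alone.
        key = CallbackIndicator(conn["dst_ip"], conn["dst_port"],
                                conn["transport"], conn["session_cmd"])
        return "block" if key in self.blocklist else "allow"


def run_exchange() -> dict[str, str]:
    """Play the four steps with two sites and a constructed connection log."""
    hub = Hub()
    site_a = Appliance(hub, "site-a")
    site_b = Appliance(hub, "site-b")

    # Steps 1 and 2 at site A (address, port and command are constructed).
    c2 = CallbackIndicator("203.0.113.45", 8443, "tcp", "INIT-SESSION v2")
    site_a.confirm_callback(c2, victim_host="ws-1042.site-a.internal")

    # Step 3 at site B: the indicator arrives with no site-A details attached.
    site_b.sync()

    # Step 4: constructed outbound connections observed at site B.
    log = {
        "c2_beacon":     {"dst_ip": "203.0.113.45", "dst_port": 8443, "transport": "tcp", "session_cmd": "INIT-SESSION v2"},
        "same_ip_https": {"dst_ip": "203.0.113.45", "dst_port": 443,  "transport": "tcp", "session_cmd": ""},
        "unrelated":     {"dst_ip": "198.51.100.7", "dst_port": 8443, "transport": "tcp", "session_cmd": "INIT-SESSION v2"},
    }
    return {name: site_b.decide(conn) for name, conn in log.items()}


if __name__ == "__main__":
    for name, verdict in run_exchange().items():
        print(f"{name:14} {verdict}")
```

The `same_ip_https` entry is the case the "blocks based on facts" heading is about: a reputation feed keyed on the address alone would block it, while a fully qualified indicator does not.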

Documentation:

Download the FireEye Dynamic Threat Intelligence cloud Datasheet (PDF).