This course is designed to prepare analysts to triage and derive meaningful, actionable information from alerts on FireEye File Protect.
In a hands-on lab environment, learners will be presented with various alert types and real-world scenarios in which they will conduct in-depth analysis on the behavior and attributes of malware to assess real-world threats.
Learning Objectives
After completing this course, learners should be able to:
- Recognize current malware threats and trends
- Understand the threat detection and prevention capabilities of your FireEye Security Solution
- Locate and use critical information in a FireEye alert to assess a potential threat
- Examine OS and file changes in alert details to identify malware behaviors and triage alerts
- Identify Indicators of Compromise (IOCs) in a FireEye alert and use them to identify compromised hosts
Instructor-Led Training
Seats for our public ILT sessions can be purchased online; refer to our public training schedule for more information.
Private training sessions are available for teams of 5 or more. Please contact your FireEye account manager for availability and pricing.
Who Should Attend
Security professionals, incident responders and FireEye analysts.
Duration
1 day
Prerequisites
A working understanding of networking and network security, the Windows operating system, file system, registry, and use of the command line interface (CLI).
Course Outline
Instructor-led sessions are typically a blend of lecture and hands-on lab activities.
- FireEye Core Technology
  - Malware infection lifecycle
  - MVX engine
  - Appliance analysis phases
- Threats and Malware Trends
  - Malware overview and definition
  - Motivations of malware
  - Mandiant Attack Lifecycle
  - Types of Malware
- Threat Management
  - Features and functions of the FireEye File Protect
  - Appliance Web UI
  - Alert overview
- OS Changes
  - APIs
  - File and folder actions
  - Code injection
  - Processes
  - Mutexes
  - Windows registry events
  - Network access
  - User Account Control (UAC)
- Malware Objects
  - Malware object alerts
  - BOT Communication Details
  - OS Change Details for malware objects
  - Malware object origin analysis
- Malware Analysis Basics
  - MVX Engine Review
  - Static Analysis
  - Dynamic Analysis
  - MVX Malware Analysis
- Custom Detection Rules (optional)
  - YARA Malware Framework File Signatures
  - YARA on FireEye Appliances
  - YARA Hexadecimal
  - Regular Expressions
  - Conditions
  - Snort Rule Processing
  - Enabling Snort Rules
  - Creating a Snort Rule