In this installment of the Tips and Insights series, Steve Woodward demonstrates how to get started with the SmartVision feature of FireEye’s Network Security system.
Hello, I’m Steve Woodward, Channel Systems Engineer at FireEye. I’d like to show you how to get started with the SmartVision feature of FireEye’s network security product, also known as NX. SmartVision is our new network traffic analysis feature that detects lateral movement within your network, adding East-West monitoring to our traditional North-South focus. The first thing I want to point out is that SmartVision is not running. We see that if we go to Alerts in the drop-down, there is no SmartVision listed. So the first thing we’re going to do is turn it on. So we log into the CLI and we’re going to enable. And then config t, terminal. And we’re going to show SmartVision to confirm that it is off, just to double-check. So show SmartVision status, and we see detection: no. So the way to turn it on is SmartVision enable. And then we can show status again and we’ll see that it is yes.
And we come up to our alerts, and now we should see it if we do a refresh.
We now have SmartVision alerts. Well, they’re empty because we just turned it on. So let’s go ahead and create a SmartVision alert. To do that I’m going to go into Kali and I’m going to do a little subset of my pass-the-hash demo. And we’re going to go into the impacket Python samples. We do a directory of that. What we’re going to do now is a Python version of psexec. So what we’re going to do is make a psexec connection. We’re using pass the hash. So these are the hashes that we previously collected via our attack. So now we’re trying to do lateral movement into the network onto this machine at dot 80. This is a domain member. So away we go. And now we do have shell access on the Windows machine. We can do a directory, so forth and so on. This is one example of the kind of things that we’re monitoring with SmartVision. So let’s go back to SmartVision, our NX console. So this is a footprint of impacket. Take a look at the details and we see some very interesting things here. We actually see that this is a combination of four individual events. So we’re correlating these events. We know that when impacket psexec is used by an attacker it has this kind of footprint. So we correlate these things. And then you can look at it graphed. And this gives us five minutes before and five minutes after of the network traffic that’s happening in the environment. So we can go see what might have been something preceding and following the particular event we’re seeing here. And we can also see an indication of whether this machine, and this represents the Kali box, is going to a lot of different machines. Is it trying to log in to my whole network? It’s going to be a much more interesting diagram if it’s doing more. Here we’re just going to one machine, and we’ve got a couple of things that are happening to the router, and the DNS server, and the broadcast ARP. And this is the one where it’s actually going into that machine, which has a few more packets, and that gives us that indicator.
So this is SmartVision in action, detecting lateral movement in my small little test network here.
Thanks for watching and stay tuned for more FireEye tips and insights.