In this installment of the Tips and Insights series, Chris Schreiber uses FireEye Helix’s analytics modules to hunt for weak indicators in an environment to suss out potentially compromised user accounts.
Hi, I’m Chris Schreiber and I’m a Solutions Architect with FireEye’s Global Pursuit Specialist Team. Today we’re going to talk about how you can use Helix analytics modules to hunt for weak indicators in your environment, specifically looking for potentially compromised user accounts. So we’ll start by just pulling up the class analytics, and this would be what analysts do if they were actually starting to hunt within your environment. So we did an initial group by application. This gives you an idea of all the different types of analytics modules that we actually have inside the Helix platform. One of the ones that we’re going to focus on today is non-VPN geo-infeasibility, which is a little bit of a mouthful. But basically what this particular analytics module does is it helps to identify user accounts that are logging in from more than one geographic location within too short of a time frame.

So let’s go ahead and run the search, and we’ll keep it over the last seven days just to get a little bit broader cross-section. What you see pop up here are actually hits that are coming out of the analytics module of Helix. So this is not generated by an alert. It’s not generated by any external tool. This is actually Helix analyzing your login records that are sent in as a SIEM-type event. Here you see a description of why this particular user was flagged. So in this case a user named Anonymous logged in 27 minutes apart, but they were 5,463 miles apart. So the computer decided that that was too far of a geographic distance and too short of a time for this to be a real logon.

So let’s go ahead and do a group by username, and this will help you see which usernames are actually getting flagged in your environment. You see Anonymous as the top one; there’s probably not much you can hunt in there. Probably just FTP-type activity. But let’s take a look at the second one, where there’s an actual name here. So we’ll add this username to the search.
Here you see that it was actually flagged nine times over the last week. So this seems to be happening fairly frequently. This would give you an idea of a user account that you might need to search deeper into, to possibly determine if their credential has been compromised and is being misused. Then you can actually take action to disable that account or force a password reset. So that gives you a brief introduction to how you can hunt in your environment using Helix analytics modules. Stay tuned for more FireEye product tips and tricks.
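To make the geo-infeasibility logic concrete, here is an added example (not Helix code and not from the video) that models what such an analytic does: it groups login records by username, compares each login with the previous one for the same account, and flags the pair when the great-circle distance divided by the elapsed time implies an impossible speed. The 600 mph threshold, the rule that VPN-sourced logins are skipped (the module's "non-VPN" qualifier), the login records and the coordinates are all assumptions constructed for the example; the hit count per username mirrors the "group by username" step from the video.

```python
"""Impossible-travel (geo-infeasibility) check over constructed login records.

Added example, not Helix code: it models the logic described in the video
(same account, two logins too far apart for the time between them) so a
defender can see what such an analytic flags and why.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

EARTH_RADIUS_MILES = 3958.8
# Assumed threshold (not from the page): nobody travels faster than a jet.
MAX_PLAUSIBLE_MPH = 600.0


@dataclass(frozen=True)
class Login:
    username: str
    when: datetime
    lat: float
    lon: float
    via_vpn: bool = False  # assumption: VPN egress IPs geolocate to the wrong place, so skip them


@dataclass(frozen=True)
class Hit:
    username: str
    minutes_apart: float
    miles_apart: float


def haversine_miles(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two latitude/longitude points, in statute miles."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def find_infeasible_travel(logins: List[Login], max_mph: float = MAX_PLAUSIBLE_MPH) -> List[Hit]:
    """Compare each non-VPN login with the previous one for the same user.

    A pair is a hit when the implied speed (miles / hours) exceeds max_mph.
    Two logins at the same instant count as a hit only if the locations differ,
    which avoids a divide-by-zero on clock-synchronous events.
    """
    by_user: Dict[str, List[Login]] = {}
    for lg in logins:
        if lg.via_vpn:
            continue
        by_user.setdefault(lg.username, []).append(lg)

    hits: List[Hit] = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.when)
        for prev, cur in zip(events, events[1:]):
            miles = haversine_miles(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            if miles < 1.0:
                continue  # same place (geolocation jitter), nothing to flag
            if hours == 0.0 or miles / hours > max_mph:
                hits.append(Hit(user, round(hours * 60, 1), round(miles, 1)))
    return hits


def hits_by_username(hits: List[Hit]) -> Dict[str, int]:
    """Equivalent of the video's 'group by username': hit count per account, highest first."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.username] = counts.get(h.username, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: kv[1], reverse=True))


# Constructed sample login records (not real data). Coordinates are for
# New York, London and Boston; usernames and times are arbitrary.
T0 = datetime(2020, 1, 6, 9, 0, 0)
SAMPLE_LOGINS = [
    Login("jdoe", T0, 40.7128, -74.0060),                                      # New York
    Login("jdoe", T0 + timedelta(minutes=27), 51.5074, -0.1278),               # London, 27 min later
    Login("jdoe", T0 + timedelta(hours=2), 40.7128, -74.0060, via_vpn=True),   # VPN login, ignored
    Login("asmith", T0, 40.7128, -74.0060),                                    # New York
    Login("asmith", T0 + timedelta(hours=6), 42.3601, -71.0589),               # Boston, 6 h later
]

if __name__ == "__main__":
    found = find_infeasible_travel(SAMPLE_LOGINS)
    for h in found:
        print(f"{h.username}: logins {h.minutes_apart} min apart but {h.miles_apart} miles apart")
    print(hits_by_username(found))
```

Running the block flags only jdoe (New York to London in 27 minutes, roughly 3,460 miles); asmith's New York to Boston hop over six hours is well under the speed threshold, and the VPN-sourced login is left out of the comparison, which is the main reason a real analytic needs that exclusion before its hit list is worth triaging.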