In this installment of the Tips and Insights series, Fayyaz Rajpari shares a tip on the intelligence and context that an alert can provide. Using Helix, an intelligence led platform, an analyst can both provide and receive details on every alert whenever there is intel context available.
Hi, my name is Fayyaz Rajpari and I am a Solutions Architect at FireEye. In this video I’d like to share a tip on the intelligence and context that an alert can provide. Helix is an intelligence led platform that allows the analyst to provide and get additional details on every alert whenever there is intel context available.

So in this scenario I’m going to jump into alerts and look at my high risk alerts. And I’ll go and pick a specific alert here. This one I’m choosing is an alert that came from a Cisco PIX firewall. And what you can see here is that anytime our analyst can do attribution back to the bad guys, we will show those specifically in red brackets with a black hat or, in the situation, a white hat next to them. When you click on that specific artifact or indicator of compromise, you will see some specific intelligence led details. In this situation, this alert has attributed threat actors to APT1, otherwise known as Comment Team. I can further drill deeper into this specific report and show this detail here. So this provides additional strategic intelligence to the analysts so then when they’re going back into Helix and searching for artifacts they are aware of what to search for.

So as you can see here I’ve got a description of Comment Crew, the affected industries, aliases, related malware. I can further pivot into specific aliases when needed and get additional context on this specific threat actor group. So now that we’ve pivoted into the APT1 threat group profile we’re reading into APT1’s executive summary and it seems like they like to engage in cyber operations where their goal is intellectual property theft. They’re specifically located in China and we believe that APT1 is the 2nd Bureau of the People’s Liberation Army. As you scroll down it provides me more details around the specific threat and infected industries that APT1 likes to target, as well as the countries that have been targeted.
Down to data theft and then down to the industries and context and implications of APT1. So that wraps up how you can gain context about an alert and give you the intelligence you need to further hunt for your adversary. Check back for more product tips and insights from FireEye.