In this installment of the Tips and Insights series, Jason Forcht describes how to investigate callback alerts in the FireEye Network Security system.
Hello, I’m Jason Forcht, and I’m a Consulting Systems Engineer at FireEye. I’d like to give you a quick tip on how to investigate callback alerts in FireEye Network Security. This is particularly important because it signifies that a device within your network may be communicating with command and control outside of your network.
Callback events are a particularly important type of alert that you need to look out for, because they signify that a device within your network is calling back to command and control somewhere else in the world. This can signify that they’ve already been compromised and that they are either sending back corporate information, making that contact to download additional information, or just letting them know that they are online. So let’s get into the FireEye Network Security dashboard and we can see what these alerts look like.
When we open it up, in the middle of the FireEye Network Security dashboard we see the callback events right in the middle of the screen. These are the events that occurred in the past 24 hours. To get into all of the alerts, we go to the alert screen and the Alerts tab. Once we’re inside here we can see all the alerts, or callback activities, which is separated out from the rest of the alerts. Here we can see the alerts that have come up over the past 24 hours. And if you take a look at the first one, we can see the command and control server. This is the actual IP address out there in the world that machines within your network are talking back to. As you scroll across the screen we see the number of events. This signifies that twice within the past 24 hours machines have called back, and here are the number of machines that have called back. So it’s not a single machine in this instance calling back to this command and control server. It’s two separate machines calling back, each one time, to this command and control server. We expand the alert. We can see the two IP addresses within the network that are calling back.
Stay tuned for more FireEye products tips and insights.
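The distinction the walkthrough draws between "number of events" and "number of machines" for one command-and-control server, as an added example that is not part of the original video or of FireEye's software. The alert records, field names and the 24-hour window relative to a fixed "now" are constructed here for illustration; the alerts are grouped by C2 server, excluding anything older than 24 hours, and the servers are ordered for triage.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample callback alerts (not FireEye's real export format):
# one record per callback event, with the time it was seen, the internal
# source host and the external command-and-control destination.
SAMPLE_ALERTS = [
    {"ts": "2024-03-04T09:15:00Z", "src": "10.1.20.15", "c2": "203.0.113.45"},
    {"ts": "2024-03-04T17:42:00Z", "src": "10.1.20.88", "c2": "203.0.113.45"},
    {"ts": "2024-03-04T18:05:00Z", "src": "10.1.30.7",  "c2": "198.51.100.9"},
    {"ts": "2024-03-04T18:20:00Z", "src": "10.1.30.7",  "c2": "198.51.100.9"},
    {"ts": "2024-03-04T19:01:00Z", "src": "10.1.30.7",  "c2": "198.51.100.9"},
    # Older than 24 hours relative to NOW; must fall outside the window.
    {"ts": "2024-03-02T08:00:00Z", "src": "10.1.20.15", "c2": "203.0.113.45"},
]
NOW = datetime(2024, 3, 5, 8, 0, tzinfo=timezone.utc)  # constructed reference time


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize_callbacks(alerts, now=NOW, window=timedelta(hours=24)):
    """Group callback events by C2 server over the trailing window.

    Returns {c2_ip: {"events": n, "hosts": sorted list of internal IPs}}.
    "events" counts every callback; "hosts" counts distinct internal
    sources, so two events may be one host calling twice or two hosts
    calling once each, which is what the expanded alert reveals.
    """
    cutoff = now - window
    summary = defaultdict(lambda: {"events": 0, "hosts": set()})
    for alert in alerts:
        if _parse_ts(alert["ts"]) < cutoff:
            continue
        entry = summary[alert["c2"]]
        entry["events"] += 1
        entry["hosts"].add(alert["src"])
    return {c2: {"events": e["events"], "hosts": sorted(e["hosts"])}
            for c2, e in summary.items()}


def triage_order(summary):
    """Order C2 servers by distinct hosts, then by events: a server reached
    by several machines suggests a wider compromise than one noisy host."""
    return sorted(summary, key=lambda c2: (-len(summary[c2]["hosts"]),
                                          -summary[c2]["events"], c2))


if __name__ == "__main__":
    report = summarize_callbacks(SAMPLE_ALERTS)
    for c2 in triage_order(report):
        print(c2, report[c2]["events"], "events from", report[c2]["hosts"])
```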