In this installment of the Tips and Insights series, Fayyaz Rajpari explains how to use FireEye Helix’s Investigative Tips feature to answer the question “Now What?” after receiving an alert from your networked device.
Hi, my name is Fayyaz Rajpari and I’m a Solutions Architect at FireEye. Today, I’ll be talking about the Investigative Tips feature, and how it can help analysts answer the “Now What?”. Every alert in Helix provides you the capability to answer the “Now What?” by giving you some questions around the alert and answers back for that specific alert. So in this situation, we’re looking at an NX alert that came from a network device. Questions always get asked by an analyst when they’re looking at an NX alert, or any alert it could be, and they really don’t know what to do from there. So in this situation we’ve got a virus, backdoor.generic, a destination IP, a source IP, a destination port, and some other information that would be called indicators of compromise. But what do I do from here? The analyst many times wants those questions answered. So in order to answer that “Now What?” you want to go into Investigative Tips. So I can collapse all these queries, which I have already collapsed, and what you’ll see here is specific questions asked from specifically that alert. Every investigative tip may be different, with different questions provided depending on the vector of attack, so you may have a different set of questions asked if it was a network-based alert versus an endpoint or versus an e-mail. Think of this as having an actual Mandiant incident responder helping you with the incident, providing you some questions, and then you can use Helix to provide the answers back.

So let’s look at these questions here. So, were there any other rules that were fired for the source IP? It sounds like there were. We’re looking at a 60-minute time offset and there were specifically four other detect rules that were fired off around that timeframe. There are some other questions here. We’ll jump into the ‘were there any other related AV hits?’ and there were other specific AV hits as well.
So we’ve got some other evidence that you may want to pivot off of, and then we’ll move down into the actual hosts connected to the command and control host. Looks like there are two here. And then lastly, the ‘what are other hosts who were found with the same threat?’. You’ll find that there are three specific IP addresses with virus backdoor.generic. So it looks like it’s definitely not just one host in question here. There’s a couple of hosts. Looks like those two or three different hosts are ones you may want to look at, and we can then pivot into those specific hosts and do further hunting for evil once you go into the platform and start searching for that data. So, now that you have the answers to the Now What, you can successfully kick out the adversary from and insights from FireEye.
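As an added illustration (not code from FireEye or the Helix product), the Python below reproduces the four pivots the investigative tips walk through above over a constructed set of events: other detect rules fired for the alert’s source IP within a 60-minute window, related AV hits, hosts that talked to the command-and-control address, and hosts carrying the same threat name. Event fields, rule names, timestamps and IP addresses are all assumed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Helix data); timestamps are UTC.
def ev(ts, src, dst, rule, threat=None, kind="detect"):
    return {"ts": datetime.fromisoformat(ts), "src_ip": src, "dst_ip": dst,
            "rule": rule, "threat": threat, "kind": kind}

EVENTS = [
    ev("2019-03-01T10:00:00", "10.1.1.5", "203.0.113.9", "NX MALWARE CALLBACK", "backdoor.generic"),
    ev("2019-03-01T10:12:00", "10.1.1.5", "203.0.113.9", "NX CALLBACK BEACON"),
    ev("2019-03-01T10:30:00", "10.1.1.5", "10.1.1.20", "LATERAL SMB SCAN"),
    ev("2019-03-01T10:40:00", "10.1.1.5", "203.0.113.9", "AV DETECTION", "backdoor.generic", "av"),
    ev("2019-03-01T13:00:00", "10.1.1.5", "203.0.113.9", "NX CALLBACK BEACON"),  # outside window
    ev("2019-03-01T10:20:00", "10.1.1.7", "203.0.113.9", "NX MALWARE CALLBACK", "backdoor.generic"),
    ev("2019-03-01T10:25:00", "10.1.1.9", "198.51.100.4", "AV DETECTION", "backdoor.generic", "av"),
    ev("2019-03-01T10:50:00", "10.1.1.11", "203.0.113.9", "NX CALLBACK BEACON"),
]
ALERT = EVENTS[0]  # the NX alert the analyst starts from

def other_rules_for_source(events, alert, window_min=60):
    """Other detect rules that fired for the alert's source IP within +/- window."""
    lo = alert["ts"] - timedelta(minutes=window_min)
    hi = alert["ts"] + timedelta(minutes=window_min)
    return sorted({e["rule"] for e in events
                   if e is not alert and e["kind"] == "detect"
                   and e["src_ip"] == alert["src_ip"] and lo <= e["ts"] <= hi})

def related_av_hits(events, alert):
    """AV detections on the same source host, regardless of time."""
    return [e for e in events if e["kind"] == "av" and e["src_ip"] == alert["src_ip"]]

def hosts_talking_to_c2(events, c2_ip):
    """Every internal host seen connecting to the command-and-control address."""
    return sorted({e["src_ip"] for e in events if e["dst_ip"] == c2_ip})

def hosts_with_same_threat(events, threat):
    """Every host on which the same threat name was observed."""
    return sorted({e["src_ip"] for e in events if e["threat"] == threat})

def investigate(events, alert):
    """Answer the 'Now What?' questions for one alert; returns a dict of answers."""
    return {
        "other_rules_for_source": other_rules_for_source(events, alert),
        "related_av_hits": [e["rule"] for e in related_av_hits(events, alert)],
        "hosts_to_c2": hosts_talking_to_c2(events, alert["dst_ip"]),
        "hosts_with_threat": hosts_with_same_threat(events, alert["threat"]),
    }

if __name__ == "__main__":
    for question, answer in investigate(EVENTS, ALERT).items():
        print(f"{question}: {answer}")
```

Each answer set is a pivot point: the hosts returned by the last two queries are the ones to search next rather than stopping at the single alerting host.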