In this installment of the Tips and Insights series, Dan Smithson reviews the four major alert types presented within the FireEye Network Security interface.
Hello, my name is Dan Smithson and I am a System Engineer with FireEye. Today we are going to review four major alert types presented within the FireEye Network Security interface. From this perspective we're going to take a look at the CM dashboard rather than the NX sensor interface, because most environments would actually be using a Central Management console to manage multiple network sensors. Understanding that the network sensors can be both physical and virtual, most environments will have multiple sensors.

So let's take a look at this from the alerts perspective. When I hover over the "ALERTS" tab you can see the different appliances and subcategories being managed by the CM. As I move down you can see the NX category and the alerts subcategory. I'm going to click there. From the screen now you can see the hosts list; we're going to click on an individual host to take a look at its overall view. Within the host details we can verify the severity of the threat. We can verify that the endpoint was validated as compromised. This is actually a correlation event based upon our endpoint. We can also see additional threat information. As I move down I can click on the malicious capabilities observed in the VM, which will show me what took place on the actual virtual machine relative to the attack. Clicking here on malicious behavior, you can see it is highlighted as yes: we saw suspicious Flash activity and suspicious code injection activity. If we would like to see what took place in the virtual machine across the operating system, we can actually click on OS change summary and we can view that there are a number of things that took place from this IP. When we click on that IP, we can actually see the CNC server that was used in this particular attack. We can see the port, and we can see when it was first seen, as well as any VM-verified hosts to which this actually was connected.
Moving to the alerts tab, we're going to take a look at the subcategories of how we view our alerts. Starting from the top, we're going to sort by the malware subcategory. This will allow us to see an ordered list of the subcategories of alerts we saw. Over on the left side, if I click on alert type it's going to do the same thing, but by alert type. These are the four categories we are going to discuss specifically today. An infection match is referring to a specific instance where we have validated that a piece of information in our intel pool has correlated with an attack that took place on an actual endpoint through the network sensor. The infection match denotes that we in fact did see something that correlated, and therefore an attack is probable on that particular device. If we move further down we can see malware callback, and beside the malware family we see DTI callback. This is referring to the fact that our DTI Cloud shared a data point that was utilized to detect that specific callback to what was a known command and control server based upon our intel pool. Malware object: when we see malware object as the alert type, this denotes that a known object within our data pool has been seen based upon the object itself, not based upon the IP or the CNC server it's connecting to, but on the object that was sent over the wire. This could come in the form of a malware object executable, as is represented here in the file type. It could also come in the form of a malicious spreadsheet or some other object that is just flying over the wire or being downloaded from some website. Further down we can see web infection. This is the final category that we're going to discuss today, and this is denoting that an attempt was made through a web connection, through a browser. In most attacks there are multiple phases involved in the attack cycle.
One of these phases is typically some form of exploitation of the endpoint to try and gain credential access and escalate privileges within that environment. This allows the attacker to execute malicious code on those endpoints. If they do not initially create that exploit and access, they cannot necessarily do that final step. That concludes our walk-through of the four major alerts within FireEye Network Security. Thank you for watching, and check back for more Tips and Insights videos.