The FireEye Dynamic Threat Intelligence cloud interconnects FireEye appliances deployed within customer networks, technology partner networks, and service providers around the world. This worldwide cloud efficiently shares auto-generated malware security intelligence, such as covert callback channels, as well as new threat findings from the FireEye Malware Intelligence Lab.
When an appliance confirms an attack locally, it generates a dynamic and anonymized signature of the attack and distributes it through the cloud to warn other users. Threat intelligence includes:
- Malware attack profiles, including identifiers of malware code, exploit URLs and other sources of inbound infections and attacks
- Analysis of email attachments and URLs
- Fully qualified malware callback destinations (destination IP address, protocols used, ports used) that identify malicious websites and email sources
- Malware communication protocol characteristics, such as custom commands used to instantiate transmission sessions
- Third-party threat intelligence feeds from many different sources, which are then automatically validated using FireEye technology and added into the DTI cloud subscription feed
Unlike reputation and risk-based threat intelligence networks, which make assumptions about potentially risky code and broadcast signatures that may either falsely block or falsely allow traffic, FireEye systems confirm malicious activity. The assessments captured by the FireEye systems are conclusive because suspicious code is fully tested in a virtual execution environment.