FireEye Technology Overview

The FireEye Analysis & Control Technology (FACT) engine forms the core of FireEye security appliances.

The FACT engine unifies virtualization and network security to identify, with high accuracy, malware and botnets that do not belong on the network. The FACT engine:

  • Identifies suspicious network activities — Flags suspicious traffic from potentially infected machines for further analysis
  • Confirms malicious impact — Potentially damaging network traffic is replayed into the virtual victim machines to confirm that it results in a real attack, known or unknown

Now, analysis of dynamic, polymorphic malware can be reliably automated to create new signatures, extract C&C locations, capture botnet command structures, and confirm bot propagation attacks.

Virtual Victim Machine (VVM) analysis

FireEye has pioneered the use of invisible virtual victim machines, operating at the network level, to detect novel attacks and to analyze malware/botnet infections in real time. FireEye's virtual victim machines use proprietary virtualization technology that fully replicates a real PC, complete with operating system and applications. Each virtual victim machine has specially built-in security instrumentation to analyze memory, CPU, network interface, and all other aspects of data and control flow within the virtual PC. The virtual victim machines run fully licensed operating systems such as Microsoft Windows™.

How FACT is Unique

This technique should not be confused with traditional dark-IP honeypots or honey-clients (e.g. malware crawlers) that expose themselves to malicious traffic and directly terminate attack traffic streams. FireEye virtual victim machines are invisible to the production network. These virtual victim machines are dynamically created and destroyed on the fly to examine traffic flows between production systems on the network. Because these virtual victim machines analyze traffic between sets of active (or "lit") IP addresses, some refer to this as a "lit IP" honey-net, as compared to legacy dark-IP honey-net technology.

Also, in contrast to behavioral analysis or anomaly detection, FireEye's transparent virtual victim machines can identify malicious code regardless of whether the PC vulnerability (or exploit technique) was previously unknown and never before seen.

FireEye technology works equally well to detect attacks targeted at server-side applications that use listening services (e.g. MS RPC-DCOM or MS LSASS) and attacks targeting client-side applications (e.g. Web browsers).
