FireEye Configuration (Enterprise Evaluations: Carbanak+FIN7)
Product Versions
- FireEye Endpoint Security 5.0.1 with agent 32.30.12
- Helix Security Platform 2020.6.1
| Name | Version | Purpose |
|---|---|---|
| AMSI | 1.0.0 | Detection of script-based attacks |
| Enricher | 1.3.5 | Automated analysis of files via FireEye Intelligence and FireEye Detection on Demand |
| Event Streamer | 1.1.7 | Streaming of Windows event log data to Helix Security Platform |
| Logon Tracker | 0.4.4 | Detection of lateral movement |
| Process Guard | 1.4.1 | Detection of LSASS credential dumping |
| Process Tracker | 1.2.4 | Detection of unique file execution for submission to Enricher |
| UAC Protect | 1.0.9 | Detection of UAC bypass attacks |
Product Description
FireEye Endpoint Security:
FireEye knows that not all breaches can be prevented; attackers constantly adapt to find new vectors and exploits. Breaches can be mitigated by detecting them early and responding to the breaches that matter. These breaches are seen every day in the incidents to which Mandiant responds. FireEye Endpoint Security brings the knowledge and experience of these responders to all of our customers. Using a best-practices, defense-in-depth approach, Endpoint Security combines both Endpoint Protection and Endpoint Detection and Response into a single agent.
Endpoint detection and response (EDR) capabilities are enabled through a real-time Indicators of Compromise (IOC) engine that uses current, frontline intelligence to identify advanced threats and enable response. This defense-in-depth strategy helps protect organizations by both preventing attacks and reducing the time needed to detect them. Native forensic capabilities and the ability to rapidly search EDR data and operating system artifacts at enterprise scale empower analysts and investigators to efficiently search for compromise, determine the scope of attacks and resolve incidents.
Protection is provided by three built-in protection engines: filtering out known malware using a signature-based engine, blocking unknown and advanced malware with our machine learning engine, MalwareGuard, and stopping business application and browser exploits with our behavior-based analytics engine, ExploitGuard.
To create new protection engines and add new features, FireEye introduced Modules for Endpoint Security. These modules are created to respond to a new threat vector or to add new features outside of the normal release cycle. By combining modules with Host Sets, protection and alerting can be customized per endpoint based on the likelihood and impact of an attack. Modules can also be deployed in response to events: for example, while an incident response is in progress, certain modules can provide key data for investigators. Modules are provided for protection, detection and response, and for additional management features. All modules are available from the FireEye Market.
Although MITRE did not evaluate MSSP coverage in this year's evaluation, Endpoint Security can be enhanced through a managed detection and response (MDR) service, Mandiant Managed Defense. Managed Defense combines industry-recognized cyber security expertise, FireEye technology and unparalleled knowledge of attackers to help minimize the impact of a breach. Our battle-savvy security analysts provide a comprehensive assessment of attacker activity along with customized response recommendations, delivering the context needed to understand threats, assess risk and take definitive action.
Even with the best protection, breaches are inevitable. To ensure a substantive response that minimizes business disruption, FireEye Endpoint Security provides tools to:
- Search for and investigate known and unknown threats on tens of thousands of endpoints in minutes
- Identify and detail vectors an attack used to infiltrate an endpoint
- Determine whether an attack occurred (and persists) on a specific endpoint and where it spread
- Establish timeline and duration of endpoint compromises and follow the incident
- Clearly identify which endpoints and systems need containment to prevent further compromise
Primary Features:
- Single agent with four engines for protection, detection and enabling response
- Single integrated workflow to analyze and respond to threats
- Triage Summary and Audit Viewer for exhaustive inspection and analysis of threats
- Enterprise Search to rapidly find and illuminate suspicious activity and threats
- Customer downloadable modules for enhanced protection, detection and additional features
Product Configuration
Malware protection, MalwareGuard, ExploitGuard and Real-time Indicator Detection were enabled for the test. The AMSI, Event Streamer, Process Tracker, Enricher, Logon Tracker, UAC Protect and Process Guard modules were also enabled. All engines were enabled in detection-only mode, per test requirements.
FireEye Endpoint Security allows customers to create and upload their own security content (in addition to what we provide them). To showcase this capability, we used our production security content, as well as all ATT&CK specific security content. FireEye has released the ATT&CK security content to our customer Marketplace as Endpoint Security Supplementary IOCs.