The FireEye malware protection system sets up virtual machines to profile a malware attack and then disrupts the exploit before it can do network damage.
A lot of protections are built into most federal and corporate networks these days. Between firewalls, intrusion prevention systems, port monitoring and even desktop antivirus, you would think security is pretty air tight.
Yet major breaches such as the recent hack of the Sony PlayStation Network and other high-profile attacks show bad guys can still find ways to get through sophisticated defenses, especially if they are patient and target attacks specifically at an agency or group.
The FireEye malware protection system, the GCN product of the month for June, has an unusual approach to these exploits. It uses a unique system of virtual machines that lets malware do whatever it wants, and then shuts it down on the real network. As such, no signatures are needed and even new attacks are caught before any significant damage occurs.
The FireEye is deployed in three components as appliances. There is an e-mail monitor, an Internet traffic monitor and a control device that lets those two systems communicate with each other and work together to stop threats.
The FireEye team came into the GCN Lab to show what happens during a type of attack that most current protections would miss. In this example, we used the same type of technique that was performed in the recent Aurora attack, considered an advanced persistent threat that targeted several high-tech firms in 2009-2010.
In that event, hackers patiently stalked hand-chosen victims for months, gathering data on corporate security before sending e-mail messages and instant messaging notes that appeared to come from friends. In many cases, the attack was tweaked to specifically get around whatever security was in place. Most attacks were delivered as a malicious binary file designed to look like a normal .jpg. Once the .jpg was in place, it called home and downloaded encrypted packages of malware that were designed to steal data and cripple networks.
Gears of a virtual machine
When a similar program was sent into a network protected by FireEye, the malicious binary began to do its dirty work like it was programmed to do. But it didn’t know that FireEye had moved it over to a virtual machine and not to an end-user’s computer. FireEye watched as the program phoned home and gathered more malware components from compromised systems. It didn’t matter that the incoming malware components were encrypted to get around traditional virus scanners, because for the bad programs to activate, they had to un-encrypt themselves. And when they did, FireEye watched the process unfold.
After the details of the attack were known, ports and IP addresses were blocked to prevent the malware from working its evil on the actual network. The FireEye e-mail scanner and the Internet traffic scanner worked together to stop anything bad from happening. In a sense, FireEye creates a virtual honey pot for malware, lets it do what it wants, but only on the virtual and easily purged machine. Then it prevents the same things from hurting the real network.
A very detailed report is generated showing exactly who inside the network was targeted, what files were used and how dangerous the threat actually is to overall security. Copies of all the malicious files are kept and stored in case administrators or analysts want to further examine them to learn more about the hackers. That data could be used to prevent future attacks, or even prosecute the guilty parties since the hackers’ digital fingerprints will still be all over the captured files.
If an attack is delivered by e-mail, FireEye can stop it from ever reaching the network, because the mail can simply be delayed while the virtual machines examine anything suspicious. However, if the attack is delivered in real time, such as through a corrupted Web page, one user in the network will likely be infected because code will be executing on their computer at the same time as the virtual machine. Calls out for new malware will be blocked, since FireEye monitors both inbound and outbound traffic, but one person will still have the corrupted files sitting on their computer. The good news is that administrators are immediately told exactly who is infected and how they got that way, and the infection is sealed up on that single machine.
FireEye also works if someone brings a keydrive with malware into the network directly without first passing through the FireEye Scanner. In that case, the malicious activity would be caught because of the outbound traffic that is being scanned, which can also be run through a virtual machine for processing.
Pricing for the FireEye components seems reasonable given that it will even stop attacks where hackers have invested months or even years specifically targeting an agency. For a unit that is able to scan 50 megabits/sec of Internet or mail traffic, the cost is about $50,000. A unit that can scan a full 1 gigabit/sec costs $100,000. FireEye officials say they’re working on machines with even higher capacity.
Given the sophistication and malicious nature of hackers these days, a product like FireEye that can be easily plugged into existing network security to protect against both widespread and narrowly targeted attacks arrives none too soon. And seeing how most federal agencies have targets on their back, having FireEye watch over them is a no-brainer.