Category Archives: FireEye


Breach Resilience

Category : FireEye

Join Jeff Berg, Sr. Manager of Cyber Threat Intelligence, and Brad Bell, Mandiant Principal Consultant, as they discuss the role of cyber threat intelligence in strategic security consulting services and why services based on compliance-based best practices and industry standards may not be an effective way to protect your organization against a rapidly evolving threat landscape.

Key takeaways:

• The role cyber threat intelligence plays in strategic security consulting services
• Why services rooted in compliance-based best practices and industry standards aren’t effective
• Case studies where different types of intelligence added value to a service portfolio



Devising a Suitable End State of Your CTI Program

Category : FireEye

The shift to an intelligence-led security program can seem daunting. When implementing Cyber Threat Intelligence (CTI) capabilities, there may be a degree of uncertainty across the organization. We’ve seen this happen many times with client teams who initially were not cyber security savvy; however, after the adjustment period, when CTI is fully integrated into their technology and business processes, we continuously see that customers are satisfied with the results.

While managing this shift is challenging, it is not insurmountable. To be successful, it’s important to have a vision for the end state of your program. This vision will help to plot the planned shift, define its true value, and identify the opportunities open to those who carry out the implementation.

When defining a program’s vision, it is important to cover the following four high-level areas:

  • Mission & Strategy: Define a clear mission that enables communications and justifies go-forward action items. Ultimately, focusing on the enhanced ability to manage risk within the organization using a requirements-based intelligence approach is crucial. Establishing the expected resulting capabilities ensures the end-state business objectives, goals, and outcomes are clearly identified and agreed upon.
  • Implementation Roadmap: Employ a clear game plan that addresses the changes in people, processes, and technologies. A smart roadmap provides guidance on order of events and scale of effort required to execute properly. This roadmap will also enable communication of budgetary requirements to senior leadership over the course of the program’s buildout.
  • Conceptual Organizational Design: Construct an end-state organizational design aligned with the mission, approved by executives, and agreed to by peers. This will ease the creation and integration of new teams and transition of any existing ones. While the actual end state may play out differently, the buy-in achieved at the onset of your program evolution will keep your major players moving in the right direction.
  • Metrics: Define a key set of metrics that will be used to evaluate the success of your program. This will be critical when determining whether or not the end state is a success, and will also enable you to easily identify wins as the program begins to take shape. Metrics should evaluate the individuals responsible for carrying out the mission, the intelligence sources, the technology supporting the program, and the program’s overall health. The true value of intelligence can be complex to assess; however, the proper level of granularity can help show whether that value is being delivered, and where any breakdowns are occurring.

All told, the success of an operational transformation is truly grounded in the strategic legwork done before execution begins. Proper planning ensures that key stakeholders and senior leaders are in agreement with respect to the direction of the overall security operations, as well as the expected value provided. This in turn will motivate executives and other key stakeholders to help shepherd the program through its pending shifts, and into a position where everyone in the organization will see its true potential.

Visit our Cyber Threat Intelligence Services homepage for more information on how Mandiant can help your organization improve its threat intelligence capabilities.


Author: Jeff Compton, Jeff Berg


Breach Resilience Technology. Intelligence. Expertise

Category : FireEye

We understand the challenges and complexities that you face as you try to protect your organization against ever-evolving threats. FireEye offers a three-pronged approach that combines innovative security technologies, world-renowned expertise, and deep threat intelligence capabilities to combat the shortage of security experts, inefficient processes, complex technologies and multiple siloed point products.

Attend ‘Breach Resilience: Technology. Intelligence. Expertise’ virtual summit to find out how to address the entire security operations lifecycle — every critical issue before, during and after an attack.

October 24, 2017 5:00am EDT

Join the discussion with experts, visionaries and leaders at one of the webinars below. Don’t miss your opportunity to have your questions answered in these live presentations!

Upcoming webinars

October 24, 2017 5:00am EDT

A session presented by: Stuart Davis, Director, Mandiant

October 24, 2017 7:00am EDT

A session presented by: Igors Konovalovs, Strategic Account Manager, GSI Sales

October 24, 2017 10:00am EDT

A session presented by: David Grout, Director, Southern Europe Systems Engineering, FireEye

October 24, 2017 11:00am EDT

A session presented by: Gareth Maclachlan, Vice President, Product and Market Strategy, Global Services and Intelligence

October 24, 2017 12:00pm EDT

A session presented by: Paul Nguyen, Vice President and General Manager of Helix and Orchestration


FireEye Endpoint Security (HX) 4.0 – Bringing Advanced Protection to Endpoint

Category : FireEye

A constant concern about Endpoint Protection Platforms (EPP) is that they miss a number of threats, forcing organizations to spend an exorbitant amount of time trying to find and clean up damage. And even when an endpoint protection product does successfully stop a threat, it doesn’t capture details on the incident. Traditional endpoint protection can’t find out what an attack or attacker was attempting to do, so an analyst can’t inspect or review threat activities to determine the exact scope of the threat.

Addressing the wide variety of threat types and methodologies that organizations constantly face requires integrated capabilities. Important components include automated threat protection to address the overwhelming volume of threats, along with integrated threat intelligence and endpoint visibility. This enables analysts to gather details on high-risk threats so they understand the threat and can quickly determine an effective response.

FireEye Endpoint Security 4.0 is the next generation of endpoint protection. Not only can it help detect what anti-virus detects, but also what anti-virus misses. Its comprehensive endpoint visibility and threat intelligence enable analysts to adapt their defense based on real-time details and deploy informed, tailored responses to threat activity. FireEye Endpoint Security delivers protection beyond a single limited methodology. It enhances overall threat protection by integrating key security mechanisms within a single agent and threat management workflow system.

Scaling analysts’ capabilities requires comprehensive endpoint visibility so they can quickly and confidently determine the who, what, where and when of a threat. This must be delivered within an integrated and automatic threat detection and prevention system that is tightly coupled with threat intelligence and detailed threat visibility. With this advanced platform, analysts can build their own localized intelligence knowledge base to better understand and respond to threats and suspicious activity.

FireEye Endpoint, with malware protection (anti-virus) and detection and now with prevention and remediation, is unique not only because of its integrated multiple detection and prevention capabilities, but also because of the behavior and exploit analysis in Exploit Guard and its threat intelligence and visibility, all within a single system and threat data analysis workflow.

Register for our upcoming webinar, “The Next-Level of Smarter Endpoint Security: Going Beyond AV Products”, to learn more about our comprehensive endpoint solution.


Author: Dan Reis


The CyberAvengers Playbook

Category : FireEye

The Non-Technical, No Nonsense Guide For Directors, Officers, and General Counsels

Cybersecurity, as many organizations practice it today, is broken. Everybody is feeling the pressure as competitors and partners alike dread a breach. Leadership can’t be left in the dark due to technobabble, a lack of resources, or excuses as to why cyber risk cannot be measured.

FireEye is proud to support the new eBook, The #CyberAvengers Playbook: Doing the Little Things (and Some of the Big Things) Well (2017 Edition). This short guide is designed to give you actionable items that could help any organization improve its cybersecurity posture.

Download the eBook and pick up the following tips from the #CyberAvengers:

  • Oversight duties: Learn to view risk from an enterprise perspective in an era where accountability and fallout costs are surely going to grow.
  • Cyber risk: Why it matters and how to wisely spend your limited resources.
  • Communication gaps: Cybersecurity is not an IT-only issue, so do not be afraid to speak your mind. We show you which questions to ask.
  • Response and continuity: Even the best-tested plans can go out the window during a time of crisis. Learn to minimize the fallout.
  • What’s happening in 2017 and what to expect in 2018: From the ransomware scare to the General Data Protection Regulation (GDPR) coming into effect, business is becoming more expensive. We try to help you save wherever you can.


FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY

Category : FireEye

FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.

FireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch to address the vulnerability and security guidance, which can be found here.

FireEye email, endpoint and network products detected the malicious documents.

Vulnerability Used to Target Russian Speakers

The malicious document, “Проект.doc” (MD5: fe5c4d6bb78e170abf5cf3741868ea4c), might have been used to target a Russian speaker. Upon successful exploitation of CVE-2017-8759, the document downloads multiple components (details follow), and eventually launches a FINSPY payload (MD5: a7b990d5f57b244dd17e9a937a41e7f5).

FINSPY malware, also reported as FinFisher or WingBird, is available for purchase as part of a “lawful intercept” capability. Based on this and previous use of FINSPY, we assess with moderate confidence that this malicious document was used by a nation-state to target a Russian-speaking entity for cyber espionage purposes. Additional detections by FireEye’s Dynamic Threat Intelligence system indicate that related activity, though potentially for a different client, might have occurred as early as July 2017.

CVE-2017-8759 WSDL Parser Code Injection

A code injection vulnerability exists in the WSDL parser module within the PrintClientProxy method (System.Runtime.Remoting/metadata/wsdlparser.cs,6111). The IsValidUrl check does not validate correctly when the data it is given contains a CRLF sequence, which allows an attacker to inject and execute arbitrary code. A portion of the vulnerable code is shown in Figure 1.

Figure 1: Vulnerable WSDL Parser

When multiple address definitions are provided in a SOAP response, the code inserts the “//base.ConfigureProxy(this.GetType(),” string after the first address, commenting out the remaining addresses. However, if a CRLF sequence is present in one of the additional addresses, the code following the CRLF is not commented out. Figure 2 shows that, because CRLF is not validated, a System.Diagnostics.Process.Start method call is injected. The generated code is compiled by the .NET Framework’s csc.exe and loaded by the Office executables as a DLL.

Figure 2: SOAP definition VS Generated code
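The check that the text says IsValidUrl failed to perform, written here as an added example in Python rather than the .NET code the post describes (this is not FireEye’s or Microsoft’s code): it pulls every soap:address location out of a WSDL document and rejects any value that contains CR, LF or another control character before a code generator could splice it into source text. The two WSDL documents are constructed for the demonstration, the namespaces are the standard WSDL/SOAP ones, and the URL shape regex is a simplification of this example, not the rule the real check applied.

```python
"""Validate soap:address locations before they reach a code generator.

Added illustration for the CVE-2017-8759 discussion; it is not FireEye's or
Microsoft's code.  Both WSDL documents below are constructed for the demo."""
import re
import xml.etree.ElementTree as ET

# Standard WSDL SOAP-binding namespace; soap:address lives here.
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# No ASCII control character (CR, LF, NUL, TAB, ...) belongs in a URL.  A
# generator that splices the value into source text relies on this holding.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Simplified shape of an absolute http(s) URL; an assumption of this example,
# not the rule the real .NET IsValidUrl check applied.
URL_SHAPE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s]*)?")


def extract_addresses(wsdl_xml: str) -> list[str]:
    """Return the location attribute of every soap:address in the document."""
    root = ET.fromstring(wsdl_xml)
    return [el.get("location", "") for el in root.iter(f"{{{SOAP_NS}}}address")]


def is_valid_address(location: str) -> bool:
    """Accept only a clean absolute URL with no control characters at all."""
    if CONTROL_CHARS.search(location):
        return False
    return URL_SHAPE.fullmatch(location) is not None


def audit_wsdl(wsdl_xml: str) -> dict:
    """Summarise the addresses in a WSDL document and which ones fail the check."""
    addresses = extract_addresses(wsdl_xml)
    rejected = [a for a in addresses if not is_valid_address(a)]
    return {"addresses": len(addresses), "rejected": rejected, "safe": not rejected}


# Constructed: two ordinary service ports.
BENIGN_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <service name="ExampleService">
    <port name="PortA"><soap:address location="http://example.invalid/svc/a"/></port>
    <port name="PortB"><soap:address location="http://example.invalid/svc/b"/></port>
  </service>
</definitions>"""

# Constructed: the second address smuggles a CRLF.  It is written as character
# references because a conforming XML parser normalises a literal line break in
# an attribute to a space, whereas &#13;&#10; survive into the decoded value.
CRLF_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <service name="ExampleService">
    <port name="PortA"><soap:address location="http://example.invalid/svc/a"/></port>
    <port name="PortB"><soap:address
        location="http://example.invalid/svc/b&#13;&#10;text-on-a-second-line"/></port>
  </service>
</definitions>"""


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_WSDL), ("crlf", CRLF_WSDL)):
        print(name, audit_wsdl(doc))
```

The point of running the check on the decoded attribute value is that this is the value a generator would embed: XML attribute normalisation turns a literal line break into a space, but character references are decoded into real CR and LF bytes, so a check applied to the raw document text would miss exactly the case that matters.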

The In-the-Wild Attacks

The attacks that FireEye observed in the wild leveraged a Rich Text Format (RTF) document, similar to the CVE-2017-0199 documents we previously reported on. The malicious sample contained an embedded SOAP moniker to facilitate exploitation (Figure 3).

Figure 3: SOAP Moniker

The payload retrieves the malicious SOAP WSDL definition from an attacker-controlled server. The WSDL parser, implemented in the .NET Framework, parses the content and writes a .cs source file to the working directory. The .NET Framework’s csc.exe then compiles the generated source code into a library named http[url path].dll. Microsoft Office then loads the library, completing the exploitation stage. Figure 4 shows an example library loaded as a result of exploitation.

Figure 4: DLL loaded

Upon successful exploitation, the injected code creates a new process and leverages mshta.exe to retrieve an HTA script named “word.db” from the same server. The HTA script removes the source code, compiled DLL and PDB files from disk and then downloads and executes the FINSPY malware named “left.jpg,” which in spite of the .jpg extension and “image/jpeg” content-type is actually an executable. Figure 5 shows the details of the PCAP of this malware transfer.

Figure 5: Live requests

The malware is placed at %appdata%\Microsoft\Windows\OfficeUpdte-KB[6 random digits].exe. Figure 6 shows the process creation chain under Process Monitor.

Figure 6: Process Created Chain

The Malware

The “left.jpg” (md5: a7b990d5f57b244dd17e9a937a41e7f5) is a variant of FINSPY. It leverages heavily obfuscated code that employs a built-in virtual machine – among other anti-analysis techniques – to make reversing more difficult. As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames. This variant runs with a mutex of “WininetStartupMutex0”.
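The host-side chain described from Figure 4 through Figure 6 and the mutex above, turned into detection logic as an added example (not FireEye’s detection content): an Office process spawning csc.exe, Office loading an http*.dll from outside the Windows directory, mshta.exe descending from Office, a file landing at the OfficeUpdte-KB path, and the named mutex. The event records and field names are this example’s own, constructed to resemble Sysmon or Process Monitor output plus one sandbox mutex observation; the file paths are illustrative.

```python
"""Flag the CVE-2017-8759 post-exploitation chain in host telemetry.

Added example for the write-up above, not FireEye's detection content.  The
event records are constructed to resemble Sysmon / Process Monitor output plus a
sandbox mutex observation; field names are this example's own."""
import re

OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Artifacts named in the write-up: the compiled proxy library http<url path>.dll,
# the drop path %appdata%\Microsoft\Windows\OfficeUpdte-KB<6 digits>.exe and the
# FINSPY variant's mutex.
GENERATED_DLL = re.compile(r"^http[^\\/]*\.dll$", re.IGNORECASE)
DROP_PATH = re.compile(r"\\Microsoft\\Windows\\OfficeUpdte-KB\d{6}\.exe$", re.IGNORECASE)
KNOWN_MUTEX = "WininetStartupMutex0"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(event: dict, procs: dict) -> list:
    """Image names of the event's parent, grandparent, ... (nearest first)."""
    lineage, seen, ppid = [], set(), event["ppid"]
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        lineage.append(basename(procs[ppid]["image"]))
        ppid = procs[ppid]["ppid"]
    return lineage


def detect(events: list) -> list:
    """Return (rule, pid) hits for the chain: Office -> csc.exe, Office loading
    an http*.dll from outside the Windows directory, Office -> mshta.exe, the
    OfficeUpdte-KB drop and execution, plus the known mutex from a report."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        kind = e["type"]
        if kind == "process":
            image = basename(e["image"])
            from_office = any(a in OFFICE_PROCS for a in ancestors(e, procs))
            if image == "csc.exe" and from_office:      # WSDL-generated source being compiled
                hits.append(("office_spawns_csc", e["pid"]))
            if image == "mshta.exe" and from_office:    # HTA download / cleanup stage
                hits.append(("office_spawns_mshta", e["pid"]))
            if DROP_PATH.search(e["image"]):            # dropped payload executing
                hits.append(("officeupdte_exec", e["pid"]))
        elif kind == "image_load":
            # Office loading the freshly compiled library (Figure 4).  Legitimate
            # system DLLs such as httpapi.dll also start with "http", so only
            # loads from outside the Windows directory count.
            in_windows_dir = "\\windows\\" in e["image"].replace("/", "\\").lower()
            if (basename(e["process"]) in OFFICE_PROCS
                    and GENERATED_DLL.match(basename(e["image"])) and not in_windows_dir):
                hits.append(("office_loads_http_dll", e["pid"]))
        elif kind == "file_create":
            if DROP_PATH.search(e["path"]):
                hits.append(("officeupdte_drop", e["pid"]))
        elif kind == "mutex":
            if e["name"] == KNOWN_MUTEX:
                hits.append(("finspy_mutex", e["pid"]))
    return hits


# Constructed telemetry for one infected host; paths are illustrative.
WINWORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
CSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\OfficeUpdte-KB123456.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": WINWORD},
    {"type": "process", "pid": 300, "ppid": 200, "image": CSC},
    {"type": "image_load", "pid": 200, "process": WINWORD,
     "image": r"C:\Users\user\AppData\Local\Temp\http_example_invalid_wsdl.dll"},
    {"type": "image_load", "pid": 200, "process": WINWORD,
     "image": r"C:\Windows\System32\httpapi.dll"},              # benign, must not fire
    {"type": "process", "pid": 400, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe"},
    {"type": "file_create", "pid": 400, "path": DROPPED},
    {"type": "process", "pid": 500, "ppid": 400, "image": DROPPED},
    {"type": "mutex", "pid": 500, "name": KNOWN_MUTEX},
    {"type": "process", "pid": 600, "ppid": 100, "image": CSC},  # developer build, must not fire
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:24s} pid={pid}")
```

The lineage walk rather than a direct parent check is deliberate: the write-up says the injected code creates a new process that then uses mshta.exe, so an intermediate process between Office and mshta.exe would defeat a parent-only rule. The two benign records (a developer’s csc.exe under explorer.exe and Office loading httpapi.dll) are there to show the rules do not fire on them.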


CVE-2017-8759 is the second zero-day vulnerability used to distribute FINSPY uncovered by FireEye in 2017. These exposures demonstrate the significant resources available to “lawful intercept” companies and their customers. Furthermore, FINSPY has been sold to multiple clients, suggesting the vulnerability was being used against other targets.

It is possible that CVE-2017-8759 was being used by additional actors. While we have not found evidence of this, the zero-day used to distribute FINSPY in April 2017, CVE-2017-0199, was simultaneously being used by a financially motivated actor. If the actors behind FINSPY obtained this vulnerability from the same source used previously, it is possible that source sold it to additional actors.


Thank you to Dhanesh Kizhakkinan, Joseph Reyes, FireEye Labs Team, FireEye FLARE Team and FireEye iSIGHT Intelligence for their contributions to this blog. We also thank everyone from the Microsoft Security Response Center (MSRC) who worked with us on this issue.


Author: Genwei Jiang, Ben Read, James T. Bennett 


The Next Level of Smarter Endpoint Protection: Going Beyond Anti-Virus Products

Category : FireEye

Antivirus (AV) protection has been the foundation for endpoint security for decades despite its known gaps. To address evolving threats, organizations need an integrated endpoint solution that can fortify their defenses.

On September 26, Jim Waggoner, Sr. Director, Product Management for FireEye will detail:

  • Why endpoint security products have not provided complete protection
  • Capabilities required for a comprehensive endpoint protection solution
    • AV with threat intelligence
    • Detection and response
    • Behavior and exploit analysis
    • Visibility and automation
  • How the latest FireEye Endpoint Security solution enables you to go from detection to investigation and remediation quickly, all with a single agent

Attend this webinar as the first step toward a smarter, more adaptive approach to endpoint security.

PRESENTER Jim Waggoner, Sr. Director, Product Management
SCHEDULED TIME Sep 26 2017 11:00 am  
DURATION 60 mins



Tomorrow’s Endpoint Protection Platforms

Category : FireEye

Why common endpoint security can’t beat modern threats

Although endpoint protection platforms (EPP) continue to rely on the decades-old technology that was part of their original design, cyber threats are forcing a change. You cannot afford to settle for standard endpoint security products.

As attack methodologies have evolved, endpoint security has continued to adapt based on several insights:

  • The static, reactive approach of signature-based security and machine learning programming are no longer sufficient.
  • Encryption, vulnerability assessment and data loss prevention (DLP) capabilities add value, but don’t close the security gap.
  • Comprehensive visibility, intelligence, behavior analysis and automation are critical to the future of endpoint security.

The FireEye whitepaper, “Tomorrow’s Endpoint Protection Platforms,” discusses how EPPs are changing, and explains what EPP capabilities might be best for your needs.

Register now.


FireEye Summer Demo Series August 15 – September 28

Category : FireEye

Innovative FireEye technologies continue to set the standard for cyber security. Now you can see how simple and effective these solutions are.

The FireEye Summer Demo Series provides a firsthand experience of our new security operations platform and recent major enhancements to both endpoint and email solutions.

These 15-minute live demos, followed by Q&A sessions, are delivered by seasoned FireEye engineers.

Solution, demo date and time:

  • Endpoint Security: every Tuesday, 12 p.m. ET / 9 a.m. PT
  • FireEye Helix: every Wednesday, 12 p.m. ET / 9 a.m. PT
  • Email Security: every Thursday, 12 p.m. ET / 9 a.m. PT

Reserve a spot for your preferred demo today.


Comparing the Push for Anti-Encryption and Cyber Sovereignty

Category : FireEye

An unintended consequence of the push for government access to encrypted communications in the West might be the justification of cyber sovereignty laws (state control over the internet within its borders), which to date have largely been viewed in the United States as a means to restrict civil liberties. At their core, both of these efforts are the result of governments seeking to address the disruptive nature of an international, borderless domain that overlays national boundaries.

Similar reasoning related to internal security appears to be fueling the pushback from governments in the West against encryption, as well as the advocacy for cyber sovereignty in Russia and China. Within the West, the United States is not alone in advocating for backdoors in encrypted communications. Australian Prime Minister Malcolm Turnbull recently spoke against end-to-end encryption, saying, “We need to ensure that the internet is not used as a dark place for bad people to hide their criminal activities from the law.” Additionally, in June, the German government announced plans for a law that would give the government the ability to conduct telecom surveillance on communications prior to encryption.

In contrast, President Trump instructed the office of the United States Trade Representative to determine whether to initiate an investigation into acts, policies or practices that harm intellectual property, innovation and technology belonging to American corporations doing business in China. In this case, the White House is pushing back on China’s desire for cyber sovereignty with its own arguments in favor of the right of United States companies to encrypt or otherwise protect their proprietary information. Corporations claim that they lose up to $600 billion per year to intellectual property theft and data disruption. However, a cornerstone of Chinese cybersecurity law is the “secure and controllable” standard that stresses China’s need for cyber sovereignty. Among other things, the law forces companies operating in China to disclose critical intellectual property to the government and requires that they store data locally. Even before this Chinese legislation, software piracy was a substantial problem in China. Now, despite the new law, or because of it, some American companies fear that they may be even more vulnerable to misappropriation of their proprietary data.

While pressing issues like terrorism may make backdoor access to encrypted messaging apps desirable from a government point of view, it may increase the difficulty for Western businesses to expand abroad when they are faced with similar requests. Much like the ongoing debates around supply chain security and data sovereignty, how policy is formed on these issues in the West will have global ramifications for businesses.


Author:  Luke McNamara, David Lisi