
Datasheet

Malware Protection Cloud


A Real-Time Global Exchange of Threat Data Helps Preempt Emerging, Zero-Day Attacks

Highlights
- Global sharing of anonymized intelligence on emerging Web-, email-, and file-enabled threats
- Appliances can pull data feeds on zero-day malware and advanced targeted attacks to prevent cybercriminal infiltration of the network
- Ongoing callback destination updates block malware communications and data exfiltration
- Subscription and publishing of threat intelligence are optional, so sites can decide how much to share

The FireEye Malware Protection Cloud (MPC) is a global network connecting Malware Protection Systems (MPS) into a real-time exchange of threat data on confirmed, zero-day attacks.
This Internet cybercrime watch system provides subscribers the latest intelligence on zero-day attacks and unauthorized malware callback destinations.

Real-time sharing of global malware intelligence
The FireEye MPC interconnects FireEye appliances deployed within customer networks, technology partner networks, and service providers around the world. The MPC serves as a global distribution hub to efficiently share auto-generated malware security intelligence such as new malware profiles, vulnerability exploits, and obfuscation tactics, as well as new threat findings from the FireEye Malware Intelligence Lab and verified third-party security feeds. Through the MPC, FireEye appliances are more efficient at detecting both known malware and the zero-day, highly targeted attacks used in cybercrime, cyber espionage, and cyber reconnaissance.

How it works: stopping advanced targeted attacks
The FireEye Web MPS, Email MPS, File MPS, and MAS appliances analyze across the major threat vectors (Web, email, and files) for advanced targeted attacks. Within each appliance, the Virtual Execution (VX) engine creates dynamic security content based on the analysis of suspicious Web traffic, email attachments, and files. The FireEye Central Management System (CMS) then distributes the dynamic security content locally to each appliance to provide real-time protection throughout the entire FireEye deployment.

The FireEye Malware Protection Cloud helps share dynamic threat intelligence between FireEye researchers and appliances

Within seconds of a potential compromise the FireEye appliance tells us exactly what we need to know, and it allows us to focus our resources on what is important. The benefits, not only to my own organization but to all the scientists and engineers, have been invaluable.
Lead Analyst, Cyber Defense, Government Agency


Organizations that subscribe to the MPC receive threat data from, and can opt in to send threat data to, the global subscriber base to stop emerging threats.

Detailed intelligence on emerging threats
Threat intelligence includes:
- Malware attack profiles (MD5s of malware code, network behaviors, obfuscation tactics) that identify confirmed and known attacks
- Analysis of file share objects, email attachments, and URLs
- Fully qualified malware callback destinations (destination IP address, protocols used, ports used) used to exfiltrate data and deliver cybercriminal commands
- Malware communication protocol characteristics, such as custom commands used to initiate transmission sessions

Dynamic analysis protects against unknown, zero-day attacks
The multi-phase VX engine captures, replays, and confirms zero-day malware and targeted attacks by executing suspicious binaries and Web objects against a range of browsers, plug-ins, applications, and operating environments. The VX engine is instrumented to confirm that an attack is underway, tracking vulnerability exploitation, memory corruption used to gain arbitrary code execution, and other definitive malicious actions. As the virtual attack plays out, the engine captures the dynamic callback channels used by the zero-day attack and then creates blocking rules for those channels.

By integrating MPS inspections across multiple threat vectors, customers get comprehensive analysis of OS, Web-based, email, and application threats. This integrated approach enables the most comprehensive protection against known and zero-day malware used in advanced targeted attacks. By sharing real-time local detections, subscribers contribute to and gain from the global Malware Protection Cloud to mitigate the ongoing threats targeting organizations worldwide.

Blocks based on facts to avoid false positives
Unlike reputation- and risk-based threat intelligence networks, which make assumptions about potentially risky code and broadcast signatures that may either falsely block or falsely allow traffic, FireEye systems confirm malicious activity. The assessments captured by FireEye systems are conclusive because suspicious code is fully tested in a virtual execution environment. An example demonstrates the value of real-time intelligence updates:
1. A FireEye appliance identifies a malicious IP address serving as a command and control (C&C) system and begins to block outbound calls to that address.
2. The appliance automatically notifies the FireEye MPC of the destination IP address, port, and malware protocol used in the attempted connection.
3. MPC subscribers' FireEye appliances pull down regular updates and block connections to that IP address that use the same port and malware protocol.
4. Compromised systems at all MPC subscriber sites are cut off from contacting the botnet C&C system.
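The four-step callback-blocking exchange above, and the fully qualified callback destination (IP address, port, protocol) it carries, modelled in Python as an added example. This is not FireEye's code or the MPC protocol; the hub (`MalwareProtectionCloud`), the appliance class, the sequence-numbered pull feed, and the sample addresses (RFC 5737 test ranges) are all constructed here for illustration. It shows what the datasheet describes but does not spell out: publishing is opt-in per site, subscribers pull incrementally, and a block fires only on an exact (IP, port, protocol) match.

```python
"""Added example, not FireEye's code: a minimal model of the callback-indicator
exchange described in the datasheet. A hypothetical hub (MalwareProtectionCloud)
receives fully qualified callback destinations (IP, port, protocol) from appliances
that have opted in to publish; every subscriber pulls the feed and blocks only
exact matches. All names and sample data are constructed for illustration."""
from typing import List, NamedTuple, Set, Tuple


class CallbackIndicator(NamedTuple):
    """A fully qualified callback destination as the datasheet lists it."""
    dst_ip: str
    dst_port: int
    protocol: str   # transport or C&C protocol label assigned by the detecting appliance


class Connection(NamedTuple):
    """One outbound connection attempt seen by an appliance (constructed input)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str


class MalwareProtectionCloud:
    """Hypothetical hub: an append-only feed of confirmed indicators with sequence numbers."""

    def __init__(self) -> None:
        self._feed: List[Tuple[int, CallbackIndicator]] = []

    def publish(self, indicator: CallbackIndicator) -> int:
        seq = len(self._feed) + 1
        self._feed.append((seq, indicator))
        return seq

    def pull(self, since_seq: int) -> List[Tuple[int, CallbackIndicator]]:
        """Return every indicator published after the subscriber's last-seen sequence number."""
        return [(seq, ind) for seq, ind in self._feed if seq > since_seq]

    def feed_size(self) -> int:
        return len(self._feed)


class Appliance:
    """Hypothetical appliance: blocks locally confirmed callbacks and, if opted in, shares them."""

    def __init__(self, site: str, cloud: MalwareProtectionCloud, publish: bool = False) -> None:
        self.site = site
        self.cloud = cloud
        self.publish = publish          # sharing is opt-in; subscribing alone never uploads
        self.blocklist: Set[CallbackIndicator] = set()
        self.cursor = 0                 # highest feed sequence number already applied
        self.blocked: List[Connection] = []

    def confirm_callback(self, indicator: CallbackIndicator) -> None:
        """Steps 1-2: local VX confirmation -> block locally, then notify the hub if opted in."""
        self.blocklist.add(indicator)
        if self.publish:
            self.cloud.publish(indicator)

    def sync(self) -> int:
        """Step 3: pull indicators published since the last sync; returns how many were applied."""
        new = self.cloud.pull(self.cursor)
        for seq, ind in new:
            self.blocklist.add(ind)
            self.cursor = seq
        return len(new)

    def inspect(self, conn: Connection) -> str:
        """Step 4: block only on an exact (ip, port, protocol) match, as the datasheet states."""
        key = CallbackIndicator(conn.dst_ip, conn.dst_port, conn.protocol)
        if key in self.blocklist:
            self.blocked.append(conn)
            return "block"
        return "allow"


def run_scenario() -> dict:
    """Walk through the datasheet's four steps with constructed sample data."""
    cloud = MalwareProtectionCloud()
    site_a = Appliance("site-a", cloud, publish=True)    # opted in to publish
    site_b = Appliance("site-b", cloud)                  # subscribes only
    c2 = CallbackIndicator("203.0.113.10", 8443, "tcp")  # constructed C&C destination (TEST-NET-3)
    beacon = Connection("10.0.0.5", "203.0.113.10", 8443, "tcp")

    site_a.confirm_callback(c2)                          # steps 1 and 2
    before_sync = site_b.inspect(beacon)                 # site-b has not pulled yet
    pulled = site_b.sync()                               # step 3
    after_sync = site_b.inspect(beacon)                  # step 4
    # Exact-match semantics: the same host on a different port is not covered by this indicator.
    other_port = site_b.inspect(Connection("10.0.0.5", "203.0.113.10", 443, "tcp"))
    # A subscribe-only site keeps its own confirmations local; the feed does not grow.
    site_b.confirm_callback(CallbackIndicator("198.51.100.7", 6667, "irc"))
    return {
        "before_sync": before_sync,
        "pulled": pulled,
        "after_sync": after_sync,
        "other_port": other_port,
        "feed_size": cloud.feed_size(),
        "site_b_blocked": len(site_b.blocked),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The `other_port` result is the practical caveat behind "blocks based on facts": because the shared indicator is the full (IP, port, protocol) tuple, an attacker who moves the same C&C host to a new port or protocol is not blocked until some appliance confirms the new channel and publishes it. Matching on IP alone would close that gap but reintroduces the false-positive risk the datasheet attributes to reputation-based feeds, so a deployment should decide deliberately which key it blocks on.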

2012 FireEye, Inc. All rights reserved. FireEye is a trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. DS.MPC.022012

FireEye, Inc. | 1390 McCarthy Blvd. Milpitas, CA 95035 | 408.321.6300 | 877.FIREEYE (347.3393) | info@fireeye.com | www.fireeye.com
