FireEye’s multi-vector virtual machine traps attacks before they can do their harm

Today’s advanced persistent threats are purpose-built to steal intellectual property and other sensitive data. It takes a next generation purpose-built security solution to detect and stop these kinds of attacks before the perpetrators get what they came for. FireEye’s multi-vector virtual machine protects the weakest link in the enterprise: the user at an endpoint.

IT security professionals have to be pretty sharp these days. Much has changed in the past few years in terms of who is attacking enterprise networks, as well as why and how they are doing their dirty work. That means the strategies and tools used to fend off attacks have to be brought up to date to fight today’s attacks, not yesterday's.

Today’s attacks are orchestrated by people who are well organized and very smart about what they do. Breaking into networks and stealing sensitive data and intellectual property is not just an adventure; it’s a job. These adversaries are well funded, often by nation-states, and they know what information they want to get from specific targets. They are patient in their efforts. They take the time to understand who they are going after and what weaknesses exist. And they use sophisticated malicious software that changes frequently.

It’s this shift in how attackers and their tactics have changed that has rendered weak the legacy security solutions that most companies have deployed. This includes traditional antivirus and traditional web and email gateways. The problem with the technologies of yore is that they require prior knowledge of the malware or the vulnerabilities – in other words, a signature – in order to look for it to block its entry to the network. In today’s attacks, the same malware is usually not seen again after the first hour of its life. Attackers change it to prevent detection by the traditional security solutions.

Next generation security technologies are being designed with the ability to detect attacks without having any prior knowledge of what the attack code would look like.

FireEye, Inc. ( is taking that approach with its defense against advanced persistent threats and other forms of cyber attacks. FireEye senior vice president Manish Gupta describes four phases of a modern day attack:

1. The Exploit Phase –The purpose of this phase is to initially drop a few lines of malicious code on an endpoint device. This could be done through an email that has a weaponized document attached, through visiting a compromised website, or through copying a file, such as from a thumb drive.

2. The Communications Phase – Once the malicious code has been executed, a backdoor is created on the endpoint through which the hacker reaches out through the Internet to some command and control (C&C) server. The malware connects to the C&C server to receive further instructions on what to do next.

3. The Binary Download – The C&C server sends instructions via a binary download. These instructions could include recording all keystroke activity, or turning on the PC’s camera to record all activity in its vicinity, or to send the hacker all the files that match a certain description. The kinds of instructions that could be downloaded are endless.  

4. The Data Exfiltration Phase – In almost all cases of these modern advanced threats, the end goal is to capture intellectual property or valuable data and send it back to the attacker.

FireEye’s security solution has the ability to detect the four phases of the modern day attack across different attack vectors, including email, web, files and mobile. It does so with a multi-vector virtual machine (MVX), a purpose-built appliance that activates and analyzes all user activity that involves visiting a web page, viewing email, or opening a file. All of this activity takes place within a virtual machine that replicates each user’s endpoint environment as best as possible. FireEye can detect when a web page has malicious content, when an embedded link or email attachment is malicious, or when a file is harmful—by testing what it does before giving the user actual access to the web page, message or file. I’ll further explain this with an example.

An attacker identifies a specific person within a company that he wants to spear phish. Let’s call our intended target Joe Schmo. The attacker sends a phish to Joe’s email address. Before it ever gets to Joe, FireEye intercepts the message and sees there is an embedded link. FireEye revs up a virtual machine that replicates Joe's Windows 7 PC with Internet Explorer version 10. FireEye detonates the email in the virtual environment and follows the embedded hyperlink to a website. This webpage includes HTML code, Flash files, Java files, and a few PDF documents. FireEye does a thorough scan of all the content on this page, looking for exploits. It turns out a Flash file is poised for a drive-by download of malware. Having detected this dangerous scenario, FireEye ultimately blocks the original email message from ever getting to good old Joe Schmo.

The scenario above demonstrates how FireEye works across two common attack vectors: email and web. All of this is done in a very quick and comprehensive manner without creating lag time for the users. FireEye can operate in protective mode, in which case it prevents endpoints from getting infected, or detect mode, in which it identifies that a device just got infected and notifies an administrator to quarantine the machine.

FireEye’s MVX has numerous instrumentations that can force a piece of code to show its true colors. For example, if some code is set to wait an hour before executing – a common tactic attackers use to hide the nature of malware code – FireEye can trick the code into believing it has waited that hour, even though only a fraction of a second has elapsed. This time delay trick is only one of many instrumentation mechanisms FireEye brings to bear in its hypervisor.

To cover even more bases, FireEye has partnered with other security vendors to bring added value to its solution. FireEye leverages its visibility into the threat landscape to allow technologies from companies like Imperva and Bit9 to make more intelligent decisions. These multi-layered solutions help to provide defense-in-depth to an enterprise. Given the new threat landscape and what’s at stake, companies need to up their game when it comes to defending the home turf.

Linda Musthaler is a Principal Analyst with Essential Solutions Corporation.  You can write to her at


About Essential Solutions Corp: Essential Solutions ( researches the practical value of information technology, and how it can make individual workers and entire organizations more productive.  Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.  

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10