
Crossfire Demo Labs


Crossfire Demo Labs
Contacts, Links, Process
Crossfire Overview

The Crossfire labs provide SEs with an environment to test attack scenarios, new features, use cases and customer-facing demos/workshops.

The labs are separated geographically to ensure redundancy and region-based access, bound to SSO authentication via Okta.

The following document will outline interaction, support, and contacts for the Crossfire labs.

Copyright © 2017, FireEye, Inc. All rights reserved. CONFIDENTIAL 2


Crossfire Overview
There are several Crossfire Labs to choose from:

SFO, ORK, TYO:

• Standard demo labs
• Contain a mix of automated/dynamic scenarios and static demos.
• 2+ instances of each spoke product
• Each Helix-specific scenario feeds into a particular Helix demo instance (endpoints can still connect to any Helix instance)
• Some controllers are limited to read-only to preserve fixed demo scenarios.



Crossfire Overview
Helix demo scenarios and lab traffic map to specific Helix instances:

• Helix Demo 1
• Helix Demo 2
• Helix Demo 3

Important Note: Helix login creds are completely separate from Crossfire creds. Please contact fireeye-se-helix-admin@fireeye.com for help with enrolling in the Helix demo instances.



Crossfire Overview
DXB:
• Special break/fix lab.
• All controllers are wide open, no restrictions.
• Runs on hardware that is EOL and can no longer be updated.

Alliances:
• Deprecated experimental lab, not used publicly except in special circumstances.



QUICK LINKS
Support:
xfire-support@FireEye.com

The Crossfire Labs are maintained by Neil Roxburgh, Mostafa Altantawy, Kevin Burk, and Jeff Yeutter. The xfire-support@fireeye.com
distro list is the fastest way to contact the team for help with technical issues, workshop queries, or feature requests.

Demo Guides:
See “SE Bootcamp Materials” Teams channel or
https://fireeyeinc.sharepoint.com/:f:/s/SENewHireBootcampmaterials/EqqulMH2BVJItJEjCmFdqNIBC-Ze9_iFVCxCjZwU5Rnfsw?e=d48Rh9

Demo scenario guides are available in the SharePoint space listed above. For demo scenario/specialized product questions, please
contact the GPS product specialist team at fireeye-se-gps@fireeye.com.



CROSSFIRE
FAQs

Crossfire FAQ
1) Logging into systems

In general, the Crossfire lab credentials are located at the top of the dashboard next to your user name. These creds are NOT used for Helix logins.

However, there are scenarios where a custom user/pass may need to be used. In these cases, please check for any notes or a padlock icon next to the link.

Example: HXTools requires a custom user/pass.



Crossfire FAQ
2) Missing items / Missing Access

Crossfire is bound to Okta; however, there are scenarios where users are bound to a default account and do not receive the default SE Role in Crossfire. This is almost always caused by your Okta account not being added to the “XFIRE-SE” Okta group.

If you are having difficulty, please email xfire-support@fireeye.com. You may be instructed to submit a ticket to Service Desk to request that they add you to the appropriate Okta group.



Crossfire FAQ
3) Locked Settings

Crossfire in general is built upon the concept of Scenarios: guided cases where SEs can demonstrate value-add via live interactions with FireEye technologies.

Due to the nature of scenarios, the integration between many systems and dependencies on policies, it is necessary to lock some settings/features from being changed (e.g. detection policies) on some controllers.

To remedy the situation, DXB and “02” controllers are unrestricted. Scenarios have been decoupled and systems will remain stand-alone, and all settings on the controllers can be freely changed. All users in DXB and on “02” controllers in SFO/ORK/TYO are granted Admin rights.



Crossfire FAQ
4) Victim VMs and Persistent VM Options

The Victim VM dropdown list allows you to create up to four simultaneous instances of your own private VMs to generate alerts in NX/EX/HX/PX. Load whatever kind of malware you’d like here.

These VMs will automatically power off after eight hours, and will automatically be wiped after two weeks of inactivity.

If you’d like to have some persistent VMs of any operating system for workshops or to build your own demo scenarios, please send an email to xfire-support@fireeye.com and we can set you up.



Crossfire FAQ
5) Lab Email

The Lab Mailbox can be used to email malicious attachments/URLs to yourself, either here in the Crossfire Dashboard or through Illuminator.



Crossfire FAQ
6) Scenarios

Scenarios automatically start scripted attack sequences to demo across the complete FireEye platform. Step-by-step demo guides are provided here as well.



Crossfire FAQ
7) Illuminator

• Repository of malicious docs
• Includes .doc, .docx, .xls, .ppt, .pptx, .pdf.
• Shows list of behaviors for each OS.
• Shows detections in AX, AV, and detected Behaviors.
• Samples can be directly downloaded, or can generate a download URL (NX) or send a phishing email with URL or attachment delivery (EX). Note that the customer’s existing email may already be blacklisting these domains.



Crossfire FAQ

8) Malware Barn

• Repository of malicious executables and DLLs.
• Files scraped from the VirusTotal feed.
• Shows comparison table of all anti-virus engine detection vs Malware Guard, Bitdefender, and MVX.
• Search bar allows users to include or exclude specific engines.



Crossfire FAQ
9) Shared Drive for Victim VMs

• Windows: CTRL-ALT-SHIFT
• Mac: Shift-Control-Command

Each lab provides you with individual storage space that can be shared across all your Windows VMs. There are two ways to copy files in and out of this shared space. For the first, bring up the proxy overlay by typing Ctrl-Alt-Shift. Click the Shared Drive button below the clipboard.

This will bring up a listing of the files in your storage area, if any currently exist.

To add files, click the "Upload Files" button and select a file from your desktop. It will be added to the list. To download files from your lab storage area, double-click the file in the Shared Drive listing. This brings up a new overlay window in the lower right of your RDP session. Click the file in this window and you will be prompted to download it.



Crossfire FAQ

10) Shared Drive for Victim VMs

• Drag and drop files from laptop to G:\Downloads folder

This also highlights the second way to get files in and out. You can drag and drop a file directly from your desktop into the Download folder on the G: drive. When complete, the file will be moved up a level to appear under G:. Similarly, any file dragged from within the VM to the Download folder will result in the File Transfer box popping up, which again allows you to download the file to your desktop.

File transfers into a Linux-based VM are not currently supported. However, VMs can talk to each other, so it is possible to transfer a file to a Windows VM and then to the Linux VM using something like WinSCP.



THANK YOU
