Session Reconstruction is the icing on the cake for Network Forensics

Introduction

The FireEye cyber security products are well known in the industry for being highly effective at detecting attacks and advanced persistent threats. FireEye’s PX series appliances are instrumental in forensics analysis and help to gather vital information about attacks, including:

  • The length of the attack.
  • The lateral spread of the attack.
  • The extent of the damage.

PX performs lossless packet capture in the deployed network and stores them in PCAP format. Stored packets can be retrieved for analysis from PX GUI by starting a simple, time-based search.

PX 4.4.0 has a revamped Session Analysis feature that can search for packets and reconstruct the application/network sessions on the provided search time window. Session results table lists down the different application sessions and detailed information about each of the sessions. Files available in the session can also be downloaded with a single click.

How does Session Reconstruction add value?

Consider a case of “Email with malicious attachments is transmitted to victim's computer and FireEye’s NX series appliance has detected this attack.” A Forensic analyst has been called for investigation of this incident.

The analyst starts the analysis by logging into PX and starting a session search for approximate time duration in which the incident took place. PX presents the session results table with the suspicious email session along with other application sessions on the time period.

The analyst can select the suspicious session and obtain more details about the session, such as the sender of the email, when was it sent, who were the recipients of the email, and information about the file attachments [file type, file size, md5sum, etc.]. The analyst can then download the PCAP or attachments for further analysis.

Figure 1 represents the actual session information that will be shown to the analyst.

Figure 1: PX’s Session Results table with Email session information highlighted

The ‘Download File’ link for attached Files is highlighted in Figure 2.

Figure 2: PX’s Session Results table with Download File option highlighted

What is so unique about it?

There can be millions of transactions in the network at any given point of time. It is a daunting task to identify the packets belonging to the same flow and reconstruct the sessions. PX does this job through a single search request with search depth selected as ‘session’.

If a user finds too many relevant flows, further filtering is possible by applying various display filters.

The following are the key differentiators of PX when compared to others:

  1. PX’s search engine does lossless capturing of the network traffic.
  2. PX indexes the packets in such a way that it can be retrieved faster (PX can even search and retrieve a million connection records in a few minutes!).
  3. PX’s session analysis feature is very intuitive and user friendly.
There is more to it with Session Reconstruction!

The IA series Network Forensics Platform allows for centralized searches across all connected PX appliances. IA is integrated with other FireEye appliances such as NX, EX, AX and CMS on the latest release 1.2.0.

IA gives the flexibility of using L7 metadata for searching the packets. For example, on the aforementioned suspicious email example, the analyst can search using sender email id, receiver email id, suspicious filename, file MD5, etc., and IA lists the corresponding results for the search.

The analyst can then select the connection events of interest and initiate Session Reconstruction. IA pulls the relevant packets from PX and reconstructs the session.

If IA is integrated with AX, IA can send the reconstructed file/attachment to AX for sandbox analysis and results will be posted on the IA. This simplifies the forensics part even more, by adding sandbox analysis!

Figure 3 shows the IA Summary page with Email id and Filename based search result.

Figure 3: IA Summary page showing L7 Metadata-based search

Figure 4 shows the IA Malware page with sample analysis report for the reconstructed file.

Figure 4: Malware analysis page of IA

Conclusion

PX and IA Series appliances are purposefully built for Network Forensics. Network Forensics is crucial to find the history of an attack. It is also important to complete the analysis as fast as possible. Session Reconstruction certainly helps analysts wrap up the process faster.