Enterprise Forensics Enriched with Threat Scanning Capability by FireEye iSIGHT Intelligence

Introduction

FireEye Forensic Products (PX and IA Series) working together with FireEye Detection and Protection solutions (such as Network Security and the NX Series) is the best overall solution for incident response engagements and compromise assessments. For instance, PX continuously records network data in a lossless manner and provides the packet captures for deeper investigations.

FireEye iSIGHT Intelligence offers a proactive, forward-looking way to qualify business-disrupting threats based on the tools, intent and tactics of the attacker. FireEye iSIGHT Intelligence is comprehensive intelligence that delivers visibility beyond the typical attack lifecycle, adding context and priority to global threats before, during and after an attack. FireEye iSIGHT Intelligence also helps mitigate risk, bolster incident response, and enhance your overall security ecosystem.

The Missing Pieces

We recently released PX 4.5.0 and IA 1.3.0, both of which now work with FireEye iSIGHT’s suite of motivation-based threat intelligence subscriptions. One way this integration with FireEye iSIGHT Intelligence helps an organization is by scanning for attacks as they occur – a feature called “Threat Intel Integration.” PX integrated with FireEye iSIGHT Intelligence can trigger alerts when threats are observed, including those posed by spear phishing emails or even unintentional activity by legitimate users.

How to Get Started

The first step towards implementing the iSIGHT integration is to subscribe to FireEye iSIGHT Intelligence (contact us today for more information). Once you have the API keys that come with the subscription, you’re ready to go.

As seen in Figure 1, PX has a simple configuration menu for entering this API key. Follow these steps to configure FireEye iSIGHT Intelligence on PX:

  • Log in to PX Clish as the npadmin/admin user with your credentials.
  • Enter the “configure isight” command to configure FireEye iSIGHT Intelligence.
  • Press 1 to enter the API key and press 4 to enter the Secret Key.
  • Press 2 to configure the retention period of intelligence rules on the system.
  • Press 3 to enable or disable the rule loader.
  • Press “X” to save the configuration changes and exit.

Figure 1:  FireEye iSIGHT Intelligence configuration menu on PX

As seen in Figure 2, the configuration menu for IA is similar, but it provides users with some more options. Follow these steps to configure FireEye iSIGHT Intelligence on IA:

  • Log in to IA Clish as the npadmin/admin user with your credentials.
  • Type the “enable” command to enter privileged mode, then type the “configure system” command to enter configuration mode.
  • Type the “threatintel” command to configure FireEye iSIGHT Intelligence.
  • Press “K” to enter the API Key and the Secret Key.
  • Press “L” to configure the search look-back period in days.
  • Press “T” to configure the search trigger time.
  • Press “I” to enable or disable the IOC search that is run on available metadata.
  • Press “X” to save and exit once you are done with the configuration.

Figure 2: FireEye iSIGHT Intelligence configuration menu on IA

IA has a comprehensive GUI page as well for scheduling the download of IOCs. Figure 3 is a screenshot obtained from the IA GUI > MANAGE > iSIGHT Scheduling page.

Figure 3: IA’s iSIGHT scheduling page

Once the FireEye iSIGHT API keys are validated on PX and IA, they will start downloading Indicators of Compromise (IOCs) at the scheduled times. Both PX and IA can download the IOCs twice a day.

What Intelligence is Added?

Unlike other vendors that provide raw threat data, FireEye delivers high-fidelity intelligence derived from numerous sources across the globe, including human intelligence, open sources, active community engagement, connections to the threat underground and criminal marketplaces, and real-time data collected from a variety of technical sources.

The following are some of the major IOCs we can download and scan/alert on:

  • Network: A list of blacklisted IPs throughout the world.
  • File MD5: A list of malicious file MD5 sums.
  • URL: A list of malicious URLs.

PX downloads the IOCs in SNORT rule format. IA downloads the IOCs as a list and stores them as a TERM LIST.

Figure 4 shows an example alert rule downloaded on PX.

Figure 4: An example alert rule

Figure 5 is a screenshot of IA’s iSIGHT scheduling page and shows the actual IOC table that IA received from FireEye iSIGHT API.

Figure 5: Recent IOCs table on IA

If the administrator feels that certain rules are too noisy and generating too many alerts, they have the option to suppress the alerts.

How Does Detection Happen with the Help of IOCs?

Ideally, PX is deployed close to the edge router or entry/exit point of the network so that it captures the entire network’s ingress/egress traffic. As soon as the IOCs are downloaded, PX starts matching live traffic against the IOC patterns and triggers an INTEL Alert on a match.

What if malicious traffic entered the network before PX downloaded the IOCs? IA addresses this tricky case with a retrospective search that runs the IOCs against its indexed L7 metadata. This search can be configured to look back 30 days.
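A sketch of the retrospective search described above, as an added example that is not FireEye’s or IA’s code: it walks constructed L7 metadata records, skips those older than the look-back window, and raises an INTEL-style alert when a record matches a network, MD5 or URL indicator. The IOC values, record field names and timestamps are constructed placeholders, not IA’s schema or real intelligence.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit

# Constructed IOC sets standing in for the three feed categories the post
# names (network IPs, file MD5s, URLs). Placeholder values, not real intel.
IOCS = {
    "network": {"203.0.113.45", "198.51.100.7"},
    "md5": {"00112233445566778899aabbccddeeff"},
    "url": {"http://malware-drop.example/stage2.bin"},
}

# Constructed L7 metadata records; the field names are assumptions, not IA's schema.
METADATA = [
    {"ts": "2016-03-01T10:00:00Z", "src": "10.0.0.5", "dst": "203.0.113.45",
     "url": "http://Malware-Drop.example/stage2.bin", "md5": None},
    {"ts": "2016-03-20T12:30:00Z", "src": "10.0.0.9", "dst": "93.184.216.34",
     "url": "http://example.com/", "md5": "00112233445566778899AABBCCDDEEFF"},
    {"ts": "2016-01-15T08:00:00Z", "src": "10.0.0.7", "dst": "198.51.100.7",
     "url": None, "md5": None},  # outside a 30-day look-back from late March
]

def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize_url(url):
    """Lower-case scheme and host so the IOC comparison ignores case there."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, ""))

def retrospective_search(records, iocs, now_ts, lookback_days=30):
    """Return INTEL-style alerts for records inside the look-back window
    whose fields match a network, MD5 or URL indicator."""
    cutoff = _parse_ts(now_ts) - timedelta(days=lookback_days)
    url_iocs = {normalize_url(u) for u in iocs["url"]}
    alerts = []
    for rec in records:
        if _parse_ts(rec["ts"]) < cutoff:
            continue  # older than the configured look-back period
        for field in ("src", "dst"):
            if rec.get(field) in iocs["network"]:
                alerts.append({"type": "network", "ioc": rec[field], "ts": rec["ts"]})
        if rec.get("md5") and rec["md5"].lower() in iocs["md5"]:
            alerts.append({"type": "md5", "ioc": rec["md5"].lower(), "ts": rec["ts"]})
        if rec.get("url") and normalize_url(rec["url"]) in url_iocs:
            alerts.append({"type": "url", "ioc": normalize_url(rec["url"]), "ts": rec["ts"]})
    return alerts

if __name__ == "__main__":
    for alert in retrospective_search(METADATA, IOCS, "2016-03-25T00:00:00Z"):
        print(alert)
```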

Both PX and IA generate an INTEL Alert in case of an IOC match, and this alert is indexed in IA’s Alert store. Figure 6 shows the actual IA Alerts page with a few INTEL Alerts populated in the table.

Figure 6: IA’s Alert page showing INTEL Alerts

The alert table shown in Figure 6 gives additional details about the alert, including the actual alert trigger time, the device that generated the alert, and more.

Figure 7 and Figure 8 show more context about the INTEL Alert.

Figure 7: The Details tab gives more information and context about the alert

Figure 8: The Intel tab gives more information and context about the alert

The Reconstruct button shown in Figure 7 can be used for reconstructing the application session from the available packets of PX’s PCAP store. If more information regarding the alert is required, it can be obtained by clicking on the “Download Full Report” button.

Figure 9 shows an actual report downloaded from FireEye.

Figure 9: Snippet from FireEye’s Malware Intelligence report

Conclusion

FireEye iSIGHT Intelligence feeds are rich in context and, as a result, are able to help organizations fight attackers and stay ahead of threats.

Our PX and IA series products have done a wonderful job identifying potential and actual attacks, and now they have been made even stronger through the new “Threat Intel Integration” feature.

Learn more about PX and IA, and about iSIGHT Threat Intelligence.