Leveraging Intelligence with FireEye Network Forensics

Introduction

Despite the deployment and use of multiple security products and technologies to combat breaches, organizations struggle with how to quickly respond to the myriad of alerts and security incidents that arise daily. Capturing and analyzing network data packets is an essential requirement of a strong security incident investigation strategy. The network data store is often the primary starting point for investigating security incidents, which can provide critical context of an attack.

Given the need to capture packets, there are limitations to how much traffic can be retained. To maximize storage efficiencies, organizations may choose to filter packets and flows and not to store them based on the nature of the data. For example, video streaming data or encrypted traffic may not be helpful in an incident investigation, and excluding them from capture and analysis results in improved network forensics performance and quicker analyst response times.

Intelligent Capture

FireEye Network Forensics addresses this problem-set with a new feature named “Intelligent Capture (IC)”. IC enables selective filtering of the captured data, freeing the device from performing additional analysis and storage on unnecessary data. Administrators can choose to either discard the packets, the Layer 7 metadata, or both. For instance, selecting to record the packet metadata, while discarding the packets themselves, provides a cost-effective solution for maintaining visibility for protocols that cannot be analyzed, without wasting disk space.

Administrators have additional flexibility to select and configure the filtering parameters for Intelligent Capture. The following parameters can be configured as filtering options:

  • MAC Address
  • IPv4/IPv6 Address
  • Port number
  • Ether type
  • Protocol values

For example, as a simple filter, an administrator can create a filter to discard all the traffic that is destined to port 443.

Configuration of Intelligent Capture (Packet-Filter)

Intelligent Capture filters are configured on the PX command-line with the “configure packet-filter” command. The following example configures all the traffic from source IP 192.168.77.149 to destination IP 192.168.77.164 on the respective ports 54063 and 80 to be discarded from full-packet capture.

In this example, the packets will be discarded only if all of these conditions match.

Metadata Filter and DNS Aggregation

As part of the FireEye Network Forensics solution, FireEye Investigation Analysis (IA) appliances consume L7 metadata generated by FireEye PX appliances and index it for faster search and traffic context visualization. Administrators depend heavily on real-time visibility into network traffic behavior, and with the application of metadata filters to discard unwanted metadata, administrators gain efficient insights to the specific traffic that they want to see.  

In addition to the Intelligent Capture filtering, metadata filters can be constructed to provide additional per-protocol filtering capabilities.

To configure a metadata filter in an IA device, log in to the IA GUI, and navigate to the MANAGE > PX Filters page.

Figure 1 shows an example metadata filter.


Figure 1: PX Filter screen from IA

As an enhancement to the standard metadata logging and filtering, FireEye Network Forensics now contains DNS flow aggregation. This feature significantly reduces DNS-related traffic by aggregating the flows that originate from and are destined to the same set of IP addresses. DNS flow records are aggregated every minute and streamed to FireEye IA devices for additional analysis.

To configure this filter, log in to the IA GUI, navigate to the MANAGE > PX Filters page, and toggle the ‘View By’ tab.

Figure 2 shows an example of a DNS Aggregation Filter.


Figure 2: PX Filter screen showing the DNS Aggregation option in IA

Conclusion

Having a smart and flexible network forensics solution in place is critical to maintaining a balance of strong security. By adding intelligent handling of protocol metadata and packets, FireEye gives security analysts additional firepower to quickly address the alerts that matter, while reducing the time it takes to investigate and respond to cyber threats.

All features and improvements are included in the FireEye Network Forensics (PX) 5.0.x release, and the FireEye Network Forensics Investigation Analysis (IA) 1.4.x release.