Fundamentals of Network Traffic Analysis using FireEye Network Forensics

This course covers the fundamentals of network flow analysis, session analysis, application metadata analysis, and reconstruction of data from full packet content using the FireEye Network Forensics (PX Series) and Investigation Analysis (IA Series) appliances.

Hands-on activities include using both PX and IA to perform search queries and filtering, as well as following alerts from integrated FireEye appliances.

Learning Objectives

After completing this course, learners should be able to:

  • Describe how PX and IA are deployed alongside the other FireEye products and services that may be part of a network traffic monitoring and analysis environment.
  • Define connection, packet, and session data in context of network traffic analysis.
  • Perform network traffic analysis using the PX and IA.
  • Reconstruct files or artifacts from full packet content, starting from the session events returned by PX and IA searches.
  • Follow threat alerts from integrated FireEye systems (EX, NX, HX, PX) and intelligence feeds (iSIGHT and others) to support breach investigation and threat hunting.


Who Should Attend

Network security professionals and incident responders who must work with FireEye Network Forensics and Investigation Analysis appliances to analyze cyber threats through packet data.

Prerequisites

A working understanding of networking and network security, and of the Windows operating system, its file system and registry, and its command-line interface (CLI).

Duration

1 day

Instructor-Led Training

Courses cannot be purchased or accessed from this site.

If you would like to register for this course, please contact your FireEye account manager.

Thank you.

Course Outline

Instructor-led sessions are typically a blend of lecture and hands-on lab activities.

1.   PX and IA Appliance Overview

  • What PX and IA are and their purpose
  • PX hardware ports
  • PX storage considerations
  • Basic PX/IA components

2.   Network Traffic Analysis Environment

  • Network core deployment
  • Network edge deployment
  • PX with NX deployment
  • PX with IA deployment
  • PX and IA relationship
  • IA distributed deployment
  • PX and IA and FireEye integrations
  • Customizing IA dashboards
  • Setting up lists
  • Query lists

3.   Network Traffic Analysis with PX

  • Traffic flow analysis
  • Connections
  • Searching with BPF and XPF
  • The Web UI
  • Filter Builder
  • Packet analysis
  • Data flow in the OSI model
  • TCP/IP Protocol Suite model
  • PX session data
  • Storing searches
  • Pivot to PX

4.   Searching and Filtering with IA

  • IA query tools
  • Constructing queries
  • Search types
  • Grouping
  • Escaping special characters
  • Regular expressions
  • Subnet searches
  • What is metadata?
  • IA metadata and networking models
  • Query results
  • Visualizing query results
  • Aggregating results of multiple fields
  • Saving and reusing searches
  • Reports for scheduled queries
  • Adding a filter
  • Applying filters
  • Applying filters to PX systems
  • Pivot to PX

5.   Reconstructing Network Data

  • Network reconstruction
  • Data reconstruction on PX
  • Downloading a reconstructed file
  • Reconstructing packet data in IA
  • Follow the stream
  • Carving a file from stream data
  • Applying encoder/decoder chains
  • Reconstructing HTML
  • Reconstructing Email
  • Reconstructing artifacts
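The three steps listed above (follow the stream, carve a file from the stream data, apply an encoder/decoder chain) are generic network-forensics operations, and the appliance UI hides what they do. The following added example is not FireEye code and does not use the PX/IA API; it shows the same workflow on a constructed HTTP/1.1 response as a "follow the stream" view would present it: the server gzip-compressed a file and then applied chunked transfer framing, so the decoder chain must undo chunking first and gzip second before the file can be carved and hashed. The sample bytes, the function names and the PNG-like payload are all constructed for this illustration.

```python
"""Carve a file from a reassembled TCP stream by applying an encoder/decoder chain.

Illustrative example only (not FireEye PX/IA code). The stream is constructed
inline so the script runs offline.
"""
import gzip
import hashlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def build_sample_stream() -> bytes:
    """Constructed sample: a PNG-like payload, gzip-compressed, then chunked."""
    payload = PNG_MAGIC + b"fake-image-bytes-for-demo" * 4
    body = gzip.compress(payload, mtime=0)
    # Split into two chunks so the chunk parser has to loop.
    half = len(body) // 2
    chunks = [body[:half], body[half:]]
    framed = b"".join(f"{len(c):x}\r\n".encode() + c + b"\r\n" for c in chunks)
    framed += b"0\r\n\r\n"  # zero-length terminating chunk
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: image/png\r\n"
        b"Content-Encoding: gzip\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n"
    )
    return headers + framed


def split_http_response(stream: bytes):
    """Separate the status line, headers (lower-cased names) and raw body."""
    sep = stream.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("no end of HTTP headers in stream")
    head, body = stream[:sep], stream[sep + 4:]
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def dechunk(body: bytes) -> bytes:
    """Undo HTTP chunked transfer framing; fail loudly on a truncated capture."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk header")
        size_field = body[pos:eol].split(b";")[0].strip()  # drop chunk extensions
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        if pos + size > len(body):
            raise ValueError("truncated chunk body")
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that follows each chunk


DECODERS = {
    "chunked": dechunk,
    "gzip": gzip.decompress,
    "identity": lambda data: data,
}


def decoder_chain(headers: dict) -> list:
    """Order decoders so they undo the sender's encodings in reverse.

    Transfer codings wrap content codings, and each header lists codings in
    the order they were applied, so decode reversed(TE) then reversed(CE).
    """
    def codings(name):
        return [c.strip().lower() for c in headers.get(name, "").split(",") if c.strip()]

    chain = list(reversed(codings("transfer-encoding"))) + list(reversed(codings("content-encoding")))
    unsupported = [c for c in chain if c not in DECODERS]
    if unsupported:
        raise ValueError(f"unsupported coding(s): {unsupported}")
    return chain


def carve_file(stream: bytes) -> dict:
    """Run the decoder chain over the body and return the carved file with its hash."""
    status, headers, body = split_http_response(stream)
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected status line: {status}")
    chain = decoder_chain(headers)
    data = body
    for coding in chain:
        data = DECODERS[coding](data)
    return {
        "content_type": headers.get("content-type", ""),
        "chain": chain,
        "magic": data[:8],
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "data": data,
    }


if __name__ == "__main__":
    result = carve_file(build_sample_stream())
    print(result["content_type"], result["chain"], result["size"], result["sha256"])
```

In practice the declared Content-Type is untrusted; compare the carved file's leading bytes (here the PNG signature) against the header before trusting it, and record the SHA-256 of the decoded bytes rather than of the on-the-wire body, since the latter changes with every re-encoding.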

6.   Threat Alerts and Intelligence

  • Threat hunting
  • FireEye alerts
  • IA alerts Web UI
  • Filtering alerts
  • Alert tools for investigation
  • Generating a query from an alert
  • Working with rulesets
  • Threat intelligence
  • Threat intelligence alerts on IA/PX
  • The Mandiant Attack Lifecycle