
Advanced Support for the SOC Hunter

Posted on 2019-09-24 by Josiah Smith


An Interview with InQuest CTO


This interview with Ed Amoroso (EA) was featured in the 2020 TAG Cyber Security Annual: Outlook for 50 Cyber Controls.

The SOC hunter has increasingly become a central player in the detection and response process for enterprise cyber security. This follows the increasingly complex assortment of vulnerabilities and attacks that must be addressed, along with the constant need to hone and improve the configuration of automated tools in the enterprise. Both lend themselves well to a SOC team performing hunt actions – but a proper support platform is obviously required. InQuest provides an automated platform for the SOC hunter that includes powerful means for inspecting files to detect the presence of malicious code. The platform ingests network data and then runs it through a variety of analytic functions, resulting in an effective risk score. Pedram Amini (PA), CTO of InQuest, was kind enough to spend some time with us explaining how the platform and associated process work for the SOC team supporting enterprise risk analytics and response.


EA: Tell us about the InQuest platform and how it supports the SOC hunter.
PA: At the end of the day, our platform aids human analysts through its actions as a tireless mechanized SOC analyst. Data is collected from a variety of sources at scale, exposed and analyzed with human-level scrutiny, scored with consideration from numerous sources, and made available to the human analyst through robust search. Described by one of our customers as “Network God Mode,” the InQuest platform empowers the SOC hunter to pose questions that she otherwise could not answer without tremendous manual labor. The depth of data exposure through technology we coined “Deep File Inspection” is the true differentiator here for the SOC hunter, providing the ability to analyze in real-time or leverage the power of hindsight through retrospective analysis or “retro-hunting,” as we call it. The most common file-borne malware carriers include Microsoft and Adobe office documents, compressed archives, and applet code (Java, Flash). Each of these file formats is complex, ever-changing, and requires a specialized skill-set to dissect and interpret. InQuest removes this barrier to analysis, liberating the SOC hunter to focus on the threat, instead of wasting precious cycles focusing on the encapsulated delivery package.

EA: How does your Deep File Inspection technology work?
PA: Deep File Inspection, or DFI for short, is a core tenet of our solution. It is a static-analysis engine that peers deep into layer 7 of the OSI model, essentially automating the expert system that is your typical SOC analyst/security researcher. Regardless of the novelty of nesting employed by an attacker, DFI will rapidly dissect common carriers to decompile/expose embedded logic (macros, scripts, applets), semantic context (ex: data in cells of the spreadsheet, words in a presentation or document), and metadata (ex: author, edit time, page count). Images discovered to be embedded are processed through a machine vision layer (OCR, perception hashing), adding to the semantic context extracted from the original file. Common evasive characteristics and encoding mechanisms are automatically discovered and decoded. The DFI process typically results in four times the amount of analyzable content. For example, 8MB of data may be extracted from a 2MB file, resulting in 10MB of total inspectable data. A general frustration voiced by SOC analysts and information security researchers is the restrictive resources available for detection analytics. In the case of IPS, resources are limited to only nanoseconds of time and kilobytes of analyzable data. IDS systems can typically delve deeper, given the addition of milliseconds of time and additional kilobytes of data. The next step up with regards to the time-vs-analysis trade-off is behavioral monitoring or sandbox solutions. Capable of detonating a sample in a virtualized environment and annotating the behavior of the system for threat detection... this takes minutes. The InQuest platform addresses the time-vs-analysis gap with Deep File Inspection (DFI), which typically completes its analysis in seconds and provides megabytes of analyzable data from a variety of sources.
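The recursive carrier dissection Amini describes, as an added example that is not InQuest's DFI code: a small Python extractor, run against a constructed docx-like sample, that descends through nested zip-based containers, collects metadata, document text and any embedded-logic parts, and tallies how many bytes became inspectable compared with the original file size. The part names it recognizes (`vbaProject.bin`, `document.xml`, `docProps/core.xml`) are standard OOXML locations; the sample content is constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Clark-notation namespaces used by docProps/core.xml in OOXML packages
DC = "{http://purl.org/dc/elements/1.1/}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"
LOGIC_PARTS = ("vbaproject.bin", ".js", ".jar", ".swf")  # embedded-logic carriers this toy knows


def dissect(blob, path="root", depth=0, report=None):
    """Recursively unpack zip-based carriers; record metadata, text, logic, depth and bytes."""
    if report is None:
        report = {"metadata": {}, "text": [], "logic": [], "depth": 0, "bytes": 0}
    report["bytes"] += len(blob)                       # every layer adds inspectable data
    report["depth"] = max(report["depth"], depth)
    lower = path.lower()
    if not zipfile.is_zipfile(io.BytesIO(blob)):       # leaf part: classify, do not descend
        if lower.endswith(LOGIC_PARTS):
            report["logic"].append(path)
        elif lower.endswith(("document.xml", "sharedstrings.xml")):
            # strip tags and keep the words a human analyst would read
            report["text"] += re.sub(rb"<[^>]+>", b" ", blob).decode("utf-8", "replace").split()
        return report
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name == "docProps/core.xml":            # OOXML metadata lives here
                root = ET.fromstring(data)
                for tag in (DC + "creator", DC + "title", CP + "lastModifiedBy"):
                    el = root.find(tag)
                    if el is not None and el.text:
                        report["metadata"][tag.split("}")[1]] = el.text
                continue
            dissect(data, f"{path}/{name}", depth + 1, report)  # recurse into every part
    return report


def build_sample():
    """Constructed, benign stand-in: a docx-like zip whose embedded object is itself a zip."""
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as z:
        z.writestr("inner/macro/vbaProject.bin", b"constructed VBA project stub")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("docProps/core.xml", f'<cp:coreProperties xmlns:cp="{CP[1:-1]}" xmlns:dc="{DC[1:-1]}">'
                   "<dc:creator>constructed-author</dc:creator><dc:title>Invoice</dc:title></cp:coreProperties>")
        z.writestr("word/document.xml", "<w:document><w:p><w:t>Quarterly invoice for review</w:t></w:p></w:document>")
        z.writestr("word/embeddings/oleObject1.bin", nested.getvalue())
    return outer.getvalue()
```

Calling `dissect(build_sample())` reports a nesting depth of two, the VBA part found under the embedded object, and a byte total larger than the outer file, which is the "more analyzable content than the carrier" effect described above.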

EA: Your platform assigns a threat score to ingested data. Can you tell us how this would be used?
PA: No single solution is sufficient on its own. There’s no “silver bullet” so to speak. In support of that mantra, we play nice with others, leveraging our experience with a variety of security solutions to stack together complementary tools in a robust manner. We use the term “intelligent” orchestration here to highlight the fact that InQuest supplies data to, receives results from, and then interprets those results before factoring them into the threat score. Just as a human analyst leans on their knowledge and experience with vendors and results, our threat scoring engine does the same, capturing the intuition of a seasoned analyst to apply an accurate threat score. Data sources that drive our threat score include IP/domain/SSL reputation, mail/web header analytics, signature/signature-less threat detection, multi-antivirus consensus, behavioral analytics, and more. With so many factors in our analysis, a single digestible threat score is the most concise way for analysts to prioritize their research on the InQuest platform.

EA: What is the impact of cloud architectures on how your platform is deployed to the enterprise?
PA: Whether data flows are analyzed on-premise or in-cloud, the delivery mechanism for malware is largely the same in both environments. The vast majority of malware is delivered within a file, destined to an end-user, and delivered via e-mail as an attachment or URL. InQuest Deep File Inspection can be deployed in a SaaS model to protect corporate e-mail and/or integrated into the corporate web proxy. The explosion in popularity of file-sharing platforms ranging from Dropbox to Salesforce adds complexity for threat hunters in the lack of a centralized repository for assets. A cloud deployment of InQuest can be leveraged as an aggregation and analysis point.

EA: Any near- or long-term predictions about security analytics and SOC operations?
PA: There’s a large gap in the talent pool requisite for working in the SOC environment, and it’s only getting larger. Simultaneously, data flows and malicious behavior are continually on the rise. This trend will compound into two results. First, an increase in the application of automated solutions including AI/ML and orchestration. Second, an increase in outsourcing to MDR and MSSP vendors. Data consolidation across multiple industry verticals provides these vendors with a wider-scale global view that can be leveraged to improve and scale automated solutions.
