InQuest FDR passes threat research to and from multi-AV and sandbox platforms, threat intel sources, and our own signature development team - all of which constantly interact with machine learning.
Threat Intel Updates
Coupled with FDR DFI, InQuest Labs curates and publishes threat intelligence updates on a weekly (or as-needed) basis. These updates cover changes in IP, domain, and SSL certificate Indicators of Compromise (IoC) intel, as well as additions/modifications/removals to the InQuest threat-detection and data-loss signature knowledge base - all of which are central to keeping FDR accurate, complete, and current for the most productive analysis efforts.
Machine Learning (ML) applications require good baseline data models. FDR's baseline data is generated by our proprietary DFI technology - a static-analysis engine that inspects far beyond OSI Layer 7 - essentially automating the work of a typical SOC analyst / security researcher. Once DFI post-processed data is gathered, it is passed to four FDR classifiers. Our current machine learning endeavors have resulted in the creation and implementation of two different ensembles - supervised and unsupervised - for classifying malware based on pattern recognition and anomaly detection, respectively. There are three supervised classifiers (logistic regression, random forests, and gradient boosting) and five unsupervised clusters (TLSH, SSDeep, K-means, DBSCAN, and OPTICS).
Zero-Day / N-Day Vulnerability / Exploit Protection
The InQuest Labs team sources threat intelligence through a variety of methods and origins, including proprietary harvesting methods, commercial feeds and partnerships, unique partnerships, and open source intelligence (OSINT). Our membership in the Microsoft Active Protections Program Advanced Notification Service (MAPP ANS), which provides five-day early visibility into vulnerability information, and our 0-day exchange with Exodus Intelligence ensure InQuest customers receive thorough and accurate protections on the day of patch release (n-day) for all Microsoft and Adobe products. Additionally, MAPP provides an ecosystem for threat indicator exchange with which InQuest Labs actively engages. Through Exodus, InQuest customers receive protection against 0-day vulnerabilities and bleeding-edge exploitation techniques.
We define "intelligent" orchestration as the ability to both provide data to and ingest results from third-party intel sources, including reputation feeds, SIEMs, AV consensus, and sandboxes. Iterative cross-pollination of intelligence between the FDR platform and cloud-based reputation services is vital to FDR IQScore efficacy. For example, weights and filters applied atop antivirus results - driven by empirical observations drawn from InQuest Labs' daily R&D efforts and mass ingestion of malware - help keep the IQScore fresh at all times. Intelligent Orchestration plays a key role in fulfilling our ethos that 'a rising tide lifts all boats'. As we enrich third-party intelligence with our own value add, this sharper intelligence is shared outside of FDR via optional turnkey integrations with a variety of complementary technologies.
Key to both automated retrohunting and manual retrohunts are retrospective alerts. As an example, Microsoft supplies FDR with 0-day intelligence via MAPP. InQuest Labs then writes a signature and releases it to customers. If a customer was hit with that 0-day, perhaps a week ago, FDR will notify analysts immediately. RetroHunt alerts are displayed in a dedicated section of the FDR UI/UX. RetroHunt alerts are shown in session/file detail views directly below real-time alerts and are fully searchable.
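A minimal illustration of the retrospective-alert idea described above, added here as an example and not InQuest's own code: a signature released after a file was first seen is replayed over retained observations, and hits on records older than the release are flagged as retro alerts, separate from the real-time alerts already raised. The record layout, the signature predicate, and the hash placeholders are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable

@dataclass(frozen=True)
class Signature:
    name: str
    released: datetime
    match: Callable[[dict], bool]  # predicate over statically extracted features

@dataclass(frozen=True)
class Alert:
    signature: str
    session: str
    sha256: str
    seen: datetime
    retro: bool  # True when the observation predates the signature release

# Constructed sample history: per-session file records with the features a
# static-analysis pass retained and the time the file was originally seen.
HISTORY = [
    {"session": "s-1001", "sha256": "<placeholder-hash-1>", "seen": datetime(2024, 5, 1, 9, 15),
     "features": {"type": "docx", "has_macro": True}},
    {"session": "s-1002", "sha256": "<placeholder-hash-2>", "seen": datetime(2024, 5, 3, 14, 2),
     "features": {"type": "pdf", "has_macro": False}},
    {"session": "s-1003", "sha256": "<placeholder-hash-3>", "seen": datetime(2024, 5, 9, 8, 40),
     "features": {"type": "docx", "has_macro": True}},
]

def retrohunt(history, signature, already_alerted):
    """Replay a newly released signature over retained observations.

    Returns one alert per matching record not already flagged for this
    signature; hits on records older than the release are marked retro.
    """
    alerts = []
    for rec in history:
        if not signature.match(rec["features"]):
            continue
        if (rec["session"], signature.name) in already_alerted:
            continue  # real-time alert already exists for this session
        alerts.append(Alert(signature.name, rec["session"], rec["sha256"],
                            rec["seen"], retro=rec["seen"] < signature.released))
    return alerts

def run_example():
    # Hypothetical signature released on 8 May for macro-bearing Office documents.
    sig = Signature("office_macro_generic", datetime(2024, 5, 8),
                    lambda f: f["type"] == "docx" and f["has_macro"])
    already = {("s-1003", sig.name)}  # s-1003 arrived after release; alerted live
    return retrohunt(HISTORY, sig, already)

if __name__ == "__main__":
    for a in run_example():
        print(("RETRO " if a.retro else "LIVE  ") + f"{a.session} {a.signature} seen={a.seen:%Y-%m-%d}")
```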
FDR provides full visibility of all inbound and outbound enterprise network traffic flow to determine if a breach has occurred. It is capable of identifying Command and Control (C2) activity associated with advanced persistent threats (APTs) by performing behavioral analytics and leveraging unique Indicators of Compromise (IoC) - acquired and curated by our InQuest Labs research team. The system is designed to rapidly detect/prevent the C2 activity of sophisticated actors across multiple post-compromise stages - ultimately to identify and prevent data leakage or exfiltration.