Session headers and file metadata are searchable directly from the FDR GUI by way of quick and advanced searches. Advanced searches allow analysts to build complex boolean searches across a variety of fields. These searches can be saved for later recall and optionally shared with other analysts (users) on the platform.
RetroHunting is the process of hunting back in time for the presence of malware, ransomware, exploits and other end-user-induced security issues. It is not enough to apply the latest detection and prevention signatures and rules to fresh traffic. SOCs must also root out previously undiscovered malware that has already bypassed those refreshed defenses. Historically, this has been difficult, laborious, and time-intensive - achievable only by the most skilled and experienced threat hunters. FDR RetroHunting provides a set of automated features that dramatically speed up and simplify this effort.
Session and File Level Search
Historically, retrospective analysis by security personnel has been performed by poring over logs collected from a variety of sources. Log data can then be coupled with a network traffic capture solution that collects full PCAPs - essentially a 'network flight recorder' which stores every observed bit traversing the wire. But analyzing logs and PCAPs is both costly and resource-intensive. Further, while full, raw PCAPs provide value for forensic analyses, they lack the contextual detail needed by threat hunters. Additional data processing (beyond simply extracting headers and metadata) and reconstruction is needed to expose the intricate layers that threat hunters rely upon, such as embedded logic, semantics, and metadata. FDR automates this contextual data processing and provides searchable access to both session data (network session information, headers, metadata) and file data (the original file and all DFI rich content expansion).
Automated Retrospective Analysis
Automated RetroHunts are initiated whenever new threat intelligence is added to FDR - either by InQuest Labs via regular threat intelligence updates, or by FDR users through the addition or import of user-defined signatures. One example is how retrospective analysis automatically detects 0day threats. A 0day (zero day) is defined as a vulnerability or exploit that was discovered in the wild, and for which no patch exists. When a 0day is discovered, InQuest Labs goes to work analyzing the vulnerability and capturing sample exploits from the field to generate both generic and specific rules for threat mitigation. Once these new rules are released to customers via a threat intelligence update, an automated RetroHunt is triggered and will reveal whether the InQuest customer has been targeted by that 0day threat. SOC analysts can augment this automated trigger with a manual trigger if they wish to look back further than FDR's default lookback window.
Tunable Retrospective Window
FDR's default lookback window for automatic RetroHunting is set to two weeks. It can, however, be configured by customers or disabled entirely.
Retrospective Data Leak Discovery
A variety of general patterns for sensitive and personally identifiable information (PII) are bundled within FDR. These include SSNs, classified document watermarks, financial information, and more. Forethought, however, will never cover all data leakage. In cases where sensitive information was leaked and defenders want to tie that data back to a related network stream, RetroHunting can help. A user-defined signature with the relevant leaked keywords can be added to FDR. If these keywords are found anywhere in the semantic or metadata layers, an alert is produced. With FDR, keyword searches include images. If keywords are found within an image, e.g. a handwritten SSN, FDR uses Optical Character Recognition (OCR) to detect and alert on lexicon matches.
Validate Detection Logic
Analysts and threat hunters can further leverage FDR to test the efficacy of a signature on production-grade data without causing network degradation or overwhelming security staff with false positives. Candidate signatures may be added to FDR and tested against real-world captured data for consideration. Results from the test can be iterated (reviewed, logic tweaked, then re-run) until the signature is accurate and generates true positive events. While this design/test process is commonly used by IDS/IPS signature developers, not every organization has the resources to do so. FDR provides a fast, easy and cost-effective validation check for custom signatures.
As an example, a SOC analyst or threat hunter can manually invoke a RetroHunt. If a vulnerability is identified, the user will need to start the time-consuming process of writing a rule/signature. FDR helps in several ways. First, all file content - both the original and the more expansive body of DFI-derived content - is searchable. This alone significantly speeds up and simplifies the analyst's work of writing YARA-compatible rules which combine strings, byte patterns, and regular expressions via flexible conditional logic. Second, FDR allows rules to be saved, edited, versioned, and even shared with other FDR users.
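The following is an added example, not InQuest FDR code and not a description of FDR's internals. It models the workflow of the two sections above in plain Python: a stored corpus of previously captured files, each with its original bytes and expanded content layers (extracted text, OCR text, metadata); a YARA-style rule made of named text strings, byte patterns and regular expressions joined by a boolean condition; a RetroHunt that applies the rule only inside a lookback window; and a scoring step that compares hits against analyst labels so a candidate rule can be iterated until it stops producing false positives. Every record, label, codename, SSN-like value and rule below is constructed for the example; the tokeniser and the 14-day default are assumptions of this script, not FDR behaviour.

```python
"""Toy RetroHunt: YARA-style rule evaluation over a stored corpus with a lookback window."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class CapturedFile:
    """One stored record: original bytes plus the expanded content layers (constructed)."""
    file_id: str
    captured_at: datetime
    original: bytes
    layers: dict  # layer name -> extracted text, e.g. "text", "ocr", "meta"


@dataclass
class Rule:
    """YARA-style rule: named strings/patterns combined by a boolean condition."""
    name: str
    strings: dict    # "$id" -> ("text" | "regex" | "hex", value)
    condition: str   # e.g. "$pdf and ($codename or $ssn)"

    # Only these tokens are accepted in a condition; anything else is rejected.
    _TOKEN = re.compile(r"\s*(\$\w+|and|or|not|\(|\))\s*")

    def _string_hits(self, f: CapturedFile) -> dict:
        """Evaluate each named string against the text layers (and original bytes for hex)."""
        haystack = "\n".join(f.layers.values()) + "\n" + f.original.decode("latin-1")
        hits = {}
        for sid, (kind, value) in self.strings.items():
            if kind == "text":
                hits[sid] = value in haystack
            elif kind == "regex":
                hits[sid] = re.search(value, haystack) is not None
            elif kind == "hex":
                hits[sid] = bytes.fromhex(value) in f.original
            else:
                raise ValueError(f"unknown string kind {kind!r}")
        return hits

    def matches(self, f: CapturedFile) -> bool:
        """Substitute string hits into the condition and evaluate the boolean expression."""
        hits = self._string_hits(f)
        pos, tokens = 0, []
        for m in self._TOKEN.finditer(self.condition):
            if m.start() != pos:  # non-contiguous match means an illegal token
                raise ValueError(f"bad condition syntax near offset {pos}")
            pos = m.end()
            tok = m.group(1)
            if tok.startswith("$"):
                if tok not in hits:
                    raise ValueError(f"undefined string {tok}")
                tokens.append(str(hits[tok]))
            else:
                tokens.append(tok)
        if pos != len(self.condition):
            raise ValueError("trailing garbage in condition")
        # Only True/False/and/or/not/parentheses reach eval; builtins are removed.
        return bool(eval(" ".join(tokens), {"__builtins__": {}}, {}))


def retrohunt(corpus, rule: Rule, now: datetime, lookback_days: int = 14) -> list:
    """Apply a rule only to records captured inside the lookback window; return matching ids."""
    cutoff = now - timedelta(days=lookback_days)
    return sorted(f.file_id for f in corpus if f.captured_at >= cutoff and rule.matches(f))


def evaluate(corpus, rule: Rule, labels: dict, now: datetime, lookback_days: int = 14) -> dict:
    """Score a candidate rule against analyst labels (True = real leak) within the window."""
    cutoff = now - timedelta(days=lookback_days)
    in_window = {f.file_id for f in corpus if f.captured_at >= cutoff}
    hits = set(retrohunt(corpus, rule, now, lookback_days))
    positives = {fid for fid in in_window if labels.get(fid)}
    tp, fp, fn = len(hits & positives), len(hits - positives), len(positives - hits)
    return {"tp": tp, "fp": fp, "fn": fn, "precision": tp / (tp + fp) if hits else 0.0}


# --- constructed corpus: four previously captured files -------------------------------
NOW = datetime(2024, 6, 1, 12, 0)  # constructed "current" time
CORPUS = [
    CapturedFile("f1", NOW - timedelta(days=3), b"%PDF-1.7 ...",
                 {"text": "Internal memo", "ocr": "Project Kestrel - SSN 123-45-6789", "meta": "author=jdoe"}),
    CapturedFile("f2", NOW - timedelta(days=5), b"%PDF-1.4 ...",
                 {"text": "HR onboarding template. SSN: 000-00-0000 (example)", "meta": "author=hr"}),
    CapturedFile("f3", NOW - timedelta(days=30), b"%PDF-1.7 ...",
                 {"text": "Project Kestrel budget. SSN 987-65-4321", "meta": ""}),
    CapturedFile("f4", NOW - timedelta(days=1), b"From: a@example.com\r\n",
                 {"text": "Lunch to discuss Project Kestrel?", "meta": "content-type=message/rfc822"}),
]
LABELS = {"f1": True, "f2": False, "f3": True, "f4": False}  # analyst ground truth (constructed)

STRINGS = {
    "$pdf": ("hex", "25504446"),                 # "%PDF" magic bytes
    "$codename": ("text", "Project Kestrel"),    # constructed leaked codename
    "$ssn": ("regex", r"\b\d{3}-\d{2}-\d{4}\b"),  # SSN-shaped token
}
RULE_V1 = Rule("kestrel_leak_v1", STRINGS, "$codename or $ssn")            # too broad
RULE_V2 = Rule("kestrel_leak_v2", STRINGS, "$pdf and $codename and $ssn")  # tightened

if __name__ == "__main__":
    for rule in (RULE_V1, RULE_V2):
        print(rule.name, retrohunt(CORPUS, rule, NOW), evaluate(CORPUS, rule, LABELS, NOW))
    print("extended window:", retrohunt(CORPUS, RULE_V2, NOW, lookback_days=60))
```

Running it shows the iteration loop the text describes: version 1 fires on the HR template's placeholder SSN and on a harmless email that merely names the project, version 2 fires only on the genuine leak, and widening the window from the 14-day default to 60 days surfaces the older leak that the default window would have missed.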
Implement Detection Logic
Once a new signature or rule is developed and validated, it may be automatically propagated via the FDR GUI into the InQuest Knowledge Base (alongside updated rules from InQuest Labs) for production use.