Complete Artifact Inspection
While the primary ingestion artifact is file data, FDR also associates any available session-level metadata (such as mail and web headers) with captured files. The complete pool of captured artifacts is stored, processed, and analyzed. Artifacts include domains, files, hashes, headers, IPs, SSL certificates and URLs.
Deep File Inspection™
FDR Deep File Inspection (DFI) is a static-analysis engine that rapidly peels apart a file, enabling digital inspection deep beyond Layer 7 of the OSI model, effectively automating the work of a typical SOC analyst or security researcher. Attacker nesting creativity becomes irrelevant. DFI rapidly dissects common carriers to expose embedded logic (macros, scripts, applets), semantic context (spreadsheet cells, presentation words, etc.), and metadata (author, edit time, page count, etc). Common evasive characteristics and encoding mechanisms are automatically discovered and deciphered. The DFI process is so thorough in its analysis, it typically results in 4X the amount of analyzable content relative to original file size. For example, 6MB of data may be derived from a 2MB file, resulting in 8MB of total inspectable content.
Embedded images are discovered and processed through a machine vision layer, which leverages optical character recognition (OCR) and perception hashing. Findings are then added to the DFI semantic context extracted from the original file.
Normalized Detection Engineering
A general frustration voiced by SOC analysts and information security researchers is the limited availability of context for detection analytics. For example, intrusion prevention systems (IPS) are limited to microseconds of time and kilobytes of analyzable data. Intrusion detection systems (IDS) delve deeper - taking additional milliseconds of time to expose further data but often so voluminous as to be difficult to quickly and accurately decipher false positives from false negatives. Next, we have behavioral monitoring and sandboxes. This class of solutions detonate samples in a virtualized environment, annotating the behavior of the system for threat detection. While providing far more context than IPS/IDS solutions, the workload is both compute and time-intensive, taking minutes to analyze each sample. This simply does not scale. FDR DFI overcomes the 'time-vs-analysis' gap by performing deep static analysis in 2-4 seconds and subsequently providing megabytes of contextual content through a variety of sources and methods. DFI's data-depth and data-normalization significantly speeds up signature development for InQuest Labs analysts, customer SOC analysts, and heuristic signature-less based detection solutions.
DFI contains a tailored dictionary list used to attempt the decryption of password-protected files, as well as detect other hidden malware. This additional detection capability augments proprietary threat intelligence with insight into emerging threat campaigns, new TTPs, and evolving malware families. As part of FDR's email security solution, the full context of the email (body, OCR, etc) is analyzed to identify passwords that can be used to peer into the encrypted layers.