IQ Score

InQuest FDR continuously extracts artifacts, processes files through its DFI engine, and provides file-related artifacts to optional third-party / in-cloud services, ultimately producing a single, all-encompassing threat or data-loss score per artifact. Scores are based on both confidence and severity, where severity ranges from 0 to 10, with 10 being the most severe.

Threat score contributors include:

  • File Entropy
  • Joe Sandbox
  • Malware Discovery Engine
  • Threat Discovery Engine
  • OPSWAT Metadefender Core
  • Archive Recursion
  • Blacklist
  • Cloud Reputation
  • Cloud Threat Exchange
  • DFI IOC Reputation
  • Header Content Analysis
  • InQuest Cloud File Whitelist
  • InQuest MultiAV
  • InQuest Pairing Modifier
  • Valid Authenticode
  • Whitelist
  • C2 Domain Destination
  • Cuckoo Sandbox
  • Falcon Sandbox
  • FireEye AX
  • URL Entropy
  • VirusTotal
  • VMRay Analyzer
  • Wildfire Sandbox

FDR IQ Score has distinct value-add properties for SOCs. As an example, one can submit a file to VirusTotal for an instant score based on the number of security vendors and sandboxes that have flagged the file as malicious. It could be that there are no flags. It could be that there are tens of flags, resulting in a high threat score. But should each security vendor and sandbox be treated equally? Do they each have the same track record of success? Of course not. And that is but a single file analysis source. Now imagine that there is a lab of seasoned security analysts who can delve far deeper into third-party tool scores, the power of Deep File Inspection, and their own wisdom, all packaged into an advanced algorithm that produces a far more efficacious score in terms of both severity and confidence.

This is IQ Score. It is the essence of what we call the "analyst in a box":

  • Driven by all available intelligence
    • Discrete, heuristic, and ML score contributors
  • Avoids time-wasting score inflation
  • Escalating gradient from 0 to 10
    • (Far more ones than twos, than threes, etc.)
  • Threat receipts show intel sources at-a-glance
  • Signature pairings for "heating" and "cooling"