Use Cases

Data Acquisition and Delivery

Use Case Description

High-speed, distributed computing environments present significant challenges to perform network-based monitoring to identify file-based threats and data leakage exposures. Establishing complete visibility of all files and associated objects to perform static and dynamic analysis as well as content inspection has become increasingly difficult due to the continuing rise of network throughput.

Our Solution

InQuest has developed multiple native capture and analytical tools to network analysts can leverage to improve visibility into the traffic passing through their network at speeds ranging from megabits to multi-gigabit speeds. These tools and tools provided by third-party vendors are integrated into a platform that allows these tools to be centrally managed and their results aggregated into an accessible reporting format and an automatically generated threat score for the user.

To optimize use of the InQuest system, it is important to understand how data flows through the system and how to best deploy it to meet organizational needs. Here, data flow through the InQuest framework is described through the collection, analysis, and reporting phases.


The collection phase encompasses the original points of entry of different types of data into the InQuest system. Data can be provided by InQuest, uploaded by clients, derived from traffic currently passing through the network, analysis of past network traffic, or exchanged between InQuest users.

Network Monitoring

InQuest provides a Collector appliance designed to natively capture network traffic via a TAP or SPAN. The Collector monitors all traffic passing through the network and reassembles/reconstructs it into aggregated sessions for further analysis. These sessions are passed to the Artifact Extractor, which extracts embedded files, connection information (domains, IPs, ports, URLs, etc.), and metadata (hashes, etc.) from the session. By default, InQuest passes this information to several built-in post-processing functions. From there the files and associated objects are then passed to several analytical InQuest Engines:

  • InQuest Threat Discovery Engine: Uses installed signature packs to identify known threats
  • InQuest URL Analyzer: Analyzes URLs for suspicious features
  • InQuest File Analyzer: Examines file variables and metadata and determines threat score

This information is then passed on to a threat scoring engine, which aggregate the results to generate a threat score for the session.

RetroHunt Historic Threat Discovery Engine

InQuest also supports historical analysis of past traffic (set to two weeks by default). Using RetroHunt’s retrospective analytical capabilities, traffic from the target date is scanned with the current signature set. This allows threats that became public knowledge after the attack to be retrospectively identified and handled.

InQuest Threat Exchange

The InQuest Threat Exchange is an opt-in cloud-based forum for information sharing between network defenders. Analysts can upload or download information on IP addresses, domains, URLs, and file hashes, which can be used in the automatic generation of threat scores.


The analysis phase consists of deriving further information from artifacts already inside the InQuest system. Primarily, this focuses on analysis of files by sandboxes, automated malware analysis engines, and recursive file dissection. File hashes can also be uploaded to cloud-based reputation databases to determine if they represent a known threat.

Sandboxes and Automated Malware Analysis Engines

InQuest provides the ability to integrate several sandboxes and automated malware analysis engines. Possibilities include Cuckoo Sandbox, FireEye, Joe Sandbox, VxStream Sandbox. These tools perform in-depth, dynamic analysis of malware in a controlled environment, extracting characteristics that may be hidden from static analysis of the files. Tools can be configured to be enabled, disabled, or only to run for certain filetypes. Results are automatically fed into the InQuest Threat Score Engine for score calculation and assignment.

Malware Scanning

OPSWAT Metadefender core is a hardware appliance that uses multiple malware engines to scan files. This tool can be integrated into InQuest and have files automatically submitted to it through the data acquisition that the InQuest Collector provides. The results of these malware engines is then passed to the InQuest Threat Score Engine for score calculation and assignment.

InQuest MultiAV and VirusTotal

InQuest MultiAV and VirusTotal allow users to submit the hash of a suspicious file and receive information on the file’s reputation and other metadata. The InQuest Threat Score Engine allows users to automatically pull data from one or the two and incorporate it into the generated threat scores.

Recursive File Dissection

InQuest has developed a file dissection engine designed to remove wrappings and obfuscations designed to conceal malware and useful intelligence information (IP addresses, domains, etc.). File dissection occurs recursively, with each level of extracted content passed through the analysis engines mentioned in previous sections to determine if they are a threat. If an embedded component is identified as a potential threat, the parent file is labeled as a threat as well.


Rather than force an analyst to review the results of several systems to derive a complete picture about a suspicious artifact, InQuest automatically runs the appropriate analysis tools (based on user configurations) and calculates a threat score for each network session and file passing through the network perimeter.

The InQuest User Interface provides a user-friendly method of accessing the reports generated for any session or file. The results of each analysis tool are collected on a single page along with the aggregate threat score. Users can also perform database queries to explore relationships or drill more deeply into an identified threat.

N-Day Attack Coverage

Use Case Description

N-Day threats are the most commonly used attacks targeting both the private and public sectors. The first step in defending a system against a known attack is defining the threat. Once malicious traffic can be reliably identified, it can be detected and/or prevented.

Our Solution

InQuest provides two methods for adding threat signatures to the database: automated and user-defined.

Malware Signature Development

The first step in defending a system against an attack is defining the threat. Once malicious traffic can be reliably identified, it can be located and removed on the system. InQuest provides two methods for adding threat signatures to the database: automated and user-defined.

Inquest Automated Updates

One service that InQuest provides to its users is an automated feed of code, signature, and intelligence content through InQuest Automatic Cloud Updates. InQuest’s intelligence originates from internal experience derived from daily real-world attack prevention, private partnerships with Exodus Intelligence and other research organizations, and public intelligence collected and aggregated using web crawlers from public sources into a single database. Based upon this intelligence, InQuest develops signatures of emerging threats and provides them via Automated Updates to protect their clients’ networks.

InQuest signature packs are also available to their clients for manual upload. This provides clients within restricted environments the ability to perform necessary security checks prior to importing them into their systems.

User-Defined Signatures

InQuest provides their clients’ internal security teams with the ability to define signatures for threats targeting their organizations. Through the User Interface, an administrator can add, enable, and disable policies to tune the InQuest system to the needs of their environment.

Inquest MultiAV, Threat Exchange, and VirusTotal Integrations

InQuest provides multiple methods by which an analyst can gather information regarding suspicious traffic passing through their computing environments. InQuest MultiAV is a cloud-based hash analysis engine. By providing the hash of a suspected file, analysts can determine whether or not the file in question is known to be malicious. InQuest also offers integrations with VirusTotal’s cloud-based API, which allows antivirus reports to be retrieved based on the hash of a file.

InQuest Threat Exchange allows analysts to communicate with the InQuest cloud-based threat score database to request and provide information regarding suspicious IP addresses, domains, URLs, and file hashes. During a distributed attack, this allows analysis at various InQuest client sites to pool their information and respond more rapidly to the threat.

Reviewing Past Events in RetroHunt

InQuest provides the ability to retrospectively analyze past network traffic and files using the RetroHunt functionality. When dealing with an attack using a new signature, it’s important to scan past traffic to determine if the network has been previously attacked and potentially infected. Using RetroHunt, hidden threats within the network can be identified and mitigated.

Threat Actor Infrastructure Detection

Use Case Description

Threat actors often use a variety of command-and-control servers to evade detection and improve resiliency of their attack campaigns. Attacks with a single point of failure (like WannaCry’s kill switch) run the risk of having this point identified and disabled, bringing the lifespan of an attack campaign to an abrupt end. Use of a single set of command-and-control nodes also runs the risk of an accidental denial of service (DOS) of these servers by a highly successful attack campaign. For these reasons, threat actors often use multiple command-and-control servers to distribute and communicate with their malware.

Identification of the infrastructure used by a threat actor in an attack is valuable to a network defender for many reasons. If all of the communication channels used by malware are identified and blocked, the threat posed by the malware is essentially eliminated. Identification and correlation of command-and-control servers used by multiple attack campaigns suggests a link between them, which may aid in analysis and accelerate deployment of appropriate defensive countermeasures.

Our Solution

InQuest has developed and integrated many in-house and third-party solutions for the discovery, detection and prevention of threat actor infrastructure. Several of these tools are useful in the identification and correlation of components of threat actor infrastructure used in various attack campaigns. Through the extensive research methodologies of InQuest Labs, they have been able to identify and mitigate malware campaigns designed to leverage threat actor infrastructure stood up specifically for the targeting of their clients.

Real-Time Network Traffic Monitoring

InQuest provides real-time monitoring of network traffic passing through the protected network perimeter through the use of a Collector passively collecting traffic via a TAP or SPAN. Sessions are reconstructed and analyzed using several proprietary InQuest native capture tools.

Automated Signature Scanning

InQuest provides their clients with the capability to import InQuest Labs provided signatures either manually or automatically. Users are also able to define and upload their own signatures and enable or disable them via Policy definition to meet their needs. The InQuest Threat Discovery Engine (TDE) uses these signatures to identify malware entering the network, providing a starting point for mapping a threat actor’s attack infrastructure.

DNS monitoring for known bad domains

Included in InQuest’s feed packs is a list of currently known malicious domains scraped from a variety of internal, private, and public sources. Each DNS request made from within a protected network is checked against this list and an alert is raised in the event of a match. Identification of an infected machine allows analysts to identify the malware and infection vector of the machine and analyze this data for further clues about the threat actor’s operations (IP addresses, domains, etc.).

InQuest Artifact Extractor

InQuest Collectors include a built-in network traffic artifact extraction engine which extracts metadata from network sessions passing through the network perimeter. This metadata includes IP addresses, URLs, domains, files, and file hashes and can be invaluable in identifying and associating various malicious content and different aspects of the same attack campaign.

Recursive File Dissection

InQuest has developed a recursive file dissection engine designed to unwrap the layers of obfuscation employed by hackers to mask and protect their malicious code. Hackers do not wish for their malicious content to be commonly known (since they would be promptly added to blacklists), so they often hide this information within files and/or objects in a variety of ways, forcing analysts to spend valuable time verifying that they have identified all of the infrastructure that the malware may contact. InQuest’s file dissection engine automatically unravels the protections placed around this information, accelerating the pace at which the threat actor’s infrastructure is identified and mitigated.

Sandboxes and Automated Malware Analysis Engines

InQuest provides seamless integration of multiple third-party sandboxes and automated malware analysis engines, including Cuckoo Sandbox, Joe Sandbox, VxStream Sandbox, and FireEye. These tools are valuable for extracting hidden information from malware. They allow the malware to execute in a protected environment and identify files, domains and IPs that the malware attempts to contact. This intelligence can be correlated with information gained from other sources to provide greater visibility into a threat actor’s infrastructure.

InQuest Automatic Updates

InQuest collects threat intelligence from a variety of sources. Internally, experience from dealing with real-world attacks on a daily basis provides knowledge regarding current attack trends. Private information is shared through a network of partnerships with Exodus Intelligence and other research organizations. Public information is collected and aggregated through crawlers that search public intelligence repositories. This information is available to InQuest clients via InQuest Automatic Updates. These code, signature, and intelligence updates from the InQuest cloud are available for manual download as well.

InQuest Threat Exchange

The InQuest Threat Exchange is a cloud-based forum for collaboration between InQuest clients across the globe. This cloud-based threat score database stores information regarding suspicious IP addresses, domains, files, and hashes and enables defenders to collaborate to quickly build a map of the infrastructure supporting a given attack.

InQuest User Interface

InQuest is designed to simplify the network defender’s experience. The InQuest User Interface (UI) provides a high degree of control to the user and powerful search and data correlation capabilities. Behind the scenes, every network session passing the network boundary is analyzed and labeled with a threat score. Once an indicator of an attack campaign is identified (a file, URL, domain name, etc.), the UI can be used to identify related information and trigger and access the results of integrated tools. Signatures based on extracted information can be easily defined and scanned against within the UI. The UI also allows scanning in RetroHunt mode to detect attacks performed before signatures had been developed.

Zero-Day Attack Coverage

Use Case Description

Intrusion detection and prevention systems largely identify threats to a network by matching against signatures of known attacks, which is largely ineffective against zero-day attacks. InQuest leverages partnerships, in-house capabilities, and third-party tools to build a comprehensive picture of potential threats passing through a protected network boundary. Using this information, a threat score is automatically applied to all network session and probable threats are highlighted to analysts, allowing rapid detection, triage, and remediation of network threats.

This Use Case describes the threat detection and alerting functionality provided by InQuest and how it can be applied to the detection of zero-day threats entering a protected network.

Our Solution

InQuest draws from a variety of intelligence sources, shares this intel with the users through manual or automatic updates, and provides a plethora of information via the InQuest User Interface for discovery and analysis of zero-day threats.

InQuest Intelligence Sources

InQuest collects intelligence from a variety of internal, private, and public sources. Internally, InQuest uses hands-on experience gained from dealing with daily, real-world attacks to identify, triage, and develop signature for malware. InQuest partners closely with Exodus Intelligence and collaborates with other research organizations. Using web crawlers and aggregation tools, InQuest collects data from a variety of public sources into a single database. These data feeds are integrated to provide InQuest with a comprehensive view of potentially new or unknown threats targeting their clients.

InQuest Automated Updates

InQuest offers an optional, automated update service, providing code, signature, and intelligence updates. By enabling this service, InQuest systems can be kept up-to-date on the current threats that they may face and provide protection against attacks evolving in real time.

Automated Threat Scoring and Alerting

InQuest provides a variety of built-in and integrated solutions for assigning threat levels to network traffic passing through the perimeter of a protected network. Here, details of tools helpful in the detection of zero-day attacks and methods for accessing the results of these tools will be displayed.

Known Malicious DNS Domain Monitoring

It is not uncommon for malware authors to use the same command-and-control or download servers for a variety of malware campaigns. InQuest provides an automated monitoring service for any resolution attempt of known malicious domains. If a new malware variant uses known command-and-control or download servers, an alert will be generated for the malicious traffic, allowing a network administrator to shut down even zero-day attack traffic.

InQuest URL Analyzer

InQuest provides an integrated URL analysis engine. Based upon the structure of observed URLs, the URL Analyzer determines the probability that traffic is malicious. Even if a zero-day attack uses unknown command-and-control or download servers, if the URL shares common properties with other malicious sites, an alert will be raised to draw attention to the suspicious traffic.

InQuest File Analyzer

Malware authors commonly embed malicious code within a benign file in order to increase the probability that it will be able to enter the network perimeter and entice users to execute the malicious functionality. It is not uncommon for a zero-day attack to include some previously-known malicious code (for example, a new exploit that installs a common malware backdoor or downloader). InQuest’s file dissection engine recursively unwraps the levels of obfuscation around malicious code and tests each level using best-in-breed, third-party analysis tools, maximizing the probability that even a zero-day attack will be detected when entering the protected network.

SIEM Integration

InQuest offers seamless integration with several third-party tools to provide robust antivirus, sandboxing, reputation checking, and automated malware analysis capabilities. While not enabled by default, the following tools can be painlessly configured to improve detection of even zero-day attacks:

  • InQuest Automatic Updates: Enables InQuest cloud connectivity for automatically retrieving and applying code, signature, and intelligence (C2) updates.
  • Cuckoo Sandbox: Sandbox that performs dynamic malware analysis.
  • VxStream Sandbox: Automated malware analysis system.
  • FireEye: Hardware appliance that performs dynamic analysis of files.
  • InQuest Eyelet Reputation: Cloud-based reputation database
  • InQuest MultiAV: Provides cloud-based hash analysis.
  • InQuest Threat Exchange: Enables communication with the InQuest Cloud-based threat exchange which provides shared threat information on IPs, domains, URLs, and file hashes.
  • Joe Sandbox: Sandbox for deep malware analysis
  • OPSWAT Metadefender Core: Hardware appliance that leverages multiple AV engines to scan files.
  • VirusTotal: Online service used to look up AV reports for known-bad hashes.
InQuest User Interface

Based upon the information gathered by InQuest’s built-in and integration threat analysis capabilities, the system automatically generates a threat score for each session and file entering or leaving the network. These threat scores are displayed via the InQuest User Interface (UI), which highlights probable threats against the protected network. The UI also supports a wide range of queries against collected data, allowing an analyst to explore relationships and extract details regarding threats against their network.

Sandbox Integration for Dynamic File Analysis

Use Case Description

Information about the capabilities and communication paths used by a malware sample is invaluable for removing an infection and developing usable indicators of compromise for network detection. Malware authors commonly attempt to conceal this information, making static analysis of a sample to extract indicators extremely time consuming and resource intensive.

Through execution of malware on a target system, these indicators can be easily collected through observation of the effects of the malware on the system and host network. Multiple vendors have developed sandbox systems to allow dynamic analysis of files and objects in a contained environment.

Our Solution

To provide InQuest users with the best possible information about suspicious samples, InQuest has provided built-in integrations for several of the best and most popular sandbox solutions, including Cuckoo, FireEye, Joe, and VxStream sandboxes.

Cuckoo Sandbox

Cuckoo Sandbox is an open-source dynamic malware analysis engine. It performs API call tracing and can be used in conjunction with Volatility for analysis of the memory space of malicious processes. It includes support for Windows, Linux, Mac, and Android.

InQuest interfaces with Cuckoo Sandbox via the Cuckoo Sandbox API. Once an instance of Cuckoo Sandbox is set up and running, the administrator can set the hostname or IP and port of the Cuckoo Sandbox API and whether or not to use global proxy settings. Administrators can also configure InQuest so that files are submitted automatically to Cuckoo Sandbox and if an alert should be generated from Cuckoo those results are returned to InQuest for Threat Score consumption.


FireEye provides a hardware appliance that acts as a sandbox for dynamic analysis of suspicious files. The FireEye sandbox monitors from system level changes to file systems, memory, and registries by the operating system or installed applications. Using the FireEye Multi-Vector Virtual Execution (MVX) engine, FireEye executes code through the entire attack chain to provide a more comprehensive view of its capabilities. Network traffic generated by the sample is captured to allow analysis of URLs and embedded code. The FireEye appliance supports Windows and Mac.

Integration of a FireEye appliance requires an administrator to specify the API URL and proxy settings and uses a username/password authentication scheme. Users can specify the operating system to be emulated (defaults to Windows XP SP 3), whether files should be submitted automatically to the appliance for analysis, and whether an alert should be generated when a report is received from the appliance.

Joe Sandbox

Joe Sandbox is a malware analysis tool that provides capabilities for static, dynamic, hybrid, and graph analysis of suspicious files. It employs instrumentation, hooking, hardware virtualization, and emulation and supports Windows, Mac, iOS, and Android.

Integration of Joe Sandbox requires a Joe Sandbox API key and appropriate proxy settings. Administrators can also specify whether files should be submitted automatically and whether an alert should be generated when a report is received.

VxStream Sandbox

The VxStream Sandbox is an automated malware analysis system developed by Payload Security (which was acquired by Crowdstrike). It analyzes runtime behavior and the memory space of malicious processes. VxStream Sandbox also extracts strings and API calls from analyzed malware. Support for defeating common anti-VM techniques and kernel-mode monitoring (to conceal itself from user-mode malware) is also included.

VxStream Sandbox communicates over the tool’s API and requires setting the host URL and proxy settings, but it also requires an authentication key and authentication secret for the API. The environment variables for running samples in VxStream can also be configured. VxStream can also be set to run automatically for each file and to generate an alert when results are received.

Identify Malware Through Automated Dissection and Inspection

Use Case Description

A significant challenge for malware authors is how to actually deliver their malware through perimeter network defenses and entice a user to execute it on their system. Many network-based intrusion detection and/or prevention systems are signature-based and will alert and/or block known malware from successfully entering a network. In addition to the perimeter defenses, the continuing rise of security awareness through user training has made it increasingly challenging to entice a user to open a file that has been sent to them from an untrusted source. In order to overcome these challenges, malware authors use a variety of tactics and techniques such as compression, encoding, and obfuscation to evade detection.

Our Solution

InQuest’s platform represents a next generation solution for detecting and stopping malware. Our components are designed to peel back the layers used by threat actors to disguise their activity and to reveal the malware hidden within. InQuest’s threat detection solution locates these frequently disguised malicious applications and unmasks them through automated post-processing. By thoroughly dissecting and inspecting session data and file content the solution provides you with a robust resource for identifying and thwarting sophisticated attackers.

InQuest scrutinizes files downloaded over the web or received via email to detect malicious code in-transit. We apply innovative post-processing techniques to live monitored network traffic which enables us to provide insights from even the most cleverly masked malware. Additionally, integrations are available for a number of antivirus and sandbox technologies that serve as complementary functions to InQuest’s analytics. Here, each stage of the process will be explained along with information about how you can set up InQuest to protect your network against these types of evolving threats.

Data Collection

The InQuest Collector is designed to identify and display network sessions and associated files and objects that are entering and leaving your network regardless of whether or not they are malicious. By allowing a Collector to natively capture your network traffic via a network TAP or SPAN, all files entering and leaving your network are reconstructed from the network streams and retained for further inspection. Network traffic saved as a pcap as well as raw files can also be fed to the Collector or Manager for offline traffic analysis and content inspection.

File & Object Dissection

InQuest has developed a post-processing layer that parses common file types and identifies locations where other files or code can be embedded within the file that was originally captured. For example, Microsoft Office documents can include VBScript encoding macro functionality. Additionally, support is available for decompressing common archive file formats (zip, gzip, etc.), decompiling byte code, reversing common encodings and stripping other methods of obfuscation.

InQuest identifies embedded content within a file and recursively dissects files to find hidden content that could potentially be malicious. Each piece of extracted content is passed back through InQuest’s Threat Discovery Engine (TDE) in order to identify embedded malware.


Rather than attempting to reinvent the wheel, InQuest is designed to integrate best-of-breed in-house and third-party solutions for sandboxing, antivirus, and feature-based file reputation lookups. These types of integrations consist of the following:

  • InQuest Automatic Updates: Enables InQuest cloud connectivity for automatically retrieving and applying code, signature, and intelligence (feed) updates.
  • Cuckoo Sandbox: Sandbox that performs dynamic malware analysis.
  • VxStream Sandbox: Automated malware analysis system.
  • FireEye: Hardware appliance that performs dynamic analysis of files.
  • InQuest Eyelet Reputation: Cloud-based reputation database
  • InQuest MultiAV: Provides cloud-based hash analysis.
  • InQuest Threat Exchange: Enables communication with the InQuest Cloud-based threat exchange which provides shared threat information on IPs, domains, URLs, and files.
  • Joe Sandbox: Sandbox for deep malware analysis
  • OPSWAT Metadefender Core: Hardware appliance that leverages multiple AV engines to scan files.
  • VirusTotal: Online service used to look up AV reports for known-bad hashes.

InQuest is designed to make the integration of these products painless for the administrator to configure and the operator to monitor. Operators can specify which products should be used and which filetypes should be analyzed by each of the respective static and dynamic analysis systems.


Using the output of the analysis stage, the InQuest User Interface (UI) calculates and displays a threat score as well as the events that were generated for each network session and its associated files. Analysis results and metadata regarding the session as well as the file are also provided to give an intrusion analysis or incident responder a complete picture of the incident.

Support for the Consumption of Numerous Data, File and Protocol Formats

Use Case Description

Malware can be embedded in a variety of different files and formats. In many cases, commercial-off-the-shelf (COTS) security products are incapable of scanning and supporting all relevant file and protocol formats when inspecting data in-transit leaving you blind to the potential threats.

Our Solution

InQuest systems support a wide array of file formats and have special processing routines designed to extract the data that can be concealed within each one. Here, the intended and malicious functionality of different types of files are highlighted and a sample of the relevant file types that InQuest supports are listed.

Compressed Files

File compression is intended to allow files to be stored or transmitted in a format that requires less memory than their standard structure. This functionality is often leveraged by hackers to conceal malicious functionality as a signature of an uncompressed file will not match the compressed version of the file. InQuest natively supports decompression of a variety of common compressed file types including the following:

  • 7z
  • AR
  • ARC
  • ARJ
  • BZIP2
  • CAB
  • CPIO
  • DEB
  • FLAC
  • GZIP
  • ISO
  • LZMA
  • RAR
  • RPM
  • TAR
  • XZ
  • ZIP
Document Files

Document files include Microsoft Office file formats, Portable Document Format (PDF) files and similar. These files can contain embedded malicious code that the visible contents of the document encourage the user to execute. For example. Microsoft Office documents support the use of macros which, if executed, have the ability to install malware on the user’s machine. PDF readers have historically contained vulnerabilities that allow malicious code to execute if the document is even opened. InQuest supports a variety of common document formats and identify and extract embedded content for further analysis. Supported file types include, but are not limited to, the following:

  • DOC
  • DOCM
  • DOCX
  • PDF
  • PPS
  • PPSM
  • PPT
  • PPTM
  • PPTX
  • XLS
  • XLSM
  • XLSX
Executable Files

The Portable Executable (PE) format is a data structure specifically built to support Windows operating environments to load and manage the executable code. An unexpected executable entering the network perimeter is always a cause for suspicion since they are designed to be lightweight and trivial to execute. Executable file types vary based upon the base operating system. A sample of the ones supported by InQuest include the following:

  • EXE
  • DLL
Flash Files

Flash files provide animation and video capabilities to applications, web pages, etc. Since code is needed to execute the video, it is possible to create a malicious Flash file consisting of the actual video and some code that runs in the background. InQuest systems search for embedded code in Flash files and support the following formats:

  • FLA
  • FLV
  • SWF
Script Files

Script files are files containing code intended to be executed within a certain environment. On the web, PHP and JavaScript are commonly used scripting languages. Microsoft Office documents support Visual Basic for Applications (VBA) scripting to allow the automation of repetitive tasks. Execution of untrusted script files is dangerous as they have the ability to install malware on the affected computer. InQuest natively supports many scripting filetypes including the following:

  • JS
  • PHP
  • PL
  • VBA

SIEM Integration

Use Case Description

Security software that doesn’t effectively communicate or integrate with other solutions in your environment can leave significant gaps in your overall coverage. When security incidents or events occur, this information needs to be rapidly communicated to your SOC staff so they can take action. As a result, robust SIEM integration is an essential component of all Security Operations.

Our Solution

InQuest’s software offers a number of strategic integrations to provide a comprehensive security solution. We are not shy about leveraging the ability of other vendors to improve the coverage our solution offers. InQuest currently has integrations with OPSWAT, VirusTotal, FireEye, Joe, Cuckoo, VMRay, ArcSight, Splunk, and more. Users have the ability to interface with all of InQuest’s data and backend functionality through numerous SIEM integrations.

We have a deep familiarity with integration points and that enables us to maximize the value of our SIEM integrations through either a push or pull data ingest. InQuest uses its analysis engine in combination with active integrations to provide a single, intelligently weighed, easily digestible threat score which is easily made available to all third-party SIEM solutions.

Identify Command-and-Control Communications

Use Case Description

Malicious software often seeks to gain control of your systems and establish command-and-control communications to initiate processes such as exfiltrating valuable data. If a zero-day exploit has been used, there is typically no signature that can be utilized to identify the exploit and stop it before it compromises your systems. Detecting anomalous command-and-control communications is key to dealing with attacks of this type to provide your SOC staff with the information they need to quickly deal with the compromise.

Our Solution

InQuest’s platform constantly monitors command and control (C2) communications (DNS and IP) for signs of anomalous activity. Keeping abreast of the latest C2 nodes through threat intelligence is key for detecting this activity. Our C2 detection engine alerts you if any of those nodes are seen touching your network, so we not only focus on what is being said but also who is saying it. The InQuest Labs Team publishes daily updates of known C2 IP addresses and domains globally which are then flagged in our UI for further investigation.

Identifying anomalies in C2 communication quickly enables your SOC staff to rapidly respond to prevent exfiltration of sensitive information such as company proprietary information, account credentials, PII, etc.

Malware Hunting & Retrohunting

Use Case Description

Identification of malware present within a network is the first step to containing and eradicating an infection. If malware can be identified at the perimeter, it can be blocked from entering the network at all, ultimately eliminating the threat of an infection. However, if malware manages to enter and execute on a network, the infection can spread as well as take action to conceal itself and increase the difficulty of removal.

Our Solution

The InQuest platform provides powerful functionality to network defenders hunting for the presence of malware on their networks. In this section, we describe the features relating to the identification of malware, extraction of unique characteristics, and performing real-time and historical searches for artifacts matching these or similar characteristics to identify malware on the network.


InQuest is capable providing network protection at various strategic positions within your network. This can be achieved either in real-time through the deployment of a Collector off of a network TAP or SPAN to perform native network traffic capture or after the fact using file and/or packet capture upload capabilities manually through our UI or programmatically through our APIs. This network traffic is reassembled and reconstructed by InQuest into artifacts (Session information, Files, Objects, etc.) which are then analyzed to detect indications of malware.

InQuest Automatic Updates

InQuest provides the option to customers to subscribe to automatic updates from InQuest Labs. These updates include code updates, intelligence information, and signature packages for detecting recent threats. Updates are also available for manual upload to InQuest systems. InQuest labs collects data from internal research and experience, private partnerships, and crawling of public repositories and collates it to provide customers with a comprehensive view of the current threat landscape.

Enabling automatic updates maximizes the probability that InQuest will alert on malware entering a protected network, allowing defenders to react rapidly to a potential infection. If an infection is detected or suspected on a host, upload of a packet capture of the host’s traffic to the InQuest system enables scanning the traffic for indicators of known malware variants. This provides a jumping-off point for a malware hunting operation.

InQuest Blacklisting

In addition to the static analysis that InQuest performs, InQuest also provides the ability to blacklist file hashes. Checks against this blacklist are automatically performed on InQuest systems for all files captured and this aids in the detection of malware variants that have been previously identified but may otherwise go undetected.

InQuest URL Analyzer

Certain characteristics of a URL may indicate that a given domain is a command-and-control node or a drive-by download server. InQuest systems perform URL analysis and generate alerts when internal computers request URLs that appear suspicious or potentially malicious. Reviewing these alerts allows an analyst to identify computers that warrant a more in-depth analysis.

Artifact Characteristic Extraction

Once potential malware is identified on the network, any information that can be extracted from the sample can be valuable in determining the scope of the infection on the network. Properly classifying the malware can confirm that it is malicious and provide insight in regards to its potential capabilities. In-depth analysis can provide indicators to aid in identification of malicious traffic, related malware, and artifacts left on the infected system.

InQuest provides several tools and available integrations to aid in extracting actionable data from collected malware samples. Available tools are a mix of InQuest-developed programs and third-party vendor software. The applications of these tools to malware hunting is described in this section.

Recursive File Dissection

InQuest has developed a proprietary file dissection utility. Malware authors commonly compress, encode, obfuscate, and embed their malicious code and data within other files in order to avoid scrutiny and detection by network defenders and antivirus engines. InQuest’s tool performs recursive file dissection, extracting each piece of hidden content and submitting it to other post-processing utilities and back to itself to provide a comprehensive view of the content within a suspect file.

The information most valuable to malware hunters (dropped files, executable names, command-and-control nodes and IP addresses, etc.) is exactly what malware authors work the hardest to conceal. InQuest’s file dissection utility automatically locates and extracts this hidden information, making it readily available to analysts.

External Integrations

The InQuest Platform enables a user to leverage the capabilities of a variety of InQuest-developed and third-party vendor tools for analysis of files and objects captured on the network. Several sandboxes, automated malware analysis engines, antivirus engines, and file analysis engines can be painlessly integrated with InQuest to provide best-in-breed capabilities in all aspects of file analysis.

Sandboxes and Dynamic File Analysis Tools

InQuest systems provide seamless integration with a variety of third-party vendor solutions for automated dynamic analysis and characteristic extraction of files. Available tools include Cuckoo Sandbox, FireEye, Joe Sandbox, and VxStream Sandbox. Integration with these tools provides a malware hunter with a wealth of information regarding the behavioral characteristics of a suspected malware sample.

InQuest Threat Exchange

The InQuest Threat Exchange is a cloud-based database for InQuest clients to exchange information on suspicious IP addresses, domains, URLs, and file hashes. With this component enabled on the local InQuest deployment, automated checks are performed against the Threat Exchange database to determine if network and/or file artifacts have been previously identified as suspicious and/or malicious.

OPSWAT Metadefender Core

OPSWAT Metadefender Core is a hardware appliance that automatically scans a suspicious file using over thirty different antivirus engines. This scanning allows a malware hunter to proceed with confidence that a given sample is or is not a known threat and provides classification information regarding the malware family and its associated capabilities.

InQuest MultiAV

InQuest MultiAV is a cloud-based hash analysis engine. With this component enabled on the local InQuest deployment, automatic hash checks are performed against the cloud-based database providing users with information regarding the probable maliciousness of the file.


VirusTotal is an online repository of data regarding suspicious files, URLs, and IP addresses. By searching for a certain hash, users can access results from many antivirus engines, behavioral information from dynamic analysis of the malware, and other users’ comments and notes on the malware. VirusTotal is integrated with InQuest to provide users with the ability to programmatically access VirusTotal’s data through their API.

User-Defined Signature Development

Beyond the InQuest-developed signatures provided via InQuest Automated Updates, InQuest empowers their users with the ability to define their own signatures in YARA format. Signatures can be directly entered or added in batches via a file upload option within the UI. Users also have the ability to set the confidence and severity of a signature (or batch uploaded via file upload) and to enable or disable certain signatures for scanning. Once the signature or signatures are defined, the users will have the ability to perform a RetroHunt using the newly defined signature against a configurable timeframe of historical data.

InQuest User Interface

The InQuest system provides a robust and user-friendly User Interface (UI) to aid analysts in network monitoring and threat hunting. Each network session and file captured by InQuest is automatically assigned a threat score based upon the output of the enabled post-processing tools and integrations. These threat score and tool outputs are available to the user via an intuitive interface. Malware hunters can also perform queries on the database to explore relationships between different sessions or files or to drill down into a suspicious incident.

RetroHunt Retrospective Analysis

InQuest also provides analysts with the ability to perform threat discovery on past network traffic via the RetroHunt Historic Threat Discovery Engine (TDE). By default, the RetroHunt TDE automatically performs RetroHunts or retrospective analysis across the past 14 days (configurable) of captured data (files, sessions, etc.). All of the enabled post-processing operations are applied to the historic traffic in RetroHunt mode using the most recent signature sets. This allows previously undiscovered/unidentified malware in-transit to be identified and analyzed.

Import YARA Signatures

Use Case Description

YARA is a tool developed to assist in the identification and classification of malware. It performs pattern matching against file content using a wide range of strings and/or regular expressions with varying conditions.

Our Solution

The InQuest platform allows for the manual or automated import of YARA signatures either programmatically or directly through the InQuest User Interface (UI) via manual input or csv import.

Multi-Scanning Engine Integration for Malware Detection

Use Case Description

Traditional AV solutions may not be able to detect all of the ever-increasing variants of malware in action at any one time. Additionally, different security software products may specialize in various types of malware identification. To mount a comprehensive defense, an approach that allows for multi-scanning across various engines is essential.

Our Solution

InQuest uses innovative post-processing techniques to monitor live network traffic, enabling our platform to provide insights into even the most creative combinations of obfuscation. InQuest combines its scrutiny of raw network data with proprietary security checks, giving you the ability to integrate it with your existing security infrastructure. Integrations are currently available for a variety of antivirus and sandbox technologies that work in a complementary capacity with InQuest’s platform. This enables multi-engine scanning of all files in-transit on your network for potential security issues.

Most modern anti-malware solutions have limitations when it comes to the detection, inspection, and mitigation of embedded file content. This results from the tendency of malware to be nested in multiple layers of an application, making its detection extremely difficult. InQuest’s platform enables users to create and apply custom static analysis signatures leveraging the same performance and deep analytics benefits as the rest of the platform. This allows for multi-engine scanning using the latest information about emerging malware threats.

In addition to the onboard, multi-scanning that InQuest provides from numerous Threat Discovery Engines, we also have an external integration with OPSWAT’s Advanced Threat Prevention Platform. OPSWAT pioneered the concept of combining the scanning results of multiple antiviruses to produce a more accurate determination of the probability that a given file is malicious. The OPSWAT Metadefender Platform is a hardware appliance that scans a file using over thirty major antivirus engines to maximize the probability that known malware is correctly identified. Integrated antiviruses include AVG, AhnLab, Avira, Bitdefender, ESET, IKARUS, K7, nProtect, and Zillya!.

InQuest systems allow a Metadefender appliance to be seamlessly integrated into the Threat Detection Engine, allowing users to confidently determine if a file entering the network is malicious. Integration requires an administrator providing an API key, IP address, port number, a syslog IP address and port, the API URL, and a timezone offset.

Multitenancy Support

Use Case Description

Multitenancy or Multiple Tenant Support is when a system is capable of supporting the independent management of multiple disparate entities, groups or organizations within a shared computing environment. Common examples of Multitenant environments would be that of larger enterprises with numerous business units such as Managed Security Service Providers (MSSPs), Government Organizations, etc.

Our Solution

InQuest provides support for multiple organizations to share the resources of a single InQuest deployment. InQuest devices can be configured so that their customers’ data, policies, permissions, and users can be logically separated and managed using shared resources. This allows organizations to pool their resources to achieve protection beyond the capabilities of their individual resources while maintaining complete control over their data and users as well as how their policy is enforced against their Areas of Responsibility.

Data Loss Prevention (DLP)

Use Case Description

With the recent explosion of data breach reports, data loss prevention (DLP) has become an area of focus for many organizations. If an attacker gains access to a protected network and begins exfiltrating sensitive information, the longer the breach goes undetected, the greater the damage to the organization. To evade detection of data leaks, hackers commonly obfuscate and embed stolen data within benign files and network flows. It is essential that data exfiltration be detected as soon as possible to minimize financial, reputational, and intellectual property damage and exposure.

Our Solution

The InQuest platform provides functionality that empowers analysts with the ability to easily and efficiently identify data exfiltration across their network boundaries. The InQuest solution to Data Leakage consists of four main steps: Observe, Dissect, Identify, and Alert.


The InQuest Collector can be deployed off a TAP or SPAN to collect all traffic passing through the network boundary of a protected network. As traffic passes through the network boundary, the Collector captures it and reassembles network sessions from the captured packets. Once reconstructed, these sessions are passed on to InQuest’s post-processing modules for dissection and analysis.


InQuest has developed proprietary dissection technology capable of processing the most common file types. This technology automatically identifies where data can be hidden within these file types. The file dissection utility natively supports a variety of compression, encoding, and obfuscation techniques and automatically extracts embedded and obfuscated data hidden in files for further analysis. File dissection and post-processing are run recursively so that each extracted piece of hidden content is analyzed. This provides protection against attackers using multiple levels of obfuscation to conceal data and guarantees that all concealed content is exposed for analysis.


Once dissection is complete, each piece of revealed data is tested against the full signature library of the InQuest system. In addition to the Data Leakage signatures provided by InQuest Labs, customers also have the ability to define and deploy custom signatures based on their specific needs for detecting sensitive data in-transit. This enables analysts to quickly identify and pinpoint the location of an attempted data exfiltration crossing their network boundaries.

User-defined signatures can be defined based on proprietary, sensitive, etc information known only to the internal organization. Simple signatures may alert on the detection of common markings for documents containing sensitive information (“SECRET”, “PROPRIETARY”, etc.). Other potential signatures may include account credentials, Social Security Numbers or other types of Personally Identifiable Information (PII). The possibilities are endless and can be tailored to meet the needs of a particular organization.


InQuest provides an intuitive and powerful user interface to enable analysts to quickly access data passing through their network. Automated alerting functionality will notify an analyst if any of the currently defined Data Leakage signatures have triggered, what their associated data exposure levels are and provide immediate access to the associated network sessions, files, and post-processing tool results.

The Inquest User Interface also provides powerful search and query functionality against all of the data observed passing through the network boundary as well as the results of analysis engines. This can be used in the development and testing of new signatures to explore relationships among data and alerts and to determine the possible impact of a detected breach.

Machine Learning Assisted Threat Detection

Use Case Description

Sometimes, no matter how broad of a net is cast with heuristics, signatures just aren’t enough to capture all malware. Machine learning provides an adaptive solution to these elusive corner cases. By learning from their mistakes, ML classifiers are able to tightly fill the cracks in a system’s armor.

Our Solution

InQuest’s proprietary machine learning software is built out of four well-vetted classifiers, and uses previously collected data on malicious and benign content to automatically discover patterns that might be left uncovered by signatures. On a weekly basis, models constructed from our ML algorithms are updated with the latest information from previously processed network traffic.

ICAP Integration

Use Case Description

Web traffic makes up the vast majority of network traffic entering and leaving a corporate network. ICAP (the Internet Content Adaptation Protocol) provides a mechanism for web proxies to present web traffic for inspection and modification. A corporate environment could combine its existing proxy infrastructure with an ICAP provider to detect outbound data leakage, inbound threats, command and control traffic for existing malicious software, and policy enforcement.

Our Solution

The InQuest platform includes a comprehensive ICAP solution that provides data leakage prevention, threat blocking, and command and control detection.

Data Leakage Prevention

The InQuest ICAP server inspects all outbound web traffic. If data leakage is detected, the request is blocked and the session logged. This provides network administrators real-time notification and in-depth analysis of potential data leaks.

By using InQuest's custom signature capability, users can tailor data loss prevention to their own critical data while simultaneously taking advantage of InQuest's best-of-breed generic data leakage detection.

Threat Blocking

Visits to malicious websites, or attempts to download malicious documents and software, can be detected and blocked in real time by the InQuest ICAP server working in concert with a corporate proxy. InQuest's comprehensive threat-detection rules, machine learning-based threat detection, and cloud intelligence are brought to bear on each visited web page, document, and download. Security analysts are notified in real-time of threats, and those threats can be immediately blocked.

Command and Control Detection

Once a system becomes infected with malware, the malicious software will often attempt to "phone home" by contacting a command and control systems. These communication attempts may be to receive instructions on how to attack other systems or to exfiltrate sensitive data. Web-based command and control traffic is detected and blocked in real time by InQuest's ICAP solution, preventing data exfiltration and potentially halting further compromise. Security analysts are notified in real time to provide instant visibility into command and control communication.