
Use Cases

Identify Malware Through Automated Dissection and Inspection

A significant challenge for malware authors is how to actually deliver their malware through perimeter
network defenses and entice a user to execute it on their system. Many network-based intrusion detection
and/or prevention systems are signature-based and will alert and/or block known malware from successfully
entering a network. In addition to the perimeter defenses, the continuing rise of security awareness through
user training has made it increasingly challenging to entice a user to open a file that has been sent to them
from an untrusted source. In order to overcome these challenges, malware authors use a variety of tactics and
techniques such as compression, encoding, and obfuscation to evade detection.

Threat Hunting & RetroHunting

Identification of malware present within a network is the first step to containing and eradicating an
infection. If malware can be identified at the perimeter, it can be blocked from entering the network at all,
ultimately eliminating the threat of an infection. However, if malware manages to enter and execute on a
network, the infection can spread as well as take action to conceal itself and increase the difficulty of
removal.

Zero-Day Attack Coverage

Intrusion detection and prevention systems identify threats to a network largely by matching against
signatures of known attacks, which is ineffective against zero-day attacks. InQuest leverages
partnerships, in-house capabilities, and third-party tools to build a comprehensive picture of potential
threats passing through a protected network boundary. Using this information, a threat score is automatically
applied to all network sessions and probable threats are highlighted to analysts, allowing rapid detection,
triage, and remediation of network threats.

This Use Case describes the threat detection and alerting functionality provided by InQuest and how it can be
applied to the detection of zero-day threats entering a protected network.

N-Day Attack Coverage

N-Day threats are the most commonly used attacks targeting both the private and public sectors. The first
step in defending a system against a known attack is defining the threat. Once malicious traffic can be
reliably identified, it can be detected and/or prevented.

Machine Learning Assisted Threat Prevention

Sometimes, no matter how broad a net heuristics cast, signatures alone aren’t enough to capture all
malware. Machine learning provides an adaptive solution for these elusive corner cases. By learning from their
mistakes, ML classifiers can close the remaining cracks in a system’s armor.

Breach Detection

Malicious software often seeks to gain control of your systems and establish command-and-control
communications to initiate processes such as exfiltrating valuable data. If a zero-day exploit has been used,
there is typically no signature that can be used to identify the exploit and stop it before it compromises
your systems. Detecting anomalous command-and-control communications is key to dealing with attacks of this
type, providing your SOC staff with the information they need to quickly deal with the compromise.

Sandbox Integration for Dynamic File Analysis

Information about the capabilities and communication paths used by a malware sample is invaluable for
removing an infection and developing usable indicators of compromise for network detection. Malware authors
commonly attempt to conceal this information, making static analysis of a sample to extract indicators
extremely time consuming and resource intensive.

By executing the malware on a target system, these indicators can be collected easily by observing the
effects of the malware on the system and host network. Multiple vendors have developed sandbox systems
to allow dynamic analysis of files and objects in a contained environment.

Threat Actor Infrastructure Detection & Tracking

Threat actors often use a variety of command-and-control servers to evade detection and improve the resiliency
of their attack campaigns. Attacks with a single point of failure (like WannaCry’s kill switch) run the risk of
having this point identified and disabled, bringing the lifespan of an attack campaign to an abrupt end. Use
of a single set of command-and-control nodes also runs the risk of an accidental denial of service (DoS) of
these servers by a highly successful attack campaign. For these reasons, threat actors often use multiple
command-and-control servers to distribute and communicate with their malware.

Identification of the infrastructure used by a threat actor in an attack is valuable to a network defender
for many reasons. If all of the communication channels used by malware are identified and blocked, the threat
posed by the malware is essentially eliminated. Identification and correlation of command-and-control servers
used by multiple attack campaigns suggests a link between them, which may aid in analysis and accelerate
deployment of appropriate defensive countermeasures.

Data Loss Prevention (DLP)

With the recent explosion of data breach reports, data loss prevention (DLP) has become an area of focus for
many organizations. If an attacker gains access to a protected network and begins exfiltrating sensitive
information, the longer the breach goes undetected, the greater the damage to the organization. To evade
detection of data leaks, hackers commonly obfuscate and embed stolen data within benign files and network
flows. It is essential that data exfiltration be detected as soon as possible to minimize financial,
reputational, and intellectual property damage and exposure.

MultiAV Integration for Malware Detection

Traditional AV solutions may not be able to detect all of the ever-increasing variants of malware in action
at any one time. Additionally, different security software products may specialize in various types of malware
identification. To mount a comprehensive defense, an approach that allows for multi-scanning across various
engines is essential.

Support for the Consumption of Numerous Data, File and Protocol Formats

Malware can be embedded in a variety of different files and formats. In many cases, commercial off-the-shelf
(COTS) security products are incapable of scanning and supporting all relevant file and protocol formats when
inspecting data in transit, leaving you blind to the potential threats.

Data Acquisition and Delivery

High-speed, distributed computing environments present significant challenges for network-based
monitoring that identifies file-based threats and data leakage exposures. Establishing complete visibility of all
files and associated objects to perform static and dynamic analysis as well as content inspection has become
increasingly difficult as network throughput continues to rise.

ICAP Integration

Web traffic makes up the vast majority of network traffic entering and leaving a corporate network. ICAP (the
Internet Content Adaptation Protocol) provides a mechanism for web proxies to present web traffic for
inspection and modification. A corporate environment could combine its existing proxy infrastructure with an
ICAP provider to detect outbound data leakage, inbound threats, and command-and-control traffic from existing
malicious software, and to enforce policy.

SIEM Integration

Security software that doesn’t effectively communicate or integrate with other solutions in your environment
can leave significant gaps in your overall coverage. When security incidents or events occur, this information
needs to be rapidly communicated to your SOC staff so they can take action. As a result, robust SIEM
integration is an essential component of all Security Operations.

Multitenancy Support

Multitenancy, or multiple tenant support, is the ability of a system to support the independent management
of multiple disparate entities, groups, or organizations within a shared computing environment. Common examples
of multitenant environments are larger enterprises with numerous business units, such as Managed
Security Service Providers (MSSPs), government organizations, etc.

Import YARA Signatures

YARA is a tool developed to assist in the identification and classification of malware. It performs pattern
matching against file content using a wide range of strings and/or regular expressions with varying
conditions.