Use Cases

Identify Malware Through Automated Dissection and Inspection

A significant challenge for malware authors is how to actually deliver their malware through perimeter network defenses and entice a user to execute it on their system. Many network-based intrusion detection and/or prevention systems are signature-based and will alert and/or block known malware from successfully entering a network. In addition to the perimeter defenses, the continuing rise of security awareness through user training has made it increasingly challenging to entice a user to open a file that has been sent to them from an untrusted source. In order to overcome these challenges, malware authors use a variety of tactics and techniques such as compression, encoding, and obfuscation to evade detection.

Threat Hunting & RetroHunting

Identification of malware present within a network is the first step to containing and eradicating an infection. If malware can be identified at the perimeter, it can be blocked from entering the network at all, ultimately eliminating the threat of an infection. However, if malware manages to enter and execute on a network, the infection can spread as well as take action to conceal itself and increase the difficulty of removal.

Zero-Day Attack Coverage

Intrusion detection and prevention systems largely identify threats to a network by matching against signatures of known attacks, which is largely ineffective against zero-day attacks. InQuest leverages partnerships, in-house capabilities, and third-party tools to build a comprehensive picture of potential threats passing through a protected network boundary. Using this information, a threat score is automatically applied to all network sessions and probable threats are highlighted to analysts, allowing rapid detection, triage, and remediation of network threats. This Use Case describes the threat detection and alerting functionality provided by InQuest and how it can be applied to the detection of zero-day threats entering a protected network.

N-Day Attack Coverage

N-Day threats are the most commonly used attacks targeting both the private and public sectors. The first step in defending a system against a known attack is defining the threat. Once malicious traffic can be reliably identified, it can be detected and/or prevented.

Machine Learning Assisted Threat Prevention

Sometimes, no matter how broad a net is cast with heuristics, signatures just aren't enough to capture all malware. Machine learning provides an adaptive solution to these elusive corner cases. By learning from their mistakes, ML classifiers are able to tightly fill the cracks in a system's armor.

Breach Detection

Malicious software often seeks to gain control of your systems and establish command-and-control communications to initiate processes such as exfiltrating valuable data. If a zero-day exploit has been used, there is typically no signature that can be utilized to identify the exploit and stop it before it compromises your systems. Detecting anomalous command-and-control communications is key to dealing with attacks of this type to provide your SOC staff with the information they need to quickly deal with the compromise.

Sandbox Integration for Dynamic File Analysis

Information about the capabilities and communication paths used by a malware sample is invaluable for removing an infection and developing usable indicators of compromise for network detection. Malware authors commonly attempt to conceal this information, making static analysis of a sample to extract indicators extremely time consuming and resource intensive. Through execution of malware on a target system, these indicators can be easily collected through observation of the effects of the malware on the system and host network. Multiple vendors have developed sandbox systems to allow dynamic analysis of files and objects in a contained environment.

Threat Actor Infrastructure Detection & Tracking

Threat actors often use a variety of command-and-control servers to evade detection and improve the resiliency of their attack campaigns. Attacks with a single point of failure (like WannaCry's kill switch) run the risk of having this point identified and disabled, bringing the lifespan of an attack campaign to an abrupt end. Use of a single set of command-and-control nodes also runs the risk of an accidental denial of service (DoS) of these servers by a highly successful attack campaign. For these reasons, threat actors often use multiple command-and-control servers to distribute and communicate with their malware. Identification of the infrastructure used by a threat actor in an attack is valuable to a network defender for many reasons. If all of the communication channels used by malware are identified and blocked, the threat posed by the malware is essentially eliminated. Identification and correlation of command-and-control servers used by multiple attack campaigns suggests a link between them, which may aid in analysis and accelerate deployment of appropriate defensive countermeasures.

Data Loss Prevention (DLP)

With the recent explosion of data breach reports, data loss prevention (DLP) has become an area of focus for many organizations. If an attacker gains access to a protected network and begins exfiltrating sensitive information, the longer the breach goes undetected, the greater the damage to the organization. To evade detection of data leaks, hackers commonly obfuscate and embed stolen data within benign files and network flows. It is essential that data exfiltration be detected as soon as possible to minimize financial, reputational, and intellectual property damage and exposure.

MultiAV Integration for Malware Detection

Traditional AV solutions may not be able to detect all of the ever-increasing variants of malware in action at any one time. Additionally, different security software products may specialize in various types of malware identification. To mount a comprehensive defense, an approach that allows for multi-scanning across various engines is essential.

Support for the Consumption of Numerous Data, File and Protocol Formats

Malware can be embedded in a variety of different files and formats. In many cases, commercial-off-the-shelf (COTS) security products are incapable of scanning and supporting all relevant file and protocol formats when inspecting data in transit, leaving you blind to the potential threats.

Data Acquisition and Delivery

High-speed, distributed computing environments present significant challenges to performing network-based monitoring that identifies file-based threats and data leakage exposures. Establishing complete visibility of all files and associated objects in order to perform static and dynamic analysis as well as content inspection has become increasingly difficult due to the continuing rise of network throughput.

ICAP Integration

Web traffic makes up the vast majority of network traffic entering and leaving a corporate network. ICAP (the Internet Content Adaptation Protocol) provides a mechanism for web proxies to present web traffic for inspection and modification. A corporate environment could combine its existing proxy infrastructure with an ICAP provider to detect outbound data leakage, inbound threats, and command-and-control traffic from existing malicious software, and to enforce policy.

SIEM Integration

Security software that doesn’t effectively communicate or integrate with other solutions in your environment can leave significant gaps in your overall coverage. When security incidents or events occur, this information needs to be rapidly communicated to your SOC staff so they can take action. As a result, robust SIEM integration is an essential component of all Security Operations.

Multitenancy Support

Multitenancy, or multiple tenant support, is when a system is capable of supporting the independent management of multiple disparate entities, groups, or organizations within a shared computing environment. Common examples of multitenant environments include larger enterprises with numerous business units, Managed Security Service Providers (MSSPs), and government organizations.

Import YARA Signatures

YARA is a tool developed to assist in the identification and classification of malware. It performs pattern matching against file content using a wide range of strings and/or regular expressions with varying conditions.