Use Case Description
High-speed, distributed computing environments present significant challenges to network-based monitoring that aims to identify file-based threats and data-leakage exposures. Establishing complete visibility of all files and associated objects in order to perform static and dynamic analysis as well as content inspection has become increasingly difficult as network throughput continues to rise.
InQuest has developed multiple native capture and analytical tools that network analysts can leverage to improve visibility into the traffic passing through their network, at speeds ranging from megabits to multiple gigabits per second. These tools, along with tools provided by third-party vendors, are integrated into a platform that allows them to be centrally managed, their results to be aggregated into an accessible reporting format, and a threat score to be generated automatically for the user.
To optimize use of the InQuest system, it is important to understand how data flows through the system and how best to deploy it to meet organizational needs. Here, the flow of data through the InQuest framework is described in terms of its collection, analysis, and reporting phases.
The collection phase encompasses the original points of entry of different types of data into the InQuest system. Data can be provided by InQuest, uploaded by clients, derived from traffic currently passing through the network or from analysis of past network traffic, or exchanged between InQuest users.
InQuest provides a Collector appliance designed to natively capture network traffic via a TAP or SPAN port. The Collector monitors all traffic passing through the network and reassembles it into aggregated sessions for further analysis. These sessions are passed to the Artifact Extractor, which extracts embedded files, connection information (domains, IPs, ports, URLs, etc.), and metadata (hashes, etc.) from each session. By default, InQuest passes this information to several built-in post-processing functions. From there, the files and associated objects are passed to several analytical InQuest Engines:
- InQuest Threat Discovery Engine: Uses installed signature packs to identify known threats
- InQuest URL Analyzer: Analyzes URLs for suspicious features
- InQuest File Analyzer: Examines file attributes and metadata and determines a threat score
This information is then passed on to a threat scoring engine, which aggregates the results to generate a threat score for the session.
RetroHunt Historic Threat Discovery Engine
InQuest also supports historical analysis of past traffic (the retention window is set to two weeks by default). Using RetroHunt's retrospective analytical capabilities, traffic from the target date is scanned with the current signature set. This allows threats that became public knowledge only after the attack to be identified retrospectively and handled.
InQuest Threat Exchange
The InQuest Threat Exchange is an opt-in cloud-based forum for information sharing between network defenders. Analysts can upload or download information on IP addresses, domains, URLs, and file hashes, which can be used in the automatic generation of threat scores.
The analysis phase consists of deriving further information from artifacts already inside the InQuest system. Primarily, this focuses on analysis of files by sandboxes, automated malware analysis engines, and recursive file dissection. File hashes can also be submitted to cloud-based reputation databases to determine whether they represent a known threat.
Sandboxes and Automated Malware Analysis Engines
InQuest provides the ability to integrate several sandboxes and automated malware analysis engines. Supported options include Cuckoo Sandbox, FireEye, Joe Sandbox, and VxStream Sandbox. These tools perform in-depth, dynamic analysis of malware in a controlled environment, extracting characteristics that may be hidden from static analysis of the files. Each tool can be enabled, disabled, or configured to run only for certain file types. Results are automatically fed into the InQuest Threat Score Engine for score calculation and assignment.
OPSWAT Metadefender Core is a hardware appliance that uses multiple malware engines to scan files. This tool can be integrated into InQuest so that files acquired by the InQuest Collector are automatically submitted to it. The results of these malware engines are then passed to the InQuest Threat Score Engine for score calculation and assignment.
InQuest MultiAV and VirusTotal
InQuest MultiAV and VirusTotal allow users to submit the hash of a suspicious file and receive information on the file's reputation and other metadata. The InQuest Threat Score Engine can automatically pull data from one or both of these services and incorporate it into the generated threat scores.
Recursive File Dissection
InQuest has developed a file dissection engine designed to remove the wrappings and obfuscations used to conceal malware and useful intelligence (IP addresses, domains, etc.). File dissection occurs recursively, with each level of extracted content passed through the analysis engines described in the previous sections to determine whether it represents a threat. If an embedded component is identified as a potential threat, the parent file is labeled as a threat as well.
Rather than forcing an analyst to review the results of several systems to derive a complete picture of a suspicious artifact, InQuest automatically runs the appropriate analysis tools (based on user configuration) and calculates a threat score for each network session and file passing through the network perimeter.
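The recursive dissection and parent labeling described above, together with the threat-score aggregation mentioned earlier, as an added Python illustration that is not InQuest's code: the signature pack, the nested-zip sample, and the names `dissect`, `remove_wrapping` and `threat_score` are all constructed assumptions, and only zip wrappings are handled.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Constructed stand-in for a signature pack: byte pattern -> (signature name, weight).
SIGNATURES = {b"DROP-AND-EXEC-MARKER": ("constructed.dropper", 80),
              b"http://bad.example/": ("constructed.suspicious_url", 40)}
MAX_DEPTH = 4  # bound the recursion so deeply nested containers cannot run away

@dataclass
class Artifact:
    name: str
    data: bytes
    depth: int = 0
    findings: list = field(default_factory=list)   # (signature, weight) hits
    children: list = field(default_factory=list)
    threat: bool = False

def remove_wrapping(art):
    # Dissector: strip a zip wrapping and return each member as a child artifact.
    if not art.data.startswith(b"PK\x03\x04") or art.depth >= MAX_DEPTH:
        return []
    with zipfile.ZipFile(io.BytesIO(art.data)) as zf:
        return [Artifact(f"{art.name}/{m.filename}", zf.read(m), art.depth + 1)
                for m in zf.infolist() if not m.is_dir()]

def dissect(art):
    # Static engine at this level, then recurse into extracted content and
    # propagate verdicts upward: a flagged child flags its parent.
    art.findings = [hit for pat, hit in SIGNATURES.items() if pat in art.data]
    art.children = [dissect(c) for c in remove_wrapping(art)]
    art.threat = bool(art.findings) or any(c.threat for c in art.children)
    return art

def threat_score(art):
    # Score is the capped sum of this level's findings, never lower than the worst child.
    own = min(100, sum(w for _, w in art.findings))
    return max([own] + [threat_score(c) for c in art.children])

def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:  # deflate hides raw bytes
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample():
    # Constructed session payload: a zip wrapping a zip wrapping a flagged file.
    inner = make_zip({"payload.bin": b"junk DROP-AND-EXEC-MARKER junk"})
    return Artifact("session-42.zip", make_zip({"readme.txt": b"harmless", "inner.zip": inner}))
```

Running `dissect(build_sample())` flags only the innermost file directly, and that verdict is inherited by `inner.zip` and then by the outer session artifact.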
The InQuest User Interface provides a user-friendly method of accessing the reports generated for any session or file. The results of each analysis tool are collected on a single page along with the aggregate threat score. Users can also perform database queries to explore relationships or drill more deeply into an identified threat.