Use Case Description
N-day threats, attacks that exploit vulnerabilities which are already publicly known, are the most commonly used attacks targeting both the private and public sectors. The first step in defending a system against a known attack is defining the threat. Once malicious traffic can be reliably identified, it can be detected and/or prevented.
InQuest provides two methods for adding threat signatures to the database: automated and user-defined.
Malware Signature Development
The first step in defending a system against an attack is defining the threat. Once malicious content can be reliably identified, it can be located on the affected system and removed. InQuest provides two methods for adding threat signatures to the database: automated and user-defined.
InQuest Automated Updates
One service that InQuest provides to its users is an automated feed of code, signature, and intelligence content through InQuest Automatic Cloud Updates. InQuest’s intelligence originates from three sources: internal experience derived from daily real-world attack prevention, private partnerships with Exodus Intelligence and other research organizations, and public intelligence collected from public sources by web crawlers and aggregated into a single database. Based upon this intelligence, InQuest develops signatures for emerging threats and delivers them via Automated Updates to protect its clients’ networks.
InQuest signature packs are also available to clients for manual upload. This gives clients in restricted environments the ability to perform the necessary security checks on a pack before importing it into their systems.
InQuest also provides its clients’ internal security teams with the ability to define their own signatures for threats targeting their organizations. Through the User Interface, an administrator can add, enable, and disable policies to tune the InQuest system to the needs of the environment.
InQuest MultiAV, Threat Exchange, and VirusTotal Integrations
InQuest provides multiple methods by which an analyst can gather information about suspicious traffic passing through their computing environment. InQuest MultiAV is a cloud-based hash analysis engine: by submitting the hash of a suspect file, an analyst can determine whether the file is already known to be malicious. InQuest also offers an integration with VirusTotal’s cloud-based API, which allows antivirus reports to be retrieved for a file based on its hash.
InQuest Threat Exchange allows analysts to communicate with the InQuest cloud-based threat score database to both query and contribute information about suspicious IP addresses, domains, URLs, and file hashes. During a distributed attack, this allows analysts at different InQuest client sites to pool their information and respond more rapidly to the threat.
Reviewing Past Events in RetroHunt
InQuest provides the ability to retrospectively analyze past network traffic and files using the RetroHunt functionality. When a new signature is created for an attack, it is important to scan past traffic with it to determine whether the network was attacked, and potentially infected, before the signature existed. Using RetroHunt, such hidden threats within the network can be identified and mitigated.