Threat Actor Infrastructure Detection & Tracking

Use Case Description

Threat actors often use a variety of command-and-control servers to evade detection and improve resiliency of their attack campaigns. Attacks with a single point of failure (like WannaCry’s kill switch) run the risk of having this point identified and disabled, bringing the lifespan of an attack campaign to an abrupt end. Use of a single set of command-and-control nodes also runs the risk of an accidental denial of service (DOS) of these servers by a highly successful attack campaign. For these reasons, threat actors often use multiple command-and-control servers to distribute and communicate with their malware.

Identification of the infrastructure used by a threat actor in an attack is valuable to a network defender for many reasons. If all of the communication channels used by malware are identified and blocked, the threat posed by the malware is essentially eliminated. Identification and correlation of command-and-control servers used by multiple attack campaigns suggests a link between them, which may aid in analysis and accelerate deployment of appropriate defensive countermeasures.

Our Solution

InQuest has developed and integrated many in-house and third-party solutions for the discovery, detection and prevention of threat actor infrastructure. Several of these tools are useful in the identification and correlation of components of threat actor infrastructure used in various attack campaigns. Through the extensive research methodologies of InQuest Labs, they have been able to identify and mitigate malware campaigns designed to leverage threat actor infrastructure stood up specifically for the targeting of their clients.

Real-Time Network Traffic Monitoring

InQuest provides real-time monitoring of network traffic passing through the protected network perimeter through the use of a Collector passively collecting traffic via a TAP or SPAN. Sessions are reconstructed and analyzed using several proprietary InQuest native capture tools.

Automated Signature Scanning

InQuest provides their clients with the capability to import InQuest Labs provided signatures either manually or automatically. Users are also able to define and upload their own signatures and enable or disable them via Policy definition to meet their needs. The InQuest Threat Discovery Engine (TDE) uses these signatures to identify malware entering the network, providing a starting point for mapping a threat actor’s attack infrastructure.

DNS monitoring for known bad domains

Included in InQuest’s feed packs is a list of currently known malicious domains scraped from a variety of internal, private, and public sources. Each DNS request made from within a protected network is checked against this list and an alert is raised in the event of a match. Identification of an infected machine allows analysts to identify the malware and infection vector of the machine and analyze this data for further clues about the threat actor’s operations (IP addresses, domains, etc.).

InQuest Artifact Extractor

InQuest Collectors include a built-in network traffic artifact extraction engine which extracts metadata from network sessions passing through the network perimeter. This metadata includes IP addresses, URLs, domains, files, and file hashes and can be invaluable in identifying and associating various malicious content and different aspects of the same attack campaign.

Recursive File Dissection

InQuest has developed a recursive file dissection engine designed to unwrap the layers of obfuscation employed by hackers to mask and protect their malicious code. Hackers do not wish for their malicious content to be commonly known (since they would be promptly added to blacklists), so they often hide this information within files and/or objects in a variety of ways, forcing analysts to spend valuable time verifying that they have identified all of the infrastructure that the malware may contact. InQuest’s file dissection engine automatically unravels the protections placed around this information, accelerating the pace at which the threat actor’s infrastructure is identified and mitigated.

Sandboxes and Automated Malware Analysis Engines

InQuest provides seamless integration of multiple third-party sandboxes and automated malware analysis engines, including Cuckoo Sandbox, Joe Sandbox, VxStream Sandbox, and FireEye. These tools are valuable for extracting hidden information from malware. They allow the malware to execute in a protected environment and identify files, domains and IPs that the malware attempts to contact. This intelligence can be correlated with information gained from other sources to provide greater visibility into a threat actor’s infrastructure.

InQuest Automatic Updates

InQuest collects threat intelligence from a variety of sources. Internally, experience from dealing with real-world attacks on a daily basis provides knowledge regarding current attack trends. Private information is shared through a network of partnerships with Exodus Intelligence and other research organizations. Public information is collected and aggregated through crawlers that search public intelligence repositories. This information is available to InQuest clients via InQuest Automatic Updates. These code, signature, and intelligence updates from the InQuest cloud are available for manual download as well.

InQuest Threat Exchange

The InQuest Threat Exchange is a cloud-based forum for collaboration between InQuest clients across the globe. This cloud-based threat score database stores information regarding suspicious IP addresses, domains, files, and hashes and enables defenders to collaborate to quickly build a map of the infrastructure supporting a given attack.

InQuest User Interface

InQuest is designed to simplify the network defender’s experience. The InQuest User Interface (UI) provides a high degree of control to the user and powerful search and data correlation capabilities. Behind the scenes, every network session passing the network boundary is analyzed and labeled with a threat score. Once an indicator of an attack campaign is identified (a file, URL, domain name, etc.), the UI can be used to identify related information and trigger and access the results of integrated tools. Signatures based on extracted information can be easily defined and scanned against within the UI. The UI also allows scanning in RetroHunt mode to detect attacks performed before signatures had been developed.