
Threat Hunting & RetroHunting

Use Case Description

Identification of malware present within a network is the first step to containing and eradicating an infection. If malware can be identified at the perimeter, it can be blocked from entering the network at all, ultimately eliminating the threat of an infection. However, if malware manages to enter and execute on a network, the infection can spread as well as take action to conceal itself and increase the difficulty of removal.

Our Solution

The InQuest platform provides powerful functionality to network defenders hunting for the presence of malware on their networks. In this section, we describe the features relating to the identification of malware, extraction of unique characteristics, and performing real-time and historical searches for artifacts matching these or similar characteristics to identify malware on the network.

Identification

InQuest is capable of providing network protection at various strategic positions within your network. This can be achieved either in real time, by deploying a Collector on a network TAP or SPAN port to capture network traffic natively, or after the fact, by uploading file and/or packet captures manually through the UI or programmatically through the APIs. InQuest reassembles and reconstructs this network traffic into artifacts (session information, files, objects, etc.), which are then analyzed for indications of malware.

InQuest Automatic Updates

InQuest provides the option to customers to subscribe to automatic updates from InQuest Labs. These updates include code updates, intelligence information, and signature packages for detecting recent threats. Updates are also available for manual upload to InQuest systems. InQuest Labs collects data from internal research and experience, private partnerships, and crawling of public repositories, and collates it to provide customers with a comprehensive view of the current threat landscape.

Enabling automatic updates maximizes the probability that InQuest will alert on malware entering a protected network, allowing defenders to react rapidly to a potential infection. If an infection is detected or suspected on a host, upload of a packet capture of the host’s traffic to the InQuest system enables scanning the traffic for indicators of known malware variants. This provides a jumping-off point for a malware hunting operation.

InQuest Blacklisting

In addition to the static analysis that InQuest performs, InQuest also provides the ability to blacklist file hashes. Checks against this blacklist are performed automatically on InQuest systems for all captured files, which aids in the detection of malware variants that have been previously identified but might otherwise go undetected.

InQuest URL Analyzer

Certain characteristics of a URL may indicate that a given domain is a command-and-control node or a drive-by download server. InQuest systems perform URL analysis and generate alerts when internal computers request URLs that appear suspicious or potentially malicious. Reviewing these alerts allows an analyst to identify computers that warrant a more in-depth analysis.

Artifact Characteristic Extraction

Once potential malware is identified on the network, any information that can be extracted from the sample can be valuable in determining the scope of the infection on the network. Properly classifying the malware can confirm that it is malicious and provide insight in regards to its potential capabilities. In-depth analysis can provide indicators to aid in identification of malicious traffic, related malware, and artifacts left on the infected system.

InQuest provides several tools and available integrations to aid in extracting actionable data from collected malware samples. The available tools are a mix of InQuest-developed programs and third-party vendor software. The application of these tools to malware hunting is described in this section.

Recursive File Dissection

InQuest has developed a proprietary file dissection utility. Malware authors commonly compress, encode, obfuscate, and embed their malicious code and data within other files in order to avoid scrutiny and detection by network defenders and antivirus engines. InQuest’s tool performs recursive file dissection, extracting each piece of hidden content and submitting it to other post-processing utilities and back to itself to provide a comprehensive view of the content within a suspect file.

The information most valuable to malware hunters (dropped files, executable names, command-and-control nodes and IP addresses, etc.) is exactly what malware authors work the hardest to conceal. InQuest’s file dissection utility automatically locates and extracts this hidden information, making it readily available to analysts.
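The recursive dissect-and-resubmit loop described above, as an added illustration that is not InQuest's own utility: a small Python dissector that peels ZIP containers and base64-encoded blobs, feeds each extracted piece back into itself, hashes every layer for hunting, and bounds depth and member size so a crafted nesting or zip bomb cannot run away. The nested sample input and the `INNERMOST` content are constructed here for the demonstration.

```python
import base64
import binascii
import hashlib
import io
import re
import zipfile

MAX_DEPTH = 8                 # bound recursion so nested containers cannot run away
MAX_CHILD = 16 * 1024 * 1024  # skip archive members larger than this (zip bomb guard)
ZIP_MAGIC = b"PK\x03\x04"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")  # long base64-looking runs


def children(data: bytes):
    """Yield (label, bytes) for each piece of embedded content found in data."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir() and info.file_size <= MAX_CHILD:
                        yield "zip:" + info.filename, zf.read(info)
        except zipfile.BadZipFile:
            pass  # malformed container: nothing to extract at this layer
    for m in B64_RUN.finditer(data):
        try:
            yield "base64", base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but does not decode


def dissect(data: bytes, depth: int = 0, path: str = "root"):
    """Recursively dissect data; every extracted piece is resubmitted to dissect().
    Returns a list of (path, depth, sha256, bytes) records, outermost first."""
    records = [(path, depth, hashlib.sha256(data).hexdigest(), data)]
    if depth < MAX_DEPTH:
        for label, child in children(data):
            records.extend(dissect(child, depth + 1, path + "/" + label))
    return records


INNERMOST = b"constructed innermost content: drops loader.bin, contacts c2.example.invalid"


def build_sample() -> bytes:
    """Constructed input: zip -> zip -> text file carrying a base64 blob of INNERMOST."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"config=" + base64.b64encode(INNERMOST) + b"\n")
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("update.zip", inner.getvalue())
    return outer.getvalue()
```

Running `dissect(build_sample())` yields four layers, the last of which is the plaintext that was hidden two containers and one encoding deep.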

External Integrations

The InQuest Platform enables a user to leverage the capabilities of a variety of InQuest-developed and third-party vendor tools for analysis of files and objects captured on the network. Several sandboxes, automated malware analysis engines, antivirus engines, and file analysis engines can be painlessly integrated with InQuest to provide best-in-breed capabilities in all aspects of file analysis.

Sandboxes and Dynamic File Analysis Tools

InQuest systems provide seamless integration with a variety of third-party vendor solutions for automated dynamic analysis and characteristic extraction of files. Available tools include Cuckoo Sandbox, FireEye, Joe Sandbox, and VxStream Sandbox. Integration with these tools provides a malware hunter with a wealth of information regarding the behavioral characteristics of a suspected malware sample.

InQuest Threat Exchange

The InQuest Threat Exchange is a cloud-based database for InQuest clients to exchange information on suspicious IP addresses, domains, URLs, and file hashes. With this component enabled on the local InQuest deployment, automated checks are performed against the Threat Exchange database to determine if network and/or file artifacts have been previously identified as suspicious and/or malicious.

OPSWAT Metadefender Core

OPSWAT Metadefender Core is a hardware appliance that automatically scans a suspicious file using over thirty different antivirus engines. This scanning allows a malware hunter to proceed with confidence that a given sample is or is not a known threat and provides classification information regarding the malware family and its associated capabilities.

InQuest MultiAV

InQuest MultiAV is a cloud-based hash analysis engine. With this component enabled on the local InQuest deployment, automatic hash checks are performed against the cloud-based database, providing users with information regarding the probable maliciousness of the file.

VirusTotal

VirusTotal is an online repository of data regarding suspicious files, URLs, and IP addresses. By searching for a given hash, users can access results from many antivirus engines, behavioral information from dynamic analysis of the malware, and other users' comments and notes on the malware. VirusTotal is integrated with InQuest to give users programmatic access to VirusTotal's data through its API.

User-Defined Signature Development

Beyond the InQuest-developed signatures delivered via InQuest Automatic Updates, InQuest lets users define their own signatures in YARA format. Signatures can be entered directly or added in batches via a file upload option within the UI. Users can also set the confidence and severity of a signature (individually or for a whole batch uploaded via file) and enable or disable individual signatures for scanning. Once the signatures are defined, users can perform a RetroHunt with them against a configurable timeframe of historical data.

InQuest User Interface

The InQuest system provides a robust and user-friendly User Interface (UI) to aid analysts in network monitoring and threat hunting. Each network session and file captured by InQuest is automatically assigned a threat score based upon the output of the enabled post-processing tools and integrations. These threat scores and tool outputs are available to the user via an intuitive interface. Malware hunters can also query the database to explore relationships between different sessions or files, or to drill down into a suspicious incident.

RetroHunt Retrospective Analysis

InQuest also provides analysts with the ability to perform threat discovery on past network traffic via the RetroHunt Historic Threat Discovery Engine (TDE). By default, the RetroHunt TDE automatically performs RetroHunts, i.e. retrospective analysis, across the past 14 days (configurable) of captured data (files, sessions, etc.). All enabled post-processing operations are applied to the historic traffic in RetroHunt mode using the most recent signature sets. This allows previously undiscovered or unidentified malware in transit to be identified and analyzed.
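The user-defined signature settings and the RetroHunt window described in the two sections above, as one added example that is not InQuest's code: a newly written rule with analyst-set confidence and severity is re-applied to a store of previously captured artifacts, flagging only those inside the configurable 14-day window and skipping disabled rules. The string/condition matching is a deliberately simplified stand-in for the YARA engine, and the store, timestamps, hashes and rules are all constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Signature:
    """Analyst-defined rule; strings/condition are a simplified stand-in for YARA."""
    name: str
    strings: tuple           # byte patterns to look for
    condition: str = "all"   # "all" or "any" of the strings must be present
    confidence: int = 50     # analyst-set, 0-100
    severity: int = 5        # analyst-set, 1-10
    enabled: bool = True     # disabled rules are skipped during scanning

    def matches(self, data: bytes) -> bool:
        hits = [s in data for s in self.strings]
        return all(hits) if self.condition == "all" else any(hits)


@dataclass
class Artifact:
    """A captured file as kept in the historical store (hash, capture time, bytes)."""
    sha256: str
    captured_at: datetime
    data: bytes


def retrohunt(artifacts, signatures, now, days=14):
    """Re-scan everything captured in the last `days` days (14 by default, configurable)
    with the currently enabled signatures; alerts are ordered by severity, then confidence."""
    cutoff = now - timedelta(days=days)
    alerts = []
    for art in artifacts:
        if art.captured_at < cutoff:
            continue  # outside the RetroHunt window
        for sig in signatures:
            if sig.enabled and sig.matches(art.data):
                alerts.append({"sha256": art.sha256, "rule": sig.name,
                               "confidence": sig.confidence, "severity": sig.severity})
    alerts.sort(key=lambda a: (-a["severity"], -a["confidence"]))
    return alerts


NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed reference time
SAMPLE = b"constructed sample: drops loader.bin, contacts c2.example.invalid"
# Constructed store: a recent and a stale copy of the same content, plus a clean file.
# Nothing matched at capture time because the rule below did not exist yet.
STORE = [Artifact("sha256-constructed-a", NOW - timedelta(days=3), SAMPLE),
         Artifact("sha256-constructed-b", NOW - timedelta(days=20), SAMPLE),
         Artifact("sha256-constructed-c", NOW - timedelta(days=1), b"constructed benign text")]
RULES = [Signature("constructed_loader", (b"loader.bin", b"c2.example.invalid"), "all", 80, 8),
         Signature("constructed_broad_rule", (b"constructed",), "any", enabled=False)]


def run(days=14):
    """RetroHunt over STORE with RULES; `days` mirrors the configurable window."""
    return retrohunt(STORE, RULES, NOW, days)
```

Widening the window to 30 days pulls in the stale copy as well, which is exactly the trade-off an analyst makes when configuring the RetroHunt timeframe.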