Use Case Description
Intrusion detection and prevention systems largely identify threats to a network by matching against signatures of known attacks, an approach that is ineffective against zero-day attacks. InQuest leverages partnerships, in-house capabilities, and third-party tools to build a comprehensive picture of potential threats passing through a protected network boundary. Using this information, a threat score is automatically applied to all network sessions and probable threats are highlighted to analysts, allowing rapid detection, triage, and remediation of network threats.
This Use Case describes the threat detection and alerting functionality provided by InQuest and how it can be applied to the detection of zero-day threats entering a protected network.
InQuest draws from a variety of intelligence sources, shares this intel with the users through manual or automatic updates, and provides a plethora of information via the InQuest User Interface for discovery and analysis of zero-day threats.
InQuest Intelligence Sources
InQuest collects intelligence from a variety of internal, private, and public sources. Internally, InQuest uses hands-on experience gained from dealing with daily, real-world attacks to identify, triage, and develop signatures for malware. InQuest partners closely with Exodus Intelligence and collaborates with other research organizations. Using web crawlers and aggregation tools, InQuest collects data from a variety of public sources into a single database. These data feeds are integrated to provide InQuest with a comprehensive view of potentially new or unknown threats targeting their clients.
InQuest Automated Updates
InQuest offers an optional, automated update service, providing code, signature, and intelligence updates. By enabling this service, InQuest systems can be kept up-to-date on the current threats that they may face and provide protection against attacks evolving in real time.
Automated Threat Scoring and Alerting
InQuest provides a variety of built-in and integrated solutions for assigning threat levels to network traffic passing through the perimeter of a protected network. This section describes the tools that help detect zero-day attacks and the methods for accessing their results.
Known Malicious DNS Domain Monitoring
It is not uncommon for malware authors to use the same command-and-control or download servers for a variety of malware campaigns. InQuest provides an automated monitoring service for any resolution attempt of known malicious domains. If a new malware variant uses known command-and-control or download servers, an alert will be generated for the malicious traffic, allowing a network administrator to shut down even zero-day attack traffic.
InQuest URL Analyzer
InQuest provides an integrated URL analysis engine. Based upon the structure of observed URLs, the URL Analyzer determines the probability that traffic is malicious. Even if a zero-day attack uses unknown command-and-control or download servers, if the URL shares common properties with other malicious sites, an alert will be raised to draw attention to the suspicious traffic.
InQuest File Analyzer
Malware authors commonly embed malicious code within a benign file in order to increase the probability that it will be able to enter the network perimeter and entice users to execute the malicious functionality. It is not uncommon for a zero-day attack to include some previously-known malicious code (for example, a new exploit that installs a common malware backdoor or downloader). InQuest’s file dissection engine recursively unwraps the levels of obfuscation around malicious code and tests each level using best-in-breed, third-party analysis tools, maximizing the probability that even a zero-day attack will be detected when entering the protected network.
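As an added illustration of the recursive unwrapping described above (this is example code, not InQuest's own engine; the two wrapper formats handled, the stand-in payload and its "known-bad" hash are all constructed for the example), the following dissects a file layer by layer, hashes each layer against a known-bad set, and caps both recursion depth and inflated size so a decompression bomb cannot exhaust the analyzer:

```python
import base64
import binascii
import hashlib
import io
import zipfile

# Constructed stand-in payload and its hash; not a real indicator.
PAYLOAD = b"MZ-stand-in-for-a-known-backdoor"
KNOWN_BAD = {hashlib.sha256(PAYLOAD).hexdigest()}
MAX_DEPTH = 8                # stop recursing into endlessly nested wrappers
MAX_BYTES = 8 * 1024 * 1024  # refuse to inflate any member beyond 8 MiB

def unwrap_layer(data: bytes):
    """Peel one wrapper: returns (kind, children) or (None, []) if plain."""
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Members whose declared size exceeds the budget are skipped, not inflated.
                return "zip", [zf.read(i) for i in zf.infolist() if i.file_size <= MAX_BYTES]
        except zipfile.BadZipFile:
            return None, []
    try:
        decoded = base64.b64decode(data, validate=True)
        return ("base64", [decoded]) if decoded else (None, [])
    except (binascii.Error, ValueError):
        return None, []

def dissect(data: bytes, depth: int = 0, path: str = "root"):
    """Hash every layer and recurse into wrappers; returns [(path, sha256, known_bad)]."""
    digest = hashlib.sha256(data).hexdigest()
    findings = [(path, digest, digest in KNOWN_BAD)]
    if depth >= MAX_DEPTH:
        return findings
    kind, children = unwrap_layer(data)
    for i, child in enumerate(children):
        findings.extend(dissect(child, depth + 1, f"{path}/{kind}[{i}]"))
    return findings

def is_malicious(findings) -> bool:
    """File verdict: any layer matching a known-bad hash flags the whole file."""
    return any(bad for _, _, bad in findings)

def build_sample() -> bytes:
    """Constructed sample: zip -> base64 text -> zip -> payload."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("payload.bin", PAYLOAD)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.txt", base64.b64encode(inner.getvalue()))
    return outer.getvalue()
```

Only the innermost layer matches the hash set; the outer layers have never-before-seen digests, which is exactly why a signature match on the container alone would miss the file.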
InQuest offers seamless integration with several third-party tools to provide robust antivirus, sandboxing, reputation checking, and automated malware analysis capabilities. While not enabled by default, the following tools can be painlessly configured to improve detection of even zero-day attacks:
- InQuest Automatic Updates: Enables InQuest cloud connectivity for automatically retrieving and applying code, signature, and intelligence (C2) updates.
- Cuckoo Sandbox: Sandbox that performs dynamic malware analysis.
- VxStream Sandbox: Automated malware analysis system.
- FireEye: Hardware appliance that performs dynamic analysis of files.
- InQuest Eyelet Reputation: Cloud-based reputation database.
- InQuest MultiAV: Provides cloud-based hash analysis.
- InQuest Threat Exchange: Enables communication with the InQuest Cloud-based threat exchange which provides shared threat information on IPs, domains, URLs, and file hashes.
- Joe Sandbox: Sandbox for deep malware analysis.
- OPSWAT Metadefender Core: Hardware appliance that leverages multiple AV engines to scan files.
- VirusTotal: Online service used to look up AV reports for known-bad hashes.
InQuest User Interface
Based upon the information gathered by InQuest’s built-in and integrated threat analysis capabilities, the system automatically generates a threat score for each session and file entering or leaving the network. These threat scores are displayed via the InQuest User Interface (UI), which highlights probable threats against the protected network. The UI also supports a wide range of queries against collected data, allowing an analyst to explore relationships and extract details regarding threats against their network.