This article describes the Intelligence Card Extension for InQuest Labs.
Feedback and improvement ideas are welcome - go to https://ideas.recordedfuture.com/
About InQuest Labs
The InQuest platform provides high-throughput Deep File Inspection (DFI) for threat and data leakage prevention, detection, and hunting. With this information, organizations can automate and scale the expert knowledge of a typical SOC analyst. Available on-premises or as a service, InQuest Labs uses a variety of sources in its automated decision-making engine. These include bi-directional orchestration with multi-scanning and sandbox platforms, unique threat intelligence sources, and a seasoned signature development team augmented by machine learning.
The extension draws upon several assets developed at InQuest Labs. They include:
- Deep File Inspection (DFI) - Capable of ingesting malware at scale. Samples are fed through a lightweight, less fully featured version of Deep File Inspection to extract embedded logic, semantic content, metadata, and IOCs such as URLs, domains, IPs, e-mails, and file names.
- Reputation Database - A variety of both open source and commercial IP/ASN and URL/domain reputation feeds, which can assist defenders in setting automated blocks and help analysts looking to add context to an investigation.
- IOC Database - Composed of artifacts harvested from both Twitter and blogs. This data isn't as high-fidelity as the reputation database, but it is interesting and valuable in its own right. Artifacts include URLs, domains, IP addresses, file hashes, and YARA signatures.
For more detail, check out https://labs.inquest.net/about.
This extension is freely available to all Recorded Future clients.
Examples
Below are screenshots of the extension taken on August 2, 2022, for a variety of IOCs:
IP address 79.133.121.51 (risk score 90, current C&C server)
Domain monline.it (risk score 25)
File hash c19e776e46b9e865e027c3d2d4477c8722ae1e068192e5c99498aad5ce10e351 (risk score 65)