About InQuest
InQuest provides a data acquisition and analysis platform. Providing network defenders with capabilities to block attacks, detect sophisticated breaches, discover sensitive data leaks, and hunt for otherwise unseen campaigns. Built out of necessity and touting a feature-set driven by seasoned SOC analysts with over 15 years of hands-on operational experience across US Department of Defense networks globally. We’ve automated much of the typically mundane tasks of the SOC analyst. Resulting in analyst level scrutiny at multi-gigabit speeds, all the while reducing alert fatigue as well as frustration, and in-turn, allowing precious human time to be spent where it matters.
InQuest is typically deployed at ingress/egress points where it can capture and inspect all packets traversing the network perimeter. Among our mantra is “throw everything and the kitchen sink at the problem of malware prevention”. We apply a blend of tactics not simply to detect threats, but to detect the interesting ones. We’re not as interested in garden variety malware, but we do detect it all the same.
Supporting throughput speeds of up to 20Gb/sec in a single 1U system, InQuest carves artifacts including files, session headers, and metadata from a number of data sources such as a network TAP, network SPAN, ICAP, APIs, and MTAs. The extracted artifacts are then fed through a gauntlet of security checks. The most prominent is our Deep File Inspection (DFI) engine which is capable of decompressing, decoding, deobfuscating, and decompiling executable code from common malware carriers ranging from documents to applets. A combination of heuristics, static analysis, and machine learning are blended together to form the basis of our Threat Discovery Engine (TDE). Additionally, we leverage intelligent integrations with complementary security products that may already exist in our customer stacks. By intelligent we mean there is bi-directional automated communication with a layer of logic on top of the received results. Example integrations include multi-av / file-reputation providers such as OPSWAT and VirusTotal, detonation technologies such as VMRay (the focus of this article), cloud reputation databases, and more. The optional components are engaged in parallel with their results aggregated into a single, digestible Threat Score. An infosec map-reduce pattern if you will.
With the overview out of the way, let’s dive into the specifics of our integration with VMRay Analyzer, the benefits of detonation-based malware analysis, and how the combination of blended technologies allow for improved cyber resilience.
InQuest + VMRay Integration
InQuest is proud to offer an intelligent integration with VMRay Analyzer. VMRay sets itself apart from other detonation technologies by taking an agentless approach to dynamic analysis. Whereas a sandbox solution such as Cuckoo requires a running agent within the guest operating system to record samples activity; VMRay is implemented at the hypervisor level, fundamentally operating in a layer outside of the system being monitored. Since there are no agents or hooks inside the Virtual Machine (VM), the sandbox itself is undetectable by malware. In addition, VMRay includes a number of features meant to counter common VM detection and evasion techniques. VMRay Analyzer passes all of the VM detection checks implemented by pafish, VMDE, and anticuckoo.
For a recent example of a case where VMRay was an invaluable asset, we can look at DDE. This macro-less technique allows attackers to execute malicious code through Word documents, Excel spreadsheets, and even Outlook emails. At the time of its initial public reveal, no antivirus vendors had signatures that would catch such attacks. VMRay Analyzer is looking for suspicious behavior – so it opened the document, applied a click-to-explore algorithm to trigger the exploit, automatically waded through any prompts requiring interaction, and executed the resulting malicious payload.
Figure 1: VMRay detonated the file in four different environments, only one alerted.
Starting from the overview, you’ll note that VMRay detonated the file in four different unique environments. Only one of these generated alerts from suspicious activity. This is not uncommon as malware may be looking for specific OS and application mixes, or using an exploit specific to only one version of an application. It is prudent to accurately build your sandbox environment to reflect your real-world systems. The next screen shows the process overview:
Figure 2: Clear depiction of the multiple stage pivots detailed above.
Here you can clearly see the process chain from the original Word document with the DDE exploit (winword.exe), through multiple pivots, and finally to the malicious PowerShell payload (powershell.exe). If you’re interested in a more detailed walkthrough of this sample, take a look at the full InQuest blog post, Walkthrough of a Common Malware Carrier.
You may also want to explore an interactive VMRay Analyzer report on a similar DDE sample.
Figure 3: Configuration options for InQuest’s intelligent VMRay Analyzer integration.
InQuest’s intelligent VMRay integration allows users to control exactly what files are submitted to VMRay, filtering by MIME type or InQuest Threat Score, or disabling automatic file submission altogether and letting the analyst trigger manual submissions of “interesting” files. Other options include email alerts to see when an analysis has completed, syslog endpoints for sending messages to SIEM devices, and proxy settings.
Opening a session details page in the InQuest UI will present a wealth of information about the session, along with any files attached to it. From this single view, you can see the assigned Threat Score, every single integration that was used to determine that score, details of session endpoints and headers, and details of every file contained within the session.
Figure 4: InQuest Session Details view.
The file details can be expanded to show results from multi-AV scanners and sandboxes, file metadata and hashes, as well as each InQuest and user-defined signature that fired on the file and the specific offset and content within the file that triggered it. Users can also pivot from here to search pages that will show every session containing each file.
Figure 5: VMRay integration, in manual mode, ready to submit. Auto submission is an option.
Figure 6: VMRay integration after submission, waiting for response from the sandbox.
Figure 7: VMRay integration after sandbox analysis has completed, ready to view reports.
Once a file has been submitted to the VMRay Analyzer and the analysis completes, the VMRay report is available directly through the InQuest UI for easy export and investigation. The results from this analysis, and any other integrations, are aggregated under a single pane of glass and summarized by a simple threat score from 1 to 10. Our threat score algorithm is not prone to artificial inflation from over-detection. We lean on our experience as SOC analysts to automate the heating / cooling of scores based on a combination of inputs. In essence, we’re automating much of the SOC analyst workflow to spare precious human cycles for what matters most. The key decision points that drive the algorithm are shown in a straightforward threat receipt:
Figure 8: Raw JSON report from VMRay Analyzer available for download from the InQuest UI.
Each InQuest sandbox integration includes optional automatic and manual submission of files, email notification of sandbox scan completion, and CEF-compatible syslog output for SIEM integrations. The results of the sandbox analysis are factored into the InQuest Threat Score, and full reports from the external sandbox system are retrieved and cached for reference by analysts from within the InQuest UI. Because dynamic analysis can be time-consuming, all InQuest sandbox integrations also include options to configure exactly when to submit files, based on MIME type inclusion or exclusion, as well as the file’s base Threat Score.
The holistic picture is then considered when determining the Threat Score. We believe in “showing our work” and towards that effect, couple our Threat Score with a Threat Receipt which is a simple visualization of the factors that contributed to the score.
The following screen excerpt shows a Threat Score of 8 out of 10, calculated over the collection of artifacts captured from a web session.
Figure 9: InQuest Threat Score, ranging from 0-10, with an overview of informational vs threat events
In this next screen excerpt you see an example Threat Receipt. The first three green-marks are from InQuest internal components contributing to the Threat Score. The next green-mark indicates that our integration with VMRay produced novel information that contributed to the Threat Score as well. The next two yellow-marks indicate components that produced some threat-intel, but did not contribute to the threat score. We don’t want to artificially inflate our Threat Score because all analysis components detected a threat. More than likely this alert overlap is suggestive that the sample in question is garden variety and potentially not worth human analysis. We want to save a Threat Score of 10 for intriguing samples.
Figure 10: InQuest Threat Receipt indicating which subsystems contributed to the Threat Score.
Open Source Library
InQuest built an open source Python library for building integrations with malware sandboxes including VMRay Analyzer. The library provides a minimal, consistent interface across sandboxes, and allows for file submission, check back, and report retrieval.
Basic usage of the library is as follows:
import sys
import time
import pprint
from sandboxapi import vmray
# connect to the sandbox
sandbox = vmray.VMRayAPI(‘MY_KEY’)
# verify connectivity
if not sandbox.is_available():
print(“sandbox is down, exiting”)
sys.exit(1)
# submit a file
with open(‘myfile.exe’, “rb”) as handle:
file_id = sandbox.analyze(handle, ‘myfile.exe’)
print(“file {f} submitted for analysis, id {i}”.format(f=filename, i=file_id))
# wait for the analysis to complete
while not sandbox.check(file_id):
print(“not done yet, sleeping 10 seconds…”)
time.sleep(10)
# print the report
print(“analysis complete. fetching report…”)
report = sandbox.report(file_id)
pprint.pprint(report)
print(“Score: {score}”.format(score=sandbox.score(report)))
Read the full library documentation on ReadTheDocs.
Conclusion
VMRay’s automated malware analysis platform is an invaluable asset for SOC analysts, providing actionable intelligence and a deeper understanding of threats from the dynamic runtime analysis that it provides. InQuest’s intelligent integration allows you to leverage VMRay Analyzer alongside our advanced Deep File Inspection (DFI), signature-based detection, multi-av, reputation databases, and more for complete security coverage of your network.
