InQuest

The InQuest InSights Job App integration with the ThreatConnect TI Ops platform provides ThreatConnect users with advanced threat intelligence, derived from extensive malware file analysis and a mix of open-source and exclusive reputation data sources, augmented with indicators extracted from file-based analysis across its customer base, partnerships, and its own analysis platform. The IOCs provided by InQuest are:

• 92.9% unique compared to existing TI data shared with Quad9.net, providing security teams with a distinct perspective based on real attacks observed in the wild. These are typically from advanced threat actor groups targeting highly sensitive, strategic sectors. 
• Noteworthy for their timeliness and uniqueness, averaging 383 days ahead of public dissemination or recognition as a “new threat” by other intel sources.

InQuest Intelligence provides two IOC feeds for ThreatConnect users:

• Bulk/Open Source - InQuest Intelligence IOCs generated by InQuest's advanced, automated research tools. Access to the Bulk feed is free to all ThreatConnect users.
• Curated - InQuest Intelligence IOCs that have been vetted by the InQuest research team for the highest fidelity and confidence.

There are three categories of IOCs provided by the InQuest Intelligence feeds:

• Address - IP addresses 
• Host - Domains
• URL - URLs with protocol

InQuest uses several internal sources to create their threat intelligence feeds, such as:

• InQuest InSights C2: A focused dataset that brings InQuest’s most novel analysis on malware command and control (C2) infrastructure. This feed is primarily composed of the output of InQuest’s threat intelligence analysts' work product as well as proprietary sources.
• InQuest InSights TI: A threat feed composed of indicators relating to adversary infrastructure used for a variety of abuse, including malware staging, phishing, VPN and proxy endpoints, and attack origination, including mail delivery, scanning and exploitation, and network penetration. This feed includes data from InQuest intelligence analysis and our partner networks.
• InQuest Labs RepDB: A collection of reputation data leveraged by the InQuest TI team to validate and contextualize InQuest Threat Intelligence. It consists of two dozen of the most trusted reputation datasets available privately and commercially, as well as output of InQuest’s state-of-the-art Deep File Inspection® (DFI) technology.
• InQuest Labs IOCDB: A rich OSINT-focused feed that contains hundreds of sources pulled from the Internet filtered and contextualized to provide high-quality indicators and data in a timely manner.
• InQuest Labs DFIDB: A feed composed of indicators extracted from publicly shared files as well as files uploaded to labs.inquest.net for analysis by InQuest DFI file analysis. This feed contains quality indicators good for hunting that have not been validated by an analyst at InQuest.

All IOC sources have four attributes:

• Threat Type - The IOC category; one of Address, Host, or URL.
• Threat Rating - The severity of the IOC on a scale of 1 to 5, with 5 being the highest. This value is mapped from the InQuest score which is on a scale of 1 to 10 with 10 being the highest.
• Added - The date the IOC was added to the ThreatConnect platform.
• Modified - The date the IOC was last updated on the ThreatConnect platform.