Use Case Description
With the recent explosion of data breach reports, data loss prevention (DLP) has become an area of focus for many organizations. If an attacker gains access to a protected network and begins exfiltrating sensitive information, the longer the breach goes undetected, the greater the damage to the organization. To evade detection of data leaks, hackers commonly obfuscate and embed stolen data within benign files and network flows. It is essential that data exfiltration be detected as soon as possible to minimize financial, reputational, and intellectual property damage and exposure.
The InQuest platform provides functionality that empowers analysts with the ability to easily and efficiently identify data exfiltration across their network boundaries. The InQuest solution to Data Leakage consists of four main steps: Observe, Dissect, Identify, and Alert.
The InQuest Collector can be deployed on a network TAP or a switch SPAN (mirror) port to collect all traffic crossing the boundary of a protected network. As traffic passes through the boundary, the Collector captures it and reassembles network sessions from the captured packets. Once reconstructed, these sessions are handed to InQuest's post-processing modules for dissection and analysis.
InQuest has developed proprietary dissection technology capable of processing the most common file types. This technology automatically identifies where data can be hidden within these file types. The file dissection utility natively supports a variety of compression, encoding, and obfuscation techniques and automatically extracts embedded and obfuscated data hidden in files for further analysis. File dissection and post-processing are run recursively, so each extracted piece of hidden content is itself dissected and analyzed. This defeats attackers who stack several layers of obfuscation to conceal data: every layer the dissectors recognize is unwrapped and exposed for analysis. Content hidden with a technique the dissectors do not support is not unwrapped, so the breadth of supported encodings and obfuscation methods is what this coverage rests on.
Once dissection is complete, each piece of revealed data is tested against the full signature library of the InQuest system. In addition to the Data Leakage signatures provided by InQuest Labs, customers also have the ability to define and deploy custom signatures based on their specific needs for detecting sensitive data in-transit. This enables analysts to quickly identify and pinpoint the location of an attempted data exfiltration crossing their network boundaries.
User-defined signatures can be built around proprietary or otherwise sensitive information known only to the organization. Simple signatures may alert on common markings found in documents containing sensitive information ("SECRET", "PROPRIETARY", etc.). Other candidates include account credentials, Social Security Numbers, and other types of Personally Identifiable Information (PII). Patterns for structured data such as Social Security or card numbers are best paired with a validation step (for example, rejecting SSN area numbers that are never issued, or checking a card number's Luhn digit) so that analysts are not buried in false positives. Signatures can be tailored to the needs of a particular organization.
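As an added illustration of the Dissect and Identify steps described above (example code written for this page, not InQuest's dissection engine or its signature format): a small Python scanner that recursively unwraps base64, hex and zlib/gzip layers, then applies a handful of signatures of the kinds listed here, with validators attached to the structured ones. The signature set, the decoder list, the depth limit and the sample "document" are all assumptions constructed for this example.

```python
"""Toy DLP pipeline: recursive unwrapping followed by signature matching.

Added example for this page, not InQuest code. The signature names, the
decoder list, MAX_DEPTH and the sample document are assumptions made up here.
"""
import base64
import binascii
import re
import zlib

MAX_DEPTH = 5       # bound the recursion so nested layers cannot run away
MIN_B64_RUN = 32    # shorter base64-looking runs are usually ordinary words


# --- Signatures: (name, regex, optional validator that cuts false positives) ---
def valid_ssn(s: str) -> bool:
    """Reject SSNs the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    area, group, serial = s.split("-")
    return area not in ("000", "666") and area < "900" and group != "00" and serial != "0000"


def luhn(s: str) -> bool:
    """Luhn mod-10 check over the digits of a card-number candidate."""
    digits = [int(c) for c in re.sub(r"\D", "", s)]
    if len(digits) not in (13, 14, 15, 16, 19):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


SIGNATURES = [
    ("classification_marking", re.compile(r"\b(?:TOP SECRET|SECRET|PROPRIETARY|CONFIDENTIAL)\b"), None),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), valid_ssn),
    ("credit_card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), luhn),
    ("credential", re.compile(r"(?i)\bpassword\s*[=:]\s*\S+"), None),
]

# --- Decoders: each returns every payload it could extract from a blob ---
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_RUN)
HEX_RUN = re.compile(rb"(?:[0-9a-fA-F]{2}){16,}")


def find_base64(data: bytes):
    out = []
    for m in B64_RUN.finditer(data):
        tok = m.group(0)
        tok += b"=" * (-len(tok) % 4)          # tolerate stripped padding
        try:
            out.append(base64.b64decode(tok, validate=True))
        except (binascii.Error, ValueError):   # not really base64, skip it
            pass
    return out


def find_hex(data: bytes):
    return [binascii.unhexlify(m.group(0)) for m in HEX_RUN.finditer(data)]


def find_compressed(data: bytes):
    """zlib streams start with 0x78, gzip streams with 0x1f 0x8b."""
    try:
        if data[:1] == b"\x78":
            return [zlib.decompress(data)]
        if data[:2] == b"\x1f\x8b":
            return [zlib.decompress(data, 16 + zlib.MAX_WBITS)]
    except zlib.error:
        pass
    return []


DECODERS = [("zlib", find_compressed), ("base64", find_base64), ("hex", find_hex)]


def scan(data: bytes, depth: int = 0, layers=()):
    """Match signatures on this layer, then recurse into anything a decoder unwraps."""
    text = data.decode("utf-8", errors="replace")
    hits = []
    for name, pattern, validator in SIGNATURES:
        for m in pattern.finditer(text):
            if validator is None or validator(m.group(0)):
                hits.append({"signature": name, "match": m.group(0), "layers": list(layers)})
    if depth >= MAX_DEPTH:
        return hits
    for dec_name, decoder in DECODERS:
        for payload in decoder(data):
            if payload and payload != data:
                hits.extend(scan(payload, depth + 1, layers + (dec_name,)))
    return hits


def build_sample() -> bytes:
    """Constructed sample: a sensitive roster, zlib-compressed, base64'd, pasted into a bland message."""
    secret = (b"PROPRIETARY - Project Falcon roster\n"
              b"Jane Doe SSN 123-45-6789\n"
              b"Card 4111 1111 1111 1111\n"
              b"Decoy SSN 000-12-3456\n")        # never-issued area number: must NOT alert
    return b"Quarterly newsletter attached below.\n" + base64.b64encode(zlib.compress(secret)) + b"\n"


if __name__ == "__main__":
    for hit in scan(build_sample()):
        print(hit["signature"], repr(hit["match"]), "via", "/".join(hit["layers"]) or "plaintext")
```

Running the script reports the marking, the real SSN and the card number, each tagged with the `base64/zlib` path through which it was recovered, while the decoy SSN with area number 000 is dropped by its validator. The depth limit is the safety valve a recursive dissector needs: without it, a crafted blob that re-encodes to something a decoder accepts can keep the scanner busy indefinitely.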
InQuest provides an intuitive and powerful user interface that gives analysts quick access to the data passing through their network. Automated alerting notifies an analyst whenever a defined Data Leakage signature triggers, reports the associated data exposure level, and links directly to the related network sessions, files, and post-processing tool results.
The InQuest user interface also provides powerful search and query functionality across all data observed crossing the network boundary and across the results of the analysis engines. Analysts can use it when developing and testing new signatures, to explore relationships among data and alerts, and to determine the possible impact of a detected breach.