Steganography

Picture this news story: “42 suspects in three countries were arrested today in connection with the attempted theft of intellectual property from XYZ Corp.  XYZ Corp. worked with law enforcement in each country in order to identify and apprehend the would-be thieves. The Attackers were caught due to flaws in the implementation of their attack, which relied on steganography for a key portion of the attempted theft.”

Here We have a fictitious story - but it may not remain such a fictitious concept for long. In Reality, malware authors and malware groups are always looking for sneaky methods, techniques, and technologies and steganography fits the bill frighteningly well. A double bonus for malware authors is that this technology is old (academia has been examining the technique for a long time – therefore, lots of the hard work has already been done) and it is only just beginning to make its debut in the digital underground (Vinself, Shady RAT). Malware groups have a pattern of stealing technology from each other – if one form of technology is successful, a competing malware group will simply appropriate that into their own offerings.

Steganography Is a method of covertly communicating. Its close cousin is encryption, where the individual messages are obscured. In This case though, the entire fact that a conversation is taking place is obscured. Speaking Technically, encryption makes the messages covert, but not the communication channel - steganography makes the channel itself covert. What's worse is that both can be used together - a message can be encrypted and then the channel hidden through steganography.

Detecting steganography is difficult. The field dedicated to this topic is called "steganalysis".

The current threat from this type of technology is unclear and probably small. As This technique is somewhat new on the threatscape and appears to be gaining a foothold, as well as the potential applications of this technology, this author recommends maintaining acute awareness. If you are a large organization or one potentially prone to attacks such as APTs, more serious review and education into this technology is warranted.

Here are some potential avenues to consider exploring:

  • Awareness and exposure: There Is a lot of material available in the public domain for anybody who wishes to learn more about this technique.
  • Education And certification: There are companies that certify people to hunt for this technology, for example BackBone Security's Steganography Analysis and Research Center and WhetStone Technologies.
  • Security Testing: Customers should consider security testing to assess their risk of exposure to this technique. Things To consider when performing tests: the capability of the tools, security design, risk scenarios, potential countermeasures, threat characterization, threat behaviour, internal security procedure/workflow/escalation design.

One final note: to illustrate the nature of this technology a short message is steganographically embedded in this post using text steganography. The key is as follows: write down the first letter of each sentence where the second word is capitalized.  For the technically inclined, this is also very similar to chaffing-and-winnowing.