What is steganography?
Steganography is, broadly, a type of covert communication involving the use of any medium to hide messages. Steganography is a relatively old technique of hiding ‘secret’ data in plain sight to avoid detection. Seeing a resurgence of late, bad actors are taking advantage of steganography to circumnavigate cybersecurity, distribute malware, and secure a wider presence with less effort.
Steganography doesn’t just encode a message but instead hides the fact that there is any message at all. This was, in its simplest form, practiced in ancient Greece. According to the historian Herodotus, Histiaeus (a tyrant and ruler of Miletus in the late 6th century BCE) shaved the head of one of his servants and tattooed a message onto their scalp. After the servant’s hair grew back and they reached the message recipient, the receiver shaved the servant’s scalp again to read the message. The first formally recorded use of the term was in 1499 by Johannes Trithemius in his disquisition on cryptography and steganography, The Steganographia, itself disguised as a book about magic.
Usage of steganography in cybercrime
Least Significant Bit (LSB) is one commonly used steganography technique which embeds malicious content by changing the last few bits in a byte required to encode a message. Steganography can further be combined with encryption for the further camouflage of the ‘secret’ data. Any ‘secret’ data can be extracted during opening – releasing, for example, malware from inside a .jpg meme, botnet worms in viral GIFs, WAVs that may trigger malvertising, or may be an amusing .mov that will encrypt files and demand a Bitcoin ransom for their release. Deliberately targeted steganography distribution, such as a .doc file about changes in holiday days apparently from an organization’s HR department, can be devastating to any unprepared network.
Steganography is used to gain a foothold as part of a larger attack, such as an advanced persistent threat (APT) event which can be more easily mitigated but is notoriously difficult to detect. Attacks usually require multiple (at least two) steps, and so steganography is often reserved for targeted attacks instead of broader blanket attacks. Each hidden element will be designed for a specific compromised system and, once it’s delivered, must run appropriately. It is becoming an increasingly popular dispersal method for spyware and malware distributors. Anti-malware tools, especially perimeter security tools, can do very little to spot and mitigate these attacks. Their difference from normal files is negligible – appearing as regular digital video, audio, text files, and images.
How can we avoid steganography attacks?
There is no simple solution to this, and it involves – as does phishing – the buy-in and education of those who will be exposed to this sort of attack. It is the job of the cybersecurity team to liaise with and educate other parts of the business. This starts with departmental heads and convincing them of the necessity of training and the rules and internal legislation that will need to be put in place.
Through colleague training via online courses, through security team presentations, or via video, it’s important we show the importance of never downloading, opening, or clicking on a suspicious image, video, audio, and text files from unknown sources. How can we recognize suspicious files, if at all, and what should we look for in email and other communications that might contain steganography files? Testing our colleagues and training them to understand the risks and signs is important. Filling in simple quizzes or more complicated multiple-choice forms all help to reaffirm the importance of this training and offer a show of success and/or room for improvement. General training should also be given on common phishing and social engineering tactics used by bad actors.
As a start, lock down individual computers in order to prevent employees from downloading software or other applications that may contain steganographic codes, from unsanctioned sources. Setting company-wide rules for this, with the principle of least privilege (PoLP), will work best. Cybersecurity teams should, by default, closely monitor digital activity to identify (consciously, or by accident or neglect) malicious insiders. Insider threat management can also offer a clearer understanding of who has legitimate access to what information.
While it will not directly detect steganography in action, anti-malware tools will recognize the presence of malware types – such as ransomware, worms, rootkits, and Trojans. Anti-malware tools might include Web Application Firewall (WAF), which is deployed at the edge of your network and uses signature, behavioral and reputational analysis to block malware injection attacks on websites and web applications. Cloud WAF is a managed service and protects against any type of application layer hacking attempt. It is possible to intercept communication attempts with backdoor shells on your web server to pinpoint hidden malware, and a solid 2FA solution will hamper bad actors from using stolen login credentials to gain network access to install rootkits and backdoors on your web servers.
The big picture
While tricky to identify, protection is possible. The use of steganography is increasing, and the best offense is a good defense. Education, as with many elements of cybersecurity, is important. Best practices and the mantra that “security is everyone’s responsibility” will be critical in avoiding yet another route to malware injection in the future when, who knows, steganography spreads to the internet of things.
Try Imperva for Free
Protect your business for 30 days on Imperva.