One of the revelations from the recent capture of a number of deep-cover Russian spies here in the US was that they used steganography (the concealment of data within innocuous-looking files) to hide and transmit secret documents and messages to their handlers. Steganography is one of those techniques that gets talked about a lot at security conferences but has not seemed to play a major role in news of security breaches. This seems a bit odd to me: stego seems like a great way to exfiltrate information in plain sight. By embedding ill-gotten data in vacation pictures posted to Flickr or Facebook, spies (corporate or otherwise) can create very low-risk electronic dead drops with a few mouse clicks. Unlike encryption on its own, stego does not leave suspicious encrypted files to exfiltrate, just innocent-looking pictures or songs. The software needed to create stego-protected files is available on the Net. So why (other than some articles about Al Qaeda reportedly using stego to embed secret information in internet images) do we not hear more about this technique? I have a couple of hypotheses:
Attackers are using stego, but they are not getting caught. Detecting files with steganographically hidden content is very difficult, requiring specialized knowledge and tools that most enterprises and forensic examiners don't have.
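To make the first hypothesis concrete, here is an added example (not code from the post, and not from any real stego tool) showing both halves of the problem: the simplest way such tools hide data, sequential least-significant-bit (LSB) replacement in image pixels, and the classic "pairs of values" chi-square check that a forensic examiner can run against it. The image is a constructed 512x512 grayscale pixel array rather than a real photo, the payload is "encrypted" with a seeded PRNG keystream standing in for real encryption, and all names (make_cover, embed_lsb, chi2_pov, estimate_embedded_fraction, KEY) are this example's own assumptions.

```python
"""Added example: sequential LSB embedding in a raw 8-bit grayscale image,
and the chi-square "pairs of values" steganalysis that detects it.
Everything is constructed for the demo: no image files, no third-party
libraries; function names are this example's own, not from a real tool."""
import random
import struct
from collections import Counter

WIDTH, HEIGHT = 512, 512
KEY = 0xC0FFEE  # demo key for the placeholder keystream below (assumption)


def make_cover(seed=7, mean=128, sigma=4):
    """Constructed stand-in for a photo. Values come from a narrow Gaussian
    so neighbouring histogram bins (2k and 2k+1) have clearly different
    counts, as they do in real camera output."""
    rng = random.Random(seed)
    px = bytearray(WIDTH * HEIGHT)
    for i in range(len(px)):
        px[i] = min(255, max(0, int(round(rng.gauss(mean, sigma)))))
    return bytes(px)


def toy_keystream_xor(data, key):
    """Placeholder for real encryption (seeded PRNG keystream, NOT secure).
    A careful sender encrypts before hiding; that also makes the embedded
    bits look uniformly random, which the detector below exploits."""
    rng = random.Random(key)
    return bytes(b ^ rng.getrandbits(8) for b in data)


def embed_lsb(cover, payload):
    """LSB replacement: 4-byte big-endian length, then the payload, one bit
    per pixel, written sequentially from pixel 0."""
    frame = struct.pack(">I", len(payload)) + payload
    if len(frame) * 8 > len(cover):
        raise ValueError("payload too large for this cover")
    px = bytearray(cover)
    for i, byte in enumerate(frame):
        for bit in range(8):
            idx = i * 8 + bit
            px[idx] = (px[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(px)


def extract_lsb(stego):
    """Inverse of embed_lsb: read the length, then that many bytes."""
    def read_bytes(count, offset):
        out = bytearray()
        for i in range(count):
            byte = 0
            for bit in range(8):
                byte = (byte << 1) | (stego[offset + i * 8 + bit] & 1)
            out.append(byte)
        return bytes(out)
    length = struct.unpack(">I", read_bytes(4, 0))[0]
    return read_bytes(length, 32)


def chi2_pov(pixels):
    """Chi-square over histogram pairs (2k, 2k+1). LSB replacement with
    random bits pushes both bins of a pair toward equal counts, so chi2/dof
    is about 1 on an embedded region and much larger on an untouched one.
    Returns (chi2, degrees_of_freedom)."""
    hist = Counter(pixels)
    chi2, dof = 0.0, 0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        n = a + b
        if n < 8:  # ignore sparse tail bins
            continue
        expected = n / 2
        chi2 += (a - expected) ** 2 / expected + (b - expected) ** 2 / expected
        dof += 1
    return chi2, dof


def chi2_ratio(pixels):
    chi2, dof = chi2_pov(pixels)
    return chi2 / dof if dof else float("inf")


def estimate_embedded_fraction(pixels, steps=8, threshold=2.5):
    """Scan growing prefixes of the image; the leading run of prefixes whose
    chi2/dof stays near 1 estimates how much of the image carries
    sequentially embedded data (0.0 means nothing found)."""
    n, run = len(pixels), 0
    for s in range(1, steps + 1):
        if chi2_ratio(pixels[: n * s // steps]) < threshold:
            run = s
        else:
            break
    return run / steps


def run_demo():
    """Hide a document filling exactly 5/8 of the cover, recover it, and run
    the detector on both the clean and the stego image."""
    cover = make_cover()
    capacity = len(cover) * 5 // 8 // 8 - 4  # payload bytes after the length prefix
    document = (b"Meet at the usual place; bring the documents. " * 440)[:capacity]
    stego = embed_lsb(cover, toy_keystream_xor(document, KEY))
    recovered = toy_keystream_xor(extract_lsb(stego), KEY)
    return {
        "round_trip_ok": recovered == document,
        "cover_ratio": chi2_ratio(cover),                       # far above 1
        "stego_ratio": chi2_ratio(stego[: len(stego) * 5 // 8]),  # about 1
        "cover_fraction": estimate_embedded_fraction(cover),    # 0.0
        "stego_fraction": estimate_embedded_fraction(stego),    # 0.625
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point of the scan is that the examiner needs neither the original cover nor the key: a histogram whose 2k/2k+1 bins have been flattened over a leading stretch of the pixel array is itself the evidence. The caveat cuts the other way too. This test only catches sequential LSB replacement; tools that scatter the bits pseudo-randomly across the image or use matrix embedding (as F5 does) leave the pair statistics of any prefix nearly untouched, and need the more specialized steganalysis the post alludes to.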
Attackers are not using stego because they don't need to. So many organizations have no handle on what information is leaving their networks that attackers don't feel the need to go to the trouble of hiding the information they are swiping. Or they are using really low-tech methods to get the data out of the organization, like printing, or fax, or this.
Is stego a real threat to the enterprise? I am not sure. But the availability of stego underlines the need to build a security culture in your organization and to use both technical and non-technical means to detect potential problems. Stego seems to be a tool that insiders would be predisposed to use, and detecting insider threats takes both technology and plain old vigilance. There is some excellent information on detecting insider threats available from the CERT team; it should be on your reading list.
This post was inspired by Kai Axford’s (Accretive Solutions) great presentation at today’s New York Metro InfraGard meeting.