What is steganography and how can we avoid it?

What is steganography?

Steganography is a form of covert communication that uses an ordinary medium to hide a message. It is a relatively old technique for hiding “secret” data in plain sight to avoid detection, and it is seeing a resurgence: malicious actors are taking advantage of it to circumvent security controls, distribute malware, and reach more victims with less effort.

Steganography does more than encode a message: it hides the fact that a message exists at all. In its simplest form it was practised in ancient Greece. According to the historian Herodotus, Histiaeus (a tyrant and ruler of Miletus in the late 6th century BCE) shaved the head of one of his servants and tattooed a message on his scalp. Once the servant’s hair had grown back and he reached the recipient of the message, the recipient shaved the servant’s scalp again to read it. The first formally recorded use of the term was in 1499, by Johannes Trithemius, in his dissertation on cryptography and steganography, the Steganographia, itself disguised as a book on magic.

Use of steganography in cybercrime

Malicious actors have begun to leverage steganography as an attack vector, hiding malware and malicious JavaScript inside ordinary-looking files and delivering those files to chosen targets within an organization.

Least Significant Bit (LSB) embedding is a commonly used steganography technique: it alters only the last bit of each byte of a carrier file, which is enough to encode a message without perceptibly changing the carrier. Steganography can also be combined with encryption to camouflage the “secret” data further. The hidden data is extracted when the carrier is processed by a component that knows where to look, releasing, for example, malware inside a .jpg meme, a botnet worm in a viral GIF, a WAV that triggers malicious ads, or a fun .mov that encrypts files and demands a Bitcoin ransom for their release. A deliberately targeted steganographic delivery, such as a .doc about a change to vacation days that appears to come from the organization’s human resources department, can be devastating to an unprepared network.
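To make the LSB technique concrete from the defender’s side, here is a worked example added to this post (it is not the author’s code and not from any tool the post mentions). It embeds a length-framed payload into the least significant bit of successive bytes of a constructed buffer standing in for 8-bit grayscale pixel data, shows that no byte moves by more than one value (which is why the carrier looks normal), and then runs the pairs-of-values chi-square check of Westfeld and Pfitzmann, which exploits the fact that LSB replacement can only move a value between 2k and 2k+1. The cover buffer, the random payload standing in for encrypted data, and the detection threshold of 2.0 are all constructed or assumed for illustration; real pixel data would be read from an image file.

```python
"""LSB embedding and a pairs-of-values chi-square check on a constructed
byte buffer that stands in for 8-bit grayscale pixel data.

Added example, not from the original post. The cover, the payload and the
detection threshold are constructed/assumed for illustration."""
import random


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write payload into the least significant bit of successive cover bytes.

    A 32-bit big-endian length header precedes the payload so the extractor
    knows where to stop. One cover byte carries one payload bit, so the
    capacity is len(cover) // 8 bytes including the header."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("payload does not fit in cover")
    out = bytearray(cover)
    for i, byte in enumerate(framed):
        for j in range(8):
            bit = (byte >> (7 - j)) & 1
            idx = i * 8 + j
            out[idx] = (out[idx] & 0xFE) | bit  # replace only the last bit
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Recover the framed payload written by embed_lsb."""
    def read(start_byte: int, n_bytes: int) -> bytes:
        out = bytearray()
        for i in range(start_byte, start_byte + n_bytes):
            value = 0
            for j in range(8):
                value = (value << 1) | (stego[i * 8 + j] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read(0, 4), "big")
    return read(4, length)


def max_byte_delta(a: bytes, b: bytes) -> int:
    """Largest per-byte change between two equal-length buffers."""
    return max(abs(x - y) for x, y in zip(a, b))


def pov_chi_square_ratio(data: bytes) -> float:
    """Pairs-of-values chi-square statistic (Westfeld/Pfitzmann) divided by
    its degrees of freedom.

    LSB replacement can only move a value between 2k and 2k+1, so embedding
    random-looking bits at full capacity drives the counts of each such pair
    towards equality. A ratio near 1 means the pairs are equalized; a cover
    with a naturally uneven histogram scores much higher."""
    counts = [0] * 256
    for v in data:
        counts[v] += 1
    stat, pairs = 0.0, 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        total = even + odd
        if total == 0:
            continue
        stat += (even - odd) ** 2 / total
        pairs += 1
    return stat / max(pairs - 1, 1)


def looks_lsb_embedded(data: bytes, threshold: float = 2.0) -> bool:
    """Flag buffers whose pair counts are suspiciously equalized.
    The threshold is an assumed cut-off, not a calibrated value."""
    return pov_chi_square_ratio(data) < threshold


def make_cover(n: int, seed: int = 7) -> bytes:
    """Constructed cover: bytes whose histogram favours even values 3:1, the
    kind of unevenness between adjacent values that quantised or posterised
    images show. Real pixel data would be read from an image file instead."""
    rng = random.Random(seed)
    return bytes(2 * rng.randrange(128) + (1 if rng.random() < 0.25 else 0)
                 for _ in range(n))


def demo() -> dict:
    """Embed at full capacity, then compare cover and stego buffers."""
    cover = make_cover(20000)
    # A random payload stands in for encrypted data (the post notes that
    # steganography is often combined with encryption); it fills the cover.
    rng = random.Random(1)
    payload = bytes(rng.getrandbits(8) for _ in range(20000 // 8 - 4))
    stego = embed_lsb(cover, payload)
    return {
        "round_trip_ok": extract_lsb(stego) == payload,
        "max_delta": max_byte_delta(cover, stego),
        "cover_ratio": pov_chi_square_ratio(cover),
        "stego_ratio": pov_chi_square_ratio(stego),
        "cover_flagged": looks_lsb_embedded(cover),
        "stego_flagged": looks_lsb_embedded(stego),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner should keep in mind: the statistic only separates cleanly when the payload fills the carrier sequentially, so real detectors run it over sliding windows to catch partial embedding, and a carrier that was already statistically flat (heavy noise, previously processed data) gives no signal at all. This is why the post’s point stands that steganography is hard to catch at the perimeter and that the malware payload itself is usually what gets detected later.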

Steganography is used to gain a foothold as part of a larger attack, such as an Advanced Persistent Threat (APT) campaign, which can be mitigated but is notoriously difficult to detect. Such attacks require multiple steps (at least two: delivering the carrier, then extracting and running what it hides), so steganography tends to be reserved for targeted attacks rather than broad, untargeted ones. Each hidden item is designed for a specific compromised system and is expected to function correctly once delivered. It is an increasingly popular distribution method for spyware and malware operators. Anti-malware tools, especially perimeter security tools, can do little to detect and mitigate these attacks: the carriers are all but indistinguishable from normal files, appearing as ordinary digital video, audio, text files and images.

How to avoid steganography attacks?

There is no simple solution to this; as with phishing, it requires the buy-in and education of everyone who will be exposed to this type of attack. It is the cybersecurity team’s job to liaise with and educate the rest of the business. That starts with department heads: convincing them of the need for training and of the internal rules and policies that will have to be put in place.

Whether colleagues are trained through online courses, security team presentations or videos, the message must be that no image, video, audio or text file from an unknown source should ever be downloaded, opened or clicked. How do we recognize a suspicious file, and what should we look for in emails and other communications that may carry steganographic files? Colleagues should be tested as well as trained so that they understand the risks and the warning signs. Simple questionnaires or more involved multiple-choice tests reinforce the importance of the training and show where it has succeeded and where there is room for improvement. General training should also cover the phishing and social engineering tactics malicious actors commonly use.

For starters, lock down individual computers so that employees cannot install software or other applications, which may carry steganographic payloads, from unauthorized sources. Company-wide rules for this, combined with the Principle of Least Privilege (PoLP), work best. Cybersecurity teams must, by default, monitor digital activity closely in order to identify malicious insiders, whether they act knowingly, accidentally or negligently. Insider threat management also provides insight into who has legitimate access to which information.

Although they do not detect steganography in action directly, anti-malware tools recognize the presence of the types of malware it carries, such as ransomware, worms, rootkits and Trojans. Such tooling can include a Web Application Firewall (WAF), deployed at the edge of the network, which uses signature, behaviour and reputation analysis to block injection attacks and malware on websites and web applications. A cloud WAF is a managed service that protects against application-layer attacks. Communication attempts with backdoor shells on a web server can be intercepted to reveal hidden malware, and a solid two-factor authentication (2FA) solution prevents bad actors from using stolen login credentials to gain access to the network and install rootkits and backdoors on web servers.

The big picture

Although steganography is difficult to identify, protection is possible. Its use is increasing, and the best offense is a good defense. Education, as with many elements of cybersecurity, is important. Best practices and the mantra that “security is everyone’s responsibility” will be key to closing off another path of malware injection in a future where, who knows, steganography may pervade the Internet of Things.


This is a syndicated post from the Security Bloggers Network, written by Nik Hewitt. Read the original post at: https://www.imperva.com/blog/what-is-steganography-and-how-can-we-avoid-it/
