James E. Wingate, CISSP-ISSEP, CISM, IAM
Director, Steganography Analysis & Research Center (SARC)
and
Vice President for West Virginia Operations
Backbone Security.Com

and

Chad W. Davis, CCE
Computer Security Engineer
Backbone Security.Com

Introduction

"Ignorance is bliss." "What you don't know can't hurt you." We've all heard those trite cliches. But, in this digital age, they couldn't be further from the truth. Much attention is given to external threats such as hackers, phishers, spammers, terrorists, foreign intelligence services, and the like. Consequently, much attention has been focused on perimeter defense. Firewalls and Intrusion Detection Systems (IDS), that are giving way to Intrusion Prevention Systems (IPS), have been employed to establish a barrier between the Internet and the LAN.

The main focus of cyber security defense has been to protect that which is on the inside from that which is on the outside. This has been done in the hopes of establishing an impenetrable perimeter - not unlike putting the shields up on the Starship Enterprise.

However, hope is not a viable strategy for dealing with today's cyber threats — particularly the threat from the trusted insider.

Asset Protection

Every business has assets that must be protected. Protection of physical assets is a given for most risk management programs. Physical security mechanisms such as locks, gates, and guards for protection of real property and staff or visitors are not difficult to visualize. However, protection of sensitive, or classified, information assets such as financial or medical information on employees, customer account information, proprietary information for business products and services, and any information that fits in the category of Intellectual Property such as copyrights, trademarks, and patents is a much more abstract concept for many.

Consequently, the cyber security mechanisms to protect information assets are not as easily visualized. Nonetheless, management must exercise due diligence in implementing appropriate mechanisms to protect both physical and information assets as part of an overall enterprise risk management program.

What you don't know can, and most likely will, hurt you

Physical security mechanisms have shape and substance...they can be seen and touched. Some cyber security mechanisms share this property. A firewall can be seen and touched as can other physical hardware platforms that might host other security appliances such as an IDS or IPS. However, the applications and files on user's computers are typically not visible to most network security applications. There are automated configuration management systems that monitor user workstations to ensure a standard configuration is maintained. However, unless the user's workstation is "locked down" to prevent other software from being loaded, there is a significant threat from a trusted insider using certain types of software for malicious purposes.

For example, what if Bob in Accounting had a network packet sniffer on his workstation? What if Mary in Sales had an encryption application on her workstation? What if Sam in R&D had a digital steganography application on his workstation?

Now, if Bob were a network administrator it would be reasonable to expect him to have a tool for troubleshooting network connections. And, if Mary were a system security administrator, it would be reasonable to expect her to have tools for providing for the confidentiality of information. But they aren't in those positions and neither is Sam — so none of them should have the tools they have on their workstations.

Not knowing that users have tools to eavesdrop on network traffic, communicate overtly, but confidentially, through use of encryption, or communicate covertly through the use of a digital steganography application puts sensitive, and possibly classified, information at risk. Information can be easily exfiltrated through the most sophisticated boundary protection devices and will not be detected!

Tools for Covert Communication Freely Available

Tools for hiding information - hiding any digital file inside of another digital file - are freely available and can be quickly found with a simple Web search. Use the search term "Steganography" on any of the popular Internet search engines and hundreds of links to free, or inexpensive, steganography applications will be displayed. Not only are they easy to find but they are also easy to download, install, and use (e.g. utilising drag and drop interfaces).

The widespread availability and ease of use of tools such as these are adding a whole new meaning to the Insider Threat...and a whole new sense of urgency for finding a solution to mitigate that threat.

Now for the bad news … detecting the use of digital steganography applications and then extracting information hidden with those applications is, shall we say, extraordinarily difficult.

But the good news is that research efforts in improved steganalysis techniques and procedures are resulting in new and better tools for detecting the use of digital steganography applications and subsequently extracting the hidden information.

Anomaly-based Detection

Much research has been done, and continues to be done, in the area of "universal blind detection" of steganography, also referred to as anomaly-based detection. Blind detection is an effort to detect the existence of hidden information without any prior knowledge of the application used to hide the information. A variety of approaches are used such as visual observation, structural analysis, and statistical analysis of suspect files with the objective of determining if the file's characteristics or parameters exceed a "normal" threshold.

The unfortunate reality is there are no really good tools available for performing this type of detection with a high degree of reliability. There are some tools available for doing targeted detection; however, use of those tools is dependent on prior knowledge of the steganographic technique used to hide the information inside another file, typically referred to as the carrier file or 'steg'd file'. And, it's important to keep in mind that even if a hidden message can be reliably detected, blind or targeted detection tools are of little help in extracting the hidden information.

Thus, a new approach is needed to counter the growing threat of a trusted insider using a digital steganography application to exfiltrate sensitive, proprietary, or classified information outside the enterprise network.

This situation gives rise to one of those "Gee, wouldn't it be great" moments as in "Gee, wouldn't it be great if we only had a way to detect a user's attempt to obtain or use a steganography application in real-time?" No way. Yes, way.