
SANS Technology Institute - Candidate for Master of Science Degree

Steganography: Then and Now

John Hally, May 2012

GIAC GSEC, GCIA, GCIH, GCFA, GCWN, GPEN

Steganography

• What it is: hidden writing
– From the Greek "steganos" (covered) and "graphein" (writing)
– The goal is to hide the fact that any communication is taking place at all

• What it is not: cryptography
– The goal of cryptography is to make data unreadable to a third party; the existence of the message is not hidden

• Commonly combined: the payload is encrypted before it is hidden, so that detecting the hidden message still does not reveal its content


Uses – Then

• Digital watermarking / copyright protection
• Corporate espionage
• Anti-forensics
• Terrorist cell covert communications


Tools - Then

• Then (circa 2001):
– Spammimic
– MP3Stego
– OutGuess
– JPHS (JP Hide and Seek)
– Many others: www.jjtc.com/Steganography/tools.html


Detection - Then

• Direct comparison against the original cover file (visual, then statistical); only possible when the original is available
• Targeted detection tools that look for the artifacts of specific, popular steganography tools
– Stegdetect
• General framework: statistical analysis of the carrier (histogram and bit-plane tests), which does not depend on knowing the tool used
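To make the "statistical analysis" bullet concrete, the following is an added example (not from the slides, and not Stegdetect's code) of the chi-square attack on sequential LSB embedding, the classic histogram test of that era. It runs on two constructed 8-bit grayscale samples: a cover whose histogram has the comb-like gaps a contrast stretch leaves behind, and the same cover with every LSB overwritten by random bits, which is what a sequentially embedded, encrypted payload does to a carrier. The sample generator, the minimum expected count and the decision threshold are assumptions made for this example.

```python
"""Chi-square attack on LSB steganography (Westfeld and Pfitzmann, 1999),
run over constructed 8-bit grayscale samples. Added example, not code from
the original slides. Standard library only, so it runs offline."""
import math
import random


def regularized_gamma_p(a, x, eps=1e-14, max_iter=1000):
    """Regularized lower incomplete gamma P(a, x). The chi-square CDF with
    k degrees of freedom is P(k/2, chi2/2). Series for x < a + 1, Lentz
    continued fraction for the complement Q otherwise."""
    if x <= 0.0:
        return 0.0
    log_prefix = -x + a * math.log(x) - math.lgamma(a)
    if x < a + 1.0:
        term = total = 1.0 / a
        for n in range(1, max_iter):
            term *= x / (a + n)
            total += term
            if abs(term) < abs(total) * eps:
                break
        return total * math.exp(log_prefix)
    tiny = 1e-300
    b = x + 1.0 - a
    c = 1.0 / tiny
    d = 1.0 / b
    h = d
    for i in range(1, max_iter):
        an = -i * (i - a)
        b += 2.0
        d = an * d + b
        if abs(d) < tiny:
            d = tiny
        c = b + an / c
        if abs(c) < tiny:
            c = tiny
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < eps:
            break
    return 1.0 - math.exp(log_prefix) * h


def chi_square_lsb(pixels, min_expected=5):
    """Pairs-of-values test. Returns (chi2, dof, p) where p is the
    'probability of embedding' 1 - CDF(chi2). Overwriting the LSBs with
    random data drives the counts of values 2k and 2k+1 toward equality,
    so chi2 collapses and p approaches 1; an untouched cover with an
    irregular histogram gives a huge chi2 and p near 0."""
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    chi2, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected < min_expected:      # skip sparse pairs (assumption)
            continue
        chi2 += (even - expected) ** 2 / expected
        pairs += 1
    dof = pairs - 1
    if dof < 1:
        return chi2, dof, 0.0
    return chi2, dof, 1.0 - regularized_gamma_p(dof / 2.0, chi2 / 2.0)


def make_cover(n=8192, seed=1):
    """Constructed cover: a noisy gradient put through a 1.5x contrast
    stretch, which leaves every third grey level empty, as editing real
    photos often does. Even/odd neighbours are therefore far from equal."""
    rng = random.Random(seed)
    pixels = []
    for i in range(n):
        v = (i * 170) // n + rng.randint(-8, 8)     # gradient plus noise
        v = min(169, max(0, v))
        pixels.append((v * 3) // 2)                 # stretch: 0..253 with gaps
    return pixels


def embed_random_lsbs(pixels, seed=2):
    """What sequential LSB embedding of an encrypted payload does to the
    cover: every LSB is replaced by an unbiased random bit."""
    rng = random.Random(seed)
    return [(p & 0xFE) | rng.getrandbits(1) for p in pixels]


def looks_embedded(pixels, threshold=0.9):
    """Decision rule used here (threshold is an assumption)."""
    return chi_square_lsb(pixels)[2] > threshold


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_random_lsbs(cover)
    for name, sample in (("cover", cover), ("stego", stego)):
        chi2, dof, p = chi_square_lsb(sample)
        print("%s: chi2=%.1f dof=%d p=%.4f embedded=%s"
              % (name, chi2, dof, p, looks_embedded(sample)))
```

The test has the limits the next slides allude to: a smooth synthetic gradient or a dithered image can equalize the pairs on its own, and tools that spread a small payload over pseudo-random pixel positions leave most pairs untouched, so the plain sequential test misses them. That is why tool-targeted detectors add checks for the specific embedding scheme instead of relying on one generic statistic.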

Tools - Now

• Updates and derivations of the original tools
• Steganography Analysis and Research Center (SARC) detection tools:
– StegAlyzerAS
– StegAlyzerSS
– StegAlyzerRTS
• Third-party tool integration (Fidelis)


Detection - Now

• Signature-based solutions are prevalent: they match the artifacts of known steganography tools, much as anti-virus and anti-malware products match known samples
• The original methodologies (comparison against the original, statistical analysis) are still relevant, and are the only option against custom tools that have no signature
• Forensic expert consensus: steganography is not typically searched for in investigations


In Use Today

• Command and control: Operation Shady RAT
• Espionage: Russian intelligence "Illegals Program"
• Terrorism?


Operation Shady RAT

• A multi-year targeted operation by a single actor to exfiltrate sensitive information from its targets
– 71 compromised organizations identified:
• 21 government organizations, including 6 US federal, 5 state and 3 county
• 6 industrial organizations: construction/heavy industry, steel, solar, energy
• 13 technology organizations, including 2 security companies
• 13 defense contractors, and many others
– Three-stage targeted attack:
• Spear phishing
• Command and control (C&C)
• Information exfiltration


Shady RAT C&C

• The trojan's command-and-control channel used steganography
• Commands were embedded in HTML files and in image files
• In the HTML files the commands were hidden with encryption and encoding for obfuscation
• In the image files the commands were embedded in the image data itself, so the file still displayed as an ordinary picture
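The mechanism behind "commands embedded in image files", as an added example that is not part of the original deck and is not Shady RAT's code (the slides give no format details): sequential LSB embedding of a framed, XOR-obfuscated command into an 8-bit grayscale pixel buffer, together with the extraction routine an implant would run on the downloaded image. The MAGIC marker, the 2-byte length prefix and the XOR key are assumptions made for this example; XOR with a short repeating key is the kind of lightweight obfuscation the slide mentions, not encryption. The cover image is a constructed gradient.

```python
"""Sequential LSB embedding of a C&C command into an image buffer, and the
matching extraction. Added example only; the framing (MAGIC, length, XOR
key) is invented for illustration and belongs to no real implant."""
import struct

MAGIC = b"CMD1"      # hypothetical frame marker (assumption)
KEY = b"k3y!"        # hypothetical shared key; repeating XOR is obfuscation, not encryption


def xor_bytes(data, key=KEY):
    """Repeating-key XOR: hides strings from grep, not from analysis."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def frame_command(command, key=KEY):
    """MAGIC + big-endian 16-bit length + obfuscated UTF-8 command."""
    body = xor_bytes(command.encode("utf-8"), key)
    return MAGIC + struct.pack(">H", len(body)) + body


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(pixels, payload):
    """Write the payload bits into the least significant bit of consecutive
    pixels. Each pixel changes by at most one grey level."""
    if len(payload) * 8 > len(pixels):
        raise ValueError("cover too small: need %d bits, have %d pixels"
                         % (len(payload) * 8, len(pixels)))
    out = list(pixels)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit
    return out


def _read_bytes(pixels, offset, count):
    """Reassemble `count` bytes from the LSBs starting at pixel `offset`."""
    result = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[offset + b * 8 + k] & 1)
        result.append(value)
    return bytes(result)


def extract_command(pixels, key=KEY):
    """Implant side: recover the command, or None if no frame is present."""
    header_len = len(MAGIC) + 2
    if len(pixels) < header_len * 8:
        return None
    header = _read_bytes(pixels, 0, header_len)
    if header[:len(MAGIC)] != MAGIC:
        return None
    (length,) = struct.unpack(">H", header[len(MAGIC):])
    if len(pixels) < (header_len + length) * 8:
        return None
    body = _read_bytes(pixels, header_len * 8, length)
    return xor_bytes(body, key).decode("utf-8", errors="replace")


def make_cover(width=64, height=64):
    """Constructed 8-bit grayscale cover (a diagonal gradient), flattened
    row by row; every pixel value is even, so all cover LSBs are 0."""
    return [(x + y) * 2 for y in range(height) for x in range(width)]


def max_pixel_delta(a, b):
    """Largest per-pixel difference between two buffers of equal length."""
    return max(abs(p - q) for p, q in zip(a, b))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb(cover, frame_command("beacon 600; get /srv/share"))
    print("max per-pixel change:", max_pixel_delta(cover, stego))
    print("recovered command:", extract_command(stego))
```

Because no pixel moves by more than one grey level, a visual check of the image finds nothing; with the original cover in hand, a byte-wise comparison of the two files (the "direct comparison" method from the Detection - Then slide) exposes the change immediately, which is precisely why that method depends on having the original. Without it, the defender is left with the traffic pattern: an implant that fetches the same image repeatedly and acts afterwards.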


Examples of Steganographic Files (image-only slide; the screenshots are not reproduced in the transcript)


Espionage

• United States v. Anna Chapman and Mikhail Semenko
• Illegals Program: investigation of Russian "sleeper" agents operating in the U.S.
• Their main goal was to infiltrate United States policy-making circles
• The agents were to conceal any connection between themselves and the Russian Federation's foreign intelligence service (SVR)


Espionage: Covert Communications

• The investigation revealed the use of steganography for communications back to Russia
• A custom steganography program, not a publicly available tool, was used to embed data in images
• Communications also took place over short-range ad hoc wireless links ("wireless drive-by" exchanges between laptops)
• Additional physical (non-digital) steganographic methods were used

Enterprise Defenses

• Know your data
• Know your traffic
• Know your people
• Education
• Vigilance


Summary

• Steganography
– The art of hiding messages in files for covert communications
• Tools
– Hundreds of tools available; many use the same methods
• Detection
– Detection methods exist for well-known tools
– Statistical analysis is required for custom tools
– Not commonly searched for in typical forensic analysis
• Uses
– Command and control: Shady RAT
– Russian espionage: "Illegals Program"
• Defenses
– Know your data, traffic and people
– Education and vigilance
