Page 1:

SANS Technology Institute - Candidate for Master of Science Degree

Steganography Then and Now

John Hally, May 2012

GIAC GSEC, GCIA, GCIH, GCFA, GCWN, GPEN

Page 2:

Steganography

• What it is: hidden writing
  – From the Greek words “steganos” (covered) and “graphein” (writing).
  – The goal is to hide the fact that communication is taking place at all.

• What it is not: cryptography
  – The goal of cryptography is to make data unreadable by a third party; it does not hide that a message exists.

• The two are commonly combined: encrypt the payload first, then hide it in a carrier.

Page 3:

Uses – Then

• Digital watermarking/copyright protection
• Corporate espionage
• Anti-forensics
• Terrorist cell covert communications

Page 4:

Tools – Then

• Then (circa 2001):
  – Spammimic
  – MP3Stego
  – OutGuess
  – JPHS (JP Hide and Seek)
  – Many others: www.jjtc.com/Steganography/tools.html

Page 5:

Detection – Then

• Direct comparison against the original carrier (visual, statistical)
• Targeted detection tools – written for specific popular steganography tools
  – StegDetect
• General framework – statistical analysis of the carrier alone, when no original is available
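The definition on Page 2 and the two detection approaches on this slide are easiest to see on a concrete carrier. The following Python is an added example and is not code from the original presentation or from any of the tools it names. It embeds a message by sequential least-significant-bit (LSB) replacement into a constructed 8-bit greyscale carrier (a plain list of sample values, not a real image), recovers it, and then detects it both ways the slide lists: direct comparison with the original, and, without the original, the chi-square pairs-of-values statistic of Westfeld and Pfitzmann. The carrier generator, the message text and the 1024-sample analysis window are assumptions chosen for the demonstration; on real files you would read pixel values with an image library such as Pillow and slide the window along the image.

```python
import random
import struct

WIDTH, HEIGHT = 64, 64   # constructed 8-bit greyscale carrier: 4096 samples


def make_cover(seed=7):
    """Constructed carrier, not a real photograph: a noisy diagonal gradient
    with ~80% of samples forced to even values, so that (as in most untouched
    images) the two members of each pair of values (2k, 2k+1) occur with
    noticeably different frequencies."""
    rng = random.Random(seed)
    cover = []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            v = max(0, min(255, (x + y) * 2 + rng.randint(-3, 3)))
            if rng.random() < 0.8:
                v &= 0xFE
            cover.append(v)
    return cover


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, message):
    """Sequential LSB replacement: a 4-byte big-endian length prefix, then the
    message, one bit per sample starting at sample 0."""
    payload = struct.pack(">I", len(message)) + message
    bits = list(_bits(payload))
    if len(bits) > len(cover):
        raise ValueError("payload needs %d samples, carrier has %d"
                         % (len(bits), len(cover)))
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract(stego):
    """Reverse of embed(). The length check rejects most carriers that hold
    no payload at all, but a garbage prefix can still pass it by chance."""
    def read(start_bit, nbytes):
        out = bytearray()
        for b in range(nbytes):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[start_bit + 8 * b + k] & 1)
            out.append(value)
        return bytes(out)
    (length,) = struct.unpack(">I", read(0, 4))
    if 32 + 8 * length > len(stego):
        raise ValueError("declared length %d does not fit the carrier" % length)
    return read(32, length)


def direct_compare(cover, stego):
    """Detection with the original in hand: how many samples changed and by
    how much. LSB replacement changes a sample by at most 1."""
    diffs = [abs(a - b) for a, b in zip(cover, stego)]
    return sum(1 for d in diffs if d), max(diffs)


def chi_square_pov(samples):
    """Pairs-of-values statistic, usable without the original. LSB replacement
    of roughly 50/50 bits drives the counts of 2k and 2k+1 together, so the
    statistic falls towards its degrees of freedom or below; an untouched
    carrier gives a much larger value. Returns (stat, df)."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    stat, df = 0.0, -1
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected > 0:
            stat += (even - expected) ** 2 / expected
            df += 1
    return stat, max(df, 1)


# Constructed sample message (202 bytes), repeated so it covers the window.
MESSAGE = (b"Rendezvous at the old pier at 0400. Bring the package. "
           b"Confirm by replying with the usual photograph.") * 2


def demo(window=1024):
    """Embed, recover, and run both detections on the first `window` samples,
    which the payload fully covers."""
    cover = make_cover()
    stego = embed(cover, MESSAGE)
    changed, max_diff = direct_compare(cover, stego)
    cover_stat, _ = chi_square_pov(cover[:window])
    stego_stat, _ = chi_square_pov(stego[:window])
    return {
        "recovered": extract(stego) == MESSAGE,
        "samples_changed": changed,
        "max_sample_diff": max_diff,
        "chi2_cover": cover_stat,
        "chi2_stego": stego_stat,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %s" % (key, value))
```

Run the file directly to print the five values. The statistic only drops where the payload actually sits, so an embedding that stops partway through the carrier is located by evaluating it on successive prefixes; tools such as OutGuess that deliberately preserve first-order statistics defeat this particular test, which is why the slide lists tool-targeted detectors as a separate approach.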

Page 6:

Tools – Now

• Updates/derivations of the original tools
• Steganography Analysis and Research Center (SARC) – detection tools
  – StegAlyzerAS
  – StegAlyzerSS
  – StegAlyzerRTS
• Third-party tool integration (Fidelis)

Page 7:

Detection – Now

• Signature-based solutions are prevalent
• Antivirus/antimalware similarities: known tools are caught by signature, custom tools are not
• The original methodologies (comparison and statistical analysis) are still relevant
• Forensic expert consensus – steganalysis is not typically included in investigations
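A cheap structural check that sits alongside the signature-based tools on this slide, as an added example and not code from SARC, Fidelis or the original presentation: walk a PNG's chunk list and report anything a plain viewer would ignore, which is exactly where appended or ancillary-chunk payloads go. The sample images are constructed in the code (a 1x1 greyscale PNG with, respectively, nothing extra, a tEXt chunk and a trailer after IEND); the finding strings are my own wording. A JPEG equivalent would look for bytes after the FFD9 end-of-image marker.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types a minimal decoder needs; anything else is worth a look.
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def _chunk(ctype, data=b""):
    """Build one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(extra_chunks=(), trailer=b""):
    """Constructed sample input: a valid 1x1 8-bit greyscale PNG, optionally
    with extra chunks before IEND and/or bytes appended after it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")   # filter byte + one pixel
    body = _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, data in extra_chunks:
        body += _chunk(ctype, data)
    return PNG_SIG + body + _chunk(b"IEND") + trailer


def inspect_png(blob):
    """Walk the chunk list and return a list of finding strings. An empty list
    means the file is structurally unremarkable, which is NOT proof it is
    clean: LSB embedding (see the earlier example) changes no structure."""
    findings = []
    if blob[:8] != PNG_SIG:
        return ["not a PNG: bad signature"]
    pos, saw_iend = 8, False
    while pos + 8 <= len(blob) and not saw_iend:
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        name = ctype.decode("latin-1")
        end = pos + 12 + length              # 4 length + 4 type + data + 4 CRC
        if end > len(blob):
            findings.append("truncated chunk %s" % name)
            return findings
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:end])
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            findings.append("bad CRC on chunk %s" % name)
        if ctype not in CRITICAL:
            findings.append("ancillary chunk %s carrying %d bytes" % (name, length))
        saw_iend = ctype == b"IEND"
        pos = end
    if not saw_iend:
        findings.append("no IEND chunk")
    trailing = len(blob) - pos
    if trailing > 0:
        findings.append("%d trailing bytes after the last parsed chunk" % trailing)
    return findings


if __name__ == "__main__":
    samples = {
        "clean": make_png(),
        "text chunk": make_png(extra_chunks=[(b"tEXt", b"Comment\x00hello")]),
        "appended data": make_png(trailer=b"SECRET" * 10),
    }
    for label, blob in samples.items():
        print("%-14s %s" % (label, inspect_png(blob) or "no findings"))
```

Ancillary chunks such as tEXt are legitimate and common, so the check is a triage filter, not a verdict: the point is to surface what to look at next, in the spirit of the signature tools above that flag known containers rather than prove intent.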

Page 8:

In Use Today

• Command and control – Operation Shady RAT
• Espionage – Russian intelligence “Illegals Program”
• Terrorism?

Page 9:

Operation Shady RAT

• A multi-year targeted operation by a single actor to exfiltrate sensitive information from its targets.
  – 71 compromised organizations identified:
    • 21 government organizations, including 6 US federal, 5 state and 3 county
    • 6 industrial organizations – construction/heavy industry, steel, solar, energy
    • 13 technology organizations, including 2 security companies
    • 13 defense contractors, and many others
  – 3-stage targeted attack:
    • Spear phishing
    • Command and control (C&C)
    • Information exfiltration

Page 10:

Shady RAT C&C

• The trojan's C&C code used steganography
• Commands were embedded in HTML and image files
• HTML files used encryption and encoding to obfuscate the commands
• Image files carried the commands steganographically, so the C&C traffic looked like ordinary fetches of web pages and images

Page 11:

Examples of Steganographic Files

Page 12:

Espionage

• United States v. Anna Chapman and Mikhail Semenko
• Illegals Program – investigation of Russian “sleeper” agents operating in the U.S.
• Main goal was to infiltrate United States policy-making circles.
• Agents were to hide any connection between themselves and Russian intelligence.

Page 13:

Espionage: Covert Communications

• The investigation revealed the use of steganography for communications back to Russia
• A custom steganography program was used to embed data in images
• Communications also took place via “wireless drive-by” (short-range ad hoc wireless links between laptops)
• Additional physical steganographic methods were used

Page 14:

Enterprise Defenses

• Know your data
• Know your traffic
• Know your people
• Education
• Vigilance

Page 15:

Summary

• Steganography
  – The art of hiding messages in files for covert communications
• Tools
  – Hundreds of tools available; many use the same methods
• Detection
  – Detection methods exist for well-known tools
  – Statistical analysis required for “custom” tools
  – Not commonly searched for in typical forensic analysis
• Uses
  – Command and control – Shady RAT
  – Russian espionage – “Illegals Program”
• Defenses
  – Know your data, traffic, people
  – Education and vigilance