Steganography is a methodology of hiding information in the unnecessary pixels of a picture. While it is not terribly common, hackers have used it in a variety of ways, from hiding malware to sending commands and information and exfiltrating data. Steganography can be very difficult to detect as the image itself looks the same as the original. This makes steganography a very effective tool for phishing emails as a way to spread malicious files rather than attaching them as a file.
Whether steganography is being used in phishing or as a way for malware to exfiltrate data, detecting steganography can be very difficult for a security operations center. However, building such a capability can greatly improve your security capabilities.
How to Detect Steganography
The easiest way for a SOC to detect steganography is to simply invest in an email security or data-loss prevention tool that has such capabilities built in. All you have to do is point the alerts to your monitoring system and respond. Of course, it’s not always that easy and not every organization has that capability in their security systems.
The best way to build a detection capability organically is to compare the metadata of the images. First, is to compare hashes over a given period of time. A hacker who injects something into an image will likely save the file as the same filename to ensure the obfuscation is complete. Maintaining a list of image hashes you can narrow down to images that have been modified. Once you have that narrowed down, you look at the file sizes of those files. If an image has a different hash but the same file size, it is likely that very little has changed and there is likely no steganography risk. However, if the newer file is larger it may suggest something is hidden in the image. Generating an alert in your SOC based on this can ensure that the threat is detected.
Tools to Detect Steganography
Unfortunately, while comparing hashes and file sizes may sound easy, it is complex and it is certainly not something that can be done manually. We recommend that you acquire a tool that can provide this basic service if you cannot invest in a full DLP system. If there are specific files you suspect may be hiding information, there are online tools that can verify.
Steganography is a creative way for hackers to hide what they are doing. It takes advantage of the end-user’s normal expectations and inherent sense of trusting what we see. Detecting steganography in your organization can be difficult, but it is not impossible. Acquiring the right tools and generating the right alerts will help protect you from such threats.
About Security On-Demand
Security On-Demand (SOD) provides 24×7 advanced cyber-threat detection services for mid-market companies and state or local government agencies. SOD’s patented, behavioral analytics technology platform, ThreatWatch® enables the detection of advanced threats that help protect brand value and reduce the risk of a data breach. Headquartered in San Diego, California with R&D offices in Warsaw Poland, SOD services and protects hundreds of brands globally and is the winner of multiple industry awards. Please visit us at www.securityondemand.com. Find us on LinkedIn and follow us on Twitter @SecurityOnDmand.