Detecting Steganography in Your SOC
Steganography is a technique for hiding information inside the pixel data of an image without visibly altering it. While it is not terribly common, hackers have used it in a variety of ways, from hiding malware to sending commands and information and exfiltrating data. Steganography can be very difficult to detect because the carrier image looks the same as the original. This makes it an effective tool in phishing emails: a malicious payload can ride inside an image rather than arriving as an obvious attachment.
Whether steganography is used in phishing or by malware to exfiltrate data, detecting it can be very difficult for a security operations center. Building such a capability, however, can greatly improve your overall security posture.
How to Detect Steganography
The easiest way for a SOC to detect steganography is simply to invest in an email security or data-loss prevention (DLP) tool that has such capabilities built in. All you have to do is point its alerts at your monitoring system and respond. Of course, it is not always that easy, and not every organization has that capability in its security stack.
The best way to build a detection capability organically is to compare image metadata over time. First, compare hashes over a given period. A hacker who injects something into an image will likely save the file under the same filename so that the change goes unnoticed. By maintaining a list of image hashes, you can narrow the search to images that have been modified. Once you have that list, look at the file sizes of those files. If an image has a different hash but the same file size, very little has likely changed and there is probably no steganography risk. If the newer file is larger, however, that may indicate something is hidden in the image. Generating a SOC alert on this condition helps ensure the threat is detected.
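The hash-and-size comparison described above, as an added example that is not the article's or SOD's own code: it fingerprints image files (SHA-256 plus byte size), then diffs a later inventory against a stored baseline and flags files that were modified under the same name and grew. The directory walker, the image extensions and the sample byte strings are assumptions constructed for the demo.

```python
import hashlib
import os
from typing import Dict, List, Tuple
Inventory = Dict[str, Tuple[str, int]]  # path -> (sha256 hex, size in bytes)

def fingerprint(data: bytes) -> Tuple[str, int]:
    """Hash and byte size of one image's raw contents."""
    return hashlib.sha256(data).hexdigest(), len(data)

def inventory_directory(root: str) -> Inventory:
    """Fingerprint every image under root; run on a schedule and store the result (hypothetical helper)."""
    inv: Inventory = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".png", ".jpg", ".jpeg", ".gif", ".bmp")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    inv[path] = fingerprint(fh.read())
    return inv

def compare_inventories(baseline: Inventory, current: Inventory) -> List[dict]:
    """Article's heuristic: same path, new hash, larger size => high-severity alert."""
    alerts = []
    for path, (new_hash, new_size) in current.items():
        if path not in baseline:
            continue  # no earlier copy to compare against
        old_hash, old_size = baseline[path]
        if new_hash == old_hash:
            continue  # content unchanged
        if new_size > old_size:
            severity = "high"  # modified in place and grew: possible hidden payload
        elif new_size == old_size:
            severity = "low"   # modified but same size: likely benign per the article
        else:
            severity = "info"  # modified and shrank: re-encoded or cropped
        alerts.append({"path": path, "severity": severity,
                       "growth": new_size - old_size})
    return sorted(alerts, key=lambda a: a["path"])

def run_demo() -> List[dict]:
    """Constructed sample: three 'images' as raw bytes, then a second scan."""
    logo = b"\x89PNG\r\n\x1a\n" + b"\x00" * 100
    banner = b"\xff\xd8\xff\xe0" + b"\x11" * 80
    icon = b"\x89PNG\r\n\x1a\n" + b"\x22" * 40
    baseline = {"web/logo.png": fingerprint(logo), "web/banner.jpg": fingerprint(banner),
                "web/icon.png": fingerprint(icon)}
    current = {"web/logo.png": fingerprint(logo + b"SECRET"),  # grew by 6 bytes
               "web/banner.jpg": fingerprint(banner),  # untouched
               "web/icon.png": fingerprint(icon[:-1] + b"\x23")}  # same size, new hash
    return compare_inventories(baseline, current)
```

In production the baseline would be persisted (for example in a database) and only the "high" alerts forwarded to the SOC queue, with "low" events kept for context.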
Tools to Detect Steganography
Unfortunately, while comparing hashes and file sizes may sound easy, it is complex at scale and certainly not something that can be done manually. We recommend acquiring a tool that provides this basic service if you cannot invest in a full DLP system. If there are specific files you suspect of hiding information, there are online tools that can check them for hidden data.
Steganography is a creative way for hackers to hide what they are doing. It takes advantage of end users' normal expectations and our inherent trust in what we see. Detecting steganography in your organization can be difficult, but it is not impossible. Acquiring the right tools and generating the right alerts will help protect you from such threats.
About Security On-Demand
Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection services for hundreds of businesses and government agencies globally. SOD’s patented, behavioral-analytics ThreatWatch technology enables the detection of advanced threats to protect brand value and reduce the risk and mitigate the impact of a data breach. SOD is headquartered in San Diego, CA with international R&D offices and a Security Operation Center in Warsaw, Poland.