SANS Technology Institute - Candidate for Master of Science Degree 1
Steganography: Then and Now
John Hally, May 2012
GIAC GSEC, GCIA, GCIH, GCFA, GCWN, GPEN
Steganography
• What it is: Hidden Writing
  – From the Greek words “steganos” (covered) and “graphie” (writing).
  – The goal is to hide that communication is taking place.
• What it is not: Cryptography
  – The goal of cryptography is to make data unreadable by a third party.
• Commonly combined together
Uses – Then
• Digital watermarking/copyright protection
• Corporate espionage
• Anti-forensics
• Terrorist cell covert communications
Tools - Then
• Then (circa 2001):
  – Spammimic
  – MP3Stego
  – OutGuess
  – JPHS (JP Hide and Seek)
  – Many others: www.jjtc.com/Steganography/tools.html
Detection - Then
• Direct comparison using original (visual, statistical)
• Targeted detection tools – target popular steganography tools
  – StegDetect
• General framework - statistical analysis
Tools - Now
• Updates/derivations of original tools
• Steganography Analysis and Research Center (SARC) – Detection Tools
• SARC tools:
  – StegAlyzerAS
  – StegAlyzerSS
  – StegAlyzerRTS
• 3rd Party tool Integration (Fidelis)
Detection - Now
• Signature-based solutions are prevalent
• AntiVirus/AntiMalware similarities
• Original methodologies still relevant
• Forensic expert consensus – not typically included in investigations
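The statistical detection the Detection - Then and Detection - Now slides refer to, as an added example that is not part of the original deck: a direct LSB comparison against the original file, and the pairs-of-values chi-square test for when no original is available. The "image" is a constructed, seeded byte string with a synthetic histogram, not a real file, and the threshold in `looks_embedded` is an assumption for this sample.

```python
import random
from collections import Counter

def lsb_change_ratio(original: bytes, suspect: bytes) -> float:
    """Direct comparison against the original: fraction of bytes whose
    least-significant bit differs. An untouched copy scores 0.0; LSB
    replacement of a payload flips about half of the LSBs it touches."""
    if len(original) != len(suspect):
        raise ValueError("length differs; not a pure LSB modification")
    changed = sum(1 for a, b in zip(original, suspect) if (a ^ b) & 1)
    return changed / len(original)

def chi_square_pairs(data: bytes) -> tuple[float, int]:
    """Pairs-of-values chi-square statistic (Westfeld and Pfitzmann's test).
    LSB replacement pushes the counts of each value pair (2k, 2k+1) toward
    equality, so a statistic close to its degrees of freedom (about one per
    pair) suggests embedding; a natural, jagged histogram gives a far
    larger value. Returns (chi2, degrees of freedom)."""
    hist = Counter(data)
    chi2, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        if even + odd == 0:
            continue  # value pair absent from the sample
        chi2 += (even - odd) ** 2 / (even + odd)  # two-cell chi-square
        pairs += 1
    return chi2, max(pairs - 1, 1)

def looks_embedded(data: bytes, max_ratio: float = 2.0) -> bool:
    """Flag a sample whose chi2 is within max_ratio of its degrees of freedom
    (assumed threshold; tune against known-clean files of the same type)."""
    chi2, dof = chi_square_pairs(data)
    return chi2 / dof < max_ratio

# Constructed cover (not a real image): even values are favoured to mimic the
# uneven histogram a real file has; seeded so the run is repeatable.
_rng = random.Random(2012)
COVER = bytes(2 * _rng.randrange(128) + (1 if _rng.random() < 0.3 else 0)
              for _ in range(20000))
# Constructed stego copy: every LSB replaced by a random bit, which is what
# sequential LSB replacement of a compressed or encrypted payload looks like.
STEGO = bytes((b & 0xFE) | _rng.getrandbits(1) for b in COVER)

if __name__ == "__main__":
    print("LSBs changed vs. original:", lsb_change_ratio(COVER, STEGO))
    for name, sample in (("cover", COVER), ("stego", STEGO)):
        chi2, dof = chi_square_pairs(sample)
        print(f"{name}: chi2={chi2:.1f} dof={dof} embedded={looks_embedded(sample)}")
```

Without the original file only the chi-square path applies, and it detects sequential LSB replacement, not tools that spread or transform the payload; those need the broader statistical framework the slides mention.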
In Use Today
• Command and Control
  – Operation Shady Rat
• Espionage
  – Russian Intelligence “Illegals Program”
• Terrorism?
Operation Shady Rat
• A multi-year targeted operation by one ‘actor’ in order to exfiltrate sensitive information from its targets.
  – 71 compromised organizations identified:
    • 21 Government Organizations - including 6 US Federal, 5 State, 3 County
    • 6 Industrial Organizations - Construction/heavy industry, Steel, Solar, Energy
    • 13 Technology-based Organizations – including 2 Security organizations
    • 13 Defense Contractors, many others.
  – 3-stage targeted attack:
    • Spear Phishing
    • Command and Control (C&C)
    • Information Exfiltration
Shady Rat C & C
• Trojan exploit code used steganography
• Commands embedded in HTML and image files
• HTML files used encryption and encoding for obfuscation
• Impregnated commands in images
Examples of Steganographic Files
Espionage
• United States vs. Anna Chapman and Mikhail Semenko
• Illegals Program – Investigation of Russian ‘sleeper’ agents operating in the U.S.
• Main goal was to infiltrate United States policy-making circles.
• Agents were to hide connections between themselves and the Russian Intelligence Federation
Espionage: Covert Communications
• Investigation revealed the use of steganography for communications back to Russia
• Custom steganography program used to embed data in images
• Communications also took place via “wireless drive-by”
• Additional physical steganographic methods were used
Enterprise Defenses
• Know your data
• Know your traffic
• Know your people
• Education
• Vigilance
Summary
• Steganography
  – Art of hiding messages in files for covert communications
• Tools
  – Hundreds of tools available, many use the same methods
• Detection
  – Detection methods for well-known tools
  – Statistical analysis required for ‘custom’ tools
  – Not commonly searched for in typical forensic analysis
• Uses
  – Command and Control – Shady Rat
  – Russian Espionage – “Illegals Program”
• Defenses
  – Know your data, traffic, people
  – Education and vigilance
Recommended