Wikipedia defines steganography as “the practice of concealing a file, message, image, or video within another file, message, image, or video.” The term means “hidden writing”, i.e. the process of hiding secret messages inside multimedia files (such as photo, audio or video files), which usually contain unused or irrelevant data space that can be filled with terrorists’ secret information using various steganographic techniques.
In digital steganography, electronic communications may include steganographic coding inside a transport layer, such as a document file, image file, program or protocol. Media files are ideal for steganographic transmission because of their large size.
Whereas cryptography is the practice of protecting the contents of a message alone, steganography is concerned with concealing the fact that a secret message is being sent as well as concealing the contents of the message.
The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny. Plainly visible encrypted messages, no matter how unbreakable they are, arouse interest and may in themselves be incriminating in countries in which encryption is illegal.
The steganography process generally involves inserting a secret message into a transmission medium, called the “carrier”, whose role is to conceal the secret message. The payload is the information to be concealed and sent secretly, i.e. the data covertly communicated.
In today’s world steganography has been used by governments, criminal organizations, and individuals. Most modern anti-malware solutions provide little, if any, protection from steganography, while any carrier in which a payload can be secretly carried poses a potential threat. It may contain data being exfiltrated by spyware, communication between a malicious program and its C&C, or new malware.
Steganography is being used by terrorists and criminals.
According to nameless “U.S. officials and experts” and “U.S. and foreign officials,” terrorist groups are “hiding maps and photographs of terrorist targets and posting instructions for terrorist activities on sports chat rooms, pornographic bulletin boards and other Web sites”.
One of the most noted cases was an al-Qaeda operative who was detained in Germany in 2011 and found to be carrying plans for an attack hidden inside pornographic movies; the incident was covered in a CNN article. There was a more recent report of ISIS relying heavily on steganography for operational security. There is also evidence that drug cartels might be using steganography to communicate.
Terrorists in cyberspace can use a variety of steganographic tools together with encryption. Encryption is a way to protect content against unwanted or unauthorized reading or modification of data. The protection level is determined by the algorithm and the key (“encryption algorithm”). There are two types of encryption systems (“cryptosystems”): symmetric and asymmetric. A symmetric system uses the same secret key for both encryption and decryption, while an asymmetric system uses a public key to encrypt messages and a separate, secret key to decrypt them.
The perpetrator can embed a hidden message in digitized visual or audio data without noticeably altering the original multimedia content; the message can only be discovered if it is searched for in a specific way.
There is a perception that members of Al Qaeda communicate by sending encrypted messages in this way. Today encryption is not as widespread as before, because intelligence services have developed strong systems for decoding it. Encryption and encrypted messages are still present on various internet forums, where terrorist organizations often leave messages to terrorist cells in the form of encrypted text, which the cells can then read publicly. Identifying users who employ this kind of encrypted communication for terrorist purposes on some internet forums is almost impossible.
The crucial argument here is that terrorists are less likely to be employing digital steganography to facilitate secret intra-group communication than has been claimed, mainly because the use of digital steganography by terrorists is both technically and operationally dubious.
Generally though, there are many techniques known to be able to hide messages in data using steganographic techniques. None are, by definition, obvious when users employ standard applications, but some can be detected by specialist tools. Others, however, are resistant to detection – or rather it is not possible to reliably distinguish data containing a hidden message from data containing just noise – even when the most sophisticated analysis is performed.
Steganography as a Cybersecurity Risk Factor
Cybersecurity attackers use steganography to inject malicious code into systems (so-called “stegware”), both to deliver exploits and to exfiltrate misappropriated content from compromised systems.
For Steganography based cyber-attacks, detection is not an adequate defence. The only way of defeating the threat is to transform data in a way that destroys any hidden messages, a process called Content Threat Removal.
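To make the carrier and payload idea and the Content Threat Removal defence concrete, here is an added Python example (not from the original article): it hides a constructed payload in the least significant bits of a constructed sample buffer standing in for image pixels, then sanitises the buffer by rewriting those bits, which destroys the message without attempting to detect it. The buffer, payload and function names are assumptions for illustration.

```python
import os
import random

# Constructed sample "image": 4096 8-bit samples from a seeded generator.
COVER = bytes(random.Random(1).getrandbits(8) for _ in range(4096))
PAYLOAD = b"constructed secret"  # 18 bytes -> needs 144 LSB slots

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bit of each cover sample, MSB first."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)

def extract_lsb(carrier: bytes, nbytes: int) -> bytes:
    """Read nbytes back out of the LSB channel (receiver must know the length)."""
    out = bytearray()
    for i in range(nbytes):
        val = 0
        for j in range(8):
            val = (val << 1) | (carrier[i * 8 + j] & 1)
        out.append(val)
    return bytes(out)

def remove_lsb_content(carrier: bytes, rng=os.urandom) -> bytes:
    """Content Threat Removal for the LSB channel: overwrite every LSB with a
    fresh random bit. No detection is attempted; any message riding in that
    channel is destroyed, while each sample changes by at most 1."""
    noise = rng(len(carrier))
    return bytes((c & 0xFE) | (n & 1) for c, n in zip(carrier, noise))

def max_sample_delta(a: bytes, b: bytes) -> int:
    """Largest per-sample change between two carriers (visible distortion bound)."""
    return max(abs(x - y) for x, y in zip(a, b))

if __name__ == "__main__":
    stego = embed_lsb(COVER, PAYLOAD)
    print("recovered from stego:", extract_lsb(stego, len(PAYLOAD)))
    clean = remove_lsb_content(stego)
    print("recovered after removal:", extract_lsb(clean, len(PAYLOAD)))
    print("max sample change:", max_sample_delta(stego, clean))
```

The same transform applied to every image crossing a boundary (a mail gateway, an upload endpoint) neutralises the LSB channel whether or not a message was present, which is the point of Content Threat Removal over detection.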
For example, the Sundown exploit kit (EK) was reported by more organizations than any other exploit kit and rose to become the top trigger across sensors in early December. As it uses steganography (malicious code embedded in images) to steal information, this is a threat that needs to be watched in coming quarters.
As published in the Fortinet Q4 2017 Threat Landscape Report, steganography is a rising concern. Security researchers report a 600% upsurge in steganographically-based attacks in 2017.
While threat intelligence researchers continue to compile a growing list of indicators of compromise that can be used to detect malicious steganographic code, for the most part, steganographic attacks arrive as zero-day threats. This makes access to up-to-date threat intelligence an important element in any effective defense against steganographically-borne threats.
The sharp increase in steganographically-borne attacks, however, together with the rapid growth in the rich kinds of digital content that give steganographic code a place to hide, highlights the importance of watching for a resurgence of proven threat vectors and of ensuring that you have the right technologies and cyber awareness training in place to thwart them.