FortiGuard Labs Threat Research

Steganography: Combatting Threats Hiding in Plain Sight

By Jeannette Jarvis | February 21, 2018

Wikipedia defines steganography as “the practice of concealing a file, message, image, or video within another file, message, image, or video.” At this point, security professionals will immediately recognize the potential for steganography to act as vehicle for surreptitiously delivering malicious code into systems targeted for cybersecurity exploit, and subsequently exfiltrating purloined data from compromised devices. Given the ingenuity of the adversary community, it will be no surprise that the frequency of steganographically-based attacks has increased over the last couple of years.

How Steganography Works

There are many ways to conceal steganographic information in digital content. Taking graphics files as an example, a typical JPEG photo consists of a couple of megabytes of pixel data, which gives a stenographic message plenty of room to hide. Someone wishing to hide a message in a picture could alter the least significant bit of a number pixels in the JPEG to embed malicious code. The color value differences between altered and unaltered pixels are so subtle, that humans can’t see them, and it would be very time- and processor-intensive for a machine to scan every picture for hidden content in a data stream unless it knew what it was looking for. Using similar techniques, steganographic content can also be inserted into audio, video, and text files.

The major concealment advantage of steganography over encryption is that it’s easy to recognize the seeming gibberish of an encrypted file, while a steganographically altered file will, for all intents and purposes, look the same as an un-manipulated one. The JPEG of the adorable kitten will appear the same as the kitten hiding malicious code in its fur.

It’s easy and even fun to play with steganography for self-educational purposes. In much the same spirit as many cybersecurity professionals have taken up lock picking as puzzle solving exercise, the following link will take readers to a recreational steganography exploration site.

Steganography as a Cybersecurity Risk Factor

While still relatively unusual, security researchers report a 600% upsurge in steganographically-based attacks in 2017. Cybersecurity attackers use steganography to inject malicious content to slip past security defenses and exfiltrate misappropriated content from compromised systems.

As published in the Fortinet Q4 2017 Threat Landscape Report, steganography is a rising concern. For example, the Sundown EK exploit kit was reported by more organizations than any other exploit kit and rose to become the top trigger across sensors in early December. As it uses steganography—namely, malicious code embedded in images—to steal information, this is a threat that needs to be watched in coming quarters. 

While threat intelligence researchers continue to compile a growing list of indicators of compromise that can be used to detect malicious steganographic code, for the most part, steganographic attacks arrive as zero-day threats. This makes access to up-to-date threat intelligence an important element in any effective defense against steganographically-borne threats.

How to Address the Risks of Steganography

A robust counter-steganographic kill chain based on the Fortinet Security Fabric includes the following elements:

  • FortiGuard Labs Threat Intelligence to stay current with steganographic and other threat innovations.
  • FortiSandbox to observe and test suspected steganographically-obscured malware.
  • FortiWeb to inspect applications and other code that might conceal malicious content.
  • FortiGate next-generation firewalls to block known steganographic message traffic.
  • FortiClient for expediting and prioritizing vulnerability patches, updates, and policy controls.

Organizations should also take an activist approach to cybersecurity hygiene measures that include both ongoing end-user education and timely endpoint update and policy enforcement measures to defend against steganographic attacks. Here, the FortiClient endpoint management tools can expedite timely patches, updates, and policy setting that make it harder for stenographic and other attacks on endpoints to get traction in an infrastructure.

Steganography cannot really be considered a new threat vector. It’s been present in the threat environment, although encountered infrequently, for several years. The sharp increase in steganographically-borne attacks, however, and the rapid growth in the rich kinds of digital content that gives steganographic code a place to hide, highlights the importance to watch for a resurgence in proven threat vectors and to ensure that you have the right technologies and cyber awareness training in place to thwart them.

In the meantime, Fortinet customers can find some solace in the fact that the Fortinet Security Fabric provides a broad, integrated, and automated security architecture that enables them to quickly respond to changes in the threat landscape such as the reemergence of steganography. For more on what we saw on steganography and other threats in Q4, make sure to get your copy of the Threat Landscape Report