Scenario: Stegware - Covert Data Loss

OVERVIEW: Steganography is used by an attacker or insider to conceal information by encoding data inside a cover image. Nothing about the image indicates that steganography has been applied - the image looks normal - yet the concealed data passes through ALL Data Loss Prevention tools, because detection cannot see the encoded content.

BUSINESS PROBLEM: Intellectual Property can be covertly concealed using simple steg encoding; the tools are freely available online.

THREAT: Steganography cannot be detected (it is robust), and the encoded data is not visible.

SAMPLE 1: Challenger Tank

Original Image

Stegged Image (aka Cover Image)

SAMPLE 2: Morgan Cars

Stegged Image (aka Cover Image)

SAMPLE 3: Online Banking

Stegged Image (aka Cover Image)

TEST USING GX PLATFORM:

With CTR DISABLED (i.e. the ICAP profile is disabled on the Web Proxy)

  • Download the Original Image - note the file size
  • Download the Stegged Image - note the file size
  • Result: Each file has a different file size

With CTR ENABLED

  • Enable the ICAP profile in your proxy and repeat the download of both files
  • Result: Both files are the same size
  • Advanced: Using Notepad/Notepad++, open the Stegged image file. Notice that you cannot see ANY visible sign of an embedded file.


OUTCOME

  • Deep Secure treats all content as hostile - regardless
  • So both image downloads are subject to Content Transforms
  • Stegware hidden in the cover image is removed by the CTR platform - NO DETECTION is necessary
  • The image is delivered as intended - BUT - the covert data loss channel is disrupted
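The following is an added illustration of the OUTCOME above and is not Deep Secure's CTR code: it builds a constructed 8-bit grayscale raster, hides a constructed payload in the pixel least-significant bits (the textbook technique the freely available tools use), and then applies a simple pixel-level content transform that re-renders every pixel without ever looking for a payload. The payload is recoverable before the transform and not after it, while the visible image changes by at most one grey level. The MAGIC marker, PAYLOAD text and image dimensions are all assumptions made for this example.

```python
"""Added example: why a content transform disrupts an LSB covert channel
without detection. Not Deep Secure's implementation; the image is a
constructed 64x64 grayscale raster held in a bytearray."""
import random

WIDTH, HEIGHT = 64, 64
MAGIC = b"STEG"   # constructed marker so the extractor can tell a payload from noise
PAYLOAD = b"Q3 pricing sheet: constructed secret for the demo"


def make_cover_image(seed=7):
    """Constructed cover image: a smooth gradient with a little texture."""
    rng = random.Random(seed)
    pixels = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            pixels.append(max(0, min(255, (x * 3 + y) + rng.randint(-4, 4))))
    return pixels


def lsb_embed(pixels, payload):
    """Minimal LSB embedding: MAGIC + 2-byte length + payload, one bit per pixel,
    MSB first. Included only so the transform's effect can be measured."""
    data = MAGIC + len(payload).to_bytes(2, "big") + payload
    bits = [(b >> i) & 1 for b in data for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("payload too large for cover")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return out


def lsb_extract(pixels):
    """Recover an LSB payload if MAGIC is present at the start; otherwise None."""
    def read_bytes(n, offset):
        vals = bytearray()
        for k in range(n):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[offset + k * 8 + i] & 1)
            vals.append(byte)
        return bytes(vals)
    if read_bytes(4, 0) != MAGIC:
        return None
    length = int.from_bytes(read_bytes(2, 32), "big")
    if 48 + length * 8 > len(pixels):
        return None
    return read_bytes(length, 48)


def content_transform(pixels, seed=0):
    """Re-render the raster into a fresh one. Each pixel is jittered by -1, 0 or +1
    (an imperceptible change), so the low bit-plane is rewritten wholesale and any
    bit-plane payload is destroyed. No inspection for hidden data takes place."""
    rng = random.Random(seed)
    out = bytearray()
    for v in pixels:
        out.append(max(0, min(255, v + rng.choice((-1, 0, 1)))))
    return out


def max_pixel_delta(a, b):
    """Largest per-pixel change between two rasters (visual damage measure)."""
    return max(abs(x - y) for x, y in zip(a, b))


def demo():
    """Embed, transform, and report what survives on each side of the transform."""
    cover = make_cover_image()
    stego = lsb_embed(cover, PAYLOAD)
    cleaned = content_transform(stego)
    return {
        "recovered_before": lsb_extract(stego),    # PAYLOAD: channel works untransformed
        "recovered_after": lsb_extract(cleaned),   # None: payload gone after transform
        "max_visual_change": max_pixel_delta(stego, cleaned),  # at most 1 grey level
    }


if __name__ == "__main__":
    print(demo())
```

This mirrors the scenario's file-size observation: the transform produces a new image of its own making rather than passing the original bytes through, so the delivered file no longer carries the sender's bit-plane, only the sender's picture.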

THE HIDDEN MESSAGE

  • The stegged image contains a large Excel file containing multiple tabs
  • You can download this file here
  • This scenario clearly indicates the volume of data that can be concealed in a cover image - and why detection is easily evaded.


ADVANCED

Note: If a Deep Secure Consultant or technical resource from a Channel Partner is onsite during this scenario, they will be able to show the image encode/decode process.