One of the things customers want to know is how we came up with the idea of tackling phishing. For us the story starts with steganography and the threat of stego malware. Everyone knows only too well that all sorts of digital attacks are lurking on the internet: ransomware, a virus or a deceptive phish can strike at any moment. What cyber authorities rarely talk about is that malicious code can mask or hide itself inside other, benign software code and be programmed to jump out when you aren’t expecting it.

Nation states and state-sponsored actors have been using this technique for years (think Stuxnet and Duqu). Increasingly, however, ordinary hackers are using the technique, known as steganography, to trick users and smuggle malicious payloads past security scanners and firewalls. Unlike cryptography, which obscures content so it cannot be read, steganography aims to hide the fact that content exists at all by embedding it in something else.

In the digital world, steganography works by stealthily encoding information into a file such as an image. Pixel values, brightness and filter settings are normally changed to adjust how an image looks. An attacker can also manipulate them according to a secret code, with no regard for the visual effect those inputs have on the image. The technique can be used for legitimate reasons, such as evading censorship or detecting insider activity against companies, but it can also be used nefariously. The famous Russian spy Anna Chapman ran a team that communicated with Moscow Central using bespoke steganography programs. Although the FBI arrested the team, it never broke the code to learn exactly what was being communicated to the Russian authorities. Paedophiles use steganography to hide abuse images inside ordinary images, so that vast collections can be kept without fear of discovery by the authorities. For security defenders there is no real way to tell an image carrying stego malware from one that is not, unless the original steganography encoding program was left on the computer by mistake, which is the clue that often trips up the bad guys.

This evasion technique exploits the fact that most anti-malware signatures look for malicious content in the malware’s configuration file. With steganography, that configuration file is embedded in a cover file, and detecting hidden information such as a configuration file, binary update or bot command inside a steganographic file is extremely difficult. Unfortunately, steganography in cyberattacks is easy to implement and hard to detect.

Nothing is the same twice, there is no pattern to look for, and the steganography itself is completely undetectable. The code that we developed combined deep learning with advanced statistics to reveal the presence of these anomalies. We also realised that this code could be modified to dig into emails looking for different markers of deception, be they technical, metadata or linguistic.
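As an added illustration (example code written for this page, not the author’s product code or any real sample), here is the mechanism described above in Python: a constructed greyscale cover, a sequential least-significant-bit embedding of a constructed random payload that leaves every pixel within one brightness step of the original, and the classical Westfeld and Pfitzmann pair-of-values chi-square test, one of the statistical checks that exposes a change the eye cannot see. The image, the payload and the 1.5 decision threshold are all assumptions made for the demonstration.

```python
import random

W, H = 128, 128  # constructed 8-bit greyscale cover of W*H pixels

def make_cover(seed=1234):
    """Constructed stand-in for a photo: Gaussian brightness pushed through a
    gamma curve, which leaves the uneven adjacent-value counts real photos have."""
    rng = random.Random(seed)
    return [round(255 * (min(255, max(0, int(rng.gauss(128, 40)))) / 255) ** 0.7)
            for _ in range(W * H)]

def make_payload(seed=7):
    """Constructed payload: random bytes standing in for an encrypted blob."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(W * H // 8))

def embed_lsb(pixels, payload):
    """Sequential LSB embedding, one payload bit per pixel, MSB of each byte
    first. Each pixel moves by at most 1, so the picture looks unchanged."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in cover")
    return [(p & ~1) | bit for p, bit in zip(pixels, bits)] + pixels[len(bits):]

def extract_lsb(pixels, nbytes):
    """Read the LSBs back out and regroup them into bytes."""
    bits = [p & 1 for p in pixels[:nbytes * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def pair_chi_square(pixels):
    """Westfeld-Pfitzmann pair-of-values test: random LSBs push the counts of each
    value pair (2k, 2k+1) towards equality. Returns (chi-square statistic, pairs)."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, pairs = 0.0, 0
    for k in range(0, 256, 2):
        expected = (hist[k] + hist[k + 1]) / 2
        if expected > 0:
            stat += (hist[k] - expected) ** 2 / expected
            pairs += 1
    return stat, pairs

def looks_embedded(pixels, threshold=1.5):
    """Per-pair score sits near 0.5 when the LSB plane is random and far higher
    for an untouched cover. The threshold is a demonstration value, not tuned."""
    stat, pairs = pair_chi_square(pixels)
    return stat / pairs < threshold
```

Running `looks_embedded(make_cover())` and `looks_embedded(embed_lsb(make_cover(), make_payload()))` gives False and True respectively, even though no pixel in the second image differs from the first by more than one brightness level.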

Most defences against steganographic techniques address other aspects of the attack rather than the steganography itself. For example, financial institutions increasingly face unauthorised data exfiltration attempts in which a bad actor smuggles data such as credit card numbers past the organisation’s scanners by masking it in unremarkable files. The same strategy can be used to facilitate insider trading. The usual mitigations involve limiting network access, monitoring who is interacting with the network, or sanitising data before it leaves the network. These can be effective defence strategies, but none of them directly detects or addresses the steganographic techniques attackers are using.

McAfee Labs’ June 2018 threat detection report notes that steganography is being used in more diverse types of attack than ever. Instead of being reserved for the most sophisticated hacks, it now crops up in malvertising, phishing, run-of-the-mill malware distribution and exploit kits (such as Sundown, a tool popular with hackers looking to exploit software vulnerabilities). Offers of steganography exploits are increasing on the deep web, and the technique is showing up in the bread-and-butter attacks of low-level cyber criminals as well as in advanced operations. If a technique is easy to carry out, its inventor can sell instructions to cybercriminals who could not have devised it themselves; in this way, shrewd techniques trickle down.

For companies, protection from steganographic attacks largely comes down to staying vigilant about security overall. The main attack vector will be phishing emails, and malware scanners will not pick out the steganographic code, which is activated when you click on a link or download a file. It is vital to equip users with 4th generation systems that use AI to discover deception lurking within an email, alerting users before they “do the wrong thing” because they have been deceived. Training users on the dangers and types of phishing is always worthwhile, as is two-factor authentication, especially for administrative accounts.

But while helpful, these measures do not address the larger challenge of actually detecting steganographic techniques in all their infinite forms. Stego techniques will become much more common over the next couple of years, so expect exponential growth in digital steganography attacks.

Technology never stands still, and nor do cyber threats, so something that was initially designed to take out Iran’s nuclear centrifuges without alerting defenders is now out in the wild, offered on the deep web and available to even low-skill cyber criminals. Circles of defence, vigilance and awareness of what can be done allow security professionals to assess the level of protection they need to shield their organisations from the stego threat.