Defending Against Insider Use of Digital
Steganography
James E. Wingate, CISSP-ISSEP, CISM, IAM
Backbone Security
jwingate@backbonesecurity.com
Glenn D. Watt, CISSP, CISM, IAM, IEM
Backbone Security
glenn.watt@backbonesecurity.com
Marc Kurtz, CISSP
Backbone Security
mkurtz@backbonesecurity.com
Chad W. Davis, CCE
Backbone Security
chad.davis@backbonesecurity.com
Robert Lipscomb
Backbone Security
robert.lipscomb@backbonesecurity.com
ABSTRACT
The trusted insider is among the most harmful and
difficult to detect threats to information security, according
to the Federal Plan for Information Assurance and Cyber Security
Research and Development released in April 2006. By default,
employees become trusted insiders when granted the set of
privileges needed to do their jobs, which typically includes
access to the Internet. It is generally presumed that insiders
are loyally working to achieve the organization’s goals and
objectives and will not abuse the privileges given to them.
However, some insiders will inevitably abuse some of their
privileges. For example, a trusted insider might abuse their
privilege of access to the Internet to download, install, and
use an information hiding tool, such as one of the hundreds of
digital steganography applications available on the Internet, to
steal sensitive, classified, or proprietary information.
Effective countermeasures to this threat must begin with an
organizational policy prohibiting installation of information
hiding tools on user workstations and must also include
automated tools capable of detecting attempts to download and
use digital steganography applications. This paper will describe
the threat from insider use of digital steganography
applications; a new approach to detecting the presence or use of
these applications; and extraction of hidden information when a
known signature of one of these applications is detected. The
analytical approach to steganalysis involves the development and
use of computer forensic tools that can detect "fingerprints"
and "signatures" of digital steganography applications. These
tools can be employed in both an off-line forensic-based mode as
well as a real-time network surveillance mode. Detection of
fingerprints or signatures in either mode may lead to the
discovery and extraction of hidden information. Accordingly,
this approach represents a significant improvement over
traditional blind detection techniques, which typically provide
only a probability that information is hidden in a given file
and no capability to extract any hidden information.
Keywords: insider, steganography, steganalysis, computer forensics, artifacts, fingerprints, hash values, signatures
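The fingerprint-and-signature approach the abstract outlines, as an added example that is not code from the paper or from Backbone Security's tools: an off-line scanner that matches file hashes against a fingerprint set (hashes of files an application leaves behind when installed) and searches file contents for signature byte patterns (markers an application writes into a carrier when it embeds data). The tool name, artifact bytes and marker bytes are constructed, hypothetical placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed, hypothetical fingerprint set: SHA-256 hashes of files that a
# steganography application drops when installed. A real set is built from the
# application's own files; this value is a placeholder for the example.
SAMPLE_ARTIFACT = b"hypothetical steganography tool executable"
FINGERPRINTS = {hashlib.sha256(SAMPLE_ARTIFACT).hexdigest(): "HypotheticalStegoTool (installed file)"}

# Constructed, hypothetical signatures: byte patterns an application writes into
# the carrier file when it embeds data, which can be searched for directly.
SIGNATURES = {b"HSTG\x00\x01": "HypotheticalStegoTool (carrier marker)"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large carriers need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def signature_hits(path: Path) -> list[str]:
    """Names of every known signature found in the file's bytes."""
    data = path.read_bytes()
    return [name for pattern, name in SIGNATURES.items() if pattern in data]


def scan_tree(root: Path) -> list[tuple[str, str, str]]:
    """Walk a directory and report (relative path, kind, tool) for each match.
    A fingerprint hit shows the tool is present; a signature hit shows it was used."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        tool = FINGERPRINTS.get(sha256_of(path))
        if tool:
            findings.append((rel, "fingerprint", tool))
        for tool in signature_hits(path):
            findings.append((rel, "signature", tool))
    return findings


def demo() -> list[tuple[str, str, str]]:
    """Build a constructed workstation image in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "tool.exe").write_bytes(SAMPLE_ARTIFACT)  # installed application artifact
    (root / "photo.bmp").write_bytes(b"BM" + b"\x00" * 54 + b"HSTG\x00\x01" + b"\x00" * 64)  # carrier
    (root / "notes.txt").write_bytes(b"nothing hidden here")  # clean file, should not match
    return scan_tree(root)
```

In the real-time network surveillance mode the same fingerprint and signature sets would be applied to downloaded files and to carriers crossing the network boundary rather than to a directory tree.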