
Anti-Steganography with Content Disarm & Reconstruction

November 4, 2021

A Proactive Approach to Data Loss Prevention

With cyber-attacks and corporate data loss making headlines almost daily, businesses have no choice but to re-evaluate their defense methods and strategies in light of the constantly evolving threat landscape. This article explores the ancient but newly relevant technique of steganography, explains why solid anti-steganography measures are critical for protecting against both incoming threats and outgoing data, and describes which strategies are most likely to be effective against this danger.

What is Steganography? 

Steganography is the practice of hiding information inside an ordinary file, message, image, or video so that the presence of the hidden data goes unnoticed. The word comes from the Greek “steganos,” meaning covered or concealed, and “graphein,” meaning writing. Unlike cryptography, which hides the content of a message, steganography hides the fact that a message exists at all. Familiar examples include embedding information in a file’s metadata, recording a message that is audible only when an audio track is played backward, writing a note in invisible ink, or speeding up video playback to reveal a message. One of the most common techniques today is image steganography, in which arbitrary data (a text file, an archive of documents, or executable code) is embedded in an image’s pixel data, typically by overwriting the least significant bit of each color value so that the picture looks unchanged.

Why is Anti-Steganography Critical?

While there are certainly legitimate uses for steganography, malware developers are increasingly turning to this age-old technique to target unsuspecting victims. The simple reason: it works. According to a 2021 Proofpoint report, more than one in three people targeted by campaigns that used steganography clicked the malicious payload, the highest hit rate of any attack technique the report measured. A single employee who falls for such a campaign is the attacker’s jackpot: from that foothold they can move through the business, steal data, deploy ransomware to encrypt systems, or wreak other havoc that damages the company’s reputation.

How is Image Steganography Carried Out?

It is not difficult for an attacker to conceal data in an image. An ordinary photograph contains millions of color values, and changing the least significant bit of each one alters the image by at most one level out of 256 per channel while providing room for a payload of many kilobytes. For lossless formats such as PNG or BMP the bits are written directly into the pixel values; for JPEG, which is lossy, the same idea is applied to the compressed DCT coefficients, or the data is placed in metadata or appended after the end of the image, because recompression would destroy bits hidden in the raw pixels.

[Image: children playing on a beach, with a grid overlay marking individual pixels]

The differences between altered and unaltered color values are far too small for the eye to detect, and statistically scanning every image for hidden data is expensive, especially when the embedding method is unknown. In malware campaigns the image carries either the payload itself or a second-stage script or executable, but the image on its own is inert: a separate loader (a malicious document macro, a script, or a first-stage infection already on the host) reads the pixels, reconstructs the hidden code, and executes it. That is exactly why the image passes filters that inspect it only as a picture, and why, once the loader runs, the payload can immediately start damaging the target company.
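The following is an added example, written for this article rather than taken from the original post or from Votiro, of the least-significant-bit embedding described above. It uses no imaging library: the carrier is a constructed synthetic RGB image (a gradient plus noise) held as a flat bytearray that stands in for the decoded pixels of a lossless image such as a PNG, the customer records it smuggles are constructed sample data, and the image dimensions are assumptions. It also shows the capacity arithmetic behind the claim that an ordinary image can hide thousands of records.

```python
"""Least-significant-bit (LSB) image steganography, end to end.

Added example, not code from the original post or from Votiro. The carrier is
a constructed synthetic RGB image stored as a flat bytearray (R, G, B, R, G,
B, ...), standing in for the decoded pixels of a lossless image. The records
smuggled through it are constructed sample data, not real customer records.
"""
import random
import struct

CHANNELS = 3  # R, G, B


def make_carrier(width: int, height: int, seed: int = 1) -> bytearray:
    """Deterministic stand-in for a decoded photo: a colour gradient plus noise."""
    rng = random.Random(seed)
    pixels = bytearray(width * height * CHANNELS)
    i = 0
    for y in range(height):
        for x in range(width):
            base = (x * 255 // width, y * 255 // height, 128)
            for c in range(CHANNELS):
                pixels[i] = max(0, min(255, base[c] + rng.randint(-8, 8)))
                i += 1
    return pixels


def capacity_bytes(width: int, height: int, bits_per_channel: int = 1) -> int:
    """Payload bytes that fit when each colour value donates bits_per_channel bits."""
    return width * height * CHANNELS * bits_per_channel // 8


def lsb_embed(carrier: bytes, payload: bytes) -> bytearray:
    """Hide payload in the LSB of successive colour values, after a 4-byte length header."""
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(carrier):
        raise ValueError("payload larger than carrier capacity")
    stego = bytearray(carrier)
    i = 0
    for byte in data:
        for shift in range(7, -1, -1):  # most significant bit first
            stego[i] = (stego[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return stego


def lsb_extract(stego: bytes) -> bytes:
    """Read the length header, then that many bytes, back out of the colour-value LSBs."""
    def read(offset_bits: int, nbytes: int) -> bytes:
        out = bytearray()
        for k in range(nbytes):
            value = 0
            for j in range(8):
                value = (value << 1) | (stego[offset_bits + k * 8 + j] & 1)
            out.append(value)
        return bytes(out)

    (length,) = struct.unpack(">I", read(0, 4))
    if 32 + length * 8 > len(stego):
        raise ValueError("no valid length header: probably not an LSB stego image")
    return read(32, length)


def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest change to any single colour value, on the 0..255 scale."""
    return max(abs(x - y) for x, y in zip(a, b))


def smuggle_records(width: int, height: int, records: list) -> dict:
    """Embed a CSV of records in a carrier and report what an inspector would (not) see."""
    payload = "\n".join(records).encode()
    carrier = make_carrier(width, height)
    stego = lsb_embed(carrier, payload)
    recovered = lsb_extract(stego)
    avg_record = max(1, len(payload) // len(records))
    return {
        "capacity_bytes": capacity_bytes(width, height),
        "payload_bytes": len(payload),
        "round_trip_ok": recovered == payload,
        "max_channel_delta": max_channel_delta(carrier, stego),
        "records_that_would_fit": capacity_bytes(width, height) // avg_record,
    }


if __name__ == "__main__":
    # Constructed sample: fake customer records, the kind of data DLP is meant to catch.
    sample = [f"cust{n:05d},Jane Doe {n},acct-{n:08d},4111-1111-1111-{n % 10000:04d}"
              for n in range(200)]
    print(smuggle_records(400, 300, sample))  # assumed 400x300 carrier
```

Everything here operates on raw pixel values, so it applies directly to lossless formats; with JPEG, recompression re-quantizes the pixels and destroys these bits, which is why JPEG steganography tools instead modify the quantized DCT coefficients or append data after the end-of-image marker. In both cases the result is still a valid image that opens normally, which is the property that makes signature-based scanning ineffective.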

In this widely circulated example published by the FBI, malicious actors hid a detailed airport map inside these two innocent-looking images.

[Image: a man holding electricity, and the Washington Monument]

The images were posted on a public website and downloaded by thousands of people, but only those who held the extraction key could recover the hidden map.

Image Steganography and Data Loss Prevention

Companies have more to worry about than incoming malicious files that execute macros to launch a cyber-attack. There is the additional danger of insiders or other malicious third parties exfiltrating company data. Data loss prevention (DLP) aims to stop information inside a business from being spread, accidentally or intentionally, beyond its boundaries; Wikileaks is the best-known reminder of what happens when it fails. Traditional DLP methods (keyword and pattern filters, document fingerprinting, OCR on images) have met with varying degrees of success, but image steganography sidesteps content inspection entirely, because the content being inspected is a perfectly valid picture. A standard-sized image can hide several thousand customer contacts, billing details, or account numbers in its least significant bits, and the company’s security professionals will be none the wiser.

As an example, in 2019 the U.S. Department of Justice unsealed its case against Xiaoqing Zheng, a Chinese entrepreneur who had previously been a Principal Engineer at General Electric. Zheng was alleged to have used steganography to surreptitiously transfer 20,000 confidential documents containing trade secrets from GE to Tianyi Aviation Technology Co. in China. According to the charges, he hid the stolen files inside a digital picture of a sunset named “New Year.jpg” and emailed it to his Hotmail account with the subject line “Nice view to keep.”

Crafting an Anti-Steganography Strategy

Whether incoming or outgoing, image steganography makes only minute modifications to the image file, which is enough to evade standard anti-malware and APT tools; those products are not designed to look for this kind of payload. Because the carrier image matches no signature and the hidden data has never been seen before, a steganographic attack generally presents as a zero-day threat, which defeats antivirus and next-generation antivirus tools that rely on threat intelligence and signature databases. Purpose-built steganalysis tools are statistical by nature: each looks for the artifacts of particular embedding algorithms, they are expensive to run on every image, and their detection rate drops as the embedding rate falls, so a small payload in a large image is easily missed. That makes them unsuitable as the sole commercial control.

Keep in mind that this method is not limited to expert attackers. Image steganography toolkits are widely available, including hundreds of free apps, and many are drag-and-drop tools that require no code at all. Any amateur with malicious intent can therefore abuse image steganography. The best way, and likely the only reliable way, to safeguard your business against steganography attacks is a proactive approach that does not depend on detecting the hidden data.

Anti-Steganography with Votiro

Votiro’s content disarm and reconstruction (CDR) technology defeats image steganography because it does not try to detect hidden data; it sanitizes every file. For email in particular, where DLP is a major concern, the Votiro Email Connector can be installed on a Microsoft Exchange Edge server and applied to SMTP traffic in either direction. Inbound and outbound mail is routed through that Exchange server so that attachments are sanitized, and any steganographic payload removed, before delivery.

As an advanced CDR solution, Votiro Cloud breaks each file down into its basic objects and reconstructs a new, clean file using only the objects the file format’s vendor specification allows. Every section and all metadata are rebuilt rather than copied, so anything that does not belong to the specification is left behind. Because no detection is involved, the protection against inbound and outbound image steganography, and against the data loss it enables, applies even when nothing malicious has been flagged: all non-standard and hidden content is removed from the file as a matter of course. This happens in a fraction of a second, with no interruption to the user, and the reconstructed file preserves the look and functionality of the original, combining a high level of security with productivity.
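The paragraphs above argue that reconstruction, not detection, is what removes a hidden payload. The added example below (written for this article; it is not Votiro’s code and does not describe its internals) makes that concrete by comparing two ways of “rebuilding” an image: copying the pixel values losslessly into a fresh container, as re-packing a PNG would, versus re-rendering the pixels so that the least significant bits are regenerated. Re-rendering is simulated here by re-drawing each value with a fresh low bit; a real pipeline would typically re-encode or recompress. The carrier strip and the hidden message are constructed sample data.

```python
"""What a reconstruction step must do to defeat LSB steganography.

Added example, not Votiro's code. Compares a lossless container rewrite
(pixel values copied bit for bit) with a re-render that regenerates the low
bit of every colour value. Carrier and message are constructed sample data.
"""
import random

# Constructed secret: ten fake account records, 340 bytes = 2720 bits.
SECRET = b"acct-00012345,4111-1111-1111-0000\n" * 10


def make_strip(n_pixels: int, seed: int = 1) -> bytes:
    """Constructed carrier: n_pixels random RGB values standing in for a photo."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n_pixels * 3))


def embed_bits(pixels: bytes, bits: list) -> bytearray:
    """Overwrite the LSB of successive colour values with the given bits."""
    out = bytearray(pixels)
    for i, b in enumerate(bits):
        out[i] = (out[i] & 0xFE) | b
    return out


def extract_bits(pixels: bytes, n: int) -> list:
    """Read the first n LSBs back out, as the exfiltrator's decoder would."""
    return [v & 1 for v in pixels[:n]]


def rewrite_container(pixels: bytes) -> bytearray:
    """Lossless rebuild: new file, identical pixel values. Hidden bits survive."""
    return bytearray(pixels)


def rerender(pixels: bytes, seed: int = 7) -> bytearray:
    """Re-render: keep the visible value, regenerate the low bit (simulation of a
    lossy re-encode). The image changes by at most 1 level per channel, but the
    bit plane the payload lives in is overwritten."""
    rng = random.Random(seed)
    return bytearray((v & 0xFE) | rng.getrandbits(1) for v in pixels)


def survival(original_bits: list, rebuilt: bytes) -> float:
    """Fraction of hidden bits that still read back correctly after rebuilding."""
    got = extract_bits(rebuilt, len(original_bits))
    return sum(a == b for a, b in zip(original_bits, got)) / len(original_bits)


def compare(pixels: bytes, message: bytes, seed: int = 7) -> dict:
    """Embed message, rebuild two ways, and report how much of it each rebuild leaks."""
    bits = [(byte >> s) & 1 for byte in message for s in range(7, -1, -1)]
    stego = embed_bits(pixels, bits)
    rendered = rerender(stego, seed)
    return {
        "lossless_rewrite": survival(bits, rewrite_container(stego)),
        "rerender": survival(bits, rendered),  # ~0.5: no better than guessing
        "rerender_max_delta": max(abs(a - b) for a, b in zip(stego, rendered)),
    }


if __name__ == "__main__":
    print(compare(make_strip(1000), SECRET))
```

The lossless rewrite reports every hidden bit intact, which is the trap: a sanitizer that rebuilds the container but preserves pixel values bit for bit has not removed LSB steganography at all. The re-render leaves the payload unreadable (about half the bits match, which is what random guessing gives) while the picture changes by at most one level per channel. Whichever product you deploy, this is the acceptance test worth running: pass a known stego image through it and confirm that the original extractor no longer recovers the payload from the output.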

[Diagram: the process for protecting against data loss via image steganography with Votiro]

For a demonstration of how an image steganography threat is constructed and how enterprises can protect themselves from such a threat, you can read about it on our blog.

If you’d like to learn more about implementing Votiro Cloud to secure your network against image steganography and other zero-day threats, please schedule a demo today.