The art of hiding secret messages is ancient. One of the first recorded uses of the practice, known as steganography, comes from Greek history in the 6th century BC, when a ruler shaved the head of one of his servants, tattooed a message on his scalp, then let his hair grow back. The servant then was sent to another ruler, who shaved his head to reveal the message.
At its essence, steganography is the practice of hiding a message in something else, according to Steffen Wendzel, a professor of information security and computer networks at Worms University of Applied Sciences, in Germany.
Wendzel explains those exchanging covert messages must first agree to use steganography, and then agree on how they will do it, and by what methods, before they start communicating. If you were going to use invisible ink, one of the more well-known historical methods of steganography, what kind of invisible ink would you use? How would you send it? How would you ensure the targeted recipient could read it?
It is difficult to talk about steganography for long before its cousin cryptography comes up. Fundamentally, cryptography, or the use of codes, provides privacy, while steganography is intended to provide secrecy. Alan Woodward, of the Surrey Centre for Cybersecurity in the Department of Computer Science at the University of Surrey in the U.K., clarifies that steganography roughly translates from the Greek as "hidden writing," while cryptography means "secret writing."
"The core concept and origination of steganography is rooted in the ability to covertly communicate," says Chet Hosmer, founder of Python Forensics, a non-profit organization focused on the collaborative development of open source investigative technologies using the Python programming language.
Hosmer points out steganography hides the mere existence of the communication. Unlike encryption, which is easy to detect but difficult to break, steganography provides both those elements. "Even if you are able to detect the covert communication, you still need to crack the hidden content. If done well, this is as difficult as cracking encryption," Hosmer says.
"Steganography is where the data is made to look like something else. Because it is made to look like something else, it is very difficult to detect," Woodward says. "A covert message written and then recovered is the essence of steganography."
While covertly hiding information in images are classic examples of digital steganography, hackers are hiding malicious code in benign software with increasing frequency, in order to sneak their payloads past security measures.
As cyber defensive measures have increased and organizations have locked down their environments using intrusion detection systems, application firewalls, content filters, and deep log analysis, the ability to exfiltrate (surreptitiously withdraw) data has become a challenge, Hosmer says. By embedding data within an innocuous carrier, such as a .jpg, an .MP3, an .MP4, or even a network protocol, hackers can exfiltrate data and evade detection, effectively weaponizing steganography.
Steganography employs a variety of techniques. One is hollowing; Woodward explains that cybercriminals will take what appears to be a standard library, like a DLL, then hollow it out and embed other data inside it. "The virus checker will think it is fine, and let it on, then the 'jack-in-the-box' will pop out while nobody is looking, and it runs riot on your machine."
That scenario holds the potential for an even worse situation, Woodward says, if the hollowed file starts sending data back out; the victim might never know about it, or even realize they have been attacked. At least with an assault like ransomware, the victim knows they have been hacked; with steganography, data can both enter and exit a system without the victim ever becoming aware.
Worse still, Woodward continues, stenographic attacks can now erase themselves and leave no trace, becoming almost a zero-footprint attack. "That is the nightmare, where you only find out when your data is being used against you, and you have no idea how it happened."
Network Steganography & Detection Difficulties
Network steganography is becoming even more of a direct cybersecurity concern than other forms of digital steganography, considering the role steganography is starting to play in role in distributed botnets, or covert malware communication for distributed denial of service attacks.
"Say you are some company and you have competitors who want your knowledge," says Wendzel. "They don't attack your systems in the usual way and render the network useless; instead, they covertly exfiltrate the data out of your organization in a continuous knowledge flow."
Hackers might make slight modifications in the attributes of that traffic, by changing the gaps between network packets, or altering packet sizes, or by adding some space in a message. It can be imperceptible to the naked eye, with the covert communication hiding in plain sight.
Since it appears to be part of the normal traffic flow, cybersecurity experts would not know where to look. "If you know where to look for it, you know where to look," Wendzel says, "but if you don't know where to look for it, you just don't know. …You get a lot of false positives, and it is extremely difficult to process them all."
Surrey's Woodward maintains that even if a cybercriminal is using standard protocols like transport layer security (TLS) or another standard network encryption technique, the encrypted data can still be differentiated from standard network traffic. However, he says, "If someone is using steganography to exfiltrate data, it is practically impossible to detect."
"If you think about the huge volume of traffic, you have to look at every single packet and every single flow, and every attribute of these flows" to find the unauthorized data flow, Wendzel says. He suggests there are too many places to look, and current detection messages are not always able to detect steganographic communication. Statistical methods, artificial intelligence, machine learning, and other advanced methods are all being utilized to detect steganographic presence, to little or no avail.
"Detection tools either give a high number of false positives, or they just miss the hidden message entirely," Woodward says.
Hidden in Plain Sight
Both Woodward and Wendzel serve on the Steering Committee of the Criminal Use of Information Hiding (CUIng) Initiative (CUing), an organization was launched in 2016 to fight the criminal exploitation of information hiding techniques, to detect and disable information-hiding activity, and to raise awareness of the issue.
Public awareness of the malicious use of steganography remains, well, hidden. It is hard to raise the profile of a technique that is stealthy by nature. For example, steganography isn't even mentioned in McAfee's latest threat assessment report, and barely makes a blip in its 2019 threat predictions, where steganographic techniques are only mentioned in passing, and sparingly at that. While Forint's recent threat assessment offered some background discussion on steganography, no hard numbers of its widespread use exist.
The use of steganography is nearly impossible to quantify.
"Steganography hasn't hit the headlines the way encryption has," says Woodward. "From a security and law enforcement perspective, you understand the scale of encryption, it's everywhere, everything is now encrypted; but at the moment, we don't know if steganography is a problem or not."
According to Woodward, there is a large gap in our knowledge about whether or not steganography is being used. It could be an enormous problem, but we don't know it. We know when encryption is being used, because we can see it, but can't read it.
"But how do you know if somebody is sending something that looks like something else? You don't know what to look for, and that's the problem."
A New Core Threat
"There needs to be a lot more research as to what the true scale is; we need to understand the scale of the problem," Woodward says. "It is not like encryption, which is tangible, and you can actually see the problem."
This has been Wendzel's research focus. "We have descriptions of all the experiments, the data, the test bed designs, all the methodology," Wendzel says. "I work on unifying this more and more, so the terminology, the taxonomy, and the description of how data is hidden is getting more attention. This will render all of the methods we apply to detect such communication, to describe them, to implement them, to verify them so as to be more comparable."
Wendzel hopes this will lead to more mature network steganographic research. "It is easier to find new hiding nodes then to counter them," he says. "There are more and more hiding methods, and we need to develop high-quality counter-measures."
Python Forensics' Hosmer illustrates this by pointing out there is no way for organizations to trust inbound or outbound traffic against stenographic techniques. "I have been working on this challenge for over two decades, and the fundamental problem that enables this to work is the lack of stenographic integrity protection for data structures and network protocols."
Woodward feels steganography will eventually be recognized as another core threat, but not today.
"It will always be a case of measure and counter-measure, attack and defense," Woodward says. "The bad guys might be a step ahead, but then you work out how to defend it. It's cat and mouse. Cybersecurity is an enormous game of whack-a-mole, and steganography will be no different."
Legitimate uses for steganography, such as digital watermarking, will continue to grow, but will likely not expand nearly as fast as its nefarious uses. Woodward makes the essential point that technology itself is not moral or immoral; it is what people do with it that matters. "There is always going to be a dynamic tension."
John Delaney is a freelance technology writer based in Brooklyn, NY, USA.