The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

How to combine McAfee DLP with WetStone Steganography tools to better protect sensitive data.


  1. Bill Fanelli, Principal Architect; Carlton Jeffcoat, VP. Allen Corporation of America, Cyber Security Technologies Division. The Message Within: Extending DLP to target Steganography
  2. Steganography: Discovering Critical Evidence - hidden in plain sight -
  3. Introduction
     • Data Leakage greatly concerns certain industries
       – High value intellectual property
         • Pharmaceutical formulas
         • Proprietary software algorithms
       – Highly sensitive legal documents
     • Data Loss Prevention (DLP) explicitly prevents the leakage of this data out of an organization.
       – DLP monitors the movement of tagged files and data with keyword content.
       – DLP technology is uniquely positioned to help with forensics efforts in identifying hidden message carriers.
  4. How to use DLP in Steganography Detection
     • DLP can monitor the movement of likely carrier files such as image and music files
       – DLP will copy these files to a forensic archive
       – Other tools can then scan these files for the presence of hidden data
     • This presentation will:
       – Describe these forensic procedures
       – Detail an implementation of the required workflow
  5. Definition
     • Steganography
       – Hiding the existence of the message
     • Vs. Cryptography
       – Obscures the meaning of a message
       – Does not conceal the fact that there is a message
     • Steganalysis
       – Detecting the presence of messages hidden using steganography
     • Legitimate uses of steganography
       – Digital Watermarking
  6. Steganography - Ancient Methods: Wax Tablets
     • Demaratus of Ariston, exiled in Persia, received news that Xerxes was to invade Greece.
     • To get word to Sparta, he scraped the wax off writing tablets and carved a warning message in the wood. He then covered the wood with a fresh coat of wax.
     • The tablet was passed by the sentries without raising any suspicion.
  7. Steganography - Modern Methods: Null Cipher Messages
     • The German Embassy in Washington, DC, sent this message during World War I
       – Apparently neutral's protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects pretext for embargo on by-products, ejecting suets and vegetable oils.
     • Decoding the message by extracting the second letter from each word reveals the actual message
       – PERSHING SAILS FROM N.Y. JUNE 1
  8. Technical Steganography
     • Uses scientific methods to hide a message, such as the use of invisible ink or microdots
     • In 1941 the FBI discovered a Micro Dot carried on a letter from a suspected agent
       – Micro Dot production
         • Create a postage stamp sized secret message
         • Reduce this in size using a reverse microscope producing an image .05 inches in diameter
       – The dot was pressed onto a piece of paper using a hypodermic needle in place of a period
     (Photo: Mark IV microdot camera)
  9. Simple Example
     Once upon a our poets eve
     With darkened sky's and fallen leaves
     The raven came to call outside the door
     Time it said, always flows through your life, and through the throws, running faster ever than before
     And if you wish to beat the game, to live a life of wealth and fame, then try to follow me forever more
     For here within the words it said
     Like a dream within your head
     A secret waits to lead you out the door
     Within a code that Bacon knew
     In letters just a bit askew
     The raven whispers secrets evermore!
     (Slides 10 to 12 repeat the poem, progressively highlighting the letters that carry the Bacon cipher.)
  13. Concerns to Business
     • Data loss
       – Covert transmission of corporate IP
         • Pharmaceutical formulas
         • Proprietary software algorithms
       – Highly sensitive legal documents
     • Hiding illicit activity
       – Non-job related activity that potentially puts the organization at risk
         • Gambling
         • Pornography
         • Credit card fraud
         • Terrorism
  14. How big is the problem?
     (Chart: Steganography Programs in the Wild, 2001 through Today, rising to 505. According to WetStone's Chief Scientist Chet Hosmer.)
     • Where to find them
       – Neil Johnson's Steganography and Digital Watermarking web site
         • http://www.jjtc.com/Steganography/toolmatrix.htm
       – StegoArchive.com
       – Neil Johnson's Steganalysis web site
         • http://www.jjtc.com/Steganalysis/
  15. Steganalysis Tools
     • For our discussions, we will reference the following steganalysis and malware detection tools from Allen Corporation's WetStone Technologies
       – Stego Suite
       – Gargoyle
       – Live Wire Investigator
  16. Steganalysis Tools (continued)
     – Stego Suite
       • Stego Watch
         – Scan a file system and flag suspected files
         – Derived from WetStone's Steganography and Recovery Toolkit (S-DART) research project for the US Air Force Research Laboratory
         – Exposes an API for researchers and developers that allows for new research and steganography detectors
       • Stego Analyst
         – Imaging and analysis tool to identify visual clues that steganography is in use in both image and audio files
       • Stego Break
         – Obtain the pass phrase that has been used
     – Gargoyle
       • Hostile program detector with steganography dataset
         – Malware tool discovery over the network
         – Targeted at computers where suspect files originated
  17. Known Methods of Steganography
     • Covert Channels
     • Color Palette Modification
     • 24-Bit Encoding
     • LSB Encoding
     • Algorithm Modification
     • Word Substitution
     • Formatting Modification
     • Data Appending
  18. Least Significant Bit Encoding
     • This is the most common steganographic method used with audio and image files
     • Used to overwrite
       – Legitimate RGB color codings or palette pointers in GIF and BMP files
       – Coefficients in JPEG files
       – Pulse Code Modulation in WAV files
     (Table: Individual Colors, LSB Substitution, Combined Color, each with a Before and After column; the before/after swatches were images on the original slide.)
       RED    1 0 1 1 0 1 0 0
       GREEN  1 1 0 0 0 1 1 1
       BLUE   1 1 1 0 0 0 0 0
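The slide describes LSB substitution and slide 20 names the opposite task, steganalysis. The following added example (not code from the presentation or from WetStone; helper names are hypothetical and the sample data is constructed) does both on raw 8-bit samples: it overwrites the LSB plane of a constructed carrier with payload bits, reads them back, and then applies the pairs-of-values chi-square statistic of Westfeld and Pfitzmann, the classic blind test that Stego Watch-style anomaly detection builds on. LSB embedding can only move a sample between the values 2k and 2k+1, so a random payload levels the counts within every such pair; the statistic is large for an untouched carrier and drops towards its 127 degrees of freedom once the plane has been filled.

```python
import random

# Added example, hypothetical helper names; constructed sample data, not
# real image or audio files. Works on raw 8-bit samples (BMP/GIF pixels,
# WAV PCM), i.e. the case the slide's bit table shows.


def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Write payload bits, MSB first, into the LSB of successive samples."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError("payload exceeds carrier capacity")
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # keep the 7 high bits, replace the LSB
    return bytes(out)


def extract_lsb(stego: bytes, nbytes: int) -> bytes:
    """Read nbytes back out of the LSB plane (the receiver's side)."""
    bits = [s & 1 for s in stego[: nbytes * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def pov_chi_square(samples: bytes) -> float:
    """Pairs-of-values chi-square statistic (Westfeld and Pfitzmann, 2000).

    For each pair (2k, 2k+1) the expected count under the 'fully embedded'
    hypothesis is the pair's mean; natural data has uneven pairs (large
    statistic), a filled LSB plane has even pairs (statistic near 127).
    """
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi = 0.0
    for k in range(0, 256, 2):
        expected = (hist[k] + hist[k + 1]) / 2
        if expected > 0:
            chi += (hist[k] - expected) ** 2 / expected
    return chi


def make_carrier(n: int = 8192, seed: int = 1) -> bytes:
    """Constructed cover samples: every (2k, 2k+1) pair is skewed 70/30,
    mimicking the uneven pair counts of real photographs."""
    rng = random.Random(seed)
    return bytes(2 * rng.randrange(128) + (1 if rng.random() < 0.3 else 0)
                 for _ in range(n))


def demo(seed: int = 1) -> dict:
    """Embed a random payload that fills the LSB plane, then compare the
    statistic before and after."""
    carrier = make_carrier(seed=seed)
    rng = random.Random(seed + 1)
    payload = bytes(rng.randrange(256) for _ in range(len(carrier) // 8))
    stego = embed_lsb(carrier, payload)
    return {
        "round_trip_ok": extract_lsb(stego, len(payload)) == payload,
        "max_sample_change": max(abs(a - b) for a, b in zip(carrier, stego)),
        "chi_clean": pov_chi_square(carrier),
        "chi_stego": pov_chi_square(stego),
    }


if __name__ == "__main__":
    r = demo()
    print(f"round trip ok: {r['round_trip_ok']}, "
          f"max change per sample: {r['max_sample_change']}")
    print(f"chi-square clean: {r['chi_clean']:.1f}  stego: {r['chi_stego']:.1f}")
```

The max change of 1 per sample is why the carrier looks and sounds unchanged, and the drop in the statistic is what a blind anomaly scan keys on. The test only detects sequential embedding that fills a large part of the plane; a short payload scattered over random positions leaves most pairs untouched, which is the usual reason a scanner reports a suspicious file rather than a verdict and why the workflow later in the deck follows a hit with a scan of the originating workstation.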
  19. Adding a Payload to a Carrier (diagram slide)
  20. Steganalysis (diagram slide)
  21. Image Filtering (diagram slide)
  22. Implementation - Policy & Procedure
     • Use of these capabilities is driven by risk assessment and Acceptable Use Policy
       – High risk
         • E.g., Government Classified, Corporate Legal, Research Lab
         • Policy - Not Allowed
         • Technical Action - Block, Archive, Examine Content, Scan Source Computer
         • Personnel Action - Possible Termination
       – Medium Risk
         • E.g., Human Resources, Contracts, Software Development
         • Policy - Not Allowed
         • Technical Action - Log, Archive, Spot Investigations
         • Personnel Action - Possible Termination
  23. Implementation - Technology
     • DLP
       – Detect movement of potential carriers
       – Copy to DLP archive
     • Steganography scan
       – Stego Suite
       – Examine files for potential covert content
     • Malware tools scan
       – Gargoyle
       – Scan source workstations
     • Live Investigator
       – Consolidate findings into forensic documentation package
  24. DLP Configuration
     • Technology implementation should always be derived from security policies and procedures
     • Classified environment
       – Block and archive everything
     • Pharmaceutical company
       – Research area
         • Block and archive
       – Legal department
         • Log and archive
       – All other areas
         • Log only
  25. DLP Architecture (diagram slide)
     Policy set in ePO server to archive evidence files -> Policy on endpoints captures evidence files -> Evidence files collected in archive for steganalysis
  26. Steganography Scan Configuration
     • Scan image files in evidence archive
       – Identify images as possible Steganography carriers
     • Identify workstations where images originated
       – Scan workstations for steganography tools
       – Possibly scan for other malware tools
     • Initiate personnel actions, as necessary
       – Capture evidence as part of forensic investigation
     • Continue digital investigation
       – Examine suspect files
       – Attempt to extract payload
  27. Steganography Scan Architecture (diagram slide)
     Scan image files in evidence archive -> Scan workstations for malware tools -> Capture evidence as part of forensic investigation
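Slides 22 to 27 describe one procedure: DLP archives likely carriers together with the endpoint they came from, the archive is scanned for carriers with covert content, and every hit turns into a workstation to scan and evidence to capture. The added example below (not the presentation's or WetStone's code; all names are hypothetical and the evidence records are constructed in memory rather than read from a DLP evidence folder) walks that archive. It recognises carriers by file content rather than extension, applies one of the slide-17 methods as its detector, data appending after the format's end-of-image marker, and turns the findings into the list of originating workstations that the Gargoyle step would scan.

```python
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Set

# Added example, hypothetical names; constructed evidence records, not real
# DLP events. In the real workflow the records come from the McAfee DLP
# evidence archive and the steganalysis pass is done by Stego Suite.

MAGIC: Dict[str, bytes] = {   # carrier formats the DLP rule archives
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "bmp": b"BM",
    "wav": b"RIFF",
}


def carrier_type(data: bytes) -> Optional[str]:
    """Classify by magic bytes, so a renamed .txt still counts as a carrier."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            if name == "wav" and data[8:12] != b"WAVE":
                continue          # RIFF is also AVI and others
            return name
    return None


def trailing_bytes(data: bytes, kind: str) -> int:
    """Bytes after the format's end marker: the 'data appending' method.

    A production scanner should walk the JPEG marker segments; an EXIF
    thumbnail carries its own EOI, so the first FFD9 can be a false hit.
    """
    if kind == "jpeg":
        end = data.find(b"\xff\xd9")
        return len(data) - (end + 2) if end != -1 else 0
    if kind == "png":
        end = data.find(b"IEND")
        return len(data) - (end + 8) if end != -1 else 0   # IEND + 4-byte CRC
    return 0


@dataclass
class Finding:
    file: str
    origin_host: str
    carrier: str
    trailing_bytes: int
    suspect: bool


def triage(archive: List[dict]) -> List[Finding]:
    """Evidence-archive scan: one finding per archived carrier file."""
    findings = []
    for rec in archive:
        kind = carrier_type(rec["data"])
        if kind is None:
            continue          # archived by DLP, but not a carrier we scan
        extra = trailing_bytes(rec["data"], kind)
        findings.append(Finding(rec["file"], rec["origin_host"], kind, extra, extra > 0))
    return findings


def suspect_workstations(findings: List[Finding]) -> Set[str]:
    """Endpoints where flagged images originated: the next scan target."""
    return {f.origin_host for f in findings if f.suspect}


APPENDED = b"PK\x03\x04hidden-archive"   # constructed: zip header glued after EOI
ARCHIVE = [   # constructed DLP evidence records: file name, endpoint, content
    {"file": "photo.jpg", "origin_host": "WS-0123",
     "data": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\xff\xd9" + APPENDED},
    {"file": "logo.png", "origin_host": "WS-0456",
     "data": b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"},
    {"file": "notes.txt", "origin_host": "WS-0456", "data": b"quarterly numbers"},
]

if __name__ == "__main__":
    found = triage(ARCHIVE)
    print(json.dumps([asdict(f) for f in found], indent=2))
    print("scan these endpoints:", sorted(suspect_workstations(found)))
```

The finding keeps the originating host next to the file because that link is what the policy slides act on: the carrier alone says little about intent, while the same workstation also holding a steganography tool (the Gargoyle scan) is what justifies the personnel actions the deck lists. Appended data is only one of the eight methods on slide 17; the LSB statistic from the earlier example would be a second detector plugged into the same `triage` loop.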
  28. Evidence Archive Scan (screenshot slide)
  29. Suspect Workstation Scan (screenshot slide)
  30. Future - Stego Stomping
     • Server-level technology to filter outgoing e-mail
     • Modify all files to corrupt potential payload but leave carrier essentially intact
       – Essentially apply a randomized stego payload to every outgoing image
     • Proven for JPG formats
       – Other formats in development
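The stomping idea above is a sanitisation step rather than a detection step: whatever the LSB plane of an outgoing image carried is replaced, and the image itself changes by no more than one unit per sample. The added example below (not the presentation's or WetStone's implementation; the helper name is hypothetical and the image samples are constructed) shows the raw-sample version for BMP-like pixels or WAV PCM, which is simpler than the JPEG case the slide says is proven, where the same operation would be applied to DCT coefficients. It reports the three properties that matter: maximum per-sample change, whether the seven high bits survived, and what fraction of the original LSBs survive, which is chance level.

```python
import random

# Added example, hypothetical helper name; constructed sample data.
# Raw 8-bit samples (BMP pixels, WAV PCM); for JPEG the same idea is applied
# to DCT coefficients, which the slide lists as the proven format.


def stomp_lsb(samples: bytes, seed: int) -> bytes:
    """Overwrite the LSB plane with fresh random bits.

    Any LSB-embedded payload is destroyed, while every sample moves by at
    most 1, so the carrier stays essentially intact.
    """
    rng = random.Random(seed)
    return bytes((s & 0xFE) | rng.getrandbits(1) for s in samples)


def stomp_report(samples: bytes, seed: int = 7) -> dict:
    """Measure what stomping did to the carrier and to its LSB plane."""
    stomped = stomp_lsb(samples, seed)
    n = len(samples)
    return {
        "max_sample_change": max(abs(a - b) for a, b in zip(samples, stomped)),
        "high_bits_intact": all(a >> 1 == b >> 1 for a, b in zip(samples, stomped)),
        # fraction of original LSBs that survive: about one half, chance
        # level, so a receiver reading the plane gets noise, not a message
        "lsb_survival": sum((a & 1) == (b & 1) for a, b in zip(samples, stomped)) / n,
    }


# constructed stand-in for an outgoing image's samples
SAMPLE_IMAGE = bytes(random.Random(3).randrange(256) for _ in range(4096))

if __name__ == "__main__":
    report = stomp_report(SAMPLE_IMAGE)
    print(f"max change per sample: {report['max_sample_change']}")
    print(f"high bits intact: {report['high_bits_intact']}")
    print(f"original LSBs surviving: {report['lsb_survival']:.3f}")
```

Two operational points follow from the code. Stomping must act on the outgoing copy only, after DLP has archived the original, because a stomped file has exactly the even pair counts that a pairs-of-values scan reads as embedding and would be useless as evidence. And the defence is specific to the LSB plane: appended data, palette tricks and the other methods on slide 17 need their own sanitiser, which is why the slide keeps the archive-and-scan workflow alongside it.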
  31. Want to Learn More?
     • Classes
       – Steganography Investigator Training
         • November 11 - 12, 2008 - Fairfax, VA
         • December 10 - 11, 2008 - Online
       – Live Investigator Training
         • October 24 - 25, 2008 - Gaithersburg, MD
       – Hacking BootCamp for Investigators
         • October 23 - 25, 2008 - Gaithersburg, MD
         • November 18 - 21, 2008 - Vancouver, BC
         • December 16 - 18, 2008 - Houston, TX
  32. Contact Us
     Corporate Headquarters: Allen Corporation of America Inc., 10400 Eaton Place, Suite 450, Fairfax, VA 22030
     (866) HQ-ALLEN / (866) 472-5536
     Bill Fanelli 571-321-1648 - bfanelli@allencorp.com
     Carlton Jeffcoat 571-321-1641 - cjeffcoat@allencorp.com
     www.AllenCorp.com
     www.WetStoneTech.com (a wholly owned subsidiary of Allen Corporation)
  33. Stego Suite™ (Digital Investigation Products data sheet) - Discovering The Hidden
     Stego Hunter™ · Stego Watch™ · Stego Analyst™ · Stego Break™
     Identify Steganography Applications ■ Detect Presence of Hidden Messages ■ Analyze Image Characteristics ■ Reveal Vital Evidence
     Stego Suite is comprised of four specialized products: Stego Hunter™, Stego Watch™, Stego Analyst™, and Stego Break™. This comprehensive suite of applications is designed to quickly identify, examine and analyze digital images and/or audio files for the presence of hidden information or covert communication channels. Detecting the presence of steganography is a tedious process; without advanced tools it is close to impossible to detect. Using Stego Suite investigators are able to utilize the latest algorithms for flagging suspicious files through a blind anomaly-based approach, examine files with image filters, analyze DCT coefficient histograms, and track palette manipulation with close color pairs, shortening investigation time drastically and allowing investigators to work specifically within the four tools provided in the suite.
     Key Features:
       ▫ Rapid identification of known steganography programs
       ▫ Flag suspicious files through blind anomaly-based approach
       ▫ State-of-the-art image and audio analyzer
       ▫ Crack and extract payloads from carrier files
       ▫ Court ready investigator reports
       ▫ Scan audio files, JPG, BMP, GIF, PNG and more
     System Recommendations:
       ▫ Microsoft Windows® 98
       ▫ 100 MB free disk space
       ▫ 512 MB RAM
       ▫ Pentium® III 1GHz processor
     License:
       ▫ Single user license allows for installation of entire suite
       ▫ Site licenses are available upon request
     Free software maintenance for one year from the date of purchase!
     Cornell Business and Technology Park · 20 Thornwood Dr., Suite 105 · Ithaca, NY 14850 · 1-877-WETSTONE · www.wetstonetech.com · Copyright 2005-2008 WetStone Technologies All Rights Reserved
  34. Gargoyle Investigator™ Enterprise Module (Digital Investigation Products data sheet) - Enterprise Malware Investigation
     Internal Investigation · Incident Response · Enterprise Reporting
     Gargoyle Enterprise Module (GEM) provides corporate IT departments, incident response investigators, or organizations with large and complex networks, the ability to fight against malicious software within enterprise computing environments. GEM is designed to quickly target systems under investigation, collecting hashes of files found on suspect systems. The resulting collection is then analyzed by Gargoyle Investigator Forensic Pro, providing investigators significant details about each target's activities, motives, and intent. As enterprise networks continue to expand in numbers and geographic locations, investigators need a tool that will acquire forensic evidence from targets anywhere, anytime throughout the enterprise.
     Key Features:
       ▫ Perform enterprise wide collection of malicious code hashes on multiple targets simultaneously
       ▫ Includes a single user license of Gargoyle Investigator™ Forensic Pro
       ▫ Dataset Creator™ - create and build your own categories for detection
       ▫ Interoperates with popular forensic tools such as EnCase™ and FTK™
       ▫ Timestamped enterprise discovery reports for each target suspected
     System Recommendations:
       ▫ Microsoft Windows® 2000
       ▫ 230 MB free disk space
       ▫ 1 GB RAM
       ▫ Pentium® III 1GHz processor
       ▫ Gargoyle Investigator™ Forensic Pro
     License:
       ▫ Enterprise license with 10 scan option; additional scans of 25, 50 and 100 are available
     Free software maintenance for one year from the date of purchase!
     Cornell Business and Technology Park · 20 Thornwood Dr., Suite 105 · Ithaca, NY 14850 · 1-877-WETSTONE · www.wetstonetech.com · Copyright 2005-2008 WetStone Technologies All Rights Reserved
  35. LiveWire Investigator™ (Digital Investigation Products data sheet) - On Demand Digital Investigation
     Live Forensics · Remote Malware Detection · eCrime · eDiscovery
     LiveWire Investigator is the ultimate tool for incident response, vulnerability assessment, compliance audits and criminal investigations. Quickly and inconspicuously examine live running computer systems, providing the ability to assess vulnerabilities, collect evidence directly from suspect computers, and perform enterprise-wide malware scans. LiveWire does not require pre-installed software deployed on target computers. The "command and control" of LiveWire can be on-site or remote, with any on-site operations controlled directly through the LiveWire application. Investigators can now rapidly and easily collect evidence on live running target systems from anywhere in the world.
     Key Features:
       ▫ Live forensic discovery and triage of 25 or more "Live" target systems simultaneously
       ▫ File system blueprinting
       ▫ Remote screenshots
       ▫ Live drive and device captures
       ▫ Physical and virtual memory imaging
       ▫ Integrated enterprise malware detection
       ▫ Automated timestamped audit trail
     System Recommendations:
       ▫ Microsoft Windows® 2000 or higher
       ▫ 100 MB free disk space
       ▫ 128 MB RAM
       ▫ Pentium® III 1GHz processor
     License:
       ▫ Single user license with the option to add up to 50 and 100 simultaneous scans
       ▫ Site licenses are available upon request
     *Companion product LiveDiscover™
     Free software maintenance for one year from the date of purchase!
     Cornell Business and Technology Park · 20 Thornwood Dr., Suite 105 · Ithaca, NY 14850 · 1-877-WETSTONE · www.wetstonetech.com · Copyright 2005-2008 WetStone Technologies All Rights Reserved
