By John Stevenson | Blog

The market is full of solutions that promise to detect and prevent data loss. Mostly they are designed to prevent inadvertent data loss. But how can you combat the determined, malicious threat actor operating inside the organisation?

Organisations tend to leak. Cybersecurity vendors offer data loss prevention (DLP) solutions and detection-based software to try to stop them leaking. Some of these solutions are designed to detect and prevent inadvertent breaches, such as accidentally attaching a customer database to an email and sending it to the wrong person. Others monitor key data assets "at rest" on the network and try to spot signs of anomalous behaviour that might suggest someone is trying to steal them. But how can you combat the determined, malicious threat actor operating inside the organisation?

A Cautionary Tale

The attempted theft of nuclear power plant technology from General Electric offers an insight into the problem and into the increasing sophistication of the malicious insider. It is a cautionary tale. In a criminal complaint, FBI investigators detail how the accused, Xiaoqing Zheng, approached the task of stealing GE's intellectual property. Initially, Zheng attempted to steal the data (some 19,020 files) using a removable drive.

When this was spotted, Zheng claimed he had deleted the files, and no further action was taken. The accused then encrypted 400 files on his personal workstation. Encrypting the files meant it was impossible to see what was in them, but it still looked suspicious.

Zheng's next move was to conceal a number of the encrypted files inside an image, a photo of a sunset. The encrypted files were hidden using a technique called steganography, whereby the payload is embedded in the binary data of the image itself. He then emailed the image to his personal webmail account. The beauty of image steganography, from the culprit's point of view, is that it offers deniability. Encryption conceals the secret but makes it obvious that a secret is present. Steganography conceals the secret without arousing suspicion. Unless there is a prior reason to be investigating the individual, it is likely their actions will never be spotted.

Evolution of a Cyber Crime

The story of General Electric and the cybercrimes committed by Xiaoqing Zheng is a perfect illustration of how the malicious insider's techniques are evolving: from the simple expedient of a thumb drive, through the use of encryption, to image steganography. The last of these is at once so simple and so effective that it should concern anyone with valuable data assets to protect.

Undetectable Crime

FBI agents investigating the activities of Xiaoqing Zheng knew of the techniques he employed to steal data from his employer but had never encountered them before in the field. This should not come as reassuring news to the concerned CISO, for two reasons. First, the cyber security industry is awash with examples of exploits that started out as the sole preserve of intelligence agencies and state threat actors but rapidly became part of the mainstream cybercriminal's armoury. Second, executed correctly, image steganography is an undetectable way of stealing data.

The presence of data concealed in an image using steganography is impossible to detect with any certainty without intimate knowledge of the encoding mechanism and the password. Images are largely ignored by detection-based defences and DLP systems. They are easy to manipulate using open-source software and scripting tools. A single image can covertly store large amounts of valuable data, and of course images are part of the minute-by-minute flow of data into and out of every organisation.
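To make the "impossible to detect with any certainty" point concrete, here is an added example (not code from the original post, and not Deep Secure's product logic) of the kind of statistical check a defender might bolt onto an image-inspection pipeline. It applies the classic chi-square "pairs of values" test to the least-significant-bit (LSB) plane of an 8-bit greyscale image: when an encrypted payload has been written into the LSBs, the counts of each pair of adjacent pixel values (2k, 2k+1) tend to equalise, which a structured cover image does not normally show. The cover image, the threshold and the function names are all assumptions constructed for this illustration; no image library is required because the image is just a list of pixel values.

```python
import random
from typing import List, Tuple


def make_cover(width: int = 100, height: int = 100, seed: int = 1) -> List[int]:
    """Constructed cover image: a flat list of 8-bit greyscale pixels.

    Values are quantised to multiples of 4 (a crude stand-in for a posterised
    graphic), so the even/odd value pairs are heavily unbalanced, which is the
    structure the chi-square test relies on. Not a real photograph."""
    rnd = random.Random(seed)
    pixels = []
    for _ in range(width * height):
        v = int(rnd.gauss(128, 24))
        v = max(0, min(255, v))
        pixels.append(v - (v % 4))
    return pixels


def randomise_lsb_plane(pixels: List[int], seed: int = 2) -> List[int]:
    """Model the statistical footprint of a hidden encrypted payload.

    Ciphertext is indistinguishable from random bits, so an image carrying one in
    its LSB plane looks, statistically, like an image whose LSBs were replaced by
    coin flips. This helper simply does that replacement; it carries no message."""
    rnd = random.Random(seed)
    return [(p & 0xFE) | rnd.getrandbits(1) for p in pixels]


def chi_square_pairs(pixels: List[int]) -> Tuple[float, int]:
    """Chi-square statistic over the 128 value pairs (2k, 2k+1) and its degrees of freedom.

    For each pair the expected count of each member is half the pair total; a
    random LSB plane makes the observed counts close to that expectation."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    chi2 = 0.0
    pairs_used = 0
    for k in range(128):
        n_even, n_odd = counts[2 * k], counts[2 * k + 1]
        total = n_even + n_odd
        if total == 0:
            continue  # pair absent from the image; contributes nothing
        expected = total / 2
        chi2 += (n_even - expected) ** 2 / expected + (n_odd - expected) ** 2 / expected
        pairs_used += 1
    return chi2, max(pairs_used - 1, 1)


def lsb_anomaly_score(pixels: List[int]) -> float:
    """Chi-square divided by degrees of freedom: close to 1.0 when LSBs look random,
    much larger when the LSB plane still carries the cover image's structure."""
    chi2, df = chi_square_pairs(pixels)
    return chi2 / df


def looks_like_random_lsb(pixels: List[int], threshold: float = 2.0) -> bool:
    """Flag an image whose LSB plane is suspiciously close to uniform random.

    The threshold is an assumption for this demo; see the note below on why a
    real deployment cannot treat this as a certain verdict."""
    return lsb_anomaly_score(pixels) < threshold


if __name__ == "__main__":
    cover = make_cover()
    carrier = randomise_lsb_plane(cover)
    print("cover   score=%.1f flagged=%s" % (lsb_anomaly_score(cover), looks_like_random_lsb(cover)))
    print("carrier score=%.1f flagged=%s" % (lsb_anomaly_score(carrier), looks_like_random_lsb(carrier)))
```

The test separates the two constructed images cleanly, but only because the cover was built to be unnaturally structured. A real photograph's LSB plane already contains sensor noise that is close to random, and JPEG or palette images, or an embedding scheme that spreads the payload across DCT coefficients rather than spatial LSBs, are not covered by this test at all. That gap is exactly the uncertainty the paragraph above describes: a check like this can raise the cost of sloppy steganography and produce a triage signal, but it cannot prove an image is clean.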

Gone in a Matter of Seconds

Mr Zheng's nefarious activities took him 10 minutes to perform from start to finish, and his crime only came to light after man-months of investigation by world-leading cyber security experts. Given this, we should conclude that, in all probability, image steganography is being used as we speak to conceal the theft of high-value data from organisations around the world.

For more information on how Deep Secure is addressing the threat posed by image steganography, see our in-depth paper on the Content Threat and how to deal with it, and look out for our exclusive report on the Insider Threat, due out next month.
