SlideShare uma empresa Scribd logo

The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

B
bfanelli

How to combine McAfee DLP with WetStone Steganography tools to better protect sensitive data.

Tecnologia
1 de 35
Baixar para ler offline
Bill Fanelli Principal Architect Carlton Jeffcoat VP Allen Corporation of America Cyber Security Technologies Division The Message Within: Data Sheet g Extending DLP to target Steganography
Steganography Discovering Critical Evidence - hidden in plain sight -
Introduction • Data Leakage greatly concerns certain industries – High value intellectual property • Pharmaceutical formulas • Proprietary software algorithms p y g – Highly sensitive legal documents • Data Loss Prevention (DLP) explicitly prevents the l k th leakage of this data out of an organization. f thi d t t f i ti – DLP monitors the movement of tagged files and data with keyword content. – DLP technology is uniquely positioned to help with forensics efforts in identifying hidden message carriers. PAGE 4
How to use DLP in Steganography Detection • DLP can monitor the movement of likely carrier files such as image and music files – DLP will copy these files to a forensic archive – Other tools can then scan these files for the presence of hidden data • This presentation will: – Describe these forensic procedures – Detail an implementation of the required workflow PAGE 5
Definition • Steganography – Hiding the existence of the message • Vs. Cryptography – Ob Obscures the meaning of a message e me ning me ge – Does not conceal the fact that there is a message • Steganalysis g y – Detecting the presence of messages hidden using steganography • Legitimate uses of steganography – Digital Watermarking PAGE 6
Steganography - Ancient Methods Wax Tablets • Demaratus of Ariston, exiled in Persia, received news that Xerxes was to invade Greece. • To get word to Sparta he Sparta, scraped the wax off writing tablets and carved a warning message in the wood. He h d then covered the wood with a fresh coat of wax. • The tablet was passed by the sentries without raising any suspicion. s spicion PAGE 7
Steganography - Modern Methods Null Cipher Messages • The German Embassy in Washington, DC, y g , , sent these messages during World War I – Apparently neutral’s protest is thoroughly discounted and ignored Isman hard hit Blockade hit. issue affects pretext for embargo on by-products, ejecting suet's and vegetable oils • D Decoding the message by extracting the di h b i h second letter from each word reveals the actual message – PERSHING SAILS FROM N.Y. JUNE 1 PAGE 8
Technical Steganography • Uses scientific methods to hide a message, g , such as the use of invisible ink or microdots • I 1941 th FBI discovered a Micro Dot In the di d Mi D t carried on a letter from a suspected agent – Micro Dot production p • Create a postage stamp sized secret message • Reduce this in size using a reverse microscope producing an image .05 inches in diameter – The dot was pressed onto a piece of paper Mark IV microdot camera using a hypodermic needle in place of a p period PAGE 9
Simple Example Once upon a our poets eve With darkened sky’s and fallen leaves The raven came to call outside the door Time it said always flows through your life aid, s, and through the throws, running faster ever than before And if you wish to beat the game, to live a life of wealth and fame fame, then try to follow me forever more For here within the words it said Like a dream within your head A secret waits to lead you out the door Within a code that Bacon knew In letters just a bit askew The raven whispers secrets evermore!
Once upon a our poets eve With darkened sky’s and fallen leaves The raven came to call outside the door Time it said always flows through your life aid, s, and through the throws, running faster ever than before And if you wish to beat the game, to live a life of wealth and fame fame, then try to follow me forever more For here within the words it said Like a dream within your head A secret waits to lead you out the door Within a code that Bacon knew In letters just a bit askew The raven whispers secrets evermore!
Once upon a our poets eve With darkened sky’s and fallen leaves The raven came to call outside the door Time it said always flows through your life aid, s, and through the throws, running faster ever than before And if you wish to beat the game, to live a life of wealth and fame fame, then try to follow me forever more For here within the words it said Like a dream within your head A secret waits to lead you out the door Within a code that Bacon knew In letters just a bit askew The raven whispers secrets evermore!
Once upon a our poets eve With darkened sky’s and fallen leaves The raven came to call outside the door Time it said always flows through your life aid, s, and through the throws, running faster ever than before And if you wish to beat the game, to live a life of wealth and fame fame, then try to follow me forever more For here within the words it said Like a dream within your head A secret waits to lead you out the door Within a code that Bacon knew In letters just a bit askew The raven whispers secrets evermore!
Concerns to Business • Data loss – Covert transmission of corporate IP • Pharmaceutical formulas • Proprietary software algorithms p y g – Highly sensitive legal documents • Hiding illicit activity – Non-job related activity that potentially puts the organization at risk • Gambling • Pornography • Credit card fraud • Terrorism PAGE 14
How big is the problem? 600 Steganography Programs in the Wild 505 500 400 300 200 100 0 2001 2002 2003 2004 2005 2006 Today According to WetStone’s Chief Scientist Chet Hosmer • Where to find them – Neil Johnsons’ Steganography and Digital Watermarking web site • http://www.jjtc.com/Steganography/toolmatrix.htm – StegoArchive.com – Neil Johnsons’ Steganalysis web site g y • http://www.jjtc.com/Steganalysis/ PAGE 15
Steganalysis Tools • For our discussions, we will reference the following steganalysis and malware detection g g y tools from Allen Corporation’s WetStone Technologies – Stego Suite – Gargoyle – Live Wire Investigator PAGE 16
– Stego Suite • Stego Watch – Scan a file system and flag suspected files – Derived from the WetStone’s Steganography and Recovery Toolkit (S-DART) research project for US Air Force Research Laboratory – Exposes an API for researches and developers that allows for new research and steganography detectors • Stego Analyst – Imaging and analysis tool to identify visual clues that steganography is in use in both image and audio files • Stego Break – Obtain the pass p p phrase that has been used – Gargoyle • Hostile program detector with steganography dataset – Malware tool discovery over the network – Target at computers where suspect files originated PAGE 17
Known Methods of Steganography Covert Channels Color 24-Bit LSB Palette Encoding Modification Encoding Algorithm g Modification Word Formatting Substitution Modification Data Appending PAGE 18
Least Significant Bit Encoding • This is the most common steganographic method used with audio and image files • Used to overwrite – Legitimate RGB color codings or p g g palette p pointers in GIF and BMP files – Coefficients in JPEG files – Pulse Code Modulation in WAV files Individual Colors LSB Substitution Combined Color Before After RED 1 0 1 1 0 1 0 0 Before After GREEN 1 1 0 0 0 1 1 1 BLUE 1 1 1 0 0 0 0 0 PAGE 19
Adding a Payload to a Carrier PAGE 20
Steganalysis PAGE 21
Image Filtering PAGE 22
Implementation – Policy & Procedure • Use of these capabilities is driven by risk assessment and A t d Acceptable Use Policy t bl U P li – High risk • E.G., Government Classified, Corporate Legal, Research Lab g • Policy – Not Allowed • Technical Action – Block, Archive, Examine Content, Scan Source Computer • Personnel Action – Possible Termination – Medium Risk • E.G., Human Resources, Contracts, Software Development , , , p • Policy – Not Allowed • Technical Action – Log, Archive, Spot Investigations • Personnel Action – Possible Termination PAGE 23
Implementation - Technology • DLP – D t t movement of potential carriers Detect t f t ti l i – Copy to DLP archive • Steganography scan g g p y – Stego Suite – Examine files for potential covert content • M l Malware tools scan l – Gargoyle – Scan source workstations • Live Investigator – Consolidate findings into forensic documentation package k PAGE 24
DLP Configuration • Technology implementation should always be derived from security policies and procedures • Classified environment – Block and archive everything • Pharmaceutical company – Research area • Block and archive – Legal department • Log and archive – All other areas • Log only PAGE 25
DLP Architecture Policy set in ePO server to archive evidence files Evidence files Policy on endpoints collected in captures evidence files archive for steganalysis PAGE 26
Steganography Scan Configuration • Scan image files in evidence archive – Identify images as possible Steganography carriers • Identify workstations where images originated – S n workstations for steganography tools Scan o k t tion fo teg nog ph tool – Possibly scan for other malware tools • Initiate personnel actions, as necessary p , y – Capture evidence as part of forensic investigation • Continue digital investigation – Examine suspect files – Attempt to extract payload PAGE 27
Steganography Scan Architecture Scan image Scan Capture files f l in workstations k evidence as id evidence for malware part of archive tools forensic investigation PAGE 28
Evidence Archive Scan PAGE 29
Suspect Workstation Scan PAGE 30
Future – Stego Stomping • Server-level technology to filter outgoing e- mail • Modify all files to corrupt potential payload but leave carrier essentially intact – Essentially apply a randomized stego payload to every outgoing image • Proven for JPG formats – Other formats in development PAGE 31
Want to Learn More? • Classes – Steganography Investigator Training • November 11 - 12, 2008 - Fairfax, VA •DDecember 10 - 11 2008 - O li b 11, Online – Live Investigator Training • October 24 - 25, 2008 - Gaithersburg, MD – Hacking BootCamp for Investigators • October 23 - 25, 2008 - Gaithersburg, MD • November 18 - 21, 2008 - Vancouver, BC • December 16 - 18, 2008 - Houston, TX PAGE 32
Contact Us Corporate Headquarters: Allen Corporation of America Inc. p 10400 Eaton Place, Suite 450 Fairfax, VA 22030 (866) HQ - ALLEN (866) 472-5536 Bill Fanelli 571-321-1648 - bfanelli@allencorp.com Carlton Jeffcoat 571-321-1641 - cjeffcoat@allencorp.com www.AllenCorp.com www.WetStoneTech.com www WetStoneTech com A wholly owned subsidiary of Allen Corporation PAGE 33
Stego Suite™ P r o d u c t s Discovering The Hidden 000000000000001111111111111111111000000000000011100000111000001111111111100000000111111111000000011111111 000000101010101001010101010001010100101010100000001111111000010110100101010000000000000000000000111111111 111111111110000000000000000000111111111111111110000000000000000111111111111000000000000001111111111100000 000101010101010101010101010101010101010101010101000000100000001111111111110000000000000111111111000000000 000011111111111111000000000000001111111111100000000000011111111111110000000000011111110000000000111111111 111111111000000000001111111111110000000000000111111111111111100000000000111111111100000001111111111111111 111110000000000001010101010101010100101010010101011010101010101011010101010101010101010100101010010101100 000011011111001010101010101111111111000000010101010101010101010101010010101010101010010101010101000000000 000000000000011111111111111111111000000000000011111111111111111111000000000000101010101010101101010101010 101010101010101010101010101010101010101010100111111111100000000000011111111100000001111111111010100100101 010101010101010101010101010010101010100101010101001010101010101001010101010101010101001010101010101010101 010101010101001010101001010100000000011111111100000000011111111111100000011111000001111111000001010101001 I n v e s t i g a t i o n Stego Hunter™ Stego Watch™ Stego Analyst™ Stego Break™ 010010100101001010010101010111111111111000000000001111111111000000010101010101010101010101010101010101010 101010101010101010000001111111111111000001010101010101001010101010101010101010101010010101010010101010100 101010111111111111111111111111100000000000000000000000001111111111111111110000000000000111111111000000000 001111111111111100000000011111111111110101010101010101000000011111110000001111000101010100011100001111000 Identify Steganography Applications ■ Detect Presence of Hidden Messages ■ Analyze Image Characteristics ■ Reveal Vital Evidence 010111000000110101010101010101010101010101010101010101010101010010101010101010101100011100011110001111000 111000001111000001111100000001111000000001010101010101010100000001111111111100000000000101010101010100101 Stego Suite is comprised of four specialized products: Stego Hunter™, Stego Watch™, Stego Analyst™, and Stego Break™. This comprehensive suite of applications is designed to quickly identify, examine and analyze digital images and/or audio files for the presence of hidden information or covert communication channels. Detecting the presence of steganography is a tedious process; without advanced tools it is close to impossible to detect. Using Stego Suite investigators are able to utilize the latest algorithms for flagging suspicious files through a blind anomaly-based approach, examine files with image filters, analyze DCT coefficient histograms, and track palette manipulation with close color pairs, shortening investigation time drastically and allowing investigators to work specifically within the four tools provided in the suite. Key Features: System Recommendations: ▫ Rapid identification of known ▫ Microsoft Windows® 98 steganography programs ▫ 100 MB free disk space ▫ Flag suspicious files through blind anomaly-based approach ▫ 512 MB RAM ▫ State-of-the-art image and audio analyzer ▫ Pentium® III 1GHz processor D i g i t a l ▫ Crack and extract payloads from carrier License: files ▫ Single user license allows for installation ▫ Court ready investigator reports of entire suite ▫ Scan audio files, JPG, BMP, GIF, PNG ▫ Site licenses are available upon request and more Free software maintenance for one year from the date of purchase! Cornell Business and Technology Park · 20 Thornwood Dr., Suite 105 · Ithaca, NY 14850 1-877-WETSTONE · www.wetstonetech.com Copyright 2005-2008 WetStone Technologies All Rights Reserved
Gargoyle Investigator™ P r o d u c t s Enterprise Module Enterprise Malware Investigation 000000000000001111111111111111111000000000000011100000111000001111111111100000000111111111000000011111111 000000101010101001010101010001010100101010100000001111111000010110100101010000000000000000000000111111111 111111111110000000000000000000111111111111111110000000000000000111111111111000000000000001111111111100000 Internal 000101010101010101010101010101010101010101010101000000100000000001111111111111000000000000011111111100000 Investigation 000000001111111111111100000000000000111111111110000000000001111111111111000000000001111111000000000011111 111111111111100000000000111111111111000000000000011111111111111110000000000011111111110000000111111111111 111111111000000000000101010101010101010010101001010101101010101010101101010101010101010101010010101001010 110000001101111100101010101010111111111100000001010101010101010101010101001010101010101001010101010100000 Incident 000000000000000001111111111111111111100000000000001111111111111111111100000000000010101010101010110101010 Response 101010101010101010101010101010101010101010101010011111111110000000000001111111110000000111111111101010010 010101010101010101010101010101001010101010010101010100101010101010100101010101010101010100101010101010101 010101010101010100101010100101010000000001111111110000000001111111111110000001111100000111111100000101010 I n v e s t i g a t i o n 100101001010010100101001010101011111111111100000000000111111111100000001010101010101010101010101010101010 Enterprise 101010101010101010101000000111111111111100000101010101010100101010101010101010101010101001010101001010101 010010101011111111111111111111111110000000000000000000000000111111111111111111000000000000011111111100000 Reporting 000000111111111111110000000001111111111111010101010101010100000001111111000000111100010101010001110000111 100001011100000011010101010101010101010101010101010101010101010101001010101010101010110001110001111000111 100011100000111100000111110000000111100000000101010101010101010000000111111111110000000000010101010101010 Gargoyle Enterprise Module (GEM) provides corporate IT departments, incident response investigators, or organizations with large and complex networks, the ability to fight against malicious software within enterprise computing environments. GEM is designed to quickly target systems under investigation, collecting hashes of files found on suspect systems. The resulting collection is then analyzed by Gargoyle Investigator Forensic Pro, providing investigators significant details about each targets activities, motives, and intent. As enterprise networks continue to expand in numbers and geographic locations, investigators need a tool that will acquire forensic evidence from targets anywhere, anytime throughout the enterprise. Key Features: System Recommendations: ▫ Perform enterprise wide collection of ▫ Microsoft Windows® 2000 malicious code hashes on multiple targets simultaneously ▫ 230 MB free disk space ▫ Includes a single user license of Gargoyle ▫ 1 GB RAM Investigator™ Forensic Pro ▫ Pentium® III 1GHz processor D i g i t a l ▫ Dataset Creator™ - create and build your own categories for detection ▫ Gargoyle Investigator™ Forensic Pro ▫ Interoperates with popular forensic tools License: such as EnCase™ and FTK™ ▫ Enterprise license with 10 scan option, ▫ Timestamped enterprise discovery additional scans of 25, 50 and 100 are reports for each target suspected available Free software maintenance for one year from the date of purchase! Cornell Business and Technology Park · 20 Thornwood Dr., Suite 105 · Ithaca, NY 14850 1-877-WETSTONE · www.wetstonetech.com Copyright 2005-2008 WetStone Technologies All Rights Reserved
LiveWire Investigator™ P r o d u c t s On Demand Digital Investigation 000000000000001111111111111111111000000000000011100000111000001111111111100000000111111111000000011111111 000000101010101001010101010010101010010101010000000111111100001011010010101000000000000000000000011111111 111111111111000000000000000000011111111111111111000000000000000011111111111100000000000000111111111110000 Live Forensics 000010101010101010101010101010101010101010101010100000010000000000111111111111100000000000001111111110000 000000000111111111111110000000000000011111111111000000000000111111111111100000000000111111100000000001111 111111111111110000000000011111111111100000000000001111111111111111000000000001111111111000000011111111111 111111111100000000000010101010101010101001010100101010110101010101010110101010101010101010101001010100101 Remote Malware 011000000110111110010101010101011111111110000000101010101010101010101010100101010101010100101010101010000 Detection 000000000000000000111111111111111111110000000000000111111111111111111110000000000001010101010101011010101 010101010101010101010101010101010101010101010101001111111111000000000000111111111000000011111111110101001 001010101010101010101010101010100101010101001010101010010101010101010010101010101010101010010101010101010 101010101010101010010101010010101000000000111111111000000000111111111111000000111110000011111110000010101 eCrime I n v e s t i g a t i o n 010010100101001010010100101010101111111111110000000000011111111110000000101010101010101010101010101010101 010101010101010101010100000011111111111110000010101010101010010101010101010101010101010100101010100101010 101001010101111111111111111111111111000000000000000000000000011111111111111111100000000000001111111110000 000000011111111111111000000000111111111111101010101010101010000000111111100000011110001010101000111000011 eDiscovery 110000101110000001101010101010101010101010101010101010101010101010100101010101010101011000111000111100011 110001110000011110000011111000000011110000000010101010101010101000000011111111111000000000001010101010101 LiveWire Investigator is the ultimate tool for incident response, vulnerability assessment, compliance audits and criminal investigations. Quickly and inconspicuously exam live running computer systems, providing the ability to assess vulnerabilities, collect evidence directly from suspect computers, and perform enterprise-wide malware scans. LiveWire does not require pre-installed software deployed on target computers. The “command and control” of LiveWire can be on-site or remote, with any on-site operations controlled directly through the LiveWire application. Investigators can now rapidly and easily collect evidence on live running target systems from anywhere in the world. Key Features: System Recommendations: ▫ Live forensic discovery and triage of 25 or ▫ Microsoft Windows® 2000 or higher more “Live” target systems simultaneously ▫ 100 MB free disk space ▫ File system blueprinting ▫ 128 MB RAM ▫ Remote screenshots ▫ Pentium® III 1GHz processor ▫ Live drive and device captures D i g i t a l ▫ Physical and virtual memory imaging License: ▫ Integrated enterprise malware detection ▫ Single user license with the option to add ▫ Automated timestamped audit trail up to 50 and 100 simultaneous scans ▫ Site licenses are available upon request *Companion product LiveDiscover™ Free software maintenance for one year from the date of purchase! Cornell Business and Technology Park · 20 Thornwood Dr., Suite 105 · Ithaca, NY 14850 1-877-WETSTONE · www.wetstonetech.com Copyright 2005-2008 WetStone Technologies All Rights Reserved

Recomendados

10 Critical Corporate Cyber Security Risks
10 Critical Corporate Cyber Security Risks10 Critical Corporate Cyber Security Risks
10 Critical Corporate Cyber Security RisksHeimdal Security
 
Ataques informaticos
Ataques informaticosAtaques informaticos
Ataques informaticosadrianruiz81
 
Insider threats and countermeasures
Insider threats and countermeasuresInsider threats and countermeasures
Insider threats and countermeasuresKAMRAN KHALID
 
Seguranca da Informação - Conceitos
Seguranca da Informação - ConceitosSeguranca da Informação - Conceitos
Seguranca da Informação - ConceitosLuiz Arthur
 
Hackeando Mentes - Engenharia social
Hackeando Mentes - Engenharia social Hackeando Mentes - Engenharia social
Hackeando Mentes - Engenharia social Abraão Állysson
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation centerMuhammad Sahputra
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecuritySounil Yu
 
Insider threat v3
Insider threat v3Insider threat v3
Insider threat v3Lancope, Inc.
 

Recomendados

10 Critical Corporate Cyber Security Risks
10 Critical Corporate Cyber Security Risks10 Critical Corporate Cyber Security Risks
10 Critical Corporate Cyber Security RisksHeimdal Security
 
Ataques informaticos
Ataques informaticosAtaques informaticos
Ataques informaticosadrianruiz81
 
Insider threats and countermeasures
Insider threats and countermeasuresInsider threats and countermeasures
Insider threats and countermeasuresKAMRAN KHALID
 
Seguranca da Informação - Conceitos
Seguranca da Informação - ConceitosSeguranca da Informação - Conceitos
Seguranca da Informação - ConceitosLuiz Arthur
 
Hackeando Mentes - Engenharia social
Hackeando Mentes - Engenharia social Hackeando Mentes - Engenharia social
Hackeando Mentes - Engenharia social Abraão Állysson
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation centerMuhammad Sahputra
 
Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecurityDistributed Immutable Ephemeral - New Paradigms for the Next Era of Security
Distributed Immutable Ephemeral - New Paradigms for the Next Era of SecuritySounil Yu
 
Insider threat v3
Insider threat v3Insider threat v3
Insider threat v3Lancope, Inc.
 
Detecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-ThreatDetecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-ThreatMike Saunders
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)WAJAHAT IQBAL
 
Customer information security awareness training
Customer information security awareness trainingCustomer information security awareness training
Customer information security awareness trainingAbdalrhmanTHassan
 
Segurança da informação - Forense Computacional
Segurança da informação - Forense ComputacionalSegurança da informação - Forense Computacional
Segurança da informação - Forense ComputacionalJefferson Costa
 
Engenharia social
Engenharia socialEngenharia social
Engenharia socialLuiz Vieira .´. CISSP, OSCE, GXPN, CEH
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingDaniel P Wallace
 
Iot cyber security
Iot cyber securityIot cyber security
Iot cyber securitysajid mehmood
 
Isms Implementer Course Module 1 Introduction To Information Security
Isms Implementer Course Module 1 Introduction To Information SecurityIsms Implementer Course Module 1 Introduction To Information Security
Isms Implementer Course Module 1 Introduction To Information Securityanilchip
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by FortinetAtlantic Training, LLC.
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider ThreatPECB
 
Engenharia Social - A arte de enganar
Engenharia Social - A arte de enganarEngenharia Social - A arte de enganar
Engenharia Social - A arte de enganarAnderson Zardo
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDPranav Shah
 
Perigos nas Redes Sociais
Perigos nas Redes SociaisPerigos nas Redes Sociais
Perigos nas Redes SociaisAlunas Darque
 
Cyber Security: Why your business needs protection & prevention measures
Cyber Security: Why your business needs protection & prevention measuresCyber Security: Why your business needs protection & prevention measures
Cyber Security: Why your business needs protection & prevention measuresCBIZ, Inc.
 
Information security awareness training
Information security awareness trainingInformation security awareness training
Information security awareness trainingSandeep Taileng
 
Introduction to Social engineering | Techniques of Social engineering
Introduction to Social engineering | Techniques of Social engineeringIntroduction to Social engineering | Techniques of Social engineering
Introduction to Social engineering | Techniques of Social engineeringPrem Lamsal
 
Information Security Awareness Training Open
Information Security Awareness Training OpenInformation Security Awareness Training Open
Information Security Awareness Training OpenFred Beck MBA, CPA
 
Cybersecurity Skills Audit
Cybersecurity Skills AuditCybersecurity Skills Audit
Cybersecurity Skills AuditVilius Benetis
 
Importância do profissional Hacker ético no mercado de trabalho
Importância do profissional Hacker ético no mercado de trabalhoImportância do profissional Hacker ético no mercado de trabalho
Importância do profissional Hacker ético no mercado de trabalhoMarcos Flávio Araújo Assunção
 
Privileged Access Management - 2016
Privileged Access Management - 2016Privileged Access Management - 2016
Privileged Access Management - 2016Lance Peterman
 
Securing Your Data for Your Journey to the Cloud
Securing Your Data for Your Journey to the CloudSecuring Your Data for Your Journey to the Cloud
Securing Your Data for Your Journey to the CloudLiwei Ren任力偉
 
Complete Endpoint protection
Complete Endpoint protectionComplete Endpoint protection
Complete Endpoint protectionxband
 

Mais conteúdo relacionado

Mais procurados

Detecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-ThreatDetecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-ThreatMike Saunders
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)WAJAHAT IQBAL
 
Customer information security awareness training
Customer information security awareness trainingCustomer information security awareness training
Customer information security awareness trainingAbdalrhmanTHassan
 
Segurança da informação - Forense Computacional
Segurança da informação - Forense ComputacionalSegurança da informação - Forense Computacional
Segurança da informação - Forense ComputacionalJefferson Costa
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness TrainingDaniel P Wallace
 
Isms Implementer Course Module 1 Introduction To Information Security
Isms Implementer Course Module 1 Introduction To Information SecurityIsms Implementer Course Module 1 Introduction To Information Security
Isms Implementer Course Module 1 Introduction To Information Securityanilchip
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider ThreatPECB
 
Engenharia Social - A arte de enganar
Engenharia Social - A arte de enganarEngenharia Social - A arte de enganar
Engenharia Social - A arte de enganarAnderson Zardo
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDPranav Shah
 
Perigos nas Redes Sociais
Perigos nas Redes SociaisPerigos nas Redes Sociais
Perigos nas Redes SociaisAlunas Darque
 
Cyber Security: Why your business needs protection & prevention measures
Cyber Security: Why your business needs protection & prevention measuresCyber Security: Why your business needs protection & prevention measures
Cyber Security: Why your business needs protection & prevention measuresCBIZ, Inc.
 
Information security awareness training
Information security awareness trainingInformation security awareness training
Information security awareness trainingSandeep Taileng
 
Introduction to Social engineering | Techniques of Social engineering
Introduction to Social engineering | Techniques of Social engineeringIntroduction to Social engineering | Techniques of Social engineering
Introduction to Social engineering | Techniques of Social engineeringPrem Lamsal
 
Information Security Awareness Training Open
Information Security Awareness Training OpenInformation Security Awareness Training Open
Information Security Awareness Training OpenFred Beck MBA, CPA
 
Cybersecurity Skills Audit
Cybersecurity Skills AuditCybersecurity Skills Audit
Cybersecurity Skills AuditVilius Benetis
 
Importância do profissional Hacker ético no mercado de trabalho
Importância do profissional Hacker ético no mercado de trabalhoImportância do profissional Hacker ético no mercado de trabalho
Importância do profissional Hacker ético no mercado de trabalhoMarcos Flávio Araújo Assunção
 
Privileged Access Management - 2016
Privileged Access Management - 2016Privileged Access Management - 2016
Privileged Access Management - 2016Lance Peterman
 

Mais procurados (20)

Detecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-ThreatDetecting-Preventing-Insider-Threat
Detecting-Preventing-Insider-Threat
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
 
Customer information security awareness training
Customer information security awareness trainingCustomer information security awareness training
Customer information security awareness training
 
Segurança da informação - Forense Computacional
Segurança da informação - Forense ComputacionalSegurança da informação - Forense Computacional
Segurança da informação - Forense Computacional
 
Engenharia social
Engenharia socialEngenharia social
Engenharia social
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
Iot cyber security
Iot cyber securityIot cyber security
Iot cyber security
 
Isms Implementer Course Module 1 Introduction To Information Security
Isms Implementer Course Module 1 Introduction To Information SecurityIsms Implementer Course Module 1 Introduction To Information Security
Isms Implementer Course Module 1 Introduction To Information Security
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by Fortinet
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threat
 
Engenharia Social - A arte de enganar
Engenharia Social - A arte de enganarEngenharia Social - A arte de enganar
Engenharia Social - A arte de enganar
 
Cybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoDCybersecurity Metrics: Reporting to BoD
Cybersecurity Metrics: Reporting to BoD
 
Perigos nas Redes Sociais
Perigos nas Redes SociaisPerigos nas Redes Sociais
Perigos nas Redes Sociais
 
Cyber Security: Why your business needs protection & prevention measures
Cyber Security: Why your business needs protection & prevention measuresCyber Security: Why your business needs protection & prevention measures
Cyber Security: Why your business needs protection & prevention measures
 
Information security awareness training
Information security awareness trainingInformation security awareness training
Information security awareness training
 
Introduction to Social engineering | Techniques of Social engineering
Introduction to Social engineering | Techniques of Social engineeringIntroduction to Social engineering | Techniques of Social engineering
Introduction to Social engineering | Techniques of Social engineering
 
Information Security Awareness Training Open
Information Security Awareness Training OpenInformation Security Awareness Training Open
Information Security Awareness Training Open
 
Cybersecurity Skills Audit
Cybersecurity Skills AuditCybersecurity Skills Audit
Cybersecurity Skills Audit
 
Importância do profissional Hacker ético no mercado de trabalho
Importância do profissional Hacker ético no mercado de trabalhoImportância do profissional Hacker ético no mercado de trabalho
Importância do profissional Hacker ético no mercado de trabalho
 
Privileged Access Management - 2016
Privileged Access Management - 2016Privileged Access Management - 2016
Privileged Access Management - 2016
 

Destaque

Securing Your Data for Your Journey to the Cloud
Securing Your Data for Your Journey to the CloudSecuring Your Data for Your Journey to the Cloud
Securing Your Data for Your Journey to the CloudLiwei Ren任力偉
 
Complete Endpoint protection
Complete Endpoint protectionComplete Endpoint protection
Complete Endpoint protectionxband
 
McAfee Total Protection for Data Loss Prevention (DLP)
McAfee Total Protection for Data Loss Prevention (DLP)McAfee Total Protection for Data Loss Prevention (DLP)
McAfee Total Protection for Data Loss Prevention (DLP)Trustmarque
 
Steganography
SteganographySteganography
Steganographysandeipz
 
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.Netskope
 
Steganography
Steganography Steganography
Steganography Uttam Jain
 

Destaque (8)

Securing Your Data for Your Journey to the Cloud
Securing Your Data for Your Journey to the CloudSecuring Your Data for Your Journey to the Cloud
Securing Your Data for Your Journey to the Cloud
 
Complete Endpoint protection
Complete Endpoint protectionComplete Endpoint protection
Complete Endpoint protection
 
Enterprise API Security & Data Loss Prevention - Intel
Enterprise API Security & Data Loss Prevention - IntelEnterprise API Security & Data Loss Prevention - Intel
Enterprise API Security & Data Loss Prevention - Intel
 
McAfee Total Protection for Data Loss Prevention (DLP)
McAfee Total Protection for Data Loss Prevention (DLP)McAfee Total Protection for Data Loss Prevention (DLP)
McAfee Total Protection for Data Loss Prevention (DLP)
 
Steganography
SteganographySteganography
Steganography
 
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
 
PACE-IT, Security+2.9: Goals of Security Controls
PACE-IT, Security+2.9: Goals of Security ControlsPACE-IT, Security+2.9: Goals of Security Controls
PACE-IT, Security+2.9: Goals of Security Controls
 
Steganography
Steganography Steganography
Steganography
 

Semelhante a The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Steganography.
Steganography.Steganography.
Steganography.yprajapati
 
Stegnography final
Stegnography finalStegnography final
Stegnography finalHeena Bohra
 
Information Security, some illustrated principles
Information Security, some illustrated principlesInformation Security, some illustrated principles
Information Security, some illustrated principlesboskabout
 
steganography-252-uzLRCSm.pptx
steganography-252-uzLRCSm.pptxsteganography-252-uzLRCSm.pptx
steganography-252-uzLRCSm.pptxAkashBhosale50
 
Steganography (Distributed computing)
Steganography (Distributed computing)Steganography (Distributed computing)
Steganography (Distributed computing)Sri Prasanna
 
Stegnography final
Stegnography finalStegnography final
Stegnography finalNikhil Kumar
 
Hacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortHacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortVincent Ohprecio
 
CSE steganography for data writing and reading
CSE steganography for data writing and readingCSE steganography for data writing and reading
CSE steganography for data writing and readingmisbanausheenparvam
 
Phd T H E S I Sproposal
Phd T H E S I SproposalPhd T H E S I Sproposal
Phd T H E S I Sproposalguest6caaab
 
Steganography
SteganographySteganography
SteganographyPREMKUMAR
 
sharing the data using audio and image Steganography-
sharing the data using audio and image Steganography- sharing the data using audio and image Steganography-
sharing the data using audio and image Steganography- Nikhil Praharshi
 
Digital preservation and institutional repositories
Digital preservation and institutional repositoriesDigital preservation and institutional repositories
Digital preservation and institutional repositoriesDorothea Salo
 

Semelhante a The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content (20)

Steganography.
Steganography.Steganography.
Steganography.
 
Stegnography final
Stegnography finalStegnography final
Stegnography final
 
Information Security, some illustrated principles
Information Security, some illustrated principlesInformation Security, some illustrated principles
Information Security, some illustrated principles
 
steganography-252-uzLRCSm.pptx
steganography-252-uzLRCSm.pptxsteganography-252-uzLRCSm.pptx
steganography-252-uzLRCSm.pptx
 
Steganography (Distributed computing)
Steganography (Distributed computing)Steganography (Distributed computing)
Steganography (Distributed computing)
 
Stegnography final
Stegnography finalStegnography final
Stegnography final
 
Steganography ppt
Steganography pptSteganography ppt
Steganography ppt
 
Hacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortHacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades short
 
CSE steganography for data writing and reading
CSE steganography for data writing and readingCSE steganography for data writing and reading
CSE steganography for data writing and reading
 
Steganography(Presentation)
Steganography(Presentation)Steganography(Presentation)
Steganography(Presentation)
 
Steganography
SteganographySteganography
Steganography
 
Final2
Final2Final2
Final2
 
steganography
steganographysteganography
steganography
 
Steganography
SteganographySteganography
Steganography
 
digital stega slides
digital stega slidesdigital stega slides
digital stega slides
 
Phd T H E S I Sproposal
Phd T H E S I SproposalPhd T H E S I Sproposal
Phd T H E S I Sproposal
 
Steganography
SteganographySteganography
Steganography
 
sharing the data using audio and image Steganography-
sharing the data using audio and image Steganography- sharing the data using audio and image Steganography-
sharing the data using audio and image Steganography-
 
Digital preservation and institutional repositories
Digital preservation and institutional repositoriesDigital preservation and institutional repositories
Digital preservation and institutional repositories
 
Steganography
SteganographySteganography
Steganography
 

Último

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

Último (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 

The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

  • 1. Bill Fanelli Principal Architect Carlton Jeffcoat VP Allen Corporation of America Cyber Security Technologies Division The Message Within: Data Sheet g Extending DLP to target Steganography
  • 2. Steganography Discovering Critical Evidence - hidden in plain sight -
  • 3. Introduction • Data Leakage greatly concerns certain industries – High value intellectual property • Pharmaceutical formulas • Proprietary software algorithms p y g – Highly sensitive legal documents • Data Loss Prevention (DLP) explicitly prevents the l k th leakage of this data out of an organization. f thi d t t f i ti – DLP monitors the movement of tagged files and data with keyword content. – DLP technology is uniquely positioned to help with forensics efforts in identifying hidden message carriers. PAGE 4
  • 4. How to use DLP in Steganography Detection • DLP can monitor the movement of likely carrier files such as image and music files – DLP will copy these files to a forensic archive – Other tools can then scan these files for the presence of hidden data • This presentation will: – Describe these forensic procedures – Detail an implementation of the required workflow PAGE 5
  • 5. Definition • Steganography – Hiding the existence of the message • Vs. Cryptography – Ob Obscures the meaning of a message e me ning me ge – Does not conceal the fact that there is a message • Steganalysis g y – Detecting the presence of messages hidden using steganography • Legitimate uses of steganography – Digital Watermarking PAGE 6
  • 6. Steganography - Ancient Methods Wax Tablets • Demaratus of Ariston, exiled in Persia, received news that Xerxes was to invade Greece. • To get word to Sparta he Sparta, scraped the wax off writing tablets and carved a warning message in the wood. He h d then covered the wood with a fresh coat of wax. • The tablet was passed by the sentries without raising any suspicion. s spicion PAGE 7
  • 7. Steganography - Modern Methods Null Cipher Messages • The German Embassy in Washington, DC, y g , , sent these messages during World War I – Apparently neutral’s protest is thoroughly discounted and ignored Isman hard hit Blockade hit. issue affects pretext for embargo on by-products, ejecting suet's and vegetable oils • D Decoding the message by extracting the di h b i h second letter from each word reveals the actual message – PERSHING SAILS FROM N.Y. JUNE 1 PAGE 8
  • 8. Technical Steganography • Uses scientific methods to hide a message, g , such as the use of invisible ink or microdots • I 1941 th FBI discovered a Micro Dot In the di d Mi D t carried on a letter from a suspected agent – Micro Dot production p • Create a postage stamp sized secret message • Reduce this in size using a reverse microscope producing an image .05 inches in diameter – The dot was pressed onto a piece of paper Mark IV microdot camera using a hypodermic needle in place of a p period PAGE 9
  • 9. Simple Example Once upon a our poets eve With darkened sky’s and fallen leaves The raven came to call outside the door Time it said always flows through your life aid, s, and through the throws, running faster ever than before And if you wish to beat the game, to live a life of wealth and fame fame, then try to follow me forever more For here within the words it said Like a dream within your head A secret waits to lead you out the door Within a code that Bacon knew In letters just a bit askew The raven whispers secrets evermore!
  • 10. Once upon a our poets eve With darkened sky’s and fallen leaves The raven came to call outside the door Time it said always flows through your life aid, s, and through the throws, running faster ever than before And if you wish to beat the game, to live a life of wealth and fame fame, then try to follow me forever more For here within the words it said Like a dream within your head A secret waits to lead you out the door Within a code that Bacon knew In letters just a bit askew The raven whispers secrets evermore!
  • 11. Once upon a our poets eve With darkened sky’s and fallen leaves The raven came to call outside the door Time it said always flows through your life aid, s, and through the throws, running faster ever than before And if you wish to beat the game, to live a life of wealth and fame fame, then try to follow me forever more For here within the words it said Like a dream within your head A secret waits to lead you out the door Within a code that Bacon knew In letters just a bit askew The raven whispers secrets evermore!
  • 12. Once upon a our poets eve With darkened sky’s and fallen leaves The raven came to call outside the door Time it said always flows through your life aid, s, and through the throws, running faster ever than before And if you wish to beat the game, to live a life of wealth and fame fame, then try to follow me forever more For here within the words it said Like a dream within your head A secret waits to lead you out the door Within a code that Bacon knew In letters just a bit askew The raven whispers secrets evermore!
  • 13. Concerns to Business • Data loss – Covert transmission of corporate IP • Pharmaceutical formulas • Proprietary software algorithms p y g – Highly sensitive legal documents • Hiding illicit activity – Non-job related activity that potentially puts the organization at risk • Gambling • Pornography • Credit card fraud • Terrorism PAGE 14
  • 14. How big is the problem? 600 Steganography Programs in the Wild 505 500 400 300 200 100 0 2001 2002 2003 2004 2005 2006 Today According to WetStone’s Chief Scientist Chet Hosmer • Where to find them – Neil Johnsons’ Steganography and Digital Watermarking web site • http://www.jjtc.com/Steganography/toolmatrix.htm – StegoArchive.com – Neil Johnsons’ Steganalysis web site g y • http://www.jjtc.com/Steganalysis/ PAGE 15
  • 15. Steganalysis Tools • For our discussions, we will reference the following steganalysis and malware detection g g y tools from Allen Corporation’s WetStone Technologies – Stego Suite – Gargoyle – Live Wire Investigator PAGE 16
  • 16. – Stego Suite • Stego Watch – Scan a file system and flag suspected files – Derived from the WetStone’s Steganography and Recovery Toolkit (S-DART) research project for US Air Force Research Laboratory – Exposes an API for researches and developers that allows for new research and steganography detectors • Stego Analyst – Imaging and analysis tool to identify visual clues that steganography is in use in both image and audio files • Stego Break – Obtain the pass p p phrase that has been used – Gargoyle • Hostile program detector with steganography dataset – Malware tool discovery over the network – Target at computers where suspect files originated PAGE 17
  • 17. Known Methods of Steganography Covert Channels Color 24-Bit LSB Palette Encoding Modification Encoding Algorithm g Modification Word Formatting Substitution Modification Data Appending PAGE 18
  • 18. Least Significant Bit Encoding • This is the most common steganographic method used with audio and image files • Used to overwrite – Legitimate RGB color codings or p g g palette p pointers in GIF and BMP files – Coefficients in JPEG files – Pulse Code Modulation in WAV files Individual Colors LSB Substitution Combined Color Before After RED 1 0 1 1 0 1 0 0 Before After GREEN 1 1 0 0 0 1 1 1 BLUE 1 1 1 0 0 0 0 0 PAGE 19
  • 19. Adding a Payload to a Carrier PAGE 20
  • 22. Implementation – Policy & Procedure • Use of these capabilities is driven by risk assessment and A t d Acceptable Use Policy t bl U P li – High risk • E.G., Government Classified, Corporate Legal, Research Lab g • Policy – Not Allowed • Technical Action – Block, Archive, Examine Content, Scan Source Computer • Personnel Action – Possible Termination – Medium Risk • E.G., Human Resources, Contracts, Software Development , , , p • Policy – Not Allowed • Technical Action – Log, Archive, Spot Investigations • Personnel Action – Possible Termination PAGE 23
  • 23. Implementation - Technology • DLP – D t t movement of potential carriers Detect t f t ti l i – Copy to DLP archive • Steganography scan g g p y – Stego Suite – Examine files for potential covert content • M l Malware tools scan l – Gargoyle – Scan source workstations • Live Investigator – Consolidate findings into forensic documentation package k PAGE 24
  • 24. DLP Configuration • Technology implementation should always be derived from security policies and procedures • Classified environment – Block and archive everything • Pharmaceutical company – Research area • Block and archive – Legal department • Log and archive – All other areas • Log only PAGE 25
  • 25. DLP Architecture Policy set in ePO server to archive evidence files Evidence files Policy on endpoints collected in captures evidence files archive for steganalysis PAGE 26
  • 26. Steganography Scan Configuration • Scan image files in evidence archive – Identify images as possible Steganography carriers • Identify workstations where images originated – S n workstations for steganography tools Scan o k t tion fo teg nog ph tool – Possibly scan for other malware tools • Initiate personnel actions, as necessary p , y – Capture evidence as part of forensic investigation • Continue digital investigation – Examine suspect files – Attempt to extract payload PAGE 27
  • 27. Steganography Scan Architecture Scan image Scan Capture files f l in workstations k evidence as id evidence for malware part of archive tools forensic investigation PAGE 28
  • 30. Future – Stego Stomping • Server-level technology to filter outgoing e- mail • Modify all files to corrupt potential payload but leave carrier essentially intact – Essentially apply a randomized stego payload to every outgoing image • Proven for JPG formats – Other formats in development PAGE 31
  • 31. Want to Learn More? • Classes – Steganography Investigator Training • November 11 - 12, 2008 - Fairfax, VA •DDecember 10 - 11 2008 - O li b 11, Online – Live Investigator Training • October 24 - 25, 2008 - Gaithersburg, MD – Hacking BootCamp for Investigators • October 23 - 25, 2008 - Gaithersburg, MD • November 18 - 21, 2008 - Vancouver, BC • December 16 - 18, 2008 - Houston, TX PAGE 32
  • 32. Contact Us Corporate Headquarters: Allen Corporation of America Inc. p 10400 Eaton Place, Suite 450 Fairfax, VA 22030 (866) HQ - ALLEN (866) 472-5536 Bill Fanelli 571-321-1648 - bfanelli@allencorp.com Carlton Jeffcoat 571-321-1641 - cjeffcoat@allencorp.com www.AllenCorp.com www.WetStoneTech.com www WetStoneTech com A wholly owned subsidiary of Allen Corporation PAGE 33
  • 33. Stego Suite™ P r o d u c t s Discovering The Hidden 000000000000001111111111111111111000000000000011100000111000001111111111100000000111111111000000011111111 000000101010101001010101010001010100101010100000001111111000010110100101010000000000000000000000111111111 111111111110000000000000000000111111111111111110000000000000000111111111111000000000000001111111111100000 000101010101010101010101010101010101010101010101000000100000001111111111110000000000000111111111000000000 000011111111111111000000000000001111111111100000000000011111111111110000000000011111110000000000111111111 111111111000000000001111111111110000000000000111111111111111100000000000111111111100000001111111111111111 111110000000000001010101010101010100101010010101011010101010101011010101010101010101010100101010010101100 000011011111001010101010101111111111000000010101010101010101010101010010101010101010010101010101000000000 000000000000011111111111111111111000000000000011111111111111111111000000000000101010101010101101010101010 101010101010101010101010101010101010101010100111111111100000000000011111111100000001111111111010100100101 010101010101010101010101010010101010100101010101001010101010101001010101010101010101001010101010101010101 010101010101001010101001010100000000011111111100000000011111111111100000011111000001111111000001010101001 I n v e s t i g a t i o n Stego Hunter™ Stego Watch™ Stego Analyst™ Stego Break™ 010010100101001010010101010111111111111000000000001111111111000000010101010101010101010101010101010101010 101010101010101010000001111111111111000001010101010101001010101010101010101010101010010101010010101010100 101010111111111111111111111111100000000000000000000000001111111111111111110000000000000111111111000000000 001111111111111100000000011111111111110101010101010101000000011111110000001111000101010100011100001111000 Identify Steganography Applications ■ Detect Presence of Hidden Messages ■ Analyze Image Characteristics ■ Reveal Vital Evidence 010111000000110101010101010101010101010101010101010101010101010010101010101010101100011100011110001111000 111000001111000001111100000001111000000001010101010101010100000001111111111100000000000101010101010100101 Stego Suite is comprised of four specialized products: Stego Hunter™, Stego Watch™, Stego Analyst™, and Stego Break™. This comprehensive suite of applications is designed to quickly identify, examine and analyze digital images and/or audio files for the presence of hidden information or covert communication channels. Detecting the presence of steganography is a tedious process; without advanced tools it is close to impossible to detect. Using Stego Suite investigators are able to utilize the latest algorithms for flagging suspicious files through a blind anomaly-based approach, examine files with image filters, analyze DCT coefficient histograms, and track palette manipulation with close color pairs, shortening investigation time drastically and allowing investigators to work specifically within the four tools provided in the suite. Key Features: System Recommendations: ▫ Rapid identification of known ▫ Microsoft Windows® 98 steganography programs ▫ 100 MB free disk space ▫ Flag suspicious files through blind anomaly-based approach ▫ 512 MB RAM ▫ State-of-the-art image and audio analyzer ▫ Pentium® III 1GHz processor D i g i t a l ▫ Crack and extract payloads from carrier License: files ▫ Single user license allows for installation ▫ Court ready investigator reports of entire suite ▫ Scan audio files, JPG, BMP, GIF, PNG ▫ Site licenses are available upon request and more Free software maintenance for one year from the date of purchase! Cornell Business and Technology Park · 20 Thornwood Dr., Suite 105 · Ithaca, NY 14850 1-877-WETSTONE · www.wetstonetech.com Copyright 2005-2008 WetStone Technologies All Rights Reserved
  • 34. Gargoyle Investigator™ P r o d u c t s Enterprise Module Enterprise Malware Investigation 000000000000001111111111111111111000000000000011100000111000001111111111100000000111111111000000011111111 000000101010101001010101010001010100101010100000001111111000010110100101010000000000000000000000111111111 111111111110000000000000000000111111111111111110000000000000000111111111111000000000000001111111111100000 Internal 000101010101010101010101010101010101010101010101000000100000000001111111111111000000000000011111111100000 Investigation 000000001111111111111100000000000000111111111110000000000001111111111111000000000001111111000000000011111 111111111111100000000000111111111111000000000000011111111111111110000000000011111111110000000111111111111 111111111000000000000101010101010101010010101001010101101010101010101101010101010101010101010010101001010 110000001101111100101010101010111111111100000001010101010101010101010101001010101010101001010101010100000 Incident 000000000000000001111111111111111111100000000000001111111111111111111100000000000010101010101010110101010 Response 101010101010101010101010101010101010101010101010011111111110000000000001111111110000000111111111101010010 010101010101010101010101010101001010101010010101010100101010101010100101010101010101010100101010101010101 010101010101010100101010100101010000000001111111110000000001111111111110000001111100000111111100000101010 I n v e s t i g a t i o n 100101001010010100101001010101011111111111100000000000111111111100000001010101010101010101010101010101010 Enterprise 101010101010101010101000000111111111111100000101010101010100101010101010101010101010101001010101001010101 010010101011111111111111111111111110000000000000000000000000111111111111111111000000000000011111111100000 Reporting 000000111111111111110000000001111111111111010101010101010100000001111111000000111100010101010001110000111 100001011100000011010101010101010101010101010101010101010101010101001010101010101010110001110001111000111 100011100000111100000111110000000111100000000101010101010101010000000111111111110000000000010101010101010 Gargoyle Enterprise Module (GEM) provides corporate IT departments, incident response investigators, or organizations with large and complex networks, the ability to fight against malicious software within enterprise computing environments. GEM is designed to quickly target systems under investigation, collecting hashes of files found on suspect systems. The resulting collection is then analyzed by Gargoyle Investigator Forensic Pro, providing investigators significant details about each targets activities, motives, and intent. As enterprise networks continue to expand in numbers and geographic locations, investigators need a tool that will acquire forensic evidence from targets anywhere, anytime throughout the enterprise. Key Features: System Recommendations: ▫ Perform enterprise wide collection of ▫ Microsoft Windows® 2000 malicious code hashes on multiple targets simultaneously ▫ 230 MB free disk space ▫ Includes a single user license of Gargoyle ▫ 1 GB RAM Investigator™ Forensic Pro ▫ Pentium® III 1GHz processor D i g i t a l ▫ Dataset Creator™ - create and build your own categories for detection ▫ Gargoyle Investigator™ Forensic Pro ▫ Interoperates with popular forensic tools License: such as EnCase™ and FTK™ ▫ Enterprise license with 10 scan option, ▫ Timestamped enterprise discovery additional scans of 25, 50 and 100 are reports for each target suspected available Free software maintenance for one year from the date of purchase! Cornell Business and Technology Park · 20 Thornwood Dr., Suite 105 · Ithaca, NY 14850 1-877-WETSTONE · www.wetstonetech.com Copyright 2005-2008 WetStone Technologies All Rights Reserved
  • 35. LiveWire Investigator™ P r o d u c t s On Demand Digital Investigation 000000000000001111111111111111111000000000000011100000111000001111111111100000000111111111000000011111111 000000101010101001010101010010101010010101010000000111111100001011010010101000000000000000000000011111111 111111111111000000000000000000011111111111111111000000000000000011111111111100000000000000111111111110000 Live Forensics 000010101010101010101010101010101010101010101010100000010000000000111111111111100000000000001111111110000 000000000111111111111110000000000000011111111111000000000000111111111111100000000000111111100000000001111 111111111111110000000000011111111111100000000000001111111111111111000000000001111111111000000011111111111 111111111100000000000010101010101010101001010100101010110101010101010110101010101010101010101001010100101 Remote Malware 011000000110111110010101010101011111111110000000101010101010101010101010100101010101010100101010101010000 Detection 000000000000000000111111111111111111110000000000000111111111111111111110000000000001010101010101011010101 010101010101010101010101010101010101010101010101001111111111000000000000111111111000000011111111110101001 001010101010101010101010101010100101010101001010101010010101010101010010101010101010101010010101010101010 101010101010101010010101010010101000000000111111111000000000111111111111000000111110000011111110000010101 eCrime I n v e s t i g a t i o n 010010100101001010010100101010101111111111110000000000011111111110000000101010101010101010101010101010101 010101010101010101010100000011111111111110000010101010101010010101010101010101010101010100101010100101010 101001010101111111111111111111111111000000000000000000000000011111111111111111100000000000001111111110000 000000011111111111111000000000111111111111101010101010101010000000111111100000011110001010101000111000011 eDiscovery 110000101110000001101010101010101010101010101010101010101010101010100101010101010101011000111000111100011 110001110000011110000011111000000011110000000010101010101010101000000011111111111000000000001010101010101 LiveWire Investigator is the ultimate tool for incident response, vulnerability assessment, compliance audits and criminal investigations. Quickly and inconspicuously exam live running computer systems, providing the ability to assess vulnerabilities, collect evidence directly from suspect computers, and perform enterprise-wide malware scans. LiveWire does not require pre-installed software deployed on target computers. The “command and control” of LiveWire can be on-site or remote, with any on-site operations controlled directly through the LiveWire application. Investigators can now rapidly and easily collect evidence on live running target systems from anywhere in the world. Key Features: System Recommendations: ▫ Live forensic discovery and triage of 25 or ▫ Microsoft Windows® 2000 or higher more “Live” target systems simultaneously ▫ 100 MB free disk space ▫ File system blueprinting ▫ 128 MB RAM ▫ Remote screenshots ▫ Pentium® III 1GHz processor ▫ Live drive and device captures D i g i t a l ▫ Physical and virtual memory imaging License: ▫ Integrated enterprise malware detection ▫ Single user license with the option to add ▫ Automated timestamped audit trail up to 50 and 100 simultaneous scans ▫ Site licenses are available upon request *Companion product LiveDiscover™ Free software maintenance for one year from the date of purchase! Cornell Business and Technology Park · 20 Thornwood Dr., Suite 105 · Ithaca, NY 14850 1-877-WETSTONE · www.wetstonetech.com Copyright 2005-2008 WetStone Technologies All Rights Reserved