Chapter 5 (28 pages)

Steganography Techniques for Command and Control (C2) Channels

Jedrzej Bieniasz, Krzysztof Szczypiorski

The aim of steganography is to conceal secret data by utilizing various features of the different objects, called carriers. From ancient times through the Middle Ages until today, steganography has been widely used to hide information from observers on its way to recipients. Steganography was generally recognized in the context of hiding communication between adversaries or criminals, whereas other applications were considered very specific or mostly theoretical, without a possibility of correct implementation. In recent years, the increasing evidence of real applications of steganography for covert data storage and covert data communication has given engineers and cyber security experts another security factor to consider. To emphasize steganography as a trending topic for information security, recent reports by Kaspersky [1], McAfee [2] and Fortinet [3] warned that information hiding techniques applied by malicious software designers are highly emerging cyber threats. Applying steganography to malware operations and communication enables malware to:

bypass common security mechanisms, such as antivirus software, Intrusion Detection/Intrusion Prevention systems and firewalls. All of these would pass network traffic or multimedia files carrying hidden data, because they recognize them as normal, non-violating and non-suspicious network communication or data exchange.

evade detection or make it harder. Steganography introduces an additional level of difficulty in forensic and malware analysis.

The modern approach tends to examine cyberattacks as a complete process of doing harm by cyber adversaries, in which executing malicious code or command and control (C2) communication is only one of the stages. In this approach, a cyberattack is modelled by the concept of advanced persistent threats (APTs) [4]. An APT represents a model of multilayer intrusion campaigns, conducted over a long time frame by well-resourced and trained groups who target highly sensitive information, such as economic, proprietary, or national security intelligence. Information hiding techniques must be recognized as one of the tools that adversaries could utilize to achieve their goals. The evolution of APTs drives the development of new defense approaches, because the earlier methodologies are no longer sufficient. One of the solutions is an intelligence-based network defense approach [5]. It leverages the Cyber Kill Chain model to describe the stages of an intrusion, find kill chain indicators of actions, and identify patterns that link particular intrusions and incidents into broader campaigns. Furthermore, the defenders' efforts are organized as an iterative process of gathering and exchanging knowledge about adversaries and their techniques. This creates an intelligence feedback loop that enables defenders to decrease the likelihood of the adversary's success with each subsequent intrusion attempt.