It is extremely difficult to defend against something that is invisible to the naked eye. It is for this reason that people have used steganography in various forms for thousands of years to keep their communications private, since some information is considered far too important to fall into the wrong hands. In ancient Greece, people relied on archaic methods of disguising communications, such as writing words on a person’s shaved head and letting the hair grow back to cover it (without washing it the entire time), or writing with indelible ink that is only visible when heat is applied to the parchment. In the twenty-first century, the demand for private communication technology has not subsided. Instead, communication has become much more sophisticated and expedient with the digital technology available today. The criminal mind knows no limits and will adapt to whatever new technology is available to exploit victims.
Cybercriminals are using digital steganography to hide and encrypt information collected by malware and transmit it within cover mediums to command and control (C2) data servers that appear innocuous. Given the ever-evolving and metastasizing cyber threat posed by State and non-State actors, cyberspace has become a dangerous game of spy versus spy in which the United States (U.S.) desperately needs a better method of protecting its most valuable and sensitive information from exploitation and exfiltration by adversaries. Digital steganography combined with strong encryption can be a very effective and low-cost method for protecting National Security Information (NSI) being transmitted across the Internet backbone. This paper will explore some basic concepts of digital steganography, methods of detecting and defeating steganography, as well as how digital steganography may be used to provide information security for U.S. NSI.
Basic Digital Steganography Concepts
Steganography is defined as the art and science of hiding or camouflaging the presence of hidden messages within legitimate cover files (Zielinska, Mazurczyk & Szczypioski, 2014, p. 86). If done properly, using digital steganography almost seems like magic because it is completely invisible and unnoticeable to the naked human eye (Data Genetics, 2013).
Historical Examples of Steganography Use
The use of steganography is grounded in biological evolution and the manner in which flora and fauna (plants and animals) adapt to their respective environments, slowly evolving over millions of years to develop camouflage that helps them blend in, hide, and increase their chances of survival (Zielinska et al., 2014, p. 89). The ancient Greeks found ways to communicate secretly using ordinary everyday objects carried between messengers, such as messages hidden within dead animal carcasses, messages embossed in wax on a wooden tablet or parchment, or messages written in invisible ink made from thithymallus plant sap that disappeared when the ink dried but became visible when heat was applied (Zielinska et al., 2014, p. 90).
The Romans invented a new form of steganography that used semagrams instead of words: actual objects whose distinguishing features signified different meanings to the recipient of the object. The Chinese invented paper, which became the platform for watermarking, a practice still used today by manufacturers of media to signify copyrighted media, but now using digital watermarking technology instead of paper (Zielinska et al., 2014, p. 90). Paper-based steganography also led to the acrostic, a technique developed by a Dominican priest named Francesco Colonna in which the secret meaning of a text is derived from the first letter of each paragraph within its body (Zielinska et al., 2014, p. 91). Newspapers were also very effective cover mediums: holes poked over specific letters could be deciphered by a recipient who also received a copy of the same unmolested newspaper and used a secret decoder template to interpret the message (Zielinska et al., 2014, p. 91). In World War II, the Germans used microdots the size of a period in a newspaper that contained microscopic text and images (Zielinska et al., 2014, p. 91). Steganography has existed in one form or another for thousands of years, and it appears there will always be a need for this art and science, since people will always need to find innovative means of communicating privately.
Contemporary Examples of Digital Steganography Use
The 20th century Industrial Revolution spawned the invention of the personal computer (PC), which led to the development of the most sophisticated forms of steganography in history, the forms in use today. Digital media steganography can be traced back to the 1970s, when various techniques were developed, such as Least Significant Bit (LSB) embedding, one of the most popular forms of digital media steganography (Zielinska et al., 2014, p. 91). LSB steganography essentially fools the human eye, which is incapable of detecting microscopic “noise” changes in a digital image, audio, or video file. In fact, the larger the media file (e.g., a video file), the less chance that any “noise” produced by injecting the stego file into the carrier file will be noticeable (Zielinska et al., 2014, p. 92).
Fast-forward to the 21st century, where digital steganography has been creatively applied to network data traffic protocols, disguised to look like normal network traffic. Network steganography is an improved form of steganography in the sense that it is not limited by file sizes or by cover images already known to investigators, as digital media steganography is (Zielinska et al., 2014, p. 93). Network steganography can utilize all seven layers of the Open Systems Interconnection (OSI) Reference Model in the protocols it uses to perform different functions such as query-response, file transfer, fragmentation, segmentation, and the physical characteristics of a file as it is visibly seen (Mazurczyk, 2013, p. 2).
Spectrum Warfare in the Current Cyber Threat Environment
Digital steganography also plays a part in electronic warfare (EW). Transmission of a stego message using direct-sequence spread spectrum (DSSS) creates “noise” that an adversary can intercept; however, without special equipment and techniques an adversary will not even know that a message has been sent (Adamy, 2012, p. 47). The spread spectrum modulation during transmission provides security, prevents an adversary from capturing the entire message, and also cloaks the transmitter location (Adamy, 2012, p. 47). Additionally, even if the entire message were intercepted, the encryption would prevent an adversary from recovering the information that was transmitted (Adamy, 2012, p. 47).
Beyond what encryption can provide, digital steganography has the added benefit of denying an adversary the operational advantage of knowing that a secret message has been sent in the first place, knowledge that could have triggered a major effort to decode it (Adamy, 2012, p. 47). From a military spectrum warfare perspective, digital steganography allows an attacker to embed malware in normally innocuous files or graphics that could be used to initiate a cyber-attack without an adversary knowing it was occurring. The incorporation of digital steganography into malware has been notably increasing and should alarm cybersecurity professionals, law enforcement authorities, and government officials. There is also some speculation that the Al Qaeda terrorist plot of 2001 utilized steganography to conceal secret messages on publicly available websites (Zielinska et al., 2014, p. 88).
Least Significant Bit Steganography
One of the most popular digital steganography methods is the Least Significant Bit (LSB) method, which involves substituting the last (least significant) bit of each 8-bit byte. If the last bit were a 1, changing it to a 0 would not be noticeable even when done repeatedly throughout an image, audio, or video file (Data Genetics, 2013). Steganography is only possible due to sophisticated compression algorithms that shrink data down to a binary level (i.e., 1’s and 0’s) so that it can be embedded into another file using a technique such as LSB steganography. Figure 1 (below) illustrates how LSB steganography is performed using a steganography algorithm that replaces the last bit of each byte needed to hide the secret message or file within the cover medium.
Digital Image Steganography
In the early days of digital media steganography, the technology did not support using more complicated cover mediums such as audio, video, VoIP, or network protocols to hide secret messages. Initially, steganographers created software that used digital images to embed secret messages within. The popularity of image steganography within the personal computing and privacy social circles skyrocketed and it did not take long for pedophiles to begin using digital image steganography to trade their illegal content over the Web (INTERPOL, 2017, pp. 22–23). Technology such as affordable PCs, video cameras, anonymous browsers (e.g., Tor, I2P, etc.) and high-speed Internet availability have made it incredibly difficult for law enforcement authorities to combat the spread of child pornography online (INTERPOL, 2017, p. 23). In 2002, “Operation Twins” was a law enforcement operation that brought down an international pedophile ring called the “Shadowz Brotherhood” that was trading in child pornography using steganography (Zielinska et al., 2014, p. 88).
Digital Audio, Video and VoIP-based Steganography
After digital image steganography had been done to death, steganographers moved on to audio and video files, which are much larger and make it much easier to embed large amounts of textual or image data with very little added “noise.” The human ears and eyes are not able to discern tiny modifications to the least significant bits of audio and video files used as cover mediums (Zielinska et al., 2014, p. 92). It is worth noting that an enormous amount of video data is uploaded to websites such as YouTube, Facebook, and Twitter on a daily basis. It is highly unlikely that these Internet Service Providers (ISPs) are scanning for steganography before files are successfully uploaded to these websites. This is a potentially dangerous form of neglect, given the high volume of malware and other illicit material potentially hidden within audio and video files using digital steganography that these ISPs are almost certainly unaware of.
Voice-over-Internet Protocol (VoIP)-based steganography is a newer trend that uses VoIP phone call protocols such as Session Initiation Protocol (SIP) and Real-Time Transport Protocol (RTP) to embed secret data within (Mazurczyk, 2013, p. 1). IP telephony is an extremely attractive cover medium vehicle type for digital steganography due to the fact that it is a constant, real-time large-volume presence on networks with a very high Internet bandwidth level capable of achieving approximately 50 stego bits/second on a G.711-based VoIP phone call (Mazurczyk, 2013, p. 2).
Steganalysis is the science of detecting steganography; within digital communication it can involve file hashing to spot altered files. However, in order to compare checksums or hashes, the original file and its hash value are required for comparison against the intercepted file, and that assumes the file can even be viewed, since most likely it has also been encrypted.
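As an added example (not from the paper or any of its cited sources), the following Python script performs the LSB substitution described in the Least Significant Bit Steganography section on a constructed 8-bit sample buffer, then applies two defender-side checks from the steganalysis discussion above: a hash comparison against the known original, and a measure of how random the LSB plane has become. The 2-byte length prefix, the gradient cover, and the transition-rate heuristic are conventions assumed here.

```python
"""LSB embed/extract on constructed samples, plus hash and LSB-plane checks.
Added example; the length prefix, cover and heuristic are assumptions."""
import hashlib


def lsb_embed(cover: bytes, secret: bytes) -> bytes:
    """Overwrite the least significant bit of successive cover bytes with the
    bits of a 2-byte big-endian length prefix followed by the secret bytes."""
    payload = len(secret).to_bytes(2, "big") + secret
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d samples" % len(bits))
    stego = bytearray(cover)
    for pos, bit in enumerate(bits):
        stego[pos] = (stego[pos] & 0xFE) | bit   # clear the LSB, then set it
    return bytes(stego)


def lsb_extract(stego: bytes) -> bytes:
    """Read the LSB plane back: first the length prefix, then that many bytes."""
    def read_bytes(count: int, start: int) -> bytes:
        out = bytearray()
        for k in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start + k * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(2, 0), "big")
    return read_bytes(length, 16)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference; LSB replacement can never exceed 1,
    which is why the change is invisible to the eye or ear."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def sha256_hex(data: bytes) -> str:
    """Hash for the known-original comparison the steganalysis note describes."""
    return hashlib.sha256(data).hexdigest()


def lsb_transition_rate(data: bytes) -> float:
    """Fraction of adjacent samples whose LSBs differ. Smooth cover content
    gives a slowly varying LSB plane; embedded payload bits look far closer
    to random, so a jump in this rate is a cheap warning sign (heuristic)."""
    flips = sum((data[i] ^ data[i + 1]) & 1 for i in range(len(data) - 1))
    return flips / (len(data) - 1)


# Constructed cover: a slow 8-bit gradient standing in for a smooth image region.
COVER = bytes((i // 16) & 0xFF for i in range(4096))
# Constructed secret, sized so the 512-byte payload fills the cover exactly.
SECRET = (b"constructed payload for the LSB example " * 20)[:510]


def run_demo() -> dict:
    """Embed, extract and run both checks; returns the results for inspection."""
    stego = lsb_embed(COVER, SECRET)
    return {
        "recovered_ok": lsb_extract(stego) == SECRET,
        "max_change": max_sample_change(COVER, stego),
        "hash_matches_original": sha256_hex(stego) == sha256_hex(COVER),
        "cover_lsb_rate": lsb_transition_rate(COVER),
        "stego_lsb_rate": lsb_transition_rate(stego),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hash check only works when a trusted copy of the original exists, exactly the limitation noted above; the transition-rate check needs no original but is only a heuristic, since noisy covers also have a random-looking LSB plane.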
Threats of Digital Steganography to National Security
Named in 2006 as one of the major threats to present-day networks, digital steganography is predominantly used by Black Hat hackers, malware developers, terrorist groups, malicious insiders, and pedophiles (Zielinska et al., 2014, p. 88). The Department of Justice (DOJ) reported in 2008 that digital image steganography had been used by a malicious insider to exfiltrate “sensitive financial data” out of the agency (Zielinska et al., 2014, p. 88). The U.S. has experienced numerous high-profile espionage incidents in recent years that have resulted in a large amount of highly classified information being leaked onto the publicly available Internet, the Dark Web, or websites such as WikiLeaks. The best method that system administrators can use to protect against steganography applications being installed on a network by a malicious insider is to restrict user accounts from launching any executable files from the operating system. Malware can still infect the network and use steganography to exfiltrate data, however, which is why the importance of blacklisting known malware sites, anti-malware software, and user security awareness training regarding the perils of clicking on malicious links cannot be overstated.
Digital Forensic Tools and Techniques for Detecting Steganography
At the time of this paper, there has not been enough demand within the private or government sectors to produce widespread acceptance of the cyber threats posed by steganography and the logical ensuing adoption of steganography detection software. This could be due to Information Technology (IT) security experts feeling helpless to protect that which they cannot see, combined with a lack of available technology to detect and combat the threat. One company, however, Backbone Security, has been diligently working over the years to develop a massive database that contains over 1,225 steganography application file signatures, which Backbone Security has dubbed its Steganography Application Fingerprint Database (SAFDB) (Davis, 2014).
Backbone Security is unique in that it is presently the only company offering network steganography detection software capable of scanning for steganography instances in real time (Davis, 2014). The SAFDB serves as the repository that other Backbone Security steganalysis applications draw upon to scan for instances of steganography on a network via its Steganography Analyzer Artifact Scanner (StegAlyzerAS), Steganography Analyzer Field Scanner (StegAlyzerFS), and Steganography Analyzer Real-Time Scanner (StegAlyzerRTS) (Davis, 2014). According to Backbone Security, the SAFDB is “…widely used by US and international government and law enforcement agencies, the intelligence community, and private sector digital forensic examiners and network security professionals to detect digital steganography applications on seized digital media and within inbound and outbound network traffic streams” (Davis, 2014).
Applying Steganography to National Security Information
National Security Information (NSI), also known as classified information, is defined by Executive Order 12356 as information classified at one of three levels, top secret, secret, or confidential, whose unauthorized disclosure could be expected to cause grave damage, serious damage, or damage to national security, respectively (Reagan, 1984, p. 423). NSI is a broad categorization of material that typically consists of “military plans, weapons, or operations; the vulnerabilities or capabilities of systems, installations, projects, or plans relating to the national security; foreign government information; intelligence activities (including special activities), or intelligence sources or methods; foreign relations or foreign activities of the United States; scientific, technological, or economic matters relating the national security; U.S. Government programs for safekeeping nuclear materials or facilities; cryptology; a confidential source; or other categories of information that are related to the national security and that require protection against unauthorized disclosure as determined by the President or by agency heads or other officials who have been delegated original classification authority by the President” (Reagan, 1984, p. 424).
Department of Defense Applications of Steganography
The U.S. Department of Defense (DoD) is mandated to follow National Institute of Standards and Technology (NIST) Special Publication (SP) 800–53 to be compliant with the Federal Information Security Management Act (FISMA) of 2002. The most current version, Revision 4, serves as a Risk Management Framework (RMF) that contains a list of over eight hundred unique security controls which federal organizations are required to implement to varying degrees depending on the risk categorization of their particular information system (NIST, 2013). Several other NIST and DoD publications complement SP 800–53; however, this publication is the sole reference source for NIST security controls. SP 800–53 Revision 4 specifically addressed, for the first time, the dangerous threat of steganography (Wingate, 2013). Specifically, the SC-7 boundary protection control addresses monitoring for steganography (NIST, 2013, p. F-190); the SI-3 malicious code protection control addresses malicious code possibly hidden in files using steganography (NIST, 2013, p. F-217); and SI-4 enhancement (18) addresses covert means that can be used for unauthorized exfiltration of organizational information (NIST, 2013, p. F-222).
It makes practical sense to apply as high a level of security as is feasible to National Security Information (NSI), because if this sensitive information were to come into the possession of adversaries, it could potentially cause grave damage to U.S. national security. It is logical, then, to apply the strongest forms of security controls to protect this information. One advantage of steganography is that it allows users to both cloak and encrypt data within cover mediums such as image, video, and audio files, voice over Internet Protocol (VoIP) data, and many other types of digital media. To be used effectively, NSI data could be hidden using steganography while at rest, but especially while in transit across networks. When NSI data is copied to any type of media, it is required to be encrypted, but it could also be hidden using steganography. The added protection would make it much more difficult for adversaries to locate NSI data, and if it were somehow spotted, they would need to find the appropriate steganography application to attempt to open the file with the correct passphrase and crack the encryption. There would be a learning curve for all federal employees, military personnel, and Department of Defense (DoD) contractors who have access to NSI data, in order to properly educate personnel on how to use steganography applications, proper encryption methods, and passphrase creation. However, this slight measure of pain would ensure that America’s most sensitive information is well protected and, if intercepted by adversaries, nearly impossible for them to read.
Intelligence Community Applications of Steganography
The Intelligence Community uses cryptography almost by default to protect sensitive NSI. Cryptography systems are generally either symmetric, with a single key, or asymmetric, with public and private key pairs for encrypting and decrypting messages (Khan & Gorde, 2015, p. 58). When encryption is employed in messages or data, it raises the suspicion of adversaries who may be remotely monitoring network data packets, and it is a dead giveaway that at least some type of sensitive information is included within the packets. Using cryptography openly may serve to compel adversaries to try even harder to decipher the encrypted data. Steganography, however, is not detectable and does not raise suspicion unless it is specifically being checked for with special steganalysis software tools, and even then it is possible that a discovered stego file cannot be decrypted and read (Khan & Gorde, 2015, p. 58).
Advanced Persistent Threat (APT) groups are often named by a numerical value and sometimes also associated with the name of the malware the group uses. The “Stuxnet” virus was by far the most sophisticated digital warfare weapon ever conceived and has been confirmed by President Obama to have been developed cooperatively between the U.S. and Israel to thwart Iranian efforts to enrich uranium for nuclear weapon manufacturing (Zetter, 2014). While steganography was not discovered within the complex bundles of code used in the Stuxnet virus, other forms of malware have incorporated steganography into their code to mask the exfiltration of sensitive proprietary, classified, personal, and financial data. U.S. officials discovered that in 2010 a Russian spy ring located in the U.S. was utilizing “Duqu” and “Alureon” malware to exfiltrate classified U.S. NSI back to Russia, using steganographic techniques to hide their payloads (Wendzel et al., 2014, p. 2). It is relatively safe to assume that government spy agencies like the National Security Agency (NSA) and the Central Intelligence Agency (CIA) have also used digital steganography by this point in time.
Predictable Adversarial Response to Protective Steganography Use
If a country such as the U.S. were to begin utilizing digital steganography to protect NSI, assuming it is not already doing so, the predictable adversarial response would be an increase in steganalysis tools designed to detect steganography file signatures, combined with cryptanalytic software tools designed to break and decrypt encrypted data. State and non-State actors would also begin utilizing steganography, if they were not already doing so, to protect their own sensitive information. Essentially, the use of steganography would only result in a situation akin to nuclear détente that serves to elevate the level of sophistication nations must reach in order to protect their NSI. In other words, if every country has nukes, or every country uses digital steganography to protect NSI, then there is little advantage in having or using these types of weapons. Employing digital steganography combined with strong encryption does not assure secrecy, any more than employing highly compensated cybersecurity professionals assures that an organization will never be hacked. What it does do, however, is make it much more difficult for adversaries to intercept and decrypt secret messages. For that reason, it makes practical sense for the U.S. government to implement some measure of “protective” steganography to better protect its most sensitive data.
In conclusion, digital steganography can be a very effective and affordable means of protecting NSI beyond traditional encryption methods, by concealing its existence altogether. It may not be worth training the massive numbers of U.S. government, military, and contractor personnel on how to properly use steganography applications to hide data in transit, but perhaps the cost and hassle would be justified for Top Secret-level or above NSI alone. There is absolutely no reason that digital steganography has to be used only by malicious actors online. There is a valid case to be made for the U.S. government to direct the implementation of digital steganography combined with strong encryption and passphrases to further protect its most sensitive information. It is all but guaranteed that America’s adversaries like Russia, China, Iran, and North Korea have incorporated digital steganography into their cyber weapon arsenals, and perhaps the U.S. has secretly done so as well. If the U.S. has incorporated digital steganography to protect NSI, then it is on the right track; however, if it has not, then it is walking a dangerous line by not utilizing this great form of protection.
Adamy, D. (2012). Spectrum Warfare — Part 18: Steganography. Journal of Electronic Defense, 47–49. Retrieved October 29, 2017.
Data Genetics. (2013). Steganography. Retrieved October 22, 2017, from http://www.datagenetics.com/blog/march12012/index.html
Davis, C. (2014, January 22). “Steganography application fingerprint database now contains over 1,225 applications.” Retrieved from http://www.backbonesecurity.com/SteganographyDatabase1225Applications.aspx
INTERPOL. (2017). Cybercrime. Retrieved October 21, 2017, from https://www.interpol.int/Crime-areas/Cybercrime/Cybercrime
Khan, N., & Gorde, K.S. (2015, September). Data security by video steganography and cryptography techniques. International Journal of Emerging Trends in Electrical and Electronics (IJETEE — ISSN: 2320–9569), 11(5), 58–64.
Mazurczyk, W. (2013, November 13). VoIP Steganography and Its Detection: A Survey. ACM Computing Surveys, 46(2), 20:1–20:21. doi:10.1145/2543581.2543587
NIST. (2013, April). NIST Special Publication 800–53r4. Retrieved October 22, 2017, from http://dx.doi.org/10.6028/NIST.SP.800-53r4
Reagan, R. (1982, April 2). Executive Order 12356: EO 12356. DHS Library. Retrieved October 22, 2017, from
Wendzel, S., Mazurcyzk, W., Caviglione, L., & Meier, M. (2014, July 8). The Growing Threat Of Network-Based Steganography. Retrieved January 13, 2017, from http://www.technologyreview.com/view/529071/the-growing-threat-of-network-based-steganography/
Wingate, J. (2013, April 30). Revision to NIST security controls catalog addresses steganography threat. Retrieved from https://www.backbonesecurity.com/NISTAddressesSteganography.aspx
Zetter, K. (2014). Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon.
Zielinska, E., Mazurczyk, W., & Szczypiorski, K. (2014, March). Trends in Steganography. Communications Of The ACM, 57(3), 86–95. doi:10.1145/2566590.2566610