Insider Threat Matrix™

Steganography

A subject may use steganography methods to attempt to discreetly exfiltrate data.


Steganography is the practice of concealing information within other, seemingly innocuous data to prevent detection. Unlike encryption, which obscures the content of a message, steganography hides the very existence of the message. This technique can be employed by insiders to exfiltrate sensitive data without raising suspicion.


Common Steganographic Techniques:

  • Images: Data is embedded in image files (e.g., JPEG, BMP) by modifying least significant bits (LSB) of pixel values, maintaining visual integrity.
  • Audio/Video: Hidden payloads are encoded within audio or video data streams, leveraging high data density for concealment.
  • Text: Information is embedded through subtle alterations, such as extra spaces, character substitutions, or font variations.
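The image technique above works by overwriting pixel LSBs, and the subsection table below notes that LSB replacement is detectable through histogram analysis. The following is an added example (not code from the Insider Threat Matrix) that shows the defender's side of that statement: it builds a constructed grayscale image, simulates full LSB replacement on it to produce test data, and then applies the pairs-of-values chi-square test, which flags an image whose (2k, 2k+1) histogram pairs have been equalised. The image, the payload bits, the detection threshold and all function names are assumptions made for the example.

```python
import math
import random
from typing import List, Sequence, Tuple


def synthetic_cover(width: int, height: int, seed: int = 7) -> List[int]:
    """Constructed 8-bit grayscale image standing in for a photograph.
    Real image histograms are locally irregular (neighbouring grey levels have
    noticeably different counts), so each grey level gets its own random
    weight and the pixels are sampled from that distribution."""
    rng = random.Random(seed)
    weights = [rng.random() for _ in range(256)]
    return rng.choices(range(256), weights=weights, k=width * height)


def payload_bits(n: int, seed: int = 11) -> List[int]:
    """Constructed stand-in for a hidden payload: n random bits, which is what
    compressed or encrypted data looks like at the bit level."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def embed_lsb(pixels: Sequence[int], bits: Sequence[int]) -> List[int]:
    """Simulate the LSB method: replace the least significant bit of each
    successive pixel with one payload bit. Used here only to create test data
    for the detector; the upper seven bits of every pixel are left untouched."""
    out = list(pixels)
    for i, b in enumerate(bits[: len(out)]):
        out[i] = (out[i] & 0xFE) | (b & 1)
    return out


def pov_chi_square(pixels: Sequence[int]) -> Tuple[float, int]:
    """Pairs-of-values chi-square statistic (a histogram test).
    For each pair (2k, 2k+1) compare the two counts with their mean. LSB
    replacement maps a value to either member of its pair with equal
    probability, so full embedding drives the pair counts together and the
    statistic down to roughly the number of degrees of freedom.
    Returns (statistic, degrees_of_freedom)."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        total = even + odd
        if total == 0:
            continue  # pair absent from the image, contributes nothing
        expected = total / 2.0
        chi += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        pairs += 1
    return chi, max(pairs - 1, 1)


def lsb_replacement_suspected(pixels: Sequence[int]) -> bool:
    """Flag the image when the statistic is consistent with equalised pairs.
    If the pairs were already equal, the statistic is chi-square distributed
    with mean df and standard deviation sqrt(2*df); a cover image with an
    irregular histogram lands far above that. The four-standard-deviation
    margin is an assumed threshold chosen for this example."""
    chi, df = pov_chi_square(pixels)
    return chi <= df + 4.0 * math.sqrt(2.0 * df)


if __name__ == "__main__":
    cover = synthetic_cover(128, 128)
    stego = embed_lsb(cover, payload_bits(len(cover)))
    for name, img in (("cover", cover), ("stego", stego)):
        chi, df = pov_chi_square(img)
        print(f"{name}: chi-square={chi:.1f} df={df} "
              f"suspected={lsb_replacement_suspected(img)}")
```

The test only sees the histogram, so it applies to lossless formats such as PNG or BMP where pixel values survive intact; after JPEG recompression the LSBs are rewritten anyway, which is the fragility the table mentions. It also assumes the payload filled the region being analysed: for a payload embedded sequentially into only part of the image, run the statistic over growing prefixes of the pixel array and look for the point where it jumps from "equalised" to "irregular".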

Subsections (1)

ID: AF008.001
Name: Image Steganography
Description:

A subject embeds data within image files to hide sensitive content and exfiltrate it, in a way that conceals both the data and the act of exfiltration. Unlike encryption alone, this attempts to hide the existence of the data.


Method: Least Significant Bit (LSB)
Description: Modifies the least significant bits of pixel values (typically in RGB channels) to store hidden data, with minimal visible change.
Notes: High capacity, simple to implement, but fragile. Lossy compression may destroy the data. Detectable via histogram or entropy analysis.

Method: Masking / Filtering
Description: Alters luminance or contrast, embedding data in textured or edge-heavy regions.
Notes: Used with lossless formats (e.g., PNG, BMP). More robust than LSB, but limited capacity.

Method: Transform-Domain Methods
Description: Applies frequency transformations (DCT, DWT, FFT) and embeds data into the coefficients.
Notes: More resilient to compression and image editing. Lower capacity, higher complexity.

Method: Palette / Color-Table Encoding
Description: Modifies color palettes or transparency values in indexed-color images.
Notes: Difficult to detect visually, but format-limited. May expose anomalies in color-table comparisons.

Method: EOF Padding (Appended Data)
Description: Appends hidden content after the image's End of File (EOF) marker.
Notes: Simple and often overlooked. No image modification required, making visual detection difficult. Easily done with basic scripts, file joiners, or a hex editor. Can be exposed if the file size is unexpectedly large or during forensic carving.

Method: Edge/Noise-Based Embedding
Description: Selectively hides data in edges or noise, or uses adaptive spreading.
Notes: Hardest to detect, especially when combined with ML techniques. Capacity is lower and implementation is complex.


Trade-offs

  • LSB and EOF: High capacity, low complexity, fragile to inspection
  • Transform and Edge-based: Higher stealth, lower capacity, more resilient
  • Appended EOF: Minimal technical skill required, common in low-effort exfiltration attempts