Edge Browser History

A subject uses an existing, legitimate external Web service to exfiltrate data

A subject unlawfully accesses copyrighted material, such as pirated media or illegitimate streaming sites.

A subject accesses web content that is deemed inappropriate by the organization.

A subject installs unapproved software on a corporate device, contravening internal policies on acceptable use of company equipment.

A subject uses electronic mail to exfiltrate data.

A subject may search for, or otherwise explore an IT Ticketing System to identify sensitive information or to identify credentials or other information which may assist in pivoting to other sources of sensitive information.

A subject can access the web with an organization device.

A subject dishonestly makes false representations, fails to disclose information or abuses their access or position to make a financial gain and/or cause a loss to an organization. Methods to achieve this include unauthorized bank transfers, misuse of corporate cards, or creating fictitious invoices.

A subject interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the intentional or unintentional sharing of sensitive information.

A subject engages in web searches that may indicate research or information gathering related to potential infringement or anti-forensic activities. Examples include searching for software that could facilitate data exfiltration, methods for deleting or modifying system logs, or techniques to evade security controls. Such activity could signal preparation for a potential insider event.

The subject downloads one or more files to a system to access the file or prepare for exfiltration.

A subject uses organizational resources, such as internet access, email, or work devices, for personal activities both during and outside work hours, exceeding reasonable personal use. This leads to reduced productivity, increased security risks, and the potential mixing of personal and organizational data, ultimately affecting the organization’s efficiency and overall security.

A subject is motivated by ideology to access, destroy, or exfiltrate data, or otherwise violate internal policies in pursuit of their ideological goals.

Ideology is a structured system of ideas, values, and beliefs that shapes an individual’s understanding of the world and informs their actions. It often encompasses political, economic, and social perspectives, providing a comprehensive and sometimes rigid framework for interpreting events and guiding decision-making.

Individuals driven by ideology often perceive their actions as morally justified within the context of their belief system. Unlike those motivated by personal grievances or personal gain, ideological insiders act in service of a cause they deem greater than themselves.

A subject uses a cloud storage service, such as Dropbox, OneDrive, or Google Drive to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

• hxxps://www.dropbox[.]com
• hxxps://drive.google[.]com
• hxxps://onedrive.live[.]com
• hxxps://mega[.]nz
• hxxps://www.icloud[.]com/iclouddrive
• hxxps://www.pcloud[.]com

A subject uses a code repository service, such as GitHub, to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

• hxxps://github[.]com
• hxxps://gitlab[.]com
• hxxps://bitbucket[.]org
• hxxps://sourceforge[.]net
• hxxps://aws.amazon[.]com/codecommit

A subject uses a text storage service, such as Pastebin, to exfiltrate data. They will then access that service again on another device to retrieve the data. Examples include (URLs have been sanitized):

• hxxps://pastebin[.]com
• hxxps://hastebin[.]com
• hxxps://privatebin[.]net
• hxxps://controlc[.]com
• hxxps://rentry[.]co
• hxxps://dpaste[.]org

A subject may use an existing, legitimate external Web service to exfiltrate data

A subject uses a website or peer-to-peer (P2P) network (such as BitTorrent) to unlawfully download copyrighted material.

A subject uses a website or peer-to-peer (P2P) network (such as BitTorrent) to unlawfully distribute copyrighted material.

A subject accesses lawful pornographic material from an organization device, contravening internal policies on acceptable use of organization equipment.

A subject accesses unlawful pornographic material from a organization device, contravening internal policies on acceptable use of organization equipment and potentially, the law.

A subject accesses, possesses and/or distributes materials that advocate, promote, or incite unlawful acts of violence intended to further political, ideological or religious aims (terrorism).

A person accesses, possesses, or distributes materials that advocate, promote, or incite extreme ideological, political, or religious views, often encouraging violence or promoting prejudice against individuals or groups.

A subject accesses or participates in online gambling from a corporate device, contravening internal policies on acceptable use of company equipment.

A subject misuses social media platforms to engage in activities that violate organizational policies, compromise security, disclose confidential information, or damage the organization’s reputation. This includes sharing sensitive data, making unauthorized statements, engaging in harassment or bullying, or undertaking any actions that could risk the organization’s digital security or public image.

A subject accesses or participates in web-based online gaming from a corporate device, contravening internal policies on acceptable use of company equipment.

A subject accesses other inappropriate web content from a corporate device, contravening internal policies on acceptable use of company equipment.

A subject exfiltrates information using a web-based messaging application that is accessed through a web browser. They will access the conversation at a later date to retrieve information on a different system.

A subject accesses a website that allows for the unauthorized streaming of copyrighted material.

A subject can access personal webmail services in a browser.

A subject can access personal cloud storage in a browser.

A subject can access websites containing inappropriate content.

A subject can access external note-taking websites (Such as Evernote).

A subject can access external messenger web-applications with the ability to transmit data and/or files.

A subject can access websites used to access or manage code repositories.

A subject may misuse a corporate credit for their own benefit by making purchases that are not aligned with the intended purpose of the card or by failing to follow the policies and procedures governing its use.

A subject with access to sensitive or confidential information may decide to use that information to trade the company's stock or other securities (like bonds or stock options) based on significant, nonpublic information about the company.

A subject misuses their direct or indirect access to dishonestly redirect funds to an account they control or to a third party.

A subject unintentionally introduces and attempts to execute malware on a system. This is can be achieved through various methods, such as phishing, malvertising, torrented downloads, and social engineering.

A subject installs software that is not considered appropriate by the organization.

A subject installs software that is not inherently malicious, but is not wanted, commonly known as “greyware” or “potentially unwanted programs”.

A subject exfiltrates data using an organization-owned device (such as a laptop) by copying the data from the device to a personal Network Attached Storage (NAS) device, which is attached to a network outside of the control of the organization, such as a home network. Later, using a personal device, the subject accesses the NAS to retrieve the exfiltrated data.

A subject can install unapproved browser extensions that provide additional features and functionality to the browser.

A subject uploads confidential organization data to a note-taking web service, such as Evernote. The subject can then access the confidential data outside of the organization from another device. Examples include (URLs have been sanitized):

• hxxps://www.evernote[.]com
• hxxps://keep.google[.]com
• hxxps://www.notion[.]so
• hxxps://www.onenote[.]com
• hxxps://notebook.zoho[.]com

A subject can access external text storage websites, such as Pastebin.

A subject may search for or otherwise explore files on a Collaboration Platform (such as SharePoint, OneDrive, Confluence, etc) to identify sensitive or valuable information.

The subject provides unauthorized party access to a collaboration platform, such as Slack, Teams, or Confluence that exposes them to information they are not permitted to access. This can be achieved by adding an existing organizational account, or a guest account.

A subject intentionally submits sensitive information when interacting with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok). They will access the conversation at a later date to retrieve information on a different system.

A subject recklessly interacts with a public Artificial Intelligence (AI) chatbot (such as ChatGPT and xAI Grok), leading to the inadvertent sharing of sensitive information. The submission of sensitive information to public AI platforms risks exposure due to potential inadequate data handling or security practices. Although some platforms are designed not to retain specific personal data, the reckless disclosure could expose the information to unauthorized access and potential misuse, violating data privacy regulations and leading to a loss of competitive advantage through the exposure of proprietary information.

A subject uses image steganography to hide data in an image, to exfiltrate that data and to hide the act of exfiltration.

Image steganography methods can be categorised based on how data is embedded within an image. These methods vary in capacity (amount of data stored), detectability (resistance to steganalysis), and robustness (resistance to compression or modification). Below are the primary techniques used:

Least Significant Bit (LSB) Steganography

• One of the most common and simple methods.
• Modifies the least significant bits (LSBs) of pixel values to encode secret data.
• Minimal visual impact since changes occur in the lowest bit planes.

How it works:

• Each pixel in an image consists of three color channels (Red, Green, and Blue).
• The LSB of each channel is replaced with bits from the hidden message.

Example:

• Original pixel: (10101100, 11011010, 11101101)
• After encoding: (10101101, 11011010, 11101100)
• Only minor changes, making detection difficult.

Advantages:

• High capacity when applied to all three channels.
• Simple and easy to implement.

Disadvantages:

• Highly susceptible to detection and compression (JPEG compression removes LSB changes).
• Easily detected by statistical analysis methods.

Masking and Filtering Steganography

• Works similarly to watermarking by altering the luminance or contrast of an image.
• Best suited for lossless formats like BMP and PNG, not JPEG.

How it works:

• Hidden data is embedded in textured or edge-rich areas to avoid easy detection.
• Modifies pixel intensity slightly, making it harder to detect through simple LSB analysis.

Advantages:

• More robust than LSB against lossy compression and scaling.
• Works well for grayscale and color images.

Disadvantages:

• Lower capacity than LSB.
• More complex to implement.
   

Transform Domain Steganography

• Instead of modifying pixel values directly, this technique embeds data in frequency components after applying a mathematical transformation.

Types of Transform Domain Methods:

a. Discrete Cosine Transform (DCT) Steganography

• Used in JPEG images, where data is embedded in DCT coefficients instead of pixels.
• Common algorithm: F5 steganography (JSteg is an older, less secure method).

How it works:

• The image is converted to frequency domain using DCT.
• The hidden data is embedded in the mid-frequency DCT coefficients to avoid detection.
• The image is recompressed using JPEG encoding.

Advantages:

• Resistant to LSB steganalysis.
• Works with JPEG, making it more practical.

Disadvantages:

• Lower data capacity than LSB.
• Can be detected by statistical steganalysis.

b. Discrete Wavelet Transform (DWT) Steganography

• Uses wavelet transformation to embed data in high or low-frequency components.

How it works:

• The image is broken into multiple frequency bands using DWT.
• Data is embedded in high-frequency coefficients, ensuring robustness.
• Common in medical image steganography for secure data transmission.

Advantages:

• More robust against compression and noise than DCT.
• Can embed more data than traditional DCT methods.

Disadvantages:

• Requires more complex computation.
• Can be detected by advanced steganalysis tools.

c. Fourier Transform-Based Steganography

• Uses Fast Fourier Transform (FFT) to embed secret data in the frequency spectrum.
• More resistant to image processing operations like scaling and rotation.

Advantages:

• High robustness.
• Harder to detect using common LSB-based analysis.

Disadvantages:

• Requires complex processing.
• Limited in data capacity.

Palette-Based and Color Modification Techniques

a. Palette-Based Steganography (GIF, PNG)

• Modifies indexed color tables instead of pixels.
• Works by shifting palette entries in GIF or PNG images.

Advantages:

• No direct pixel modifications, making it hard to detect visually.

Disadvantages:

• Can be detected by comparing original and modified color palettes.
• Limited to certain file formats.

b. Alpha Channel Manipulation

• Uses transparency layers in images (e.g., PNG with alpha channels) to store hidden data.

Advantages:

• Harder to detect in images with multiple layers.

Disadvantages:

• Only works in formats supporting alpha transparency (PNG, TIFF).

Edge-Based and Texture-Based Steganography

a. Edge Detection Steganography

• Embeds data only in edge regions of an image, avoiding smooth areas.
• Uses Canny edge detection or similar algorithms.

Advantages:

• Harder to detect using basic LSB analysis.
• Can withstand minor modifications.

Disadvantages:

• Requires pre-processing.
• Lower capacity than LSB.

b. Patchwork Algorithm

• Uses redundant patterns to embed data, making detection harder.
• Works well for texture-rich images.

Advantages:

• High resistance to compression and cropping.

Disadvantages:

• Complex encoding and decoding process.

Spread Spectrum and Noise-Based Techniques

a. Spread Spectrum Steganography

• Mimics radio communication techniques, distributing data across the entire image.
• Uses pseudo-random noise patterns to hide data.

Advantages:

• Harder to detect due to randomness.

Disadvantages:

• Lower data capacity.

b. Statistical Steganography

• Alters color distributions or histogram properties to encode data.
• Ensures changes remain within natural variations.

Advantages:

• Very stealthy and hard to detect.

Disadvantages:

• Limited data capacity.

Adaptive and AI-Based Steganography

• Uses machine learning to optimize embedding locations.
• Adaptive algorithms select least noticeable areas dynamically.

Advantages:

• Extremely stealthy and resistant to detection.

Disadvantages:

• Requires computational power.

Comparison Table of Image Steganography Methods