
Insider Threat Matrix™

  • ID: PV015
  • Created: 01st June 2024
  • Updated: 01st June 2024
  • Contributor: The ITM Team

Application Whitelisting

By allowing only pre-approved software to be installed and run on corporate devices, the subject is prevented from installing software of their own choosing. Note that allowlisting controls which executables may run; unless the policy also covers scripts, interpreters and user-writable paths, portable or script-based tooling can still be introduced without an installer.

Sections

ID Name Description
IF009 Installing Unapproved Software

A subject installs unapproved software on a corporate device, contravening internal policies on acceptable use of company equipment.

PR003 Software Installation

A subject may install or attempt to install software that will be used to exfiltrate sensitive data or contravene internal policies.

AF003 Timestomping

A subject modifies the modified, accessed, created (MAC) file time attributes to hide new files or obscure changes made to existing files to hinder an investigation by removing a file or files from a timeframe scope.

 

nTimestomp is part of the nTimetools repository, which provides tools for working with file timestamps on the Windows operating system. It allows the user to supply a value for each timestamp individually, or to set all timestamps to the same value. Tools that set timestamps through the standard Windows file-time API change only the timestamps held in the file's $STANDARD_INFORMATION attribute; NTFS keeps a second set in the $FILE_NAME attribute that such calls do not update, so a mismatch between the two sets is a common indicator that timestamps have been altered.

 

Linux ships with the standard coreutils command touch, which allows a user to update the access and modified times of a file. The command can be run like this:

touch -a -m -d '10 February 2001 12:34' <file>

The argument -a selects the access time, -m selects the modify time, and -d supplies the date and time applied to the target file. Note that touch cannot backdate the inode change time (ctime): the kernel sets ctime to the current time whenever the timestamps are changed, so a ctime newer than the modified time is itself evidence that the timestamps were touched after the last write.
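As an added example (not part of the ITM page and not from nTimetools), the following Python reproduces what touch -a -m -d does through os.utime and then applies two triage checks an investigator can run on Linux: ctime is maintained by the kernel and cannot be backdated from user space, and a typed date normally has no sub-second component. The function names, the 60-second skew threshold and the indicator labels are assumptions chosen for illustration; the target date is taken as UTC.

```python
import os
import tempfile
from datetime import datetime, timezone


def stomp_times(path: str, when: datetime) -> None:
    """Set atime and mtime to `when`, as `touch -a -m -d` does.

    Only atime/mtime are settable from user space; the kernel records the
    change itself by moving ctime to the current time.
    """
    ns = int(when.timestamp() * 1_000_000_000)
    os.utime(path, ns=(ns, ns))


def timestomp_indicators(path: str, skew_seconds: int = 60) -> list:
    """Cheap triage heuristics for a file whose mtime may have been backdated."""
    st = os.stat(path)
    indicators = []
    # A utime() call (like chmod, chown or rename) bumps ctime to "now", so an
    # mtime far older than ctime means the last write did not set the current
    # mtime. This is a heuristic: legitimate metadata changes trip it too.
    if st.st_ctime - st.st_mtime > skew_seconds:
        indicators.append("mtime-older-than-ctime")
    # Backdated values are usually whole seconds (a date typed on the command
    # line), whereas real writes on ext4/xfs/tmpfs carry nanosecond fractions.
    if st.st_mtime_ns % 1_000_000_000 == 0:
        indicators.append("mtime-has-zero-nanoseconds")
    return indicators


def demo_timestomp() -> dict:
    """Create a constructed sample file, backdate it, and return what a scan sees."""
    fd, path = tempfile.mkstemp(prefix="itm-af003-")
    try:
        os.write(fd, b"constructed sample content\n")
        os.close(fd)
        before = timestomp_indicators(path)
        target = datetime(2001, 2, 10, 12, 34, tzinfo=timezone.utc)  # the page's touch example
        stomp_times(path, target)
        st = os.stat(path)
        return {
            "before": before,
            "after": timestomp_indicators(path),
            "mtime_set": target.timestamp(),
            "mtime_read": st.st_mtime,
            "ctime_read": st.st_ctime,
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo_timestomp())
```

The same idea scales to a directory walk: files whose mtime predates their ctime by more than the skew, or whose timestamps are suspiciously round, are candidates for a closer look against the filesystem journal or, on NTFS, against the $FILE_NAME timestamps.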

PR017 Archive Data

A subject uses utilities to compress and/or encrypt collected data prior to exfiltration.

ME002 Unrestricted Software Installation

A subject can install software on a device without restriction.

ME003 Installed Software

A subject can leverage software approved for installation or software that is already installed.

PR021 Network Scanning

A subject conducts a scan of a network to identify additional systems, or services running on those systems.

AF016 Uninstalling Software

The subject uninstalls software, which may also remove relevant artifacts from the system's disk, such as registry keys or files necessary for the software to run, preventing investigators from using them to track activity.

AF017 Use of a Virtual Machine

The subject uses a virtual machine (VM) to contain artifacts of forensic value within the virtualized environment, preventing them from being written to the host file system. This strategy helps to obscure evidence and complicate forensic investigations.
 

By running a guest operating system within a VM, the subject can potentially evade detection by security agents installed on the host operating system, as these agents may not have visibility into activities occurring within the VM. This adds an additional layer of complexity to forensic analysis, making it more challenging to detect and attribute malicious activities.

IF020 Unauthorized VPN Client

The subject installs and uses an unapproved VPN client, potentially violating organizational policy. By using a VPN service not controlled by the organization, the subject can bypass security controls, reducing the security team’s visibility into network activity conducted through the unauthorized VPN. This could lead to significant security risks, as monitoring and detection mechanisms are circumvented.

PR017.001 Archive via Utility

A subject uses utilities to compress and/or encrypt collected data prior to exfiltration.

PR017.002 Archive via Library

A subject uses a software library, called from a script or program rather than a standalone utility, to compress and/or encrypt collected data prior to exfiltration.

PR017.003 Archive via Compression

A subject uses utilities to compress collected data prior to exfiltration.

PR017.004 Archive via Encryption

A subject uses utilities to encrypt collected data prior to exfiltration.
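Whether the subject archives with a utility or a library, compresses or encrypts, the resulting file is recognisable by its content rather than its name. The following Python, an added example that is not part of the ITM page, shows the check a DLP or endpoint scanner can apply to PR017 and its sub-techniques: match container magic numbers regardless of extension, read the ZIP local-header encryption flag, and fall back to byte entropy for blobs with no recognised type. All sample files are constructed inline (the "encrypted" ZIP is a real archive with only the header flag patched, which is what the scanner sees); the thresholds, extension table and flag labels are assumptions for illustration.

```python
import gzip
import io
import math
import random
import struct
import zipfile

# Magic numbers of common archive containers, and of media types that are
# legitimately high-entropy so that entropy alone does not flag them.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
}
MEDIA_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}
# Extensions under which each container is expected (Office documents are ZIPs).
EXPECTED_EXT = {
    "zip": {"zip", "jar", "docx", "xlsx", "pptx"},
    "gzip": {"gz", "tgz"}, "bzip2": {"bz2"}, "xz": {"xz"}, "7z": {"7z"}, "rar": {"rar"},
}
ENTROPY_THRESHOLD = 7.0  # bits/byte; text sits around 4-5, compressed or encrypted data near 8


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def identify(data: bytes, table: dict):
    for magic, name in table.items():
        if data.startswith(magic):
            return name
    return None


def zip_is_encrypted(data: bytes) -> bool:
    """Bit 0 of the general-purpose flag in the ZIP local file header marks an encrypted entry."""
    if len(data) < 8 or not data.startswith(b"PK\x03\x04"):
        return False
    _sig, _version, flags = struct.unpack("<4sHH", data[:8])
    return bool(flags & 0x0001)


def classify(filename: str, data: bytes) -> dict:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    container = identify(data, ARCHIVE_MAGIC)
    media = identify(data, MEDIA_MAGIC)
    entropy = shannon_entropy(data)
    flags = []
    if container and ext not in EXPECTED_EXT[container]:
        flags.append("container-extension-mismatch")
    if container == "zip" and zip_is_encrypted(data):
        flags.append("encrypted-zip")
    if entropy >= ENTROPY_THRESHOLD and container is None and media is None:
        flags.append("high-entropy-unknown-type")
    return {"file": filename, "container": container, "media": media,
            "entropy": round(entropy, 2), "flags": flags}


def build_samples() -> dict:
    """Constructed inputs standing in for files found on an endpoint."""
    rng = random.Random(7)
    words = ["quarterly", "revenue", "forecast", "customer", "export", "region", "margin", "pipeline"]
    report = " ".join(rng.choice(words) for _ in range(4000)).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", report)
    plain_zip = buf.getvalue()
    patched = bytearray(plain_zip)
    patched[6] |= 0x01  # set the encryption bit in the first local header only
    return {
        "notes.txt": report,                      # genuine text
        "report.txt": gzip.compress(report),      # gzip output renamed to look like text
        "archive.zip": plain_zip,                 # ordinary archive
        "secret.zip": bytes(patched),             # archive flagged as encrypted
        "photo.jpg": bytes(rng.getrandbits(8) for _ in range(4096)),  # random bytes posing as a photo
    }


def scan_samples() -> dict:
    return {name: classify(name, data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for result in scan_samples().values():
        print(result)
```

The entropy fallback is what catches an encrypted 7z or an OpenSSL-encrypted blob given an innocuous name; the media table exists because photos and videos are already near 8 bits/byte and would otherwise drown the alert in false positives.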

IF005.001 Exfiltration via Installed Messaging Application

A subject exfiltrates information using a messaging application that is already installed on the system. They will access the conversation at a later date to retrieve information on a different system.

PR003.001 Installing Virtual Machines

A subject installs a hypervisor that allows them to create and access virtual environments on a device.

PR003.002 Installing VPN Applications

A subject installs a VPN application that allows them to tunnel their traffic.

PR003.003 Installing Browsers

A subject can install an unapproved browser whose features frustrate or defeat preventive and detective controls, such as a built-in VPN, Tor access, or automatic destruction of browser artifacts (history, cache, cookies).

PR003.005 Installing Cloud Storage Applications

A subject can install an unapproved cloud storage application that has the ability to sync files across the Internet.

PR003.006 Installing Note-Taking Applications

A subject installs an unapproved note taking application with the ability to sync notes across the Internet.

PR003.007 Installing Messenger Applications

A subject installs an unapproved messenger application with the ability to transmit data and/or files across the Internet.

PR003.008 Installing SSH Clients

A subject installs a Secure Shell (SSH) client, which can be used to access SSH servers across a network.

PR003.009 Installing FTP Clients

A subject installs a File Transfer Protocol (FTP) client, which can be used to access FTP servers across a network.

PR003.010 Installing RDP Clients

A subject installs a Remote Desktop Protocol (RDP) client which can be used to access RDP servers across a network.

PR003.011 Installing Screen Sharing Software

A subject installs screen sharing software which can be used to capture images or other information from a target system.

ME003.011 Screen Sharing Software

A subject has access to or can install screen sharing software which can be used to capture images or other information from a target system.

IF002.006 Exfiltration via USB to USB Data Transfer

A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment.

IF002.008 Exfiltration via USB to Mobile Device

The subject uses a USB cable, and any relevant software if required, to transfer files or data from one system to a mobile device. This device is then taken outside of the organization's control, where the subject can later access the contents.

IF001.005 Exfiltration via Note-Taking Web Services

A subject uploads confidential organization data to a note-taking web service, such as Evernote. The subject can then access the confidential data outside of the organization from another device.

IF004.004 Exfiltration via Screen Sharing Software

A subject exfiltrates data outside of the organization's control using the built-in file transfer capabilities of software such as TeamViewer.

PR006.004 Security Enumeration via Network Activity

A subject attempts to identify security software by monitoring network traffic.

AF018.001 Endpoint Tripwires

A subject installs custom software or malware on an endpoint, potentially disguising it as a legitimate process. This software includes tripwire logic to monitor the system for signs of security activity.

 

The tripwire software monitors various aspects of the endpoint to detect potential investigations:

  • Security Tool Detection: It scans running processes and monitors new files or services for signatures of known security tools, such as antivirus programs, forensic tools, and Endpoint Detection and Response (EDR) systems.
  • File and System Access: It tracks access to critical files or system directories (e.g., system logs, registry entries) commonly accessed during security investigations. Attempts to open or read sensitive files can trigger an alert.
  • Network Traffic Analysis: The software analyzes network traffic to identify unusual patterns, including connections to Security Operations Centers (SOC) or the blocking of command-and-control servers by network security controls.
  • User and System Behavior: It observes system behavior and monitors logs (such as event logs) that indicate an investigation is in progress, such as switching to an administrative account or modifying security settings (e.g., enabling disk encryption, changing firewall rules).

 

Upon detecting security activity, the tripwire can initiate various evasive responses:

  • Alert the Subject: It covertly sends an alert to an external server controlled by the subject, using common system tools (e.g., curl, wget, or HTTP requests).
  • Modify Endpoint Behavior: It can terminate its own processes, erase evidence (e.g., logs, browser history, specific files), or restore system and network configurations to conceal signs of tampering.

AF008.001 Image Steganography

A subject uses image steganography to hide data in an image, to exfiltrate that data and to hide the act of exfiltration.

Image steganography methods can be categorised based on how data is embedded within an image. These methods vary in capacity (amount of data stored), detectability (resistance to steganalysis), and robustness (resistance to compression or modification). Below are the primary techniques used:

 

Least Significant Bit (LSB) Steganography

  • One of the most common and simple methods.
  • Modifies the least significant bits (LSBs) of pixel values to encode secret data.
  • Minimal visual impact since changes occur in the lowest bit planes.

 

How it works:

  • Each pixel in an image consists of three color channels (Red, Green, and Blue).
  • The LSB of each channel is replaced with bits from the hidden message.

 

Example:

  • Original pixel: (10101100, 11011010, 11101101)
  • After encoding the message bits 1, 0, 0: (10101101, 11011010, 11101100)
  • Each channel value changes by at most one, so the difference is invisible to the eye.

 

Advantages:

  • High capacity when applied to all three channels.
  • Simple and easy to implement.

Disadvantages:

  • Fragile: any lossy re-encoding of the image (JPEG compression, resizing) destroys the embedded bits.
  • Easily detected by statistical analysis of the LSB plane (for example, histogram pair tests), especially when the image is filled close to capacity.
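The following Python is an added example, not code from the ITM page: it performs LSB embedding and extraction over a list of RGB tuples (reproducing the pixel worked above), and then computes the pairs-of-values statistic that underlies the classic chi-square attack, which is the "statistical analysis" the disadvantages refer to. The cover image is constructed with only even channel values so the effect is easy to read; real covers are merely uneven, not this skewed. Function names, the 4-byte length framing and the sample message are assumptions for illustration.

```python
import random
import struct


def _bits_from_bytes(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _bytes_from_bits(bits):
    """Inverse of _bits_from_bytes; len(bits) must be a multiple of 8."""
    return bytes(int("".join(str(b) for b in bits[k:k + 8]), 2) for k in range(0, len(bits), 8))


def lsb_embed_bits(pixels, bits):
    """Overwrite channel LSBs with `bits` in raster order (R, G, B of each pixel)."""
    if len(bits) > 3 * len(pixels):
        raise ValueError(f"{len(bits)} bits exceed capacity of {3 * len(pixels)}")
    out, i = [], 0
    for pixel in pixels:
        channels = list(pixel)
        for c in range(3):
            if i < len(bits):
                channels[c] = (channels[c] & 0xFE) | bits[i]
                i += 1
        out.append(tuple(channels))
    return out


def lsb_embed(pixels, payload: bytes):
    """Embed payload behind a 4-byte big-endian length so the extractor knows where to stop."""
    framed = struct.pack(">I", len(payload)) + payload
    return lsb_embed_bits(pixels, list(_bits_from_bytes(framed)))


def lsb_extract(pixels) -> bytes:
    lsbs = [ch & 1 for pixel in pixels for ch in pixel]
    if len(lsbs) < 32:
        raise ValueError("image too small to hold a length header")
    length = struct.unpack(">I", _bytes_from_bits(lsbs[:32]))[0]
    end = 32 + 8 * length
    if end > len(lsbs):
        raise ValueError("length header exceeds capacity: no valid payload")
    return _bytes_from_bits(lsbs[32:end])


def lsb_pair_chi_square(pixels) -> float:
    """Pairs-of-values statistic over the channel histogram.

    LSB embedding only moves mass between 2k and 2k+1; random payload bits push
    each pair toward equality, so a cover scores high and a fully embedded image
    scores low. (A p-value against the chi-square distribution is omitted here.)
    """
    hist = [0] * 256
    for pixel in pixels:
        for ch in pixel:
            hist[ch] += 1
    chi2 = 0.0
    for k in range(0, 256, 2):
        expected = (hist[k] + hist[k + 1]) / 2
        if expected:
            chi2 += (hist[k] - expected) ** 2 / expected
    return chi2


def demo_lsb() -> dict:
    rng = random.Random(1)
    # Constructed 64x64 cover with only even channel values (exaggerated skew).
    cover = [(2 * ((i * 7) % 128), 2 * ((i * 13) % 128), 2 * ((i * 3) % 128))
             for i in range(64 * 64)]
    message = b"constructed secret: q3 forecast.xlsx"
    stego = lsb_embed(cover, message)
    # Worst case for the subject: every LSB carries random payload data.
    full = lsb_embed_bits(cover, [rng.getrandbits(1) for _ in range(3 * len(cover))])
    return {
        "recovered": lsb_extract(stego),
        "chi2_cover": lsb_pair_chi_square(cover),
        "chi2_short_message": lsb_pair_chi_square(stego),
        "chi2_full_random": lsb_pair_chi_square(full),
    }


if __name__ == "__main__":
    print(demo_lsb())
```

Two things the numbers show that the prose does not: a short message touching only the first few pixels barely moves a whole-image statistic (which is why practical steganalysis works block by block, not globally), while filling the image with random or encrypted payload flattens every histogram pair and is easy to call.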

 

Masking and Filtering Steganography

  • Works similarly to watermarking by altering the luminance or contrast of an image.
  • Best suited for lossless formats like BMP and PNG, not JPEG.

 

How it works:

  • Hidden data is embedded in textured or edge-rich areas to avoid easy detection.
  • Modifies pixel intensity slightly, making it harder to detect through simple LSB analysis.

 

Advantages:

  • More robust than LSB against scaling and mild lossy compression.
  • Works well for grayscale and color images.

Disadvantages:

  • Lower capacity than LSB.
  • More complex to implement.
     

Transform Domain Steganography

  • Instead of modifying pixel values directly, this technique embeds data in frequency components after applying a mathematical transformation.

 

Types of Transform Domain Methods:

a. Discrete Cosine Transform (DCT) Steganography

  • Used in JPEG images, where data is embedded in DCT coefficients instead of pixels.
  • Common algorithm: F5 steganography (JSteg is an older, less secure method).

 

How it works:

  • The image is converted to frequency domain using DCT.
  • The hidden data is embedded in the mid-frequency DCT coefficients to avoid detection.
  • The image is recompressed using JPEG encoding.

 

Advantages:

  • Resistant to LSB steganalysis.
  • Works with JPEG, making it more practical.

Disadvantages:

  • Lower data capacity than LSB.
  • Can be detected by statistical steganalysis.

 

b. Discrete Wavelet Transform (DWT) Steganography

  • Uses wavelet transformation to embed data in high or low-frequency components.

 

How it works:

  • The image is broken into multiple frequency bands using DWT.
  • Data is embedded in high-frequency coefficients, ensuring robustness.
  • Common in medical image steganography for secure data transmission.

 

Advantages:

  • More robust against compression and noise than DCT.
  • Can embed more data than traditional DCT methods.

Disadvantages:

  • Requires more complex computation.
  • Can be detected by advanced steganalysis tools.

 

c. Fourier Transform-Based Steganography

  • Uses Fast Fourier Transform (FFT) to embed secret data in the frequency spectrum.
  • More resistant to image processing operations like scaling and rotation.

 

Advantages:

  • High robustness.
  • Harder to detect using common LSB-based analysis.

Disadvantages:

  • Requires complex processing.
  • Limited in data capacity.

 

Palette-Based and Color Modification Techniques

 

a. Palette-Based Steganography (GIF, PNG)

  • Modifies indexed color tables instead of pixels.
  • Works by shifting palette entries in GIF or PNG images.

 

Advantages:

  • No direct pixel modifications, making it hard to detect visually.

Disadvantages:

  • Can be detected by comparing original and modified color palettes.
  • Limited to certain file formats.

 

b. Alpha Channel Manipulation

  • Uses transparency layers in images (e.g., PNG with alpha channels) to store hidden data.

 

Advantages:

  • Harder to detect in images with multiple layers.

Disadvantages:

  • Only works in formats supporting alpha transparency (PNG, TIFF).

 

Edge-Based and Texture-Based Steganography

 

a. Edge Detection Steganography

  • Embeds data only in edge regions of an image, avoiding smooth areas.
  • Uses Canny edge detection or similar algorithms.

 

Advantages:

  • Harder to detect using basic LSB analysis.
  • Can withstand minor modifications.

Disadvantages:

  • Requires pre-processing.
  • Lower capacity than LSB.

 

b. Patchwork Algorithm

  • Uses redundant patterns to embed data, making detection harder.
  • Works well for texture-rich images.

 

Advantages:

  • High resistance to compression and cropping.

Disadvantages:

  • Complex encoding and decoding process.

 

Spread Spectrum and Noise-Based Techniques

 

a. Spread Spectrum Steganography

  • Mimics radio communication techniques, distributing data across the entire image.
  • Uses pseudo-random noise patterns to hide data.

 

Advantages:

  • Harder to detect due to randomness.

Disadvantages:

  • Lower data capacity.

 

b. Statistical Steganography

  • Alters color distributions or histogram properties to encode data.
  • Ensures changes remain within natural variations.

 

Advantages:

  • Very stealthy and hard to detect.

Disadvantages:

  • Limited data capacity.

 

Adaptive and AI-Based Steganography

  • Uses machine learning to optimize embedding locations.
  • Adaptive algorithms select least noticeable areas dynamically.


Advantages:

  • Extremely stealthy and resistant to detection.

Disadvantages:

  • Requires computational power.

 

Comparison Table of Image Steganography Methods

 

Method          | Capacity | Robustness | Detectability | Complexity
LSB             | High     | Low        | High          | Low
DCT             | Medium   | High       | Medium        | Medium
DWT             | Medium   | High       | Medium        | High
FFT             | Low      | Very High  | Low           | Very High
Edge-Based      | Low      | Medium     | Low           | Medium
Spread Spectrum | Low      | Very High  | Low           | High