Research by a group of European cybersecurity experts is raising new concerns about the increasing stealthiness of the techniques hackers use to command and control massive networks of compromised computers, including future scenarios involving smartphones, buildings and so-called “smart cities.”
In a paper posted last month on ResearchGate, cybersecurity experts from Germany, Poland and Italy said cyber criminals are increasingly leveraging advanced techniques to hide secret malware communications in the legitimate network traffic of compromised systems. Known as network steganography, the technique involves using popular Internet services, such as the header elements of web traffic, Skype, BitTorrent, DropBox and even Google search, to insert covert communications channels that can be used to command and control advanced malware or botnets. Although the concept of creating covert network channels dates back more than 25 years, the researchers predict vast new vulnerabilities and surveillance threats as more and more devices are connected to the Internet.
“We predict the emergence of network steganography to new domains, especially when combined with existing malware,” the report states. “One example in this regard is the potential to form novel botnets consisting of smart buildings instead of computers (so called smart building botnets), allowing the remote mass-surveillance and remote control of smart cities. Network steganography can increase the stealthiness of mass surveillance in such situations, especially when the number of bots in a smart building botnet is high.”
The traditional definition of steganography involves embedding secret data in various forms of digital media, including photographs, videos and audio files. The term network steganography was first coined in 2003 to describe the embedding of secret data in legitimate network traffic. The researchers note that hundreds of techniques can be used to create covert communications channels in network streams, but experts interviewed by FedScoop said network steganography communication channels are expensive to develop and maintain and can pose high risks to the attackers.
“For an attack to be effective, the attacker must eventually exploit his position to gain access to network resources which they have not yet compromised,” said Eyal Firstenberg, vice president of research at LightCyber, a security breach detection company. “During these maneuvers, the attacker only controls one side of the communication, and there lie opportunities for the defender to place sophisticated tripwires. The attacker also takes on a risk, as these methods tend to be tailor-made for the environment for which they were designed. A small modification to the environment can cause the previously covert channel to become very conspicuous or even break the network.”
Vincent Berk, CEO and co-founder of network security company FlowTraq, said the amount of hidden data, information and messages in seemingly innocuous traffic cannot be known. “It is possible to hide data in almost any legitimate traffic stream,” Berk said. “In fact, during my research years I managed to encode data and exfiltrate it from a network through the timing between packets — without ever changing their actual content. How widely this is being used, and by whom cannot be known. We must always be wary of any out-of-band communications that don’t fit the business processes of an organization. For instance, places such as DropBox are not universally used, and you might consider restricting their use.”
But according to the European researchers, monitoring and controlling those out-of-band communications is becoming increasingly difficult as cloud computing and wireless devices proliferate. “While there is not a major effort in developing novel network covert channels especially crafted for smartphones, recent trends take advantage of the device offloading features, especially those using the cloud,” the report states. “The huge volumes and the degree of sophistication of many services will represent a great challenge, especially in terms of being able to detect the covert communication or to provide effective countermeasures.”
Carlos Fernandes, director of Salient Federal Solution Inc.’s Cyber Security Center, called IPv6 tunneling “the ultimate vulnerability” associated with network steganography. IPv6 is the latest version of the Internet Protocol and is intended to replace IPv4, which still carries more than 94 percent of global Internet traffic. “Just because of the sheer size of the vulnerability, attackers can use the capability in IPv6 enabled networks (even if they’re not using IPv6) as part of legitimate network transmission packets,” Fernandes said.
For now, Berk recommends organizations lock down outbound firewalls to restrict the services network users can use, carefully curate what software is used and deployed on the network and perform anomaly detection on the network. “Watch the typical volumes and direction of data flows for most services and systems, and note anomalies,” he said. “When steganography is in use, something changes. The anomaly may give you a clue.”
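The flow-volume anomaly check Berk describes, as an added illustration that is not part of the original article or of any product mentioned in it: each host's outbound bytes per service are compared against that host's own recent history using a median/MAD baseline, and a service the host has never used before (an out-of-band channel such as a file-sharing site) is flagged on its own. The flow records, host name and service labels are constructed sample data.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records (not real data): (day, host, service, bytes_out).
# Days 1-6 are the baseline; day 7 is the day under observation.
SAMPLE_FLOWS = (
    [(d, "ws-17", "https", b) for d, b in zip(range(1, 8),
        [1_200_000, 1_150_000, 1_300_000, 1_250_000, 1_180_000, 1_220_000, 9_800_000])]
    + [(d, "ws-17", "dns", b) for d, b in zip(range(1, 8),
        [40_000, 42_000, 38_000, 41_000, 39_000, 40_500, 41_200])]
    + [(7, "ws-17", "dropbox", 3_500_000)]  # service never seen from this host before
)

def daily_volumes(flows):
    """Sum outbound bytes per (host, service, day)."""
    totals = defaultdict(int)
    for day, host, service, nbytes in flows:
        totals[(host, service, day)] += nbytes
    return totals

def find_anomalies(flows, observe_day, k=5.0, min_days=3):
    """Compare each (host, service) on observe_day against its own history.

    Median and MAD are used instead of mean/stddev so a few odd days in the
    baseline do not inflate the threshold. Flags:
      - 'new_service': fewer than min_days of history for that (host, service);
      - 'volume_spike': outbound bytes exceed median + k * MAD.
    Returns a list of (host, service, reason, observed_bytes, baseline_median).
    """
    totals = daily_volumes(flows)
    history, observed = defaultdict(list), {}
    for (host, service, day), nbytes in totals.items():
        if day < observe_day:
            history[(host, service)].append(nbytes)
        elif day == observe_day:
            observed[(host, service)] = nbytes
    alerts = []
    for key, nbytes in sorted(observed.items()):
        hist = history.get(key, [])
        if len(hist) < min_days:
            alerts.append((*key, "new_service", nbytes, None))
            continue
        med = median(hist)
        mad = median(abs(x - med) for x in hist) or 1.0  # guard against zero spread
        if nbytes > med + k * mad:
            alerts.append((*key, "volume_spike", nbytes, med))
    return alerts

if __name__ == "__main__":
    for host, service, reason, seen, base in find_anomalies(SAMPLE_FLOWS, observe_day=7):
        print(f"{host} {service:8} {reason:13} observed={seen:>10} baseline_median={base}")
```

The threshold multiplier k and the baseline window are the knobs a team tunes per service; the steady DNS volume in the sample passes, while the HTTPS spike and the never-before-seen service are both reported.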
But the reality, according to Berk, is that almost anything can be used to encode information. “The difficulty is that the outsider does not know what the encoding mechanism is that the sender and receiver have chosen,” he said. “We can hope to catch the most obvious cases, but subtle and small messages in huge volumes of network data will remain impossible to detect.”