Cyber criminals are becoming increasingly creative in delivering sophisticated attacks through innocuous-looking documents, email messages, social media and even text messages. Their latest threat vector, however, is everyday digital image files: PDF, .JPG, .PNG and so on. These are becoming the delivery source of targeted Advanced Persistent Threats (APTs) on the way in, and tools for concealing critical information on the way out.
Traditional Data Loss Prevention (DLP) solutions provide basic protection against the traditional threat of someone trying to send a file to an unauthorised individual. Today, data loss prevention requires a step change. Advanced Deep Content Inspection (DCI) of email messages, attachments and web uploads and downloads is required to detect sophisticated threats such as ransomware embedded in documents and images. Once detected, Clearswift’s Adaptive Redaction technology – developed to modify the content of files on-the-fly – can be used to redact only the malicious or sensitive data.
We often don’t give images a second thought; they are in presentations and documents all the time, but what sorts of risks can they pose? These days the multi-function printer enables remote printing, standard photocopying and the ability to scan a document and send it to an email address. When the device scans the document, it typically creates a PDF, but each page in the document is actually an image. These images are not picked up by traditional DLP solutions.
Clearswift has a number of new innovative features which combat these next-generation data loss risks through images. Optical Character Recognition (OCR) is a technique for analysing images and extracting the text, so that it can be processed like a normal electronic document using DLP functionality.
This issue is not restricted to scanned documents; other techniques such as screenshots can also be used to turn critical information into an image, but OCR enables them to be analysed so that DLP can prevent data leaks. A further enhancement to OCR enables redaction of text in images. Images can also be used to “hide” information. Some of this can be found in the document properties, for example the geographical co-ordinates of where the picture was taken.
This information can be used to identify locations and there have been several incidents with military personnel leaking information through these means. Document Sanitisation is a technique to remove document properties to prevent that mechanism of inadvertent data loss.
However, images can also be used to hide information with a technique called steganography. Here, tools subtly change the image so that, to the naked eye, there is no visible difference, and the altered image is then used to exfiltrate data.
Anti-steganography functionality will disrupt the image, so that no data can be extracted. Steganography is also used in botnets to communicate on the inbound traffic flow; the same anti-steganography techniques can be used to disrupt that communication channel to keep the organisation safe. Images are often overlooked, but the next generation of threats has emerged and is using them.
Dr Guy Bunker is chief technology officer at Clearswift.