discovered a piece of malware using network information hiding and decides to block its communication channel. In such a case, the administrator could introduce new filter rules for firewalls or traffic normalizers. However, adaptive malware would detect the blocked channel and would most likely find a way to route around this barrier: it switches to one of the several other hiding methods available, eventually building a covert overlay network with dynamic routing capabilities. These techniques were already discovered in academia several years ago [2, 33].
A New Initiative to Fight Information Hiding-Based Cybercrime
In the context of the forensic challenges mentioned previously, policymakers, governmental organizations, law enforcement, the security industry and academia should work jointly to build novel products and methods to protect companies and citizens.
Criminal Use of Information Hiding (CUIng) is an initiative recently launched in cooperation with Europol's European Cybercrime Centre (EC3). The initiative is open to all interested members from different backgrounds. Its current structure consists of a Steering Committee and regular members. The Steering Committee is responsible for setting the strategic direction of the initiative and for proposing, approving and coordinating all its activities; it is a mix of members from academia, industry, LEAs (law-enforcement agencies), and institutions.
Its main objectives, which are summarized in Figure 4, are the following:
˲ to raise awareness of the criminal use of information hiding on all relevant levels (from IT administration to governments),
˲ to track the progress of academic research in the domain,
˲ to monitor the technology's utilization by criminals,
˲ to share information about incidents between the relevant players,
˲ to provide practical advice to these players,
˲ to work jointly with researchers around the world, and
˲ to foster education and training on the professional and academic level.
Although the CUIng initiative started only recently, its circle of involved organizations and individuals has managed to collect and categorize a vast amount of relevant information, be it about discovered malware samples, information about incidents, or research output. Currently it consists of more than 100 experts from over 30 countries worldwide who represent different backgrounds. The initiative gathers and shares the following information:
˲ General background on information hiding: a general overview of recent trends and techniques.
˲ Scientific publications: relevant papers that present the state of the art in academic research in this area.
˲ Information hiding-capable malware reports: analyses of real-life malicious software that uses data hiding techniques.
˲ Relevant tools: applications that allow data to be concealed, as well as different approaches for countermeasures and detection.
˲ New categorization and didactic concepts and training course materials: new concepts on how to teach and train information hiding to make the topic more accessible, and materials from previous training sessions.
First survey results and trends were presented at relevant events (both academic and industry conferences). For instance, CUIng was a program partner for several industry eCRIME conferences, and it will organize a dedicated event, the CUING 2017 workshop (with ARES 2017), as well as a special session (with IWDW 2017) on these topics.
CUIng helped Europol's EC3 to create a CyberBit (an intelligence notification on cyber-related topics that aims to raise awareness and to trigger discussions or further actions), that is, a brief backgrounder for the Trends Series entitled "Steganography for Increased Malware Stealth." In January 2016, a dedicated training course for EC3 entitled "Training on Information Hiding Techniques and its Utilization in Modern Malware" was organized.
CUIng members are also involved in creating new tools, projects, and concepts for digital forensic purposes. The most notable examples include:
˲ The Network Information Hiding Patterns project [k], which allows a large number of available hiding techniques to be reduced to only several patterns; this can help the community to remain focused on core developments and to better understand network hiding concepts.
˲ The Covert Channel Educational Analysis Protocol (CCEAP) tool [34],
[k] http://ih-patterns.blogspot.de/p/introduction.html
Figure 4. Objectives of the CUIng initiative. [Figure: CUIng Initiative Objectives: Collaborate with Relevant Players; Work Jointly with Academia, Professionals and LEAs; Raise Awareness; Share Incidents; Create Educational Tools and Courses; Provide Advice; Research and Develop New Methods; Track Progress of Research]