Page 1254 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
breaches in the past. For example, in the Sony attack of 2014, attackers exfiltrated more than 25 GB of sensitive unencrypted data on Sony employees, including social security numbers, medical information, and salary information. Because the attackers didn’t encrypt the data prior to exfiltrating it, a DLP system could have detected the attempts to transmit it out of the network.
However, it’s worth mentioning that advanced persistent threats (such as Fancy Bear and Cozy Bear, discussed in Chapter 14) commonly encrypt traffic prior to transmitting it out of the network.
The U.S. Department of Homeland Security and the Federal Bureau of Investigation released a joint analysis report (JAR-16-20296A) in December 2016 outlining the actions of Fancy Bear (APT 28) and Cozy Bear (APT 29).
Steganography
Steganography is the practice of embedding a message within a file. For example, individuals can modify bits within a picture file to embed a message. The change is imperceptible to someone looking at the picture, but if other people know to look for the message, they can extract it.
It is possible to detect steganography attempts if you have the original file and a file you suspect has a hidden message. If you use a hashing algorithm such as Secure Hash Algorithm 3 (SHA-3), you can create a hash of both files. If the hashes are the same, the file does not have a hidden message. However, if the hashes are different, it indicates the second file has been modified. Forensic analysis techniques might be able to retrieve the message.
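The hash comparison above, and the egress-monitoring use of it (a periodic baseline of hashes for rarely changing files, re-checked later), as an added example that is not from the study guide. The "files" are constructed placeholder bytes, and flip_lsb is a hypothetical stand-in for a stego-style edit that would be invisible in a real image.

```python
import hashlib
from typing import Dict, List


def sha3_256_hex(data: bytes) -> str:
    """SHA-3 (256-bit) digest of a file's bytes, as a hex string."""
    return hashlib.sha3_256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Periodic capture: record one hash per rarely changing internal file."""
    return {path: sha3_256_hex(data) for path, data in files.items()}


def detect_modified(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """Compare current files against the baseline.

    Same hash  -> file unchanged, no hidden message.
    Different  -> file was modified; hand it to forensic analysis.
    A baseline file that has disappeared is also reported.
    """
    flagged = []
    for path, expected in baseline.items():
        if path not in current:
            flagged.append(path + " (missing)")
        elif sha3_256_hex(current[path]) != expected:
            flagged.append(path)
    return flagged


def flip_lsb(data: bytes, index: int) -> bytes:
    """Hypothetical stego-style edit: flip the least-significant bit of one byte."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


# Constructed sample "files": placeholder bytes standing in for GIF/JPEG content.
SAMPLE_FILES = {
    "logo.gif": b"GIF89a" + bytes(range(64)),
    "banner.jpg": b"\xff\xd8\xff\xe0" + bytes(range(64, 128)),
}


def demo() -> List[str]:
    baseline = build_baseline(SAMPLE_FILES)          # captured at baseline time
    current = dict(SAMPLE_FILES)                      # files as seen at check time
    current["banner.jpg"] = flip_lsb(current["banner.jpg"], 20)  # one-bit change
    return detect_modified(baseline, current)          # -> ['banner.jpg']


if __name__ == "__main__":
    print(demo())
```

A single flipped bit changes the SHA-3 digest completely, so the check catches edits that no viewer would notice; it does not, however, tell you what was hidden.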
In the context of egress monitoring, an organization can periodically capture hashes of internal files that rarely change. For example, graphics files such as JPEG and GIF files generally stay the same. If security experts suspect that a malicious insider is embedding additional data within these files and emailing them outside the