With the drumbeat of cybersecurity-related news headlines growing day-by-day, technology leaders are increasingly reassessing the efficacy of their layered cybersecurity defenses, including protections against insider threats, who may have access to highly sensitive data such as trade secrets, customer information or business strategy. Certus Cybersecurity recently participated in a “capture the flag” contest which allows security researchers to flex their technical skills by identifying security issues in a simulated scenario. The issues Certus Cybersecurity identified in the BambooFox capture the flag event (https://bamboofox.cs.nctu.edu.tw/) hold important lessons for businesses seeking to protect against insider threats and underscore the false sense of security provided by certain industry-standard defensive technologies. This article, which begins with a technical walkthrough of the capture the flag event and concludes with business implications, shows how widely adopted security technologies can be circumvented by a determined insider in the absence of effective, complementary forensics.
Technical Walkthrough
In the BambooFox capture the flag event, Certus Cybersecurity’s researcher was presented with the below cat image and the accompanying challenge: “Find what the cat is hiding.” With only a .png file to evaluate, our researcher decided to leverage a forensic tool known as binwalk to identify any embedded files or executable code. The ‘binwalk cat.png’ command identified two images embedded within in the photo.
The below image of a cat had two images hidden within it.

Once the two images were identified our researcher pulled them out using Foremost, an open source forensics tool. The output of the command executed, ‘foremost -b 371382 -o cat_new.png cat.png’, is shown below.
The below image shows the physical addresses of the two hidden images.

This command created two files within the cat_new.png folder named ‘00000000.png’ and ‘00000001.png’ with different file sizes. After running the compare command -‘compare 00000000.png 00000001.png -compose src new.png’, our researcher was able to extract a QR code which linked to a corrupted image file from Imgur: https://imgur.com/download/Xrv86y2.
The corrupted image from Imgur is shown below.

After performing the strings command on the image, our researcher was able to find the flag. ‘strings BambooFoxCTF2019/Find\ the\ Cat/cat_new.png/Xrv86y2\ -\ Imgur.jpg’. The below image highlights the flag our researcher identified after running the strings command.

Lessons Learned
Currently, corporations rely on data loss prevention (DLP) technologies to protect against exfiltration of sensitive information. The DLP controls are based on regular expressions, or regex. Without context and effective complementary forensics, regex-based DLP controls may be circumvented by an adversary to exfiltrate sensitive information. The capture the flag scenario described in this blog post shows how an adversary can obfuscate and extract sensitive business information by embedding the data they are seeking to exfiltrate in a innocuous-looking file, uploading the file to a third party website or publicly exposed internal site, and extracting information from the file via an personal laptop. One such war story we’ve seen illustrating this risk included an insider creating a SHA-1 hash of sensitive information and embedding that sensitive information’s hash in a .png file. The insider then uploaded the file on the social news aggregation website Reddit, and exfiltrated the file via their personal device from there.
Now, for the average user, the photo uploaded to Reddit was innocent, but for a rogue insider, the photo served as a means to extract sensitive corporate information. This practice is more widespread than is commonly recognized, and in order to combat against such threats, technology leaders need more context-aware DLP capabilities. For instance, in the case of a .png file, if the byte size is larger than anticipated, there has to be an intervention and forensics review to see if sensitive information is being exfiltrated. Without this context, overreliance on regex-based DLP controls permits adversaries to exfiltrate sensitive information, such as intellectual property or trade secrets, despite DLP capabilities that are seemingly robust.
About the Author
Swapnil Deshmukh is CTO & co-founder of Certus Cybersecurity. A product security thought leader and subject matter expert, Swapnil is responsible for leading the company's global team of security engineers.