
Careful with that alternate data stream Eugene

By Jonathan Care | October 24, 2020 | 0 Comments

Categories: Cyber Security, Identity and Access Management and Fraud Detection, Infrastructure Security, Security and Risk Management Leaders, Security Operations

Insider Risk Management

One of the things I’ve been researching in some depth this year is the Insider Risk Management problem, and I hope to have some useful research notes published shortly.

Return of the shuffling hordes. BRAAAIIINSSSS!

There are lots of interesting questions to answer. Whether to call it Insider Risk or Insider Threat is a fundamental one, but there is also the more cyber-existential sort, such as:

  • What is Insider Risk anyway?
  • Isn’t this just DLP in new shoes?
  • How creepy is this anyway?

and the list goes on (and on).

But one thing to ask your Insider Risk (or Threat) vendor is whether they can handle (or detect) the use of alternate data streams: a simple steganographic method that (guess what!) is supported natively by NTFS on Windows. And you can’t turn it off.

Admiring the problem

The brilliant Sysinternals page at Microsoft tells us:

The NTFS file system provides applications the ability to create alternate data streams of information. By default, all data is stored in a file’s main unnamed data stream, but by using the syntax ‘file:stream’, you are able to read and write to alternates. Not all applications are written to access alternate streams, but you can demonstrate streams very simply.

First, change to a directory on a NTFS drive from within a command prompt.

Next, type ‘echo hello > test:stream’.

You’ve just created a stream named ‘stream’ that is associated with the file ‘test’.

Note that when you look at the size of test it is reported as 0, and the file looks empty when opened in any text editor. To see your stream enter ‘more < test:stream’ (the type command doesn’t accept stream syntax so you have to use more).

So these things are simple to create, and they appear to be hard to detect unless you know what you are looking for, or have a tool to hand (such as your favourite hex editor) that allows manual inspection.

Why should I care? I have data exfiltration measures!

Well, why indeed. But consider this. If I can effectively hide one file inside another (and even get Windows to report a file size that excludes the hidden stream), then perhaps I can fool an exfiltration system into looking the other way. For example, hiding an Excel spreadsheet behind a binary DLL and then sending it out via corporate email might cause a “smart” content filter to route the DLL through the malware scrubber rather than through the sensitive content comb.

A lot of my clients are becoming concerned about the amount of information leaked by insiders, and in my research I talk about the three primary actor types: the determined spy, the disgruntled associate, and the disaffected “unaware and just don’t care”. The last group is, of course, by far the largest, as this report shows (and so do many others), and they are unlikely to use alternate data streams, or even to be aware of them.

However, as the examples above show (and as Folder Security Viewer also notes), it is really simple to do this. That means that when you are examining capabilities, whether of your current system or of a new vendor’s Insider Risk Management offering, an important question to ask is whether they can pick up alternate data streams.
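Before asking a vendor that question, it is worth being able to answer it yourself. The following PowerShell script is an added example (not from the original post, and not a Gartner or Sysinternals tool) that covers both the demonstration in the Sysinternals passage and the detection question raised here: it optionally builds a constructed carrier file with one named stream, then walks a directory tree, lists every named stream that is not the main unnamed `:$DATA` stream or the browser-added `Zone.Identifier` mark, and puts the size Explorer reports next to the size actually hidden in each stream. The demo location under `$env:TEMP`, the sample file name and the list of streams treated as benign are assumptions of the example.

```powershell
# Added example: enumerate NTFS alternate data streams under a directory
# and flag files whose named streams hold data that the reported file
# size does not account for. Not part of the original post.
param(
    [string]$Root = (Join-Path $env:TEMP 'ads-demo'),  # assumed demo location
    [switch]$CreateSample                               # build a constructed test file first
)

# Streams that are expected on their own and are not worth reporting:
# ':$DATA' is the file's main unnamed stream; 'Zone.Identifier' is the
# Mark-of-the-Web that browsers and mail clients add to downloads.
# Extend this list to match your own environment (assumption).
$benign = @(':$DATA', 'Zone.Identifier')

if ($CreateSample) {
    New-Item -ItemType Directory -Path $Root -Force | Out-Null
    $sample = Join-Path $Root 'test'
    # Constructed sample: an empty carrier file with one named stream,
    # mirroring the 'echo hello > test:stream' demonstration quoted above.
    New-Item -ItemType File -Path $sample -Force | Out-Null
    Set-Content -LiteralPath $sample -Stream 'stream' -Value 'hello'
}

function Get-AdsReport {
    param([string]$Path)
    # -Force includes hidden and system files; -File skips directories.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force | ForEach-Object {
        $file = $_
        # Get-Item -Stream * returns one record per stream on the file.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $benign -notcontains $_.Stream }
        foreach ($s in $streams) {
            [pscustomobject]@{
                File          = $file.FullName
                ReportedBytes = $file.Length   # what dir and Explorer show
                Stream        = $s.Stream
                HiddenBytes   = $s.Length      # what the named stream really holds
            }
        }
    }
}

$findings = Get-AdsReport -Path $Root
if ($findings) {
    $findings | Format-Table -AutoSize
    # For triage, the contents of a named stream can be read with:
    #   Get-Content -LiteralPath <file> -Stream <stream>
    # and removed, once confirmed unwanted, with:
    #   Remove-Item -LiteralPath <file> -Stream <stream>
} else {
    "No alternate data streams found under $Root"
}
```

Run it once with `-CreateSample` to see the constructed `test` file reported with `ReportedBytes` of 0 and `HiddenBytes` of 7, which is exactly the size discrepancy the post describes. The same listing is available from a command prompt with `dir /R`, and Sysinternals’ own `streams.exe` (the utility the quoted page documents) will recurse a tree with `streams -s`; the PowerShell version is shown because it emits objects that can be fed into a SIEM or a scheduled baseline comparison rather than text to be eyeballed.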

The answers may surprise you.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
