000030982 - Information regarding steganography (null cipher) detection in RSA Security Analytics for packets

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000030982
Applies To: RSA Product Set: Security Analytics, NetWitness
Platform: CentOS
O/S Version: EL6
Tasks: This article provides general information about steganography (including null cipher) detection in both Security Analytics and NetWitness for packets.
Resolution: It is not possible to "detect" steganography as such; what can be detected are statistical anomalies/outliers in the composition of the file, so steganography detection requires statistical analysis. By design, both Security Analytics and NetWitness (for packets) perform on-the-wire packet decoding using BPF (Berkeley Packet Filter). Security Analytics does not perform statistical analysis of this type.
At the time of this writing (SA 10.5), steganography is not a feature of Security Analytics or NetWitness.

Steganography is a form of encryption. It works by replacing bits of unused data in regular computer files (such as graphics, sound, text, HTML, or even floppy disks) with other bits of invisible information. (Typically this is done with plaintext, but it may also be ciphertext or images.)
A null cipher is an antiquated form of encryption in which plaintext is mixed with a large amount of non-cipher material. Today it is regarded as a very simple form of steganography.
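As an added example (not part of the original article or of either product), the statistical-outlier approach the Resolution describes, applied to the simplest bit-replacement scheme: the check measures how compressible the least-significant-bit plane of a file is, because the "unused" bits of a smooth cover are regular while replaced bits carrying a compressed or encrypted payload are not. The cover, payload and 0.5 threshold are constructed for this example.

```python
import random
import zlib

# Added example (constructed cover, payload and threshold): a compression-based
# outlier check on the least-significant-bit (LSB) plane of a file.

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Replace the LSB of successive cover bytes with the payload bits, MSB first."""
    bits = [(b >> (7 - k)) & 1 for b in payload for k in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in cover")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def lsb_plane(data: bytes) -> bytes:
    """Pack the LSB of every byte into a bit string, eight bits per output byte."""
    out = bytearray()
    for i in range(0, len(data) - len(data) % 8, 8):
        packed = 0
        for b in data[i:i + 8]:
            packed = (packed << 1) | (b & 1)
        out.append(packed)
    return bytes(out)

def extract_lsb(stego: bytes, n_bytes: int) -> bytes:
    """Recover n_bytes of payload; bit order matches embed_lsb."""
    return lsb_plane(stego[:n_bytes * 8])

def lsb_compression_ratio(data: bytes) -> float:
    """Compressed size of the LSB plane over its raw size (near 1.0 = incompressible)."""
    plane = lsb_plane(data)
    return len(zlib.compress(plane, 9)) / len(plane)

def looks_anomalous(data: bytes, threshold: float = 0.5) -> bool:
    """Flag data whose LSB plane is far less regular than a smooth cover's would be."""
    return lsb_compression_ratio(data) > threshold

# Constructed inputs: a smooth 4096-byte gradient as cover, and 500 pseudo-random
# bytes standing in for an encrypted message (hiding tools encrypt or compress first).
COVER = bytes((i // 3) % 256 for i in range(4096))
_RNG = random.Random(7)
PAYLOAD = bytes(_RNG.getrandbits(8) for _ in range(500))
STEGO = embed_lsb(COVER, PAYLOAD)

if __name__ == "__main__":
    print(f"cover {lsb_compression_ratio(COVER):.2f} stego {lsb_compression_ratio(STEGO):.2f}")
```

Noise-like covers (sensor noise, already-compressed data) also have incompressible LSB planes, so a high ratio is an outlier indicator that needs a baseline per file type, not proof of embedding.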