Example 1: Steganography for Data Exfiltration
An insider threat at a defense contractor needs to exfiltrate classified documents without triggering DLP controls. The DLP system scans all outbound emails and attachments for keywords, file signatures, and known sensitive document formats.
The attacker uses a steganography tool to embed the documents inside legitimate-looking JPEG images (photos of engineering equipment taken at the facility). The images pass all DLP checks β they're valid JPEGs with no keyword hits, no suspicious file types, no encrypted content. The attacker emails them to a personal account as "photo archives."
Detection: A steganalysis tool analyzes the statistical properties of image data. Natural photographs have certain statistical distributions in pixel values. LSB steganography disturbs these distributions in detectable ways. The steganalysis tool flags the images, and forensic analysis extracts the hidden documents.
Example 2: Malware Using Network Steganography for C2
An advanced persistent threat (APT) deploys malware on a corporate network. The malware needs to communicate with its command-and-control server without triggering network monitoring that blocks unusual protocols or scans payload content.
The malware sends DNS queries that look legitimate but encode commands in the subdomain portion of the query: cmdencode-aGVsbG8.attacker.com. To a DNS monitor, this looks like a DNS lookup for an unusual hostname β nothing more. The embedded base64 payload is invisible in normal monitoring.
Detection: DNS traffic analysis looking for unusually long subdomain names, high query volume to a single domain, or base64-encoded patterns in DNS subdomains. SIEM rules tuned for DNS tunneling patterns.
Example 3: Tokenization for PCI-DSS Scope Reduction
A subscription e-commerce company processes credit cards monthly for thousands of subscribers. Before tokenization, their entire payment infrastructure β web servers, databases, application servers β was in PCI-DSS scope because real card numbers flowed through all of it.
After implementing tokenization: the real card number is captured at checkout by the payment processor's JavaScript widget (the merchant's server never sees it). The processor returns a token. The merchant stores the token. Monthly billing sends the token to the processor, which charges the card.
Result: the merchant's infrastructure is almost entirely out of PCI-DSS scope because no real card numbers ever touch their systems. Their compliance burden drops dramatically β fewer systems to audit, fewer controls to implement, lower compliance costs.
Example 4: Static Data Masking for Development Environment
A bank has a production database with 10 million customer records including SSNs, account numbers, and transaction history. The development team needs realistic data to test new features, but should not have access to real customer information.
Static data masking creates a copy of the production database where: SSNs are replaced with algorithmically valid but fictitious numbers, account numbers are replaced with random strings in the same format, names are replaced with generated names, email addresses are replaced with @example.com addresses, and transaction amounts are preserved (for realistic volume testing) but rounded.
The masked database has the same structure, the same volume, and realistic characteristics β but zero real PII. Developers can use it freely without privacy or compliance risk. The original production database is unmodified.
Example 5: Invisible Watermarks for Document Tracking
A law firm distributes a confidential merger document to five parties: two clients, two opposing counsel, and one mediator. Six weeks later, the document appears in a press leak.
Each copy of the document had a unique digital watermark embedded β invisible, surviving PDF re-saving, and surviving printing and scanning (using slight variations in spacing, font rendering, and whitespace that are imperceptible but statistically detectable). The leaked copy's watermark identified it as the copy sent to one specific opposing counsel.
This is steganography used defensively as a canary β the hidden marker doesn't protect the document from being read, but it identifies the source of a leak after the fact.
Exam Scenario 1
Question: A retailer wants to store customer payment information for recurring billing but doesn't want to keep actual card numbers in their database. What technique should they use?
Answer: Tokenization. The payment processor stores the actual card number in a secure token vault and provides the retailer with a token. The retailer stores only the token. For future billing, the retailer submits the token to the payment processor, which retrieves the real card number from the vault and processes the charge. The retailer never stores, processes, or transmits real card numbers.
Exam Scenario 2
Question: A call center needs to verify customer identity using the last four digits of their account number, but agents should not be able to see the full number. What technique accomplishes this?
Answer: Dynamic data masking. The database stores the full account number, but the call center application applies a masking rule at query time that shows only the last four digits to agents (****1234). The full number remains in the database unchanged and is accessible to authorized systems (billing, statements), but the call center agents' view is masked based on their role. This is role-based dynamic masking, not tokenization (the original data is intact in storage).