Technology for Grasping an Entire Cyber Attack at a Glance and Significantly Reducing Incident Analysis Time

Countermeasures Predicated on the Occurrence of Malware Intrusion

The number of cyber attacks carried out to gain unauthorized access to targeted computers and networks via the Internet or other means in order to steal, destroy, or corrupt data has been increasing year after year. According to a survey by the Information-technology Promotion Agency (IPA) of Japan, the number of requests for consultations on cyber attacks in 2015 was almost five times that of 2014, and attack methods have become increasingly ingenious (*1). After having infected an organization, attackers can control the malware remotely (*2), leaking important information to the outside. As this sort of malware attack is extremely difficult to prevent completely, there is a pressing need for companies to take countermeasures predicated on the occurrence of malware intrusion.

Conventionally, if malware is detected within an organization, the following steps are taken: 1) isolate the infected device(s), 2) analyze logs/files, and 3) identify the details of the malware attack. However, because organizations rely on experts to perform malware analysis and identification, it sometimes takes several weeks to grasp the complete picture of the attack. Also, because the volume of network communications is so enormous, it is costly to collect and analyze all communication data, and it is extremely difficult to efficiently analyze only those communications related to an attack because they are hidden within the huge volume of ordinary communications.

(*1) Source: "Cyber Rescue and Advice Team against targeted attack of Japan (J-CRAT) activity report (second half of 2015)" published by the Information-technology Promotion Agency (IPA) of Japan
https://www.ipa.go.jp/files/000053392.pdf

(*2) A collective name for malicious software or code intended to perform unauthorized or harmful actions

Grasping an Entire Targeted Cyber Attack at a Glance

To address this issue, Fujitsu Laboratories has developed technology for quickly analyzing the status of targeted cyber attacks and to show the entire picture of an attack at a glance.

This technology collects the communications data flowing through networks and then abstracts and compresses the huge volume of communications data at the operation level by inferring from the communications data which commands were carried out on PCs. Moreover, by efficiently connecting command operations with specified user information, it can identify who executed what type of remote control as well as collect trace information about command operations. Also, the technology quickly extracts the extent of progress of the attack by performing analysis that distinguishes between communications generated by ordinary tasks and communications that are highly likely to be part of attacks.

By installing an analysis system that incorporates these technologies on an internal network that has a high volume of communications, the time required to perform major analysis can be significantly reduced. For example, doing so makes it possible to extract a series of command operations from a specific PC from amongst a day's worth of communication trace logs within a few seconds or a few tens of seconds. In addition, it enables communications data flowing through the network to be compressed to about 1/10,000th for storage purposes.

In this way, Fujitsu's newly developed analysis system constantly collects and investigates traces so that when a targeted cyber attack is detected, data from the PCs affected by the attack can be extracted in succession. In addition, because the status of the attack is automatically illustrated from a bird's-eye view, the entire picture of the attack can be grasped at a glance.

Summary of newly developed technologies

Quickly Performing Security Incident Analysis

With this newly developed technology, security incident analysis, which previously had to be entrusted to experts and took a great deal of time, can now be done quickly even by non-experts. As a result, when stricken by a targeted cyber attack, it is now possible to take countermeasures rapidly and comprehensively before the damage spreads, thus enabling safe, secure intranet use.

Fujitsu Laboratories will continue to improve this technology's functions, including operability, while aiming to realize practical implementation during FY2016 and incorporation into Fujitsu Limited's services after FY2016.