Real-Time Detection Technology for Back-and-Forth Type Targeted Email Attacks

Data Breaches Getting Worse

Data breaches caused by email attacks targeting a certain organization or an individual are frequently in the news. Attackers include fake sender names and messages in emails, making it difficult for recipients to distinguish them from real inquiries. This makes it impossible to completely avoid opening high-risk emails. According to a government report,* about 10% of government agency, local government, and company employees opened email attachments in training sessions. Currently, damage caused by targeted email attacks of the so-called "back-and-forth type" has become particularly serious. In this type of attack, attackers first pretend to be a regular business and exchange messages with recipients a few times instead of suddenly sending them a malicious program. They only send an email with malware** after the recipients have begun to trust them.

Recipients are unlikely to notice the activities of malicious programs hiding in their network, which exacerbates the situation. Once malware breaks into the intranet via targeted emails, it uses the infected PC to repeatedly access the network and send its information to an external server. Since attackers remotely operate authorized commands and tools, network administrators cannot easily separate attacker activities from user activities. The issue is how quickly and efficiently these suspicious activities by hidden malware can be detected.

*: "2011 Overview of Targeted Email Attack Training (Interim Report)" by the National Information Security Center (NISC)

**: A general term describing malicious software or code developed to cause harm

Real Time Detection of Suspicious Activities

To fight these hard-to-prevent and hard-to-detect email attacks, Fujitsu Limited and Fujitsu Laboratories Ltd. have prioritized post-infection security measures on the assumption that there will be a successful virus intrusion, instead of focusing on virus prevention. Their concept was to detect on a real-time basis any suspicious activities inside the network during the initial stage of email attacks. Information on such activities can then be shared across the organization in order to prevent the unauthorized forwarding of confidential information.

Based on this idea, Fujitsu Limited and Fujitsu Laboratories Ltd. became the first in the industry to develop technology that allows the real-time detection of suspicious activities in email exchanges. The technology learns normal activity patterns in email exchanges by connecting regular email exchanges with the user operations that take place before and after them. It then detects anomalous activity patterns in real time and flags them as targeted attacks.

This real-time detection is the result of two specific technologies. One distinguishes regular operational patterns from those of a user who is under an email attack. Let us assume that a user (1) receives an email, (2) reads the message, and (3) clicks a URL in the message to access the website in a browser. The technology connects these activities to form an operational pattern that occurs at the time of receiving an email. Since it creates an operational pattern for each email sender, it can decide whether the downloading of data from a website took place during the course of exchanges with a specific individual.

The other technology achieves real-time anomaly detection using combinations of operational logs. Traditionally, real-time anomaly detection required the long-term collection of all user operational logs, and this large volume of data prevented instantaneous risk detection. The new technology, on the other hand, detects anomalies via machine learning*** by combining the user operational logs associated with a series of email exchanges, learning compact regular operational patterns from them, and comparing the learning results with current activities. This process has achieved a 90% reduction in the volume of data necessary for anomaly detection and high-speed detection of the back-and-forth type of targeted email attack, which usually lasts for a few days. The machine learning technology is part of Fujitsu's Human Centric AI Zinrai, a combination of its AI technologies.

These two technologies make it possible to detect the series of suspicious activity patterns associated with back-and-forth targeted email attacks while excluding irrelevant activities. As a result, the total number of activities detected as suspicious has decreased by 90% (compared to previous Fujitsu products), focusing warnings onto only high-risk emails during the course of exchanges.
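The per-sender pattern learning and download-time check described in the two paragraphs above, as an added Python sketch that is not Fujitsu's code: it assumes a log of (user, sender, action) records, treats each received mail as the start of a new exchange with that sender, learns the exchange states seen per sender as a compact baseline, and issues a verdict only when a download is requested in a state that sender's exchanges never reached before. All log data is constructed.

```python
from collections import defaultdict

# Constructed sample logs (not real data); each record is "user sender action" in time order.
TRAINING_LOG = [tuple(r.split()) for r in """
alice partner@corp.example mail_recv
alice partner@corp.example mail_read
alice partner@corp.example url_click
alice partner@corp.example download
alice news@vendor.example mail_recv
alice news@vendor.example mail_read
alice news@vendor.example url_click
""".split("\n") if r]

def track(log):
    """Yield (key, actions so far) after each record; a mail_recv opens a new exchange."""
    current = {}
    for user, sender, action in log:
        key = (user, sender)
        if action == "mail_recv" or key not in current:
            current[key] = []
        current[key].append(action)
        yield key, current[key]

def learn_patterns(log):
    """Compact baseline: for each (user, sender), the set of exchange states ever observed."""
    baseline = defaultdict(set)
    for key, actions in track(log):
        baseline[key].add(tuple(actions))
    return baseline

def detect(baseline, live_log):
    """Replay live records in order. A verdict is issued only at a download request, so the
    operation can be stopped just before the download; other steps are only tracked."""
    alerts = []
    for (user, sender), actions in track(live_log):
        if actions[-1] == "download" and tuple(actions) not in baseline.get((user, sender), ()):
            alerts.append(f"block download for {user}: exchange with {sender} went "
                          + " -> ".join(actions) + "; never seen with this sender")
    return alerts

# Back-and-forth scenario: two harmless exchanges build trust, then a link and a download.
LIVE_LOG = [tuple(r.split()) for r in """
alice mallory@unknown.example mail_recv
alice mallory@unknown.example mail_read
alice mallory@unknown.example mail_recv
alice mallory@unknown.example mail_read
alice mallory@unknown.example url_click
alice mallory@unknown.example download
""".split("\n") if r]

if __name__ == "__main__":
    print(*detect(learn_patterns(TRAINING_LOG), LIVE_LOG), sep="\n")
```

The same four-step exchange with partner@corp.example produces no alert because that sender's baseline already contains a download state, which is the per-sender distinction the text describes.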

***: A technology or method involving the use of a computer to automatically extract rules and patterns from sample data

Activities circled in red were deemed to be exchanges involving attack emails, so warnings were issued. With this technology, an activity is only deemed anomalous at the point where a data download is requested, so operations can be stopped just before the download.

Enabling Organizations to Prevent Targeted Attacks

A combination of the detection technology described above and expanded cyberattack measures that Fujitsu has developed will allow organizations to implement pre-emptive measures and prevent data breaches affecting their internal information.

Fujitsu Limited and Fujitsu Laboratories Ltd. have so far worked on analysis and detection of cyberattacks by developing two technologies: behavioral characteristic analysis technology and high-speed technology to detect hidden malware network activities (hereinafter "network detection technology"). Behavioral characteristic analysis technology is a type of security technology developed to uncover the characteristics of users prone to security risks. This technology helps create security measures that suit the characteristics of organizations or users. Network detection technology allows detection of hidden activities without needing to find the actual malware. Expanding these two technologies and combining them with the detection technology described above will allow organizations to proactively implement measures against data breaches affecting confidential information.

The expanded version of the behavioral characteristic analysis technology has a new feature which presents individual or organizational risk status as an IT risk dashboard. New network sensors have been connected to network detection technology. With these new features, monitoring levels can be adjusted during the early stages of attack in accordance with the individual or organizational risk status. Also, a dialog box appears on the screen to warn a user who has received an email similar to an attack email. An organization as a whole can proactively implement necessary measures, such as temporarily restricting a user’s Internet or network access to prevent the unauthorized forwarding of internal information.

New cyberattack prevention measures featuring the new anomaly detection technology

Future Commercialization

The new technology introduced in this article detects in real-time unusual and suspicious activities inside a network and allows organizations to proactively prevent data breaches affecting internal information. Much can be expected of this technology as a way to protect confidential corporate information from the threat of increasingly sophisticated targeted email attacks. Fujitsu Limited and Fujitsu Laboratories Ltd. will expand the range of detectable targeted email attacks and enhance detection accuracy, with a view to commercializing the technology in FY2016.

The new technology detects high-risk targeted emails. In line with the risk level, it tightens the security policy applied to the entities our clients do business with, actively prevents data breaches, and lets clients see the status of Internet access limits on a dashboard.