Fujitsu has worked with BAE Systems – one of the largest US defence companies, offering comprehensive threat analytics capabilities for managing threat intelligence and for detecting and investigating unknown cyber threats, advanced persistent threats, and zero-day attacks – to develop a cyber threat intelligence (CTI) utilisation system. The system efficiently utilises CTI, that is, the details of cyber-attacks and responses expressed in a computational format.
The system merges BAE Systems’ meta-modelling technology, which makes CTI sharing easy, with Fujitsu’s automation technology for efficient cyber-attack response and with the cyber-attack response know-how the two companies have been developing since 2015. It offers a CTI sharing function that enables secure and easy CTI sharing between organisations, and a CTI generation function that brings together multiple pieces of CTI into a more comprehensive CTI.
The aim of this system is to share knowledge related to cyber-attacks between various organisations and companies, and to offer a structure whereby effective responses are taken efficiently. It will provide functions to make it safe and easy to share CTI, and that make it possible to generate and utilise more advanced CTI by fusing multiple CTI sources.
The system will enable cyber-attack analysts, even those with little experience, to rapidly provide high-quality analysis and strong responses. Going forward, this system will be utilised and improved in the field, such as at the Fujitsu Advanced Artifact Analysis Laboratory, which is a facility providing advanced security analysis for the Fujitsu Group. Fujitsu plans to commercialise the technology in fiscal 2016.
Fujitsu is working hard to build a safe and secure ICT environment by promoting the spread of this system, contributing to the advancement of cyber-attack analysis and responses.
The threat of cyber-attacks is expanding in line with the spread of computer systems and the Internet, but there is a lack of high-level cyber-attack analysts who can respond to difficult-to-detect cyber-attacks using sophisticated methods. As such, there is an increasing need for methods and technologies to efficiently utilise analysts’ know-how and techniques in as many fields as possible.
CTI is created when high-level analysts put the results of their cyber-attack analysis, including the essential details of the attack (including attacker information, time, likely objectives, attack targets, and intrusion paths and methods) as well as information on response methods, into a computational format. In reality, government institutions, large companies, and even individual analysts create their own unique CTI, using it in cyber-attack responses.
By further advancing the use of CTI, integrating multiple sources of CTI, and creating CTI with even more cyber-attack and response information, it is now possible to do relational analysis between cyber-attacks, which could not be done with just one CTI source, and create more effective cyber-attack responses.
In the US, in order to promote the sharing of CTI between organisations and companies, new legislation is now in place and standardisation is moving forward, including CTI frameworks and standards for CTI information representations and protocols from the OASIS CTI Technical Committee.
The CTI utilisation system developed with BAE Systems offers the following functions:
Functions to safely and easily share CTI among businesses and organisations
When exchanging CTI between organisations and companies of all kinds, CTI sharing policies, which determine what sort of information is shared, are established on the basis of each company’s or organisation’s information security policy. Then, on the basis of the CTI sharing policy, the information that can be shared is extracted from the CTI and shared through email or other methods.
As a result, the methods of extracting information from CTI become individualised, and it is difficult to extract information in a way that accurately follows the CTI sharing policy. In addition, information shared through email must be converted and stored in a format that the system can use, which discourages active CTI sharing.
The newly developed system provides a function to transmit and receive CTI information in a standard format established by the OASIS CTI Technical Committee, as well as an information extraction function that accurately implements CTI sharing policies.
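The policy-driven extraction step described above, as an added illustration rather than Fujitsu's or BAE Systems' code: a STIX 2 style bundle (the OASIS CTI TC format) is filtered so that only allow-listed object types, allow-listed fields and objects within a TLP ceiling leave the organisation. The policy schema, the sample bundle and the `x_internal_` extension prefix are constructed assumptions.

```python
"""Policy-based extraction of shareable CTI from a STIX 2 style bundle.
Added illustration, not Fujitsu's or BAE Systems' code; the policy schema,
the bundle contents and the 'x_internal_' prefix are constructed assumptions."""

# TLP ordering used by the policy: an object is shared only if its colour
# is no more restrictive than the policy ceiling.
TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}

# Constructed sharing policy derived from a hypothetical security policy:
# which object types may leave the organisation, which fields of each type
# are released, and the most sensitive TLP colour that may be shared.
SHARING_POLICY = {
    "max_tlp": "green",
    "allowed_types": {
        "indicator": ["id", "type", "pattern", "valid_from", "tlp"],
        "malware": ["id", "type", "name", "is_family", "tlp"],
    },
}

# Constructed CTI bundle as an analyst might record it internally.
INTERNAL_BUNDLE = {"type": "bundle", "objects": [
    {"id": "indicator--1", "type": "indicator", "tlp": "green",
     "pattern": "[file:hashes.'SHA-256' = 'PLACEHOLDER_HASH']",
     "valid_from": "2016-01-01T00:00:00Z",
     "x_internal_analyst": "alice", "x_internal_case": "CASE-42"},
    {"id": "indicator--2", "type": "indicator", "tlp": "red",
     "pattern": "[ipv4-addr:value = '203.0.113.10']",
     "valid_from": "2016-01-02T00:00:00Z"},
    {"id": "malware--1", "type": "malware", "tlp": "white",
     "name": "SampleFamily", "is_family": True,
     "x_internal_victim_host": "fileserver01"},
    {"id": "identity--1", "type": "identity", "tlp": "white",
     "name": "Constructed Corp"},
]}


def extract_shareable(bundle, policy):
    """Return a new bundle holding only what the policy permits: an object is
    released only if its type is allow-listed and its TLP colour is within
    the ceiling (unmarked objects count as red); of each released object only
    the listed fields are copied, so x_internal_* extensions never leave.
    """
    ceiling = TLP_RANK[policy["max_tlp"]]
    released = []
    for obj in bundle["objects"]:
        fields = policy["allowed_types"].get(obj["type"])
        if fields is None or TLP_RANK[obj.get("tlp", "red")] > ceiling:
            continue
        released.append({k: obj[k] for k in fields if k in obj})
    return {"type": "bundle", "objects": released}
```

Because the released object is rebuilt from the allow-list rather than by deleting known-sensitive keys, a new internal field added later is withheld by default instead of leaking.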
Functions to create and use advanced CTI
* Sample similarity scoring system to find similar malware – This system determines the similarity between multiple pieces of malware based on the structure of malware executable files obtained as samples and the characteristics of their behaviour. This makes it possible to easily discover the relationship between similar cyber-attacks.
* CTI graph analytics and editing – This system includes a function to display an overview of the constituent elements of cyber-attacks recorded in CTI information, including essential details (including attacker information, time, likely objectives, attack targets, and intrusion paths and methods) and response methods, and displays a diagram of the relationship between these elements. By extracting cyber-attacks with elements identical or similar to the original attack and displaying them side-by-side as related cyber-attacks, this system makes it possible to visually study the relationship between them. By lining up diagrams of multiple cyber-attacks, it becomes easier to discover cyber-attack elements, such as attacker information, which would previously have been difficult to find.
* Secure private translation to support CTI sharing with European and US organisations – Because CTI information is recorded in the language of the country where it is created, translation is necessary before it can be connected with CTI created in other countries. Using a translation function provided online would mean putting the cyber-attack information to be translated onto the internet, creating the possibility that attackers detect that their cyber-attacks have already been analysed and are being shared as CTI. To avoid this, and to promote incorporation of CTI created in English in the US and Europe, where cyber-attack responses are very advanced, this system is equipped with an English-to-Japanese translation function that runs completely within the system.
* Automation engine to allow efficient, advanced analysis – This system is equipped with a function that suggests the analysis and response methods it judges appropriate, based on the malware and IP addresses that come up in the analysis. This enables simple and rapid responses to a cyber-attack.
* A strong partnership with BAE Systems – US defence industries have extensive experience protecting their data from advanced cyber-attacks. Through dealing with such attacks, they have accumulated know-how and established capabilities for cyber-attack analysis and response. In particular, BAE Systems has operated its Global SOC for many years, with efficient security processes that enable effective security with a minimal number of senior analysts.
BAE Systems leverages its heritage in data analytics and draws upon its extensive experience gained in providing cyber protection to governments and businesses worldwide. BAE Systems offers comprehensive threat analytics capabilities to manage threat intelligence and to detect and investigate unknown cyber threats, advanced persistent threats, and zero-day attacks.
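The sample similarity scoring described in the list above, as an added illustration that is not the Fujitsu/BAE Systems scoring system: each sample is summarised by structural features of the executable (imports, section names) and by behaviour observed in a sandbox, a weighted Jaccard score is computed per pair, and pairs above a threshold are reported as candidates for linking the attacks they came from. The feature groups, weights, threshold and sample data are constructed assumptions.

```python
"""Similarity scoring between malware samples from structural and behavioural
features. Added illustration, not the Fujitsu/BAE Systems scoring system; the
feature sets, weights and sample data are constructed assumptions."""

# Constructed feature records for three samples. 'imports' and 'sections'
# stand for the structure of the executable file; 'behaviour' for events
# observed when the sample ran in a sandbox.
SAMPLES = {
    "sample-A": {
        "imports": {"CreateRemoteThread", "WriteProcessMemory", "InternetOpenA",
                    "RegSetValueExA", "GetProcAddress"},
        "sections": {".text", ".rdata", ".data", ".upx0"},
        "behaviour": {"net:http_beacon", "reg:run_key", "proc:inject_remote"},
    },
    "sample-B": {  # same family as A, rebuilt with a different packer
        "imports": {"CreateRemoteThread", "WriteProcessMemory", "InternetOpenA",
                    "RegSetValueExA", "LoadLibraryA"},
        "sections": {".text", ".rdata", ".data", ".rsrc"},
        "behaviour": {"net:http_beacon", "reg:run_key", "proc:inject_remote"},
    },
    "sample-C": {  # unrelated file-encrypting sample
        "imports": {"CryptEncrypt", "FindFirstFileW", "DeleteFileW", "GetProcAddress"},
        "sections": {".text", ".rdata", ".data", ".rsrc"},
        "behaviour": {"fs:mass_write", "fs:delete_shadow", "ui:ransom_note"},
    },
}

# Behaviour is weighted above file structure because packing and recompiling
# change imports and sections far more than they change what the sample does.
WEIGHTS = {"imports": 0.3, "sections": 0.1, "behaviour": 0.6}


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets are treated as identical."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def similarity(x, y):
    """Weighted Jaccard similarity across all feature groups."""
    return sum(w * jaccard(x[g], y[g]) for g, w in WEIGHTS.items())


def related_pairs(samples, threshold=0.6):
    """Return (score, a, b) for pairs scoring at or above the threshold,
    highest first; an analyst can use these to link the attacks in CTI."""
    names = sorted(samples)
    pairs = [(similarity(samples[a], samples[b]), a, b)
             for i, a in enumerate(names) for b in names[i + 1:]]
    return sorted(((round(s, 3), a, b) for s, a, b in pairs if s >= threshold),
                  reverse=True)
```

Sharing only one structural group (identical section layouts, as B and C do here) is not enough to link samples, which is why the behavioural group carries most of the weight.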
Fujitsu will continue this partnership with BAE Systems and refine the system toward commercialisation of this technology.