Fujitsu's High-Speed Forensic Technology to Analyze Cyber Attack Impacts
KAWASAKI, JP: Fujitsu announces the development of a new technology that responds to a cyber attack by analyzing its damage and impact immediately after the attack is detected. The technology analyzes the status of a targeted cyber-attack in a short period of time and shows the whole picture at a glance.
Cyber attacks targeting specific organizations or individuals have increased in recent times. Cyber criminals infect organizations with malware, which they later use to leak confidential information, endangering both the organization and its partners. Preventing these sorts of malware attacks is extremely difficult, so there is a mounting need for countermeasures against malware intrusion.
Traditional methods of assessing the damage caused by a malware attack on a particular organization require analyzing all sorts of logs on networks and PCs. This method is time consuming and cannot give a complete picture of the severity of the attack, because each log yields only fragmentary information. Other methods collect and analyze network communications constantly, but the enormous volume of data involved makes it difficult to collect and analyze the data.
Taking the above challenges into consideration, Fujitsu Laboratories has now developed technology to quickly analyze the status of a targeted cyber-attack and show the whole picture at a glance. The key features of the technology are trace collection technology and attack progress status extraction technology.
Trace collection technology
This technology collects communications data flowing through the network, and then, by inferring from the communications data the commands carried out on the PC, it abstracts the huge volume of communications data at the operation level and compresses it. Furthermore, by efficiently connecting command operations with specified user information, it can identify who executed what type of remote control and collect trace information about command operations. This enables communications data flowing through a network to be compressed to about 1/10,000th the scale for storage.
Attack progress status extraction technology
This technology analyzes the trace information collected with the above technology, distinguishing communications generated by ordinary tasks from communications with a high probability of being attacks, on the basis of defined actions characteristic of targeted cyber-attacks. In this way it can extract the state of progress of an attack in a short period of time.
By installing an analysis system incorporating these technologies into an internal network with a high volume of communications, it becomes possible, for example, to extract a series of command operations from a specific PC out of a day's worth of communication trace logs in a few seconds or a few tens of seconds. Users of this newly developed analysis system can therefore collect and investigate these traces constantly, so that when a targeted cyber-attack is detected, the PCs related to the attack can be extracted one after another; because the attack status is automatically drawn as a bird's-eye view, the whole picture of the attack can be grasped at a glance.
With this newly developed technology, security incident analysis that previously required experts can be performed by non-experts. It also saves time, allowing the required countermeasures to be taken before the damage caused by the cyber-attack spreads.
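The two steps described above, abstracting raw communications into operation-level trace records and then following remote-control operations outward from a detected PC to draw the attack's bird's-eye view, can be illustrated with a small script. The code below is an added example and is not Fujitsu's own implementation; the event format, the operation names, the set of "ordinary" versus "attack-characteristic" operations, and the host names are all constructed assumptions for illustration.

```python
"""
Added example (not Fujitsu's code): operation-level trace abstraction and
attack-progress extraction over constructed communication events.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trace:
    t: int      # seconds since start of day (constructed)
    user: str   # account the operation was attributed to
    src: str    # PC that issued the operation
    dst: str    # PC or server that received it
    op: str     # operation inferred from the flow, e.g. "remote_exec" (assumed names)


# Constructed raw events: (t, user, src, dst, op). Repeated flows of the same
# operation are collapsed by abstract_traces() into one trace entry, which is
# where the storage compression comes from.
RAW_EVENTS = [
    (100, "alice", "pc-01", "fileserver", "smb_read"),
    (101, "alice", "pc-01", "fileserver", "smb_read"),
    (102, "alice", "pc-01", "fileserver", "smb_read"),
    (200, "bob", "pc-02", "printer", "print"),
    (300, "svc-admin", "pc-01", "pc-02", "remote_exec"),
    (301, "svc-admin", "pc-01", "pc-02", "remote_exec"),
    (320, "svc-admin", "pc-02", "dc-01", "remote_exec"),
    (340, "svc-admin", "dc-01", "pc-07", "remote_exec"),
    (350, "svc-admin", "pc-07", "fileserver", "smb_read"),
    (400, "carol", "pc-05", "pc-06", "remote_exec"),  # unrelated admin task
]

ORDINARY_OPS = {"print", "dns", "http"}  # assumed: generated by ordinary tasks
ATTACK_OPS = {"remote_exec"}             # assumed: characteristic of remote control


def abstract_traces(events, window=60):
    """Collapse repeated (user, src, dst, op) flows within `window` seconds
    into a single Trace, keeping the time of the first occurrence."""
    traces, last_seen = [], {}
    for t, user, src, dst, op in sorted(events):
        key = (user, src, dst, op)
        if key in last_seen and t - last_seen[key] <= window:
            last_seen[key] = t
            continue
        last_seen[key] = t
        traces.append(Trace(t, user, src, dst, op))
    return traces


def compression_ratio(events, traces):
    """How many raw events each stored trace entry stands for."""
    return len(events) / len(traces)


def extract_attack_progress(traces, seed_pc):
    """Starting from a PC flagged by detection, follow remote-control operations
    outward in time order and return the edges (user, src, dst, t) of the attack graph."""
    by_src = defaultdict(list)
    for tr in traces:
        if tr.op in ORDINARY_OPS:
            continue  # drop communications generated by ordinary tasks first
        if tr.op in ATTACK_OPS:
            by_src[tr.src].append(tr)
    seen = {seed_pc}
    queue = deque([(seed_pc, 0)])
    edges = []
    while queue:
        pc, arrived_at = queue.popleft()
        for tr in sorted(by_src[pc], key=lambda x: x.t):
            if tr.t < arrived_at:
                continue  # remote control issued before the attacker reached this PC
            edges.append((tr.user, tr.src, tr.dst, tr.t))
            if tr.dst not in seen:
                seen.add(tr.dst)
                queue.append((tr.dst, tr.t))
    return edges


def related_pcs(edges, seed_pc):
    """Ordered list of PCs pulled into the attack graph, seed first."""
    pcs = [seed_pc]
    for _, _, dst, _ in edges:
        if dst not in pcs:
            pcs.append(dst)
    return pcs


if __name__ == "__main__":
    traces = abstract_traces(RAW_EVENTS)
    print(f"{len(RAW_EVENTS)} events -> {len(traces)} traces "
          f"({compression_ratio(RAW_EVENTS, traces):.2f}x)")
    edges = extract_attack_progress(traces, "pc-01")
    for user, src, dst, t in edges:
        print(f"t={t:>4} {user:<10} {src} -> {dst}")
    print("PCs related to the attack:", related_pcs(edges, "pc-01"))
```

Two design points carry over from the description: communications from ordinary tasks are removed before any graph is built, so a legitimate administrator's remote session (carol's in the constructed data) is never drawn into the picture unless the detected chain actually reaches it, and the time check on each hop keeps the traversal from absorbing remote control that happened on a PC before the attacker arrived there. In a real deployment the operation inference from raw flows is the hard part; here it is taken as given in the event records.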