Fujitsu has developed a new technology that rapidly analyzes damage status after detexting a cyber attack against businesses. In the event of malware attacks, it was previously necessary to analyze a range of logs on networks and devices to clarify attack status. However, in order to grasp the whole picture of the attack, analysis by an expert over the course of many hours was required.
By automating and improving the efficiency of the information collection components necessary for attack status analysis via network communications analysis, Fujitsu Laboratories has developed forensics technology to analyze the status of a targeted cyber-attack in a short period of time and show the whole picture at a glance.
Fujitsu's technology collects data flowing through the network, and then, by inferring from the communications data the commands carried out on the PC, it abstracts the huge volume of communications data at the operation level and compresses it. Furthermore, by efficiently connecting command operations with specified user information, it can identify who executed what type of remote control and collect trace information about command operations. This enables communications data flowing through a network to be compressed to about 1/10,000th the scale for storage.
Analyzing the trace information collected with the above technology by distinguishing between communications generated by ordinary tasks and communications with a high probability of being attacks on the basis of defined actions characteristic of targeted cyber-attacks, this technology can extract the state of progress of an attack in a short period of time.
By installing an analysis system incorporating these technologies into an internal network with a high volume of communications, it becomes possible to extract a series of command operations from a specific PC from amongst a day's worth of communication trace logs in a few seconds or a few tens of seconds, for example. In this way, users of this newly developed analysis system can constantly collect and investigate these traces, so when a targeted cyber-attack is detected, PCs related to the attack can be extracted one after another, and because the attack status is automatically drawn as a bird's-eye view, it is possible to grasp the whole picture of the attack at a glance.
Fujitsu will continue to improve this technology's functions, aiming for a practical implementation in fiscal 2016 and incorporation into services provided by Fujitsu Limited after fiscal 2016.