Fujitsu has demonstrated its ability to link and achieve mutual compatibility between its in-house-developed cyber threat intelligence (CTI)(1) utilization system and the US Department of Homeland Security’s (DHS) system for sharing CTI provided through its Automated Indicator Sharing (AIS) program which rapidly shares cyber threat indicators between government and private companies.
By linking these systems, Fujitsu will be able to analyze both the CTI it already possesses as well as the CTI from AIS. In so doing, when a cyberattack occurs, threat indicators about attacks with the same or similar elements, as well as intelligence about countermeasures can be rapidly supplied from AIS and used to respond. In addition, by setting the link so that the latest CTI is uploaded onto AIS and automatically reflected to Fujitsu’s security products and services that protect customer systems, Fujitsu can automate tasks such as the addition of rules to respond to new cyberattacks, which previously had to be done manually. This shortens the work time required of those responsible for cybersecurity and reduces the chance for mistakes.
Fujitsu is positioning this CTI utilization system as a linchpin in building a proactive defense against an expanding number of cyberattacks. Going forward, Fujitsu will link this system with its security products and services for malware detection and other tasks in response to the latest cyberattacks.
Background
As the threat of cyberattacks has increased in recent years, demand has been growing for enhanced security countermeasures to protect the critical infrastructure that supports society. In addition, there have been issues with a lack of analysts with advanced skills that can respond to ingenious and difficult-to-detect cyberattacks, making it increasingly important to utilize CTI on a global scale.
The DHS is promoting its AIS program, which is an effort to rapidly share massive amounts of CTI around the world between participating organizations and corporations. Fujitsu has been connected to the framework since June 2017.
In order to more efficiently use CTI from AIS, Fujitsu has now connected the CTI utilization system it developed with AIS’s CTI sharing system, enabling its use in rapid responses to cyberattacks.
The AIS program
The AIS program consists of the US government and government institutions and private companies, both inside and outside the US, rapidly sharing CTI through a system operated by the DHS. As of the end of June 2017, 147 organizations are now connected. CTI shared through AIS uses the STIX(2) format and TAXII(3) protocol standardized by the OASIS CTI Technical Committee(4) for the sharing of CTI.
AIS offers the following features.
1. Rapid sharing of CTI
The CTI provided by participating government institutions and private corporations can be shared with a simple process so that this program facilitates the rapid sharing of CTI among participating organizations.
2. Anonymization of CTI provider
The name of the organization or company that provided CTI can be anonymized as necessary, enabling the provision of CTI without revealing the source to the end user.
3. Participating organizations can utilize CTI safely and securely
To participate in AIS, an organization is required to submit application documents to DHS for approval. Participating organizations are therefore able to mutually utilize CTI safely and securely.
About Fujitsu’s CTI Utilization System
In order to efficiently share CTI between various organizations and companies, and rapidly build effective countermeasures, Fujitsu developed a CTI utilization system that incorporates functionality to safely and easily generate and use advanced CTI, and has been operating this system internally since August 2016.
1. Functionality safely and easily shares CTI between organizations and companies
This system incorporates functions to accept CTI in standard formats established by the OASIS CTI Technical Committee, as well as a function that enables users to choose who shares what information from within the CTI. With these capabilities, CTI can be collected from a variety of providers, combined, and utilized. This system’s ability to link with FireEye iSIGHT Intelligence(5) has already been confirmed.
2. Advanced CTI analysis and editing functionality
This system incorporates functionality providing visibility into the relationships between the constituent elements of a cyberattack recorded in each piece of CTI, including basic information such as the attacker, the time, the target, the machines attacked, and intrusion pathways and methods, as well as countermeasures. This enables users to extract cyberattacks with identical or similar elements to another cyberattack, visually checking the relationship between them, and simplifying discovery of new commonalities between cyberattacks, including information about attackers that could not have been discovered previously.
Linking Fujitsu’s CTI Utilization System with CTI from AIS
Fujitsu has confirmed it successfully linked its CTI utilization system with AIS. Through this, Fujitsu expects the following results.
– Because it is possible to rapidly collect cyber threat indicators from around the world and immediately build concrete countermeasures, this connection is capable of preemptively preventing risks such as information leaks.
– By connecting CTI from AIS with Fujitsu’s security products and services, and setting the system to automatically update with new CTI, even existing security products and services become capable of immediately responding to new cyberattacks. This will shorten the time spent by those responsible for security on operations, and reduce the number of mistakes.
Future Plans
Fujitsu is beginning to link its CTI utilization system, now linked with CTI from AIS, with a variety of security products and services, implementing them internally under the Fujitsu Advanced Artifact Analysis Laboratory(6), an advanced security analysis organization. Going forward, Fujitsu aims to provide security products and services that can respond to the very latest cyberattacks by reflecting the results of this implementation in its security products and services.
(1) Cyber Threat Intelligence
The kinds of information yielded by a sophisticated analysis of a cyberattack (such as the attacker, timing, objective, target of the attack, and route and method of the intrusion), as well as information on ways of dealing with the attack, all in a format that can be used by a computer.
(2) STIX (Structured Threat Information eXpression)
A structured language for describing cyber threat information so it can be shared, stored, and analyzed in a consistent manner.
(3) TAXII (Trusted Automated eXchange of Indicator Information)
An application layer protocol for the communication of cyber threat information in a simple and scalable manner.
(4) OASIS CTI Technical Committee
The OASIS Cyber Threat Intelligence (CTI) TC was chartered to define a set of information representations and protocols to address the need to model, analyze, and share cyber threat intelligence.
(5) FireEye iSIGHT Intelligence
The cyber threat intelligence service provided by FireEye, Inc. https://www.fireeye.com/products/isight-cyber-threat-intelligence-subscriptions.html
(6) Fujitsu Advanced Artifact Analysis Laboratory
Jointly established by Fujitsu Limited and PFU Limited in Tokyo and Yokohama on November 18, 2015, this organization brings together and analyzes security information on a global scale.
About Fujitsu Ltd
Fujitsu is the leading Japanese information and communication technology (ICT) company, offering a full range of technology products, solutions, and services. Approximately 155,000 Fujitsu people support customers in more than 100 countries. We use our experience and the power of ICT to shape the future of society with our customers. Fujitsu Limited (TSE: 6702) reported consolidated revenues of 4.5 trillion yen (US$40 billion) for the fiscal year ended March 31, 2017. For more information, please see http://www.fujitsu.com.