The phrase “hindsight is a beautiful thing” is often used in the cybersecurity industry, and it’s easy to see why. It is a statement borne out of real wisdom, and everyone can identify with the idea that they would have done things differently in a given circumstance if they had known all of the facts.
But the next part of that quote from the poet William Blake reads “but foresight is better,” and that is the sentiment that those responsible for the protection of their organization’s cybersecurity need to grasp.
We frequently see reports of cyberattacks in the press, and increasingly we also see reports of the damage those attacks do to an organization’s operations and to its customers or citizens.
The damage can be very tangible: industry estimates now put the average cost of a data breach at $3.86M. We are also seeing more reports of lawsuits from consumers whose personal data has been compromised in a breach.
With those trends in mind, it is easy to see why foresight is much more important than hindsight for today’s organizations.
2020 has taught us that no one can predict the future, but there is a way to gather intelligence about potential threats to, and vulnerabilities in, your organization so that you have the foresight you need to tackle those threats before they can cause damage.
Uncovering that intelligence and turning it into something actionable is exactly what our Cyber Threat Intelligence team does every day by applying their expertise, using industry-leading tools and information sources, to keep our customers ahead of threats to their business.
At Fujitsu, we continually deliver the foresight organizations need to stay ahead of cyber threats. We call this Intelligence-led Security, and this is how we do it.
Fujitsu’s Cyber Threat Intelligence (CTI) team continually monitors multiple information sources and threat intelligence feeds to stay abreast of the latest reports of newly identified vulnerabilities, threats, and exploits.
Our CTI experts corroborate any intelligence gathered against additional advisories, Open Source Intelligence (OSINT), and existing security research to check the validity of the report, its impact, and how easily the vulnerability can be exploited.
Where public proof-of-concept (PoC) code or working exploits exist, they are collected as well, both as intelligence in their own right and as the basis for signature creation.
Analysis and collection
Once a new threat, vulnerability or exploit has been confirmed, the CTI team uses multiple sources to identify high-fidelity IOCs (indicators of compromise) and other key indicators. The CTI team records these in MISP (Malware Information Sharing Platform), an open-source threat intelligence platform, as attributes of an event describing exploitation of the vulnerability.
These key indicators could be artefacts captured in log files on a host, or in network traffic targeting an affected product; for example, file paths requested by an attacker are recorded in MISP with the attribute type “pattern-in-traffic.”
Details of the IOC/indicator are provided to our Threat Logic team to create rules and alerts.
Building search rules
Once the details have been stored in MISP, the Fujitsu Threat Logic team uses them to create search rules for our SIEM (Security Information and Event Management) system, so that log data can be searched for these IOCs and alerts raised when they are found.
Once implemented, the rules are tested to ensure that they perform correctly: that they fire on the exploit pattern and do not fire on normal traffic.
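The two steps above (record indicators in MISP, then turn them into SIEM search rules and test them) fit together as follows. This is an added example and not Fujitsu’s code: it reads a MISP-shaped event (MISP’s JSON export nests attributes as Event → Attribute, each with a type, value and a to_ids flag marking it as suitable for detection), compiles the detection-worthy attributes into rules, runs them over log lines, and checks that the rules fire where they should and nowhere else. The event, its indicator values, the hypothetical “ExampleApp” vulnerability and all log lines are constructed placeholders for illustration.

```python
import json
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed MISP-style event. Shape follows MISP's JSON export; every value is a
# placeholder for this example (hypothetical product, documentation IP ranges, fake hash).
MISP_EVENT_JSON = json.dumps({
    "Event": {
        "info": "Hypothetical ExampleApp path-traversal exploitation (constructed)",
        "Attribute": [
            {"type": "pattern-in-traffic", "value": "/example/../../etc/passwd", "to_ids": True},
            {"type": "ip-src", "value": "203.0.113.42", "to_ids": True},
            {"type": "sha256", "value": "0123456789abcdef" * 4, "to_ids": True},
            # Context only: to_ids=False means "record it, but never alert on it".
            {"type": "comment", "value": "low-confidence scanner seen in honeypot", "to_ids": False},
        ],
    }
})

# Constructed log lines: three web-server access lines and one endpoint file event.
SAMPLE_LOGS = [
    '203.0.113.42 - - [10/Aug/2020:12:00:00 +0000] "GET /example/../../etc/passwd HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Aug/2020:12:00:05 +0000] "GET /example/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Aug/2020:12:01:00 +0000] "GET /example/index.html HTTP/1.1" 200 2048',
    'host=ws01 event=file_write path=C:\\Temp\\update.exe sha256=' + "0123456789ABCDEF" * 4,
]

ACCESS_LOG_RE = re.compile(r'^(?P<src_ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line: str) -> Dict[str, str]:
    """Normalise a raw line into the fields that rules match on."""
    m = ACCESS_LOG_RE.match(line)
    if m:
        # URL-decode the request path so an encoded traversal (%2e%2e) is compared in
        # the same form the indicator was recorded in. One decode pass only; a
        # double-encoded path would need repeated decoding, which is left out here.
        from urllib.parse import unquote
        return {"src_ip": m.group("src_ip"), "request_path": unquote(m.group("path")).lower()}
    fields = dict(KV_RE.findall(line))  # key=value style endpoint event
    if "sha256" in fields:
        fields["sha256"] = fields["sha256"].lower()
    return fields


@dataclass
class Rule:
    name: str
    field: str                     # parsed log field the rule inspects
    match: Callable[[str], bool]   # predicate over that field's value


def build_rules(misp_event_json: str) -> List[Rule]:
    """Compile the to_ids attributes of a MISP event into SIEM search rules."""
    rules: List[Rule] = []
    for a in json.loads(misp_event_json)["Event"]["Attribute"]:
        if not a.get("to_ids"):
            continue  # context-only attribute, never a detection rule
        t, v = a["type"], a["value"]
        if t == "pattern-in-traffic":
            # Substring match on the normalised request path.
            rules.append(Rule(f"traffic:{v}", "request_path", lambda x, n=v.lower(): n in x))
        elif t in ("ip-src", "ip-dst"):
            rules.append(Rule(f"{t}:{v}", "src_ip" if t == "ip-src" else "dst_ip", lambda x, n=v: x == n))
        elif t in ("md5", "sha1", "sha256"):
            rules.append(Rule(f"{t}:{v[:12]}", t, lambda x, n=v.lower(): x == n))
        # Other MISP types (domain, url, ...) would get their own normalisation here.
    return rules


def run_rules(rules: List[Rule], log_lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per (rule, line) pair where the rule matches."""
    hits = []
    for line in log_lines:
        rec = parse_log_line(line)
        for r in rules:
            val = rec.get(r.field)
            if val is not None and r.match(val):
                hits.append({"rule": r.name, "line": line})
    return hits


def rules_pass_test(rules: List[Rule], true_positives: List[str], benign: List[str]) -> bool:
    """The test the page describes: every known-bad line fires, no benign line does."""
    return all(run_rules(rules, [l]) for l in true_positives) and not any(run_rules(rules, [l]) for l in benign)


if __name__ == "__main__":
    rules = build_rules(MISP_EVENT_JSON)
    for h in run_rules(rules, SAMPLE_LOGS):
        print(f"{h['rule']:45} <- {h['line'][:60]}")
    print("rule test passed:", rules_pass_test(rules, SAMPLE_LOGS[:2] + SAMPLE_LOGS[3:], SAMPLE_LOGS[2:3]))
```

The two points a practitioner should take from this are the to_ids check (MISP events routinely carry context attributes that must not become alerts) and the normalisation step before matching, since the second access line carries the same traversal as the indicator in URL-encoded form and a naive substring search on the raw line would miss it.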
Creating the Threat Advisory
All of the information gathered is compiled into a Threat Advisory report by one of our expert analysts. This Advisory outlines the vulnerability, its characteristics and severity, references to CVE identifiers, and recommends steps for mitigation.
Providing the foresight
The Threat Advisory is shared with our customer-facing teams so that they can share details of the vulnerability with customers, and confirm that our Advanced Threat Centre (ATC) has already implemented rules to detect any attacks that would exploit that vulnerability.
The power of foresight
This methodology is already helping our customers to stay ahead of potentially damaging threats.
In August this year, our CTI team saw a customer continue to be targeted by a malicious email campaign delivering Ursnif malware. The August attempts were blocked by a custom rule the team had created and deployed on the email security solution in April, based on a very specific attribute of the campaign that the team had identified.
Before that rule was in place, these campaigns were bypassing the email security solution and reaching user mailboxes. Our investigation into the new August campaigns showed that the threat actor had adapted some of their methods: as well as trying to deliver Ursnif, one campaign carried what appeared to be an Emotet payload, and another used an attached PPSX file that attempts to download a Trojan from a malicious web server.
The proactive, intelligence-based work in April meant that the August threat was blocked and the customer was kept secure. This is a concrete example of how Fujitsu’s intelligence-led security keeps customers secure from evolving threats, and of why foresight is so much better than hindsight.