RiskIQ

LAC Co.,Ltd.

With PassiveTotal, LAC can quickly grasp the past IP address/domain name information needed to respond to cyberattacks. Proactive defense that preempts attackers has also become possible, and work efficiency at the Cyber Emergency Center and the security research department has improved significantly.

POINT
  • Intelligence tools are essential for investigating and analyzing cyberattacks
  • A user interface with abundant information and excellent operability
  • Provides a rich API
Mr. Tsuneo Ogasawara
Director, Next Generation Technology Development Center, CYBER GRID JAPAN

Mr. Yoshihiro Ishikawa
Cyber Emergency Center, Cyber Security Division, IT Professional Headquarters

Utilization of intelligence tools is essential for efficient investigation and analysis of cyberattacks

LAC is known as a leading company in the cyber security field. The pillars of the company's business are the SI business it has developed since its founding and the security business it launched as Internet use spread.

In addition, the company operates the "Cyber Emergency Center", a specialized organization that supports companies and organizations that have suffered cyber damage, and the "JSOC", one of the largest security monitoring and operation centers in Japan. Furthermore, in 2014 it established CYBER GRID JAPAN, a research division that brings together security experts to prevent damage caused by cyberattacks, where it works on related technology research and human resource development. Mr. Tsuneo Ogasawara, Director of the CYBER GRID JAPAN Next Generation Technology Development Center, said, "The company is engaged in various activities like this, but in doing so it is important to investigate and analyze threats such as fraudulent sites, and it is intelligence tools that play that role."

Intelligence tools make investigation and analysis efficient by letting analysts check the IP address/domain name information and WHOIS information of the unauthorized communication destinations found during malware analysis and incident response. Yoshihiro Ishikawa of the Cyber Emergency Center, Cyber Security Division, IT Professional Headquarters explains, "When investigating and analyzing cyberattacks, it is necessary to find out who the malware communicated with externally, but since the IP addresses and domain names of many malicious sites change frequently, it is necessary to grasp past IP address/domain name information to some extent, such as when the abuse started and when it was revived. There was a growing need for intelligence tools."

Under these circumstances, the effectiveness of a method called "Passive DNS" gradually began to attract attention among analysts. Passive DNS passively records and monitors DNS traffic between servers, making it possible to check how the relationship between IP addresses and domain names has changed over time. Specifically, starting from IP address and domain name information that analysts already know, Passive DNS can expose other fraudulent sites related to the same attackers. "The company started to use it for analysis work in earnest around 2013. While searching for an excellent tool, we came to know of the threat analysis tool 'PassiveTotal' provided by RiskIQ of the United States." (Mr. Ogasawara)
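The two Passive DNS uses described above, reconstructing a domain's resolution history (including when it went quiet and revived) and pivoting from a known indicator to infrastructure that shared an IP at the same time, as an added illustration that is not part of the original case study or of PassiveTotal's own API. The records, domain names, and addresses are constructed sample data in documentation ranges, and the shared-hosting threshold is an assumed heuristic.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PdnsRecord:
    """One passive DNS observation: domain resolved to ip between the two dates."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date


# Constructed sample data (hypothetical names, documentation-range addresses).
RECORDS = [
    PdnsRecord("update-check.example", "203.0.113.10", date(2015, 3, 1), date(2015, 6, 30)),
    PdnsRecord("update-check.example", "198.51.100.7", date(2015, 9, 1), date(2016, 1, 15)),
    PdnsRecord("cdn-mirror.example", "203.0.113.10", date(2015, 4, 10), date(2015, 7, 2)),
    PdnsRecord("news-portal.example", "203.0.113.10", date(2016, 2, 1), date(2016, 2, 28)),
    PdnsRecord("login-form.example", "192.0.2.50", date(2015, 5, 1), date(2015, 5, 20)),
    PdnsRecord("blog-a.example", "192.0.2.50", date(2014, 1, 1), date(2016, 12, 31)),
    PdnsRecord("blog-b.example", "192.0.2.50", date(2014, 1, 1), date(2016, 12, 31)),
    PdnsRecord("blog-c.example", "192.0.2.50", date(2014, 1, 1), date(2016, 12, 31)),
]


def timeline(domain, records=RECORDS):
    """Resolution history of a domain, oldest first, as (ip, first_seen, last_seen)."""
    hits = ((r.ip, r.first_seen, r.last_seen) for r in records if r.domain == domain)
    return sorted(hits, key=lambda t: t[1])


def dormant_periods(domain, records=RECORDS, min_days=30):
    """Gaps of at least min_days with no observed resolution: when the domain
    went quiet and was later revived. Returns (quiet_from, revived_on) pairs."""
    tl = timeline(domain, records)
    return [(a[2], b[1]) for a, b in zip(tl, tl[1:]) if (b[1] - a[2]).days >= min_days]


def _overlaps(a, b):
    return a.first_seen <= b.last_seen and b.first_seen <= a.last_seen


def related_domains(domain, records=RECORDS, max_domains_per_ip=3):
    """Pivot from a known domain to other domains that shared one of its IPs
    while it was in use. IPs hosting more than max_domains_per_ip domains are
    skipped as likely shared hosting, which would link unrelated sites."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r.ip].append(r)
    found = defaultdict(set)
    for mine in (r for r in records if r.domain == domain):
        hosted = by_ip[mine.ip]
        if len({r.domain for r in hosted}) > max_domains_per_ip:
            continue  # assumed shared-hosting heuristic; a real analyst would tune this
        for other in hosted:
            if other.domain != domain and _overlaps(mine, other):
                found[other.domain].add(mine.ip)
    return dict(found)
```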

Realizing results with the free version; appreciating the rich information, excellent operability, and full API

PassiveTotal is a SaaS-type solution that accumulates data such as DNS information and WHOIS information collected by RiskIQ itself and enables multifaceted threat analysis. At first, LAC used the free version, partly because PassiveTotal was not yet sold in Japan. Although the free version has some limitations compared to the paid version, it was still very effective for understanding threats and tracking attackers.

Later, in May 2016, Macnica entered into a sales agency agreement with RiskIQ. Once the service became available in Japan, LAC decided to introduce the paid version, which has no restrictions on usage. "When introducing the service, we compared and considered the services of three to four other companies, and found that PassiveTotal had an excellent user interface, in addition to its rich amount of information and the breadth of what it collected." (Mr. Ishikawa)

In addition to being able to search for communication content, PassiveTotal adds tag information, hash information, related reports found on the Internet, and so on, and provides a full API; this was another reason LAC went ahead with the introduction. "As a researcher, I would like to try various things when conducting research, and PassiveTotal seemed to be the most suitable for my needs." (Mr. Ogasawara)

Significant improvement in work efficiency and significant labor savings; proactive defense that gets ahead of attackers

At LAC, three groups use PassiveTotal: malware analysts, threat intelligence analysts, and threat intelligence platform development engineers.

Among them, malware analysts use PassiveTotal to investigate fraudulent domain names and IP addresses. Threat information created through this analysis is used in each service provided by LAC.

Threat intelligence analysts, on the other hand, mainly use it for attribution (identifying attackers). Specifically, they use it to analyze attackers' techniques and to investigate and analyze specific threats and malware themes.

The threat intelligence platform development engineers mainly use it for research at CYBER GRID JAPAN, where it helps enrich the threat information the company accumulates. They are also improving the environment that supports analysts' work at the research center, that is, building an intelligence platform that makes analysis quick and easy. "By introducing PassiveTotal, work efficiency has improved dramatically and significant labor savings have been achieved. In addition, functions such as accumulating WHOIS information alongside Passive DNS have been enhanced, so its usefulness keeps expanding." (Mr. Ishikawa)

Another big effect is that the defending side now has a way to get ahead of the attacker.
"PassiveTotal also contributes greatly to the realization of proactive defense. By using PassiveTotal, we are now able to pay attention to IP addresses and domain names that are suspected of being abused in the future." (Mr. Ogasawara)

Linking with other tools to provide new solutions

In the future, LAC aims to provide new solutions that utilize PassiveTotal. Mr. Ogasawara says, "By linking with other solutions, we would like to realize a service that can automatically perform proactive defense."

By combining PassiveTotal with LAC's in-house analyst support system, threats can be detected, investigated, and analyzed automatically on the basis of the various data collected. This enables appropriate responses and contributes to the protection and stable operation of information systems. LAC is also considering integration with the data analysis platform "Splunk". "I hope PassiveTotal will further enhance its API and strengthen cooperation with other services." (Mr. Ogasawara)

User Profile

LAC Co.,Ltd.

Location: 〒102-0093, 2-16-1 Hirakawacho, Chiyoda-ku, Tokyo
Introduction time: May 2016

Founded in 1986. Since 1995, LAC has been working on the information security business and was the first in Japan to provide security diagnostics. Currently, as a leading company in this field, it provides state-of-the-art IT total solution services backed by industry-leading security technology to customers such as government agencies, companies, and organizations.
