
Extend threat hunting services to overseas bases by ITOCHU CSIRT

2024.06.02 | Product Management
Macnica Networks offers the "Mpression Threat Hunting Service", in which its security analysts analyze the scan results produced by TeamT5's ThreatSonar and perform threat hunting on behalf of customers. In addition, by incorporating custom signatures built from the threat intelligence Macnica has accumulated, Macnica aims to improve the detection rate of attacks targeting Japan.
The threat hunting service is offered as a one-time scan or as an annual subscription.

Point

  • Advanced targeted attacks designed to bypass existing security products are detected by proprietary AI-based detection combined with analysis by human analysts.
  • Investigated 20,000 devices and built a diagnostic lifecycle from information collection through detection and response.
  • Visualizes the security status of endpoints at overseas locations that have no IT administrator.

ITOCHU Corporation's ITCCERT focuses on incident prevention

In recent years, cyber attacks have become more advanced and complex as cybercrime has become industrialized, and attacks targeting companies and organizations are now a management risk. In addition, attacks aimed at making money, such as ransomware and business email fraud, are a familiar threat to many companies.
Therefore, more and more organizations have recently established a CSIRT (Computer Security Incident Response Team) to deal with cybersecurity incidents. ITOCHU Corporation launched its CSIRT in 2012 and named it "ITCCERT"; the "R" stands for three elements: Readiness, Response, and Recovery.
"ITCCERT is a virtual organization created within the IT Planning Department that manages and operates the company's networks. ITCCERT specializes in cybersecurity operations, focusing on incident prevention, response, analysis, and recurrence prevention. We will also provide direct support if any of the more than 300 ITOCHU Group companies request support," says Motohiko Sato, Senior Cyber Security Analyst at ITCCERT, Technology Management Office, IT Planning Department, ITOCHU Corporation.
ITOCHU Corporation is organized under a company system, and each company within the group has its own information systems department, but when a cybersecurity incident occurs, ITCCERT takes the lead in responding.
Additionally, ITCCERT constantly monitors network communications and emails sent from outside the company. By writing its detection rules based on the knowledge Macnica has accumulated in-house, it can capture attack characteristics that existing security products cannot detect, and continually create rules that detect similar attacks when they occur.
Information such as malware communication destinations and file hashes, obtained through independent intelligence activities, is used to protect ITOCHU Corporation and prevent cybersecurity incidents from occurring.
"ITCCERT focuses on incident prevention, and we work every day with the belief that it is important to prevent incidents from occurring," Mr. Sato emphasizes.

ITOCHU Group's threat hunting services

On the other hand, the ITOCHU Group's companies and overseas bases use networks separate from that of ITOCHU Corporation's headquarters, so these defense measures do not protect them directly.
For this reason, ITCCERT developed a dedicated cybersecurity program, the "I" series, for group companies and overseas locations.
This program covers a wide range of services, including URL filtering, business email fraud prevention tools, cybersecurity-specific risk assessments, and workshops that are immediately useful in day-to-day work. One of these services, "I" Discovery, is an endpoint security service that inspects devices for hidden malware; it has performed threat inspections on more than 20,000 devices since its launch in October 2017. Its core technology is the threat hunting tool ThreatSonar, developed by TeamT5 of Taiwan.

Forensic technology collects essential information for threat hunting

ThreatSonar quickly collects the data needed for computer forensics, including information about processes running on a device, deleted files, and data in memory. By analyzing the collected data with a proprietary engine, suspicious files can be extracted precisely.
It uses a unique AI-assisted behavioral model to detect suspicious behavior, allowing thorough investigation of threats that signature-based antivirus solutions cannot detect. The collected data is analyzed by ITCCERT staff with specialized knowledge, making it possible to find hidden malware that existing antivirus software misses.
In addition, by jointly analyzing the detection results between ITCCERT and the information systems departments of each group company, Macnica can quickly determine the appropriate response.
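The two ideas this case study touches on, detection rules built from malware communication destinations and file hashes (the ITCCERT section above) and hunting over collected process data such as running images and their network connections (this section), can be illustrated with the following added example. It is not ThreatSonar's engine and not an ITCCERT rule; the process records, the indicator values (a constructed hash, a name under the reserved .invalid TLD, and the RFC 5737 documentation range 203.0.113.0/24) and the functions hunt and summarize_by_host are all constructed here for illustration.

```python
"""Added example: a minimal IoC-based hunting pass over collected endpoint data.

Everything here is constructed for illustration: the process records, the
indicator values and the two functions. It is not ThreatSonar's engine and
not an ITCCERT rule.
"""
from dataclasses import dataclass
import hashlib
import ipaddress


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (used only to build sample hashes)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class ProcessRecord:
    """One running process as an endpoint collector might report it."""
    host: str
    pid: int
    image_path: str
    sha256: str
    remote_endpoints: list           # (hostname-or-ip, port) tuples seen for this process
    image_on_disk: bool = True       # False if the executable was deleted while running


# --- Constructed indicator feed (placeholder values, not real IoCs) ----------
IOC_HASHES = {sha256_hex(b"constructed malicious loader")}
IOC_DOMAINS = {"update-check.example.invalid"}           # reserved TLD, never resolves
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 documentation range


def _matches_domain(name: str) -> bool:
    """Exact or subdomain match against the domain indicators."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def _matches_network(name: str) -> bool:
    """True when the endpoint is an IP literal inside an indicator network."""
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        return False                 # a hostname, not an IP literal
    return any(ip in net for net in IOC_NETWORKS)


def hunt(records):
    """Return one finding per process that trips at least one rule.

    Rules: known-bad image hash, communication with an indicator domain or
    network, and the forensic anomaly of a running process whose image file
    has been deleted from disk.
    """
    findings = []
    for r in records:
        reasons = []
        if r.sha256.lower() in IOC_HASHES:
            reasons.append("image hash matches indicator")
        for name, port in r.remote_endpoints:
            if _matches_domain(name):
                reasons.append(f"connects to indicator domain {name}:{port}")
            elif _matches_network(name):
                reasons.append(f"connects to indicator network {name}:{port}")
        if not r.image_on_disk:
            reasons.append("running process whose executable was deleted")
        if reasons:
            findings.append({"host": r.host, "pid": r.pid,
                             "image_path": r.image_path, "reasons": reasons})
    return findings


def summarize_by_host(findings):
    """Count flagged processes per host, for a per-site overview."""
    counts = {}
    for f in findings:
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return counts


# --- Constructed sample collection from two endpoints -----------------------
SAMPLE_RECORDS = [
    ProcessRecord("ws-tokyo-01", 4120, r"C:\Windows\System32\svchost.exe",
                  sha256_hex(b"benign system binary"),
                  [("intranet.example.invalid", 443)]),
    ProcessRecord("ws-hanoi-03", 2288, r"C:\Users\Public\tmp\ldr.exe",
                  sha256_hex(b"constructed malicious loader"),
                  [("cdn.update-check.example.invalid", 443)]),
    ProcessRecord("ws-hanoi-03", 3316, r"C:\ProgramData\x\helper.exe",
                  sha256_hex(b"unknown binary"),
                  [("203.0.113.7", 8080)], image_on_disk=False),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"{f['host']} pid={f['pid']} {f['image_path']}")
        for reason in f["reasons"]:
            print("   -", reason)
    print(summarize_by_host(hunt(SAMPLE_RECORDS)))
```

The third record shows why collected forensic data matters beyond indicator matching: its hash is unknown to the feed, but the deleted-image anomaly and the destination network still flag it, which is the kind of finding a signature-only product would not raise.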

Discover threats that cannot be detected by existing endpoint security solutions

Among the various endpoint security solutions, Mr. Sato chose ThreatSonar because its underlying technology is not antivirus; it is a tool that can significantly raise security levels.
The ITOCHU Group has over 300 subsidiaries and approximately 100,000 employees. Furthermore, as is typical of a trading company, joint ventures and capital and business alliances are established frequently. Therefore, the ITOCHU Group does not mandate a specific endpoint security product, and each company installs the product best suited to its requirements. The only thing all companies have in common is that they have installed antivirus products.
Next-generation antivirus products are also an extension of existing antivirus software. Antivirus vendors have strengths and weaknesses in technology, and it is difficult to comprehensively eliminate all threats. For me, ThreatSonar is a very appealing security product that enables companies to utilize their existing antivirus software and to detect threats with its unique features.
When Macnica started offering "I" Discovery, more than 50 group companies volunteered to use the service. More than half of the companies that applied performed a one-time scan, and some began to scan regularly. Information systems departments at companies that run "I" Discovery regularly are satisfied with being able to confirm that their devices have not been compromised by unknown or evasive attacks that existing security products cannot detect.

Ease of implementation is the deciding factor for expansion to group companies

"ThreatSonar does not require any installation. It simply distributes and runs a lightweight scanner, so it runs in the background without requiring any knowledge or operational skills from the users. Another advantage is that the operation communication is light, so there is less burden on the network, and there are no problems such as conflicts with the OS or applications and environment dependence," says Motohiko Sato.

Build a monitoring system even at overseas bases with limited resources

There have been reports of cases in which banking malware hidden in legitimate processes for many years was discovered by running "I" Discovery. Mr. Sato also finds it reassuring that the system detects not only active malware but also latent malware and high-risk software installed by users.
"I" Discovery is also used by overseas locations. Some of these have no IT administrator, or only a single expatriate employee, and their devices vary in Windows OS version and language. One of ThreatSonar's advantages is that it can be easily deployed in such environments without operational problems.
Finally, Mr. Sato said that ITCCERT is considering applying custom signatures to "I" Discovery in the future and will continue working to strengthen the ITOCHU Group's security.

User Profile

ITOCHU Corporation
ITOCHU Corporation was founded in 1858, when the Company's founder Chubei Itoh commenced linen trading operations in Azabu. Afterwards, he built a foundation for his business by running a kimono and goods business in Osaka. Today, as a major general trading company with approximately 130 bases in 65 countries around the world including Japan, ITOCHU operates in the fields of textiles, machinery, metals, energy, chemicals, food, housing, information, insurance, logistics, construction, and finance, and engages in a wide range of businesses, including import/export and trilateral transactions, as well as business investment both domestically and internationally.
Interviewee: Mr. Motohiko Sato, Senior Cyber Security Analyst, ITCCERT, Technology Management Office, IT Planning Department, ITOCHU Corporation
Original article is from: Macnica

