Cybersecurity Research Institute

Analysis Team

The Cybersecurity Laboratory has a dedicated analysis team whose mission is to analyze and respond to real-world cyberattack data collected by various self-developed monitoring systems. The team consists of specialized security analysts dedicated to darknet monitoring, security operations center work (also called livenet monitoring), artifact analysis, and red team operations. Each of these security operations is described in the following sections.

The results of the various analyses, and the expertise behind them, are shared not only internally with researchers, developers, and NICT-CSIRT members but also with external collaborators. For example, the NICT analysis team contributed to the cybersecurity operations of the Tokyo 2020 Olympic and Paralympic Games and shared cyber threat intelligence related to the Tokyo 2020 Games.

Projects

Darknet Monitoring

Early detection of large-scale malware infections (pandemics)

Large-scale IoT malware infection observed by NICTER

The analysis team analyzes the “darknet” traffic data collected daily by NICTER to understand global cyberattack trends.

Darknet data contains network events related to a variety of cyberattacks, but the most frequently observed events are the scanning activities of worm-type malware, which spreads over the network by searching for its next target. When a vulnerability is discovered in Internet-facing devices and malware emerges that exploits it to spread, the number of hosts observed on the darknet shows a sharp spike as infections chain into a pandemic-like outbreak (the figure above shows actual data observed during such a pandemic).

By capturing such anomalous events in darknet data, we can detect large-scale cyberattacks on the Internet at an early stage, and by analyzing the targeted ports and protocols and the types of devices behind the source addresses, we can respond appropriately to them.
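The early-warning idea above, as an added example that is not NICTER's own code: a darknet receives no legitimate traffic, so a worm spreading through a new vulnerability appears as a sudden jump in the number of distinct source hosts hitting the targeted port. The script below aggregates constructed sample records (not real observations; tcp/37215 is an arbitrary port chosen for the example) per day and destination port, builds a robust baseline from the trailing days, and flags the days on which the unique-host count breaks out of it.

```python
"""Added example (not NICTER code): early warning from darknet scan records.

A darknet receives no legitimate traffic, so every arriving packet is a scan,
a probe or backscatter.  A worm that spreads through a fresh vulnerability
shows up as a sudden jump in the number of *distinct source hosts* hitting the
port it targets.  This script aggregates constructed sample records per day and
destination port, derives a robust baseline (median + MAD) from the preceding
days, and flags days whose unique-host count exceeds that baseline.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def build_sample_records():
    """Constructed darknet records, not real observations.

    Returns (day, src_ip, dst_port, proto) tuples.  tcp/23 and tcp/445 see a
    steady background of scanners; from day 9 on, the number of distinct hosts
    probing tcp/37215 (port chosen arbitrarily for this example) jumps
    tenfold and keeps growing, mimicking a new IoT worm outbreak.
    """
    start = date(2024, 1, 1)
    records = []
    for d in range(12):
        day = start + timedelta(days=d)
        for i in range(19 + d % 3):                      # 19..21 hosts on tcp/23
            records.append((day, f"198.51.100.{i}", 23, "tcp"))
        for i in range(15):                              # 15 hosts on tcp/445
            records.append((day, f"203.0.113.{i}", 445, "tcp"))
        n_hosts = 3 if d < 9 else 30 + 5 * (d - 9)       # outbreak ramps up
        for i in range(n_hosts):
            records.append((day, f"192.0.2.{i}", 37215, "tcp"))
    return records


def unique_hosts_per_day(records):
    """Map (dst_port, proto) -> {day: number of distinct source hosts}."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, src, port, proto in records:
        seen[(port, proto)][day].add(src)
    return {key: {day: len(hosts) for day, hosts in days.items()}
            for key, days in seen.items()}


def detect_spikes(series, window=7, k=5.0, min_hosts=10):
    """Flag days whose count is an outlier against the trailing window.

    Baseline is the median of the previous `window` days and the scale is the
    median absolute deviation (MAD) of those days, floored at 1 so that a
    perfectly flat baseline does not turn every small change into an alert.
    A day is flagged when count > median + k * MAD and count >= min_hosts
    (the floor suppresses noise on ports that see almost no traffic).
    Returns a list of (day, count, baseline_median).
    """
    days = sorted(series)
    alerts = []
    for idx in range(window, len(days)):
        history = [series[d] for d in days[idx - window:idx]]
        med = median(history)
        mad = max(median(abs(x - med) for x in history), 1.0)
        count = series[days[idx]]
        if count >= min_hosts and count > med + k * mad:
            alerts.append((days[idx], count, med))
    return alerts


def run_detection(records, **params):
    """Return {(port, proto): alerts} for every port/protocol that spiked."""
    results = {}
    for key, series in unique_hosts_per_day(records).items():
        alerts = detect_spikes(series, **params)
        if alerts:
            results[key] = alerts
    return results


if __name__ == "__main__":
    for (port, proto), alerts in run_detection(build_sample_records()).items():
        for day, count, baseline in alerts:
            print(f"{day} {proto}/{port}: {count} distinct hosts "
                  f"(trailing median {baseline})")
```

Counting distinct source hosts rather than packets is deliberate: a single noisy scanner can send millions of packets, but only a spreading infection adds new hosts. The median/MAD baseline is chosen over mean/standard deviation so that the first outbreak day does not inflate the baseline and mask the days that follow; on the sample data only tcp/37215 is reported, on the tenth day and each day after it.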

We have also developed our own honeypots for various types of attacks, and we conduct detailed analysis of attack activities targeting IoT devices, DRDoS (Distributed Reflection Denial of Service) attacks, and so on. Information obtained through these observations and analyses is shared in the “Fixed Point Observation and Friends Group” organized by JPCERT/CC, which consists of organizations conducting attack observations in Japan, and is used to alert related organizations and to provide information to government organizations. NICTER also disseminates information to the general public through the NICTER blog and NICTER observation reports.

Livenet Monitoring

Security operations for the organizational network

Building a security operations environment using NIRVANA KAI

The analysis team conducts security operations by monitoring and analyzing NICT’s enterprise network traffic (which we call “livenet”) as a member of NICT-CSIRT.

In addition to analyzing network traffic data, the analysis team conducts the following activities:
- analyzes logging data such as VPN logs and proxy logs,
- analyzes spam mail (phishing, malware spam, etc.) targeting NICT employees,
- monitors alerts raised by various security appliances,
- analyzes EDR (Endpoint Detection and Response) logs,
- collects and analyzes threat information (new vulnerabilities, malware, attack campaigns, etc.) published on the Internet and estimates the scope of impact by comparing it with observed attack trends.

Additionally, as an important initiative linking R&D with actual cybersecurity operations, the NICT network serves as a large test bed: detection engines developed by the Cybersecurity Laboratory are applied to livenet observations to verify their effectiveness, and the data and findings obtained are fed back into research and development.

Artifact analysis

Investigation of adversary’s goal based on the analysis of tools and malware

Long-term monitoring of adversarial behavior using STARDUST

The analysis team conducts detailed analyses of malware samples collected by honeypots and livenet observations, performing artifact analysis to clarify their functions and purposes.

In analyzing malware samples, we identify malware families through surface, dynamic, and static analysis, and extract IoC (Indicator of Compromise) information such as the C2 servers the malware connects to and the processes it creates. We are also working to automate analysis by developing tools useful for analyzing similar samples, such as decryption scripts for malware that encrypts its data and YARA rules derived from analysis results. Analysis results are fed back to darknet and livenet observations and used for countermeasures and for public disclosure in the form of analysis reports. Furthermore, RAT (Remote Administration Tool) and new malware samples are executed on STARDUST, a targeted-attack inducement platform developed by the Cybersecurity Laboratory, to lure attackers into an analysis environment that simulates a real organization. The attackers’ activities are observed over a long period, and the various traces (artifacts) they leave behind are analyzed to identify their characteristics and effective countermeasures.
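An added example (not NICT's code) of the two automation outputs mentioned above, a decryption script and a YARA rule derived from analysis results. It assumes a hypothetical malware family that stores its C2 configuration as a single-byte-XOR-obfuscated "key=value;" string, with the key `0x5A` recovered during static analysis; the sample blob, the key and the host `c2.example.invalid` are all constructed for the example and are not real IoCs.

```python
"""Added example (not NICT code): turning one sample's findings into reusable
analysis artefacts.  Assumes a hypothetical malware family that stores its C2
configuration as a single-byte-XOR-obfuscated "key=value;" string, with the
key recovered during static analysis.  Two outputs analysts typically script
once the scheme is understood: a decoder that extracts the IoCs from any
sample of the family, and a YARA rule keyed on bytes that every sample of the
family shares (here the encoded "c2=" field name)."""

XOR_KEY = 0x5A   # assumed: recovered during static analysis of the constructed sample


def xor_decode(blob: bytes, key: int) -> bytes:
    """Single-byte XOR; it is its own inverse, so the same call encodes."""
    return bytes(b ^ key for b in blob)


def build_sample_blob() -> bytes:
    """Constructed config blob of a fictitious sample (not a real IoC)."""
    plain = b"c2=c2.example.invalid;port=8443;id=0001;"
    return xor_decode(plain, XOR_KEY)


def extract_iocs(blob: bytes, key: int = XOR_KEY) -> dict:
    """Decode the blob and pull out the C2 host and port."""
    text = xor_decode(blob, key).decode("ascii", errors="replace")
    fields = dict(kv.split("=", 1) for kv in text.split(";") if "=" in kv)
    return {
        "c2_host": fields.get("c2"),
        "c2_port": int(fields["port"]) if fields.get("port", "").isdigit() else None,
    }


def yara_rule(name: str, marker: bytes, key: int = XOR_KEY) -> str:
    """Emit a YARA rule matching the XOR-encoded field name shared by the family."""
    hexbytes = " ".join(f"{b:02X}" for b in xor_decode(marker, key))
    return (
        f"rule {name}\n"
        "{\n"
        "    meta:\n"
        "        description = \"XOR-encoded config marker (example family)\"\n"
        "    strings:\n"
        f"        $cfg = {{ {hexbytes} }}\n"
        "    condition:\n"
        "        $cfg\n"
        "}\n"
    )


def marker_matches(data: bytes, marker: bytes, key: int = XOR_KEY) -> bool:
    """Plain-Python stand-in for scanning with the rule above: does the
    encoded marker occur anywhere in the data?"""
    return xor_decode(marker, key) in data


if __name__ == "__main__":
    blob = build_sample_blob()
    print(extract_iocs(blob))
    print(yara_rule("example_family_config", b"c2="))
    print(marker_matches(blob, b"c2="), marker_matches(b"benign data", b"c2="))
```

Keying the rule on the encoded field name rather than on the decoded C2 address is the point: the address changes from sample to sample and from campaign to campaign, while the obfuscation scheme and the field layout are what identify the family, so the same rule keeps catching new samples and the decoder then yields the fresh IoCs for darknet and livenet correlation.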

Red team operations

Security risk verification and feedback from an attacker's perspective

The analysis team has red team operations capability to conduct security testing of various systems from the attacker’s perspective.

The red team tests the latest vulnerabilities, tools, and tactics used by attackers to penetrate real-world systems, and collects and analyzes the test results to understand their severity, complexity, and effectiveness. The knowledge and techniques obtained through such testing are used for more advanced, realistic attack simulation and to improve the security level of NICT’s information systems through penetration testing of systems within NICT and of systems developed by the Cybersecurity Laboratory. For penetration testing, the red team not only uses existing tools but also develops custom tools and draws on the attack observations of the other teams to evaluate readiness against real-world threats.

At the same time, the red team has built its own verification labs using virtual network environments and cloud infrastructure that do not affect the production environment and make verification work repeatable and reproducible. The red team installs target security products such as WAFs and IPSs in a lab network, verifies their performance by feeding them various attacks, and feeds the knowledge obtained back into our research and development activities.
