Accurately Identifying Upcoming Risks: Why Mercari’s CSIRT Makes Sure to Conduct Its Own Threat Intelligence Research #MercariSecurityPrivacy
This article is part of our Meet Mercari’s Security & Privacy Team series, where we will be introducing you to the teams that make up the wider Security & Privacy Team at Mercari over the next two months or so. This time, we’re looking at the Computer Security Incident Response Team (CSIRT), Mercari’s permanent, dedicated team of incident response professionals.
Cyber attacks grow more sophisticated each year. You might call them “an invisible threat.” Mercari’s CSIRT needs to detect these threats as soon as possible. With the team finally filling out its ranks, we decided to check back in to see what kind of initiatives they are focusing on now.
Featured in this article
Masahiro Yamada: Wanting to work in cybersecurity, Masahiro got involved with network security research during his undergraduate and graduate studies. After working on research and development of cyber attack detection technologies at a major system integrator company, he worked as a threat researcher and forensic incident response consultant at several international security vendors. Masahiro eventually joined Mercari in October 2021 after working with Mercari as a service provider. He has been leading work to establish the Computer Security Incident Response Team (CSIRT) as a permanent team to oversee threat intelligence, threat hunting, and other domains.
Miki Takahashi: After working in project management for systems development at a major fintech company, Miki went abroad to get a graduate degree in information security at a university overseas. She returned to Japan after that, going on to work in CSIRT and security education at that same fintech company. She joined Mercari in November 2021, right when the company was planning to establish a permanent CSIRT in an effort to optimize the company’s incident response. She mainly works on phishing site response and threat information collection at present.
Sana Okumura: Sana is currently undertaking a master’s course at the Shizuoka University Graduate School of Integrated Science and Technology’s Department of Informatics. While devoting herself to research about information security, she is also interning as part of Mercari’s CSIRT. She likes black tea and has a sweet tooth.
Why Mercari’s CSIRT Is Focused On Threat Intelligence Research
──We first featured CSIRT in Mercan in April. What would you like to highlight this time?
@shimesaba：Last time, @yamada and I talked about CSIRT’s overall work—but since then, we had Florencio join our team in October, with a wealth of experience in incident response and threat hunting. Since our team is much more filled out now, I think it would be good to look closely at the threat intelligence research we’re working on.
Miki Takahashi (@shimesaba)
@yamada：The threat intelligence research that Mercari’s CSIRT is working on represents one way that we are trying to identify risk for incidents likely to occur in the future, before those incidents occur. This is something we have been gradually working on as part of our efforts to “stay one step ahead” as described in the previous Mercan article, detecting invisible threats in advance. We also have Sana, our CSIRT intern, helping out with this. She’s joining the interview today as well!
@Sana：I’m Sana, and I’ve been interning with CSIRT as part of a three-month program that started in September. I’m researching security as part of a graduate research lab, and I want to work in a position related to security in the future.
──To get right into it: What does “threat intelligence research” actually entail?
@yamada：The term “threat intelligence” actually encompasses a wide range of tasks and processes. When it comes to cyber attacks targeting Mercari, for example, the Threat Detection Engineering Team is working on collecting so-called “tactical” threat intelligence: info on hacking groups, or the IOCs and TTPs used in attack campaigns. Meanwhile, CSIRT is in charge of collecting and analyzing the “strategic” threat intelligence data. This deals more with the overall state of affairs regarding threats. Additionally, for cyber attacks targeting Mercari users or those that involve abuse of the Mercari service, we collect and analyze information such as trends in relevant cyber attack business dealings, attack campaigns, and TTPs. The latter is what we’ve had @shimesaba lead.
──Can you tell us a little more about the “strategic” threat intelligence you’ve collected regarding cyber attacks targeting Mercari?
@yamada：Strategic threat intelligence can be hard to act on and difficult to tie to visible results. What’s important is to ingratiate ourselves with information sources and somehow or other understand geopolitical factors and the business dealings backing these threats.
To give a specific example: There was a case in September where a certain hacking group conducted a DDoS attack against Japanese government agencies and other businesses. We were contacted by several external organizations at the time, saying that Mercari was included in the list of targets. The team acting as the point of contact for these messages escalated it to CSIRT as a matter of urgency. Since we were able to survey the Telegram channel used by the hacking group to an extent, we were able to confirm immediately that there was no real basis for believing that we were included in some concrete attack plan. In fact, we were nothing more than one of several Japanese companies named by users (who were not part of the group) on the hacking group’s public site that anyone could view, in a thread asking for Japanese companies that should be attacked. Although this meant that we needed to prepare to an extent, we were able to maintain a balance between watching the situation carefully and not overcommitting resources.
Furthermore, once this hacking group seemed to turn their attention away from Japan, we no longer received any messages from external entities. The group was not featured in any media reports either, so unless we continued to monitor them ourselves, it would be difficult to tell when to put up our defenses.
Masahiro Yamada (@yamada)
To go one step further: There were reports only a few days later that a group with a similar background would be targeting Japanese companies, but this was also not featured by the media in any major way. As the strategy for selecting targets seemed a bit different, it was conceivable that some companies might see the latter group as posing a greater risk.
But based on our experience up to that point, we found that threat intelligence solely defined by information gained unilaterally through a third party—information whose nature and accuracy we could not verify ourselves—could mislead us into underestimating or overestimating the risk, in a kind of “telephone” game. We believe that even if it means committing some resources, the best threat intelligence comes from doing the research yourself, without leaving it up to another party.
@shimesaba：We’re having the intern Sana try tracking down information on these trends herself.
Bringing the People, Organizations, Places, and Roles Behind Attacks Into Greater Focus
──Could you tell us a little more about the area that you’re leading?
@shimesaba：Sure. I’m collecting information regarding criminal elements who target Mercari users. That information is used in, say, coming up with countermeasures to address phishing and other criminal activity. The usual way companies deal with phishing sites is to aim for early detection and takedown. But that case-by-case approach just turns the whole endeavor into a game of whack-a-mole. It’s cheap and easy to make a phishing site and send out a bunch of emails. No matter how hard we work to take them down, they’ll keep popping up.
In order to stop phishing at the source, we need to make it inconvenient to target Mercari users. That’s the core of our anti-phishing measures. In collecting information, I mostly use scamming communities on social media, where members exchange information on phishing practices. These communities bring me a lot of information on tools and methods used in phishing, how to disguise oneself so your fake account doesn’t get exposed, etc. By bringing their methods into greater focus, we can determine with certainty what we need to do to damage them the most. In that sense, it might actually have a little in common with the cyber kill chain and MITRE ATT&CK frameworks. We share the collected information with relevant teams working on anti-fraud measures within Mercari Group, and we work together with them to improve our services.
While I can’t share any specifics, we had one case where the information gained through actual research made it clear that countermeasures that had generally been effective up to that point were losing efficacy in the face of new criminal methods. This became the impetus to come up with a new direction for our countermeasures.
Although we generally only see the very surface elements of these scamming groups, I hope that bringing the people, organizations, places, and roles within these communities into greater focus will lead to the arrest of some of these criminals.
──I had no idea there was so much behind Mercari’s anti-phishing measures! As an intern, what are you working on, Sana?
@Sana：This is my first experience with threat intelligence research. While first learning the ins and outs of this kind of research, I plan to develop tools that can ultimately aid research efforts. I’m always surprised at how many threats are lurking in the shadows of the social media we casually view every day, like Twitter and Instagram. Both @yamada and @shimesaba are not only teaching me research methods, but also sharing the mindset and approach they take to threat intelligence.
Sana Okumura (@Sana)
──Wow, you’re even looking to develop tools! When it comes to these two, can you share something you’ve learned from them specifically?
@Sana：They taught me that there are a lot of things we have to be careful about when collecting information. Especially bias. Even before we start to analyze the information, bias can creep in during the information collection stage. I’m always trying to be mindful in handling the information so that I don’t end up at some misleading conclusion. The work also brings us into contact with criminal and hacking communities. Both @yamada and @shimesaba have taught me how important it is to protect myself and gather information in an ethical manner. I think that these approaches will also inform the research I’m doing as part of my graduate studies.
──The importance of protecting oneself and gathering information in an ethical manner… The rabbit hole runs deep!
Trial and Error to Create Best Practices That Other Companies Can Learn From
──Last, I want to ask about Mercari CSIRT’s future aims.
@yamada：Looking at the hacking group that targeted Japan just the other day or the rise in ransomware attacks, we believe that many companies will need to start taking matters into their own hands, using collected threat intelligence to assess risk on their own and pushing forward specific countermeasures. There still aren’t very many threat intelligence experts in Japan, and there aren’t yet best practices in place that every company can immediately imitate. Many of Mercari CSIRT’s current endeavors are a matter of trial and error. However, we hope to showcase them in a way that can be educational to other companies, encompassing everything from the actual information collection work to in-house output.
@shimesaba：I think each company has to decide for themselves which security team should take on the threat intelligence function. In terms of our research output at Mercari, we want to share our approach and vision for security with suitable stakeholders to connect our work to concrete countermeasures and responses. In that sense, CSIRT, which is constantly talking with other teams about how security risk is part of incident response, is the perfect team for the job.
@Sana：I’m very interested in threat intelligence, so it has been very rewarding to experience the role it plays within the Security Team firsthand. During my remaining time on the internship, I want to work hard to figure out what kind of security job I want to pursue in the future.
@yamada：The threat intelligence work that we shared with you today aims to collect external information in order to understand latent risks, like what kind of future incidents could occur, and then use that information to help us prepare for those incidents. Since we just had Florencio, a tech expert in threat intelligence, join us in October, I hope we can kick our threat hunting efforts into high gear, using the information we collect in-house to identify risks that could manifest in the future. We hope to stay “one step ahead,” identifying invisible threats before they occur, and share that information both inside and outside the company.
A fish figurine that fish-loving @shimesaba brought on the day of the interview (contrary to her Slack name, this is just a generic fish—there aren’t too many shimesaba figurines out there!). Florencio also joined for the photo session (pictured furthest right).