HIS Harnesses Threat Intelligence to Block Credential Abuse and Secure Their Attack Surface

Recorded Future enables Japanese travel giant to slash false positives by 50% across global operations.

HIS, a leading Japanese travel company, leverages Recorded Future to achieve unified security operations across its 58 global locations. By enabling early detection of credential leaks and effective attack surface management, the company is strengthening its response capabilities against cyber attacks, including ransomware.

There is a night-and-day difference in our sense of security compared to before Recorded Future.

Susumu Ishitani

Group Lead, Security, Information Security Governance, IT System Division

Goal

Respond to the global threat of ransomware by implementing proactive countermeasures across all international locations to prevent incidents.

Challenge

The company lacked a method for the early detection of credential leaks, which often resulted in reactive and delayed countermeasures. It was also difficult to trace the leakage path. Additionally, the existing Attack Surface Management (ASM) process was plagued by manual work and false positives.

Outcome

Focusing on Improving and Building Effective Ransomware Countermeasures

Operating its travel business in 58 countries worldwide, including Japan, HIS aims for sustainable growth under the purpose of “Unleashing the feeling of 'KOKORO ODORU' (a sense of excitement and wonder).” The company's commitment to sustainable growth extends beyond customer experience to encompass robust data protection.

As one of Japan's largest travel agencies, HIS processes millions of customer bookings annually, managing everything from flight reservations to complete vacation packages. Because the company holds personal information, including passport data, it has maintained a strong sense of urgency regarding the increasing sophistication and scale of cyber attacks. "If personal information were to be leaked, it would cause significant trouble for our customers. Furthermore, the financial losses from a system shutdown that halts business operations would be immeasurable," says Susumu Ishitani, Group Leader of the Security Team, Information Security Governance at the IT System Division.

With the rise of remote work and more employees operating outside the office, HIS began by strengthening its endpoint protection to address network vulnerabilities. As a next step, the company focused on enhancing credential protection, with the growing global threat of ransomware in mind.

Naoki Ishizuka of the Security Team, part of the same group, recalls, "Although we conduct employee training, attackers devise sophisticated phishing emails that outmaneuver it, so there's a limit to what training can achieve. Moreover, a full-scale implementation of multi-factor authentication or an IDaaS solution is a massive, time-consuming project. That's why we decided to first reduce risk by focusing on the early detection of credential leaks, allowing us to take swift action like password changes. Previously, even if credentials were leaked, we had no way of knowing how many were compromised or where the leak occurred."

The company also faced challenges with its Attack Surface Management (ASM)—the process of discovering and mitigating unknown or unmanaged IT assets accessible from the external internet. Mai Nogami of the Security Team says of their previous tool:

"Our previous ASM product generated a very high number of false positives, which created a large workload. We also had to perform asset detection manually each time and wanted to make that process more efficient."

Choosing Recorded Future for Its Ease of Use and Multifunctionality

To detect credential leaks, HIS conducted a hands-on comparison of three different products. As a result, they selected Recorded Future's Identity Intelligence.

Because we operate with a small team, Recorded Future's intuitive interface was a perfect match for our needs. It also excelled in the sheer volume of information it could provide, not just identifying password or ID leaks, but also pinpointing details like the compromised device name, folder path, and the malware responsible.

Naoki Ishizuka

Security, Information Security Governance, IT System Division

As they deepened their understanding of Recorded Future during this selection process, the ASM capabilities of Attack Surface Intelligence caught their attention, and they decided to replace their existing product with it. Ms. Nogami explains, "Recorded Future’s easy-to-view interface and low rate of false positives were very appealing."

At the same time, Mr. Ishitani evaluated Recorded Future from the perspective of strengthening global information security. "Beyond its functional aspects, a key reason for choosing Recorded Future was its ability to be deployed and used worldwide, with a support system in place at each of our overseas locations. A strong recommendation from our European branch, which had already implemented Recorded Future’s Attack Surface Intelligence, was also a major factor."

The support from Recorded Future during the selection and implementation process was another crucial element. "Their response to our inquiries about how to use the platform was fast, which allowed us to transition smoothly into full operation," Mr. Ishizuka notes.

Protecting the Organization and Employees Through Early Detection of Leaked Credentials

Regarding the benefits of implementing Identity Intelligence, Mr. Ishizuka says, "We can now identify where credentials have been leaked in a timely manner and take swift action, such as changing passwords or suspending accounts. Being able to stop potential threats before they escalate into major incidents is a significant achievement."

Mr. Ishitani also praises Identity Intelligence. "It's often difficult to speak to the concrete results of a security product, as its purpose is to 'prevent problems from occurring,' but there is a night-and-day difference in our sense of security compared to before Recorded Future. I also believe this is a valuable initiative for protecting our employees. As cyber attack methods become more sophisticated, it is crucial to detect ID and password leaks as early as possible and take swift countermeasures."

Another major success has been strengthening security on a global scale. "Even when a credential leak is detected at an overseas office, we can now collaborate closely through the common platform of Recorded Future. The same goes for Attack Surface Intelligence; our headquarters can grasp the situation and then provide remote support while looking at the same information, which makes our conversations much smoother," Mr. Ishizuka explains.

Halving False Positives and Drastically Reducing Operational Workload

A particularly notable effect of implementing Attack Surface Intelligence has been the reduction in workload associated with false positives. "False positives not only require a direct response but also consume resources in communicating with relevant parties for investigation, which strains our operations."

Since switching to Recorded Future, the number of false positives has, by my estimation, been cut by more than half. We now only need to address a highly refined set of alerts, which has made our management far more efficient.

Mai Nogami

Security, Information Security Governance, IT System Division

While their previous tool required selecting each target domain one by one to run a scan, Recorded Future’s Attack Surface Intelligence automatically discovers and scans targets, freeing the team from this manual effort.

Ms. Nogami is satisfied with the clarity of the detection results. "With the previous tool, the descriptions of alerts were extremely long, and it was a chore just to read through them. Recorded Future displays information in simple sentences, so I can understand the content quickly. The level of detail is just right—not too much, not too little—which also makes it easy to communicate to stakeholders. I was initially hesitant about the English-language interface as a team primarily speaking Japanese, but with the high accuracy of modern translation tools, it hasn't been a problem."

The support system during operation also received high marks. "No matter what tool you use, ASM operations require specialized expertise," Ms. Nogami says. "It's not uncommon to have questions about interpreting detection results that you can't solve on your own. But Recorded Future's support is highly responsive. Inquiries are acknowledged within a few hours, and we typically receive an answer within a day at the latest, which is extremely helpful."

Further Streamlining Immediate Response with Recorded Future, AI, and Automation

Looking ahead, Mr. Ishizuka states, "Although it's a difficult challenge, our ideal goal is to reduce credential leaks to zero." He adds, "While strengthening our immediate response capabilities with Recorded Future, we can also analyze the current situation to identify regions and attributes that require focused countermeasures, allowing us to efficiently nip threats in the bud. It has become one of our key indicators for security enhancement."

Mr. Ishitani spoke about the future with the scarcity of IT talent and the need for reliable incident response in mind:

"To minimize operational effort as much as possible, we want to expand the scope of what can be automated. We have high expectations for Recorded Future's future evolution, including its use of AI and integrations with various systems to advance automation."
